From owner-freebsd-security Sun Dec 17 1:32:19 2000
From: Kris Kennaway
Date: Sun, 17 Dec 2000 01:33:31 -0800
To: Kurt@pinboard.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: mcrypt
Message-ID: <20001217013331.B18038@citusc.usc.edu>
In-Reply-To: <20001216234910.A14562@pinboard.com>

On Sat, Dec 16, 2000 at 11:49:10PM +0100, Kurt@pinboard.com wrote:
> I'd be grateful for hints on what I'm doing wrong

Just use the port. cd /usr/ports/security/mcrypt && make install clean.

It might also be easier to just use openssl, which is in all post 4.0
releases and is a port which can be installed on the others..
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 17 3:59:20 2000
From: Roman Shterenzon
Date: Sun, 17 Dec 2000 13:59:08 +0200 (IST)
To: Kris Kennaway
Subject: Re: mcrypt
In-Reply-To: <20001217013331.B18038@citusc.usc.edu>

On Sun, 17 Dec 2000, Kris Kennaway wrote:
> On Sat, Dec 16, 2000 at 11:49:10PM +0100, Kurt@pinboard.com wrote:
> > I'd be grateful for hints on what I'm doing wrong
>
> Just use the port. cd /usr/ports/security/mcrypt && make install clean.
>
> It might also be easier to just use openssl, which is in all post 4.0
> releases and is a port which can be installed on the others..
>
> Kris
>

one can also use gnupg or pgp for that purpose, also from ports or packages.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
  Tel: +972-9-9522361 ]

From owner-freebsd-security Sun Dec 17 4: 0:11 2000
From: sen_ml@eccosys.com
Date: Sun, 17 Dec 2000 21:00:00 +0900 (JST)
To: security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001217.210000.48511239.sen_ml@eccosys.com>

From: "Some Person"
Subject: Re: Security Update Tool..
Date: Sun, 17 Dec 2000 07:23:08

> Ummm, it prompts for a username/password.. ;)

what part of:

> >(NOTE: this URL does require a SunSolve account)

is difficult to understand?
;-)

From owner-freebsd-security Sun Dec 17 4: 2: 5 2000
From: Roman Shterenzon
Date: Sun, 17 Dec 2000 14:00:51 +0200 (IST)
To: Roger Marquis
Subject: Re: Security Update Tool..

It has nothing to do with FreeBSD security, since sun numbers its patches.
e.g. patchid-patchrevision, for example: 123456-11
There's nothing much to look at.

On Sat, 16 Dec 2000, Roger Marquis wrote:
> > My question is, is there a util yet that in theory (maybe if so, or if
> > someone writes one would work differently than what I'm imagining) queries a
> > central database with all the security advisories, checks the local system
> > for comparisons and vulnerabilities against that database and reports to the
> > user who ran the util.
>
> Before reinventing the wheel interested developers might check the
> reference implementation, Sun's Patchdiag:
>
> http://sunsolve.Sun.COM/private-cgi/show.pl?target=resources/patchdiag
>
> (NOTE: this URL does require a SunSolve account)
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
  Tel: +972-9-9522361 ]

From owner-freebsd-security Sun Dec 17 9:27:11 2000
From: Roger Marquis
Date: Sun, 17 Dec 2000 09:26:56 -0800 (PST)
To: security@FreeBSD.ORG
Subject: Re: Security Update Tool..

> Before reinventing the wheel interested developers might check the
> reference implementation, Sun's Patchdiag:
>
> http://sunsolve.Sun.COM/private-cgi/show.pl?target=resources/patchdiag
>
> (NOTE: this URL does require a SunSolve account)

The version id for FreeBSD ports would probably come from something like:

  grep "@name" /var/db/pkg/*/+CONTENTS | awk '{print $NF}'

OS sources could be derived from the RCS/CVS version headers under
/usr/src. A good example report might also look like Sunsolve's:

>======================================================================================
>System Name: sunserver      SunOS Vers: 5.7      Arch: sparc
>Cross Reference File Date: Dec/14/00
>
>PatchDiag Version: 1.0.4
>======================================================================================
>Report Note:
>
>Recommended patches are considered the most important and highly
>recommended patches that avoid the most critical system, user, or
>security related bugs which have been reported and fixed to date.
>A patch not listed on the recommended list does not imply that it
>should not be used if needed. Some patches listed in this report
>may have certain platform specific or application specific dependencies
>and thus may not be applicable to your system. It is important to
>carefully review the README file of each patch to fully determine
>the applicability of any patch with your system.
>======================================================================================
>INSTALLED PATCHES
>Patch  Installed Latest   Synopsis
>  ID   Revision  Revision
>------ --------- -------- ------------------------------------------------------------
>106327 08        CURRENT  SunOS 5.7: Shared library patch for C++
>106541 12        CURRENT  SunOS 5.7: Kernel update patch
>106725 02        CURRENT  OpenWindows 3.6.1: mailtool vacation security patch
>106793 05        CURRENT  SunOS 5.7: ufsdump and ufsrestore patch
>106934 03        CURRENT  CDE 1.3: libDtSvc Patch
>106938 04        CURRENT  SunOS 5.7: libresolv patch
>106942 07        CURRENT  SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
>106944 03        CURRENT  SunOS 5.7: /kernel/fs/fifofs and /kernel/fs/sparcv9/fifofs patch
>106950 13        CURRENT  SunOS 5.7: Linker patch
>106960 01        CURRENT  SunOS 5.7: Manual Pages for patchadd.1m and patchrm.1m
>106978 10        CURRENT  SunOS 5.7: sysid patch
>107018 02        CURRENT  SunOS 5.7: /usr/sbin/in.named patch
>107022 06        CURRENT  CDE 1.3: Calendar Manager patch
>107038 01        CURRENT  SunOS 5.7: apropos/catman/man/whatis patch
>107115 05        CURRENT  SunOS 5.7: LP patch
>107171 06        CURRENT  SunOS 5.7: Fixes for patchadd and patchrm
>107200 12        CURRENT  CDE 1.3: dtmail patch
>107259 01        CURRENT  SunOS 5.7: /usr/sbin/vold patch
>107337 01        CURRENT  OpenWindows 3.6.1: KCMS configure tool has a security vulnerabilit
>107359 02        CURRENT  SunOS 5.7: Patch for SPARCompiler Binary Compatibility Libraries
>107443 12        CURRENT  SunOS 5.7: packaging utilities patch
>107451 05        CURRENT  SunOS 5.7: /usr/sbin/cron patch
>107454 05        CURRENT  SunOS 5.7: /usr/bin/ftp patch
>107456 01        CURRENT  SunOS 5.7: /etc/nsswitch.dns patch
>107544 03        CURRENT  SunOS 5.7: /usr/lib/fs/ufs/fsck patch
>107587 01        CURRENT  SunOS 5.7: /usr/lib/acct/lastlogin patch
>107636 05        CURRENT  SunOS 5.7: X Input & Output Method patch
>107650 08        CURRENT  OpenWindows 3.6.1 X11R6.4 Xprint Extension Patch
>107684 01        CURRENT  SunOS 5.7: Sendmail patch
>107709 07        CURRENT  SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa patch
>107792 02        CURRENT  SunOS 5.7: /usr/bin/pax patch
>107794 01        CURRENT  SunOS 5.7: ASET patch
>107885 06        CURRENT  CDE 1.3: dtprintinfo Patch
>107887 10        CURRENT  CDE 1.3: Actions Patch
>107893 09        CURRENT  OpenWindows 3.6.1: Tooltalk patch
>107972 01        CURRENT  SunOS 5.7: /usr/sbin/static/rcp patch
>108219 01        CURRENT  CDE 1.3: dtaction Patch
>108221 01        CURRENT  CDE 1.3: dtspcd Patch
>108301 02        CURRENT  SunOS 5.7: /usr/sbin/in.tftpd patch
>108374 04        CURRENT  CDE 1.3: libDtWidget Patch
>108376 16        CURRENT  OpenWindows 3.6.1: Xsun Patch
>108482 02        CURRENT  SunOS 5.7: /usr/sbin/snoop patch
>108484 01        CURRENT  SunOS 5.7: aset patch
>108662 01        CURRENT  SunOS 5.7: Patch for sadmind
>108721 01        CURRENT  SunOS 5.7: admintool patch
>108838 02        CURRENT  SunOS 5.7: allocate/mkdevmaps/mkdevalloc patch
>109104 04        CURRENT  SunOS 5.7: /kernel/fs/sockfs patch
>109253 01        CURRENT  SunOS 5.7: /usr/bin/mail patch
>109404 01        CURRENT  SunOS 5.7: /usr/vmsys/bin/chkperm patch
>109744 01        CURRENT  SunOS 5.7: /usr/lib/nfs/nfsd patch
>======================================================================================
>
>UNINSTALLED RECOMMENDED PATCHES
>
>Patch  Ins Lat Age Require   Incomp    Synopsis
>  ID   Rev Rev     ID        ID
>------ --- --- --- --------- --------- -----------------------------------------
>106952 N/A 01  713                     SunOS 5.7: /usr/bin/uux patch
>108327 N/A 01  262                     SunOS 5.7: /usr/bin/cu patch
>108331 N/A 01  262                     SunOS 5.7: /usr/bin/uustat patch
>108798 N/A 01  195                     SunOS 5.7: /usr/bin/tip patch
>109949 N/A 01  122                     SunOS 5.7: jserver buffer overflow
>======================================================================================
>
>UNINSTALLED SECURITY PATCHES
>
>NOTE: This list includes the Security patches that are also Recommended
>
>Patch  Ins Lat Age Require   Incomp    Synopsis
>  ID   Rev Rev     ID        ID
>------ --- --- --- --------- --------- -----------------------------------------
>106952 N/A 01  713                     SunOS 5.7: /usr/bin/uux patch
>108327 N/A 01  262                     SunOS 5.7: /usr/bin/cu patch
>108331 N/A 01  262                     SunOS 5.7: /usr/bin/uustat patch
>108798 N/A 01  195                     SunOS 5.7: /usr/bin/tip patch
>109949 N/A 01  122                     SunOS 5.7: jserver buffer overflow
>======================================================================================
>
>UNINSTALLED Y2K PATCHES
>
>NOTE: This list includes the Y2K patches that are also Recommended
>
>Patch  Ins Lat Age Require   Incomp    Synopsis
>  ID   Rev Rev     ID        ID
>------ --- --- --- --------- --------- -----------------------------------------
>108343 N/A 04  110 108374-01           CDE 1.3: sdtperfmeter patch
>108815 N/A 02  159                     OpenWindows 3.6.1: Calendar Manager patch
>======================================================================================

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sun Dec 17 11:39:38 2000
From: Robert Watson
Date: Sun, 17 Dec 2000 14:39:32 -0500 (EST)
To: freebsd-security@FreeBSD.org
Cc: freebsd-arch@FreeBSD.org
Subject: Removing #ifdefs on LOGIN_CAP?
As part of the mandatory access control implementation, I'm using the
capabilities database (/etc/login.conf) to add label information to user
classes; in this manner, each user is mapped to appropriate mandatory
policy restrictions and rights. To do this, I've introduced LOGIN_SETLABEL
as an option to setusercontext(), which extracts the labeling information,
and applies it to user processes at login. This has a number of impacts --
first, it requires that programs use setusercontext() when working with
user context information, rather than manually diddling with uid's, which
is probably a good thing. It also requires the programs start correctly
using LOGIN_SETALL rather than manually constructing masks (a bit of work
-- I updated su to do this a couple of weeks ago, but work remains to be
done in other programs).

This raises the following issue: currently, the login capability code is
ifdef'd by LOGIN_CAP throughout the source tree, and in many cases,
alternative implementations of context management code exist in an #else.
Do we know if anyone still uses the old code? Would there be any objections
to transitioning to only using setusercontext() and the login capabilities
database rather than retaining the old implementations, giving us a
consistent implementation throughout and allowing the capability database
to hold additional per-user/class security properties?

I also plan to use login.conf to hold information on privileges
(capabilities) that users are allowed to acquire via su as well as
configuring per-user audit properties, so there are other applications
that will use this also.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Dec 17 12:27:43 2000
From: "Crist J. Clark"
Date: Sun, 17 Dec 2000 12:27:39 -0800
To: Roger Marquis
Subject: OT: Re: Security Update Tool..
Message-ID: <20001217122739.J96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Sun, Dec 17, 2000 at 09:26:56AM -0800, Roger Marquis wrote:
> > Before reinventing the wheel interested developers might check the
> > reference implementation, Sun's Patchdiag:
> >
> > http://sunsolve.Sun.COM/private-cgi/show.pl?target=resources/patchdiag
> >
> > (NOTE: this URL does require a SunSolve account)
>
> The version id for FreeBSD ports would probably come from something like:
>
> grep "@name" /var/db/pkg/*/+CONTENTS | awk '{print $NF}'

Pet peeve. Why do people pipe grep to awk?

  awk '/@name/ { print $NF }' /var/db/pkg/*/+CONTENTS

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sun Dec 17 18:15: 7 2000
From: "Some Person"
Date: Mon, 18 Dec 2000 02:15:04
To: sen_ml@eccosys.com, security@FreeBSD.ORG
Subject: Re: Security Update Tool..

doh! I mis-read.. lol

>From: "Some Person"
>Subject: Re: Security Update Tool..
>Date: Sun, 17 Dec 2000 07:23:08
>
> > Ummm, it prompts for a username/password.. ;)
>
>what part of:
>
> > >(NOTE: this URL does require a SunSolve account)
>
>is difficult to understand? ;-)
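The @name extraction that Roger Marquis and Crist J. Clark trade one-liners about above, taken one step further as an added example (not code from anyone in this thread): read "name version" out of a pkg db, then compare each installed version against a list of first-fixed versions of the kind one would extract from an advisory. The pkg db path, the fixed-version list format and the four sample packages are constructed assumptions, and the version ordering is a simplified numeric one rather than pkg_version(1)'s full rules.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: compare the packages
# recorded in a FreeBSD pkg db (/var/db/pkg/*/+CONTENTS, "@name" lines)
# against a constructed "package first-fixed-version" list and report
# installed versions that are older than the fix.

# installed_pkgs PKGDB: print "name version" for every package under PKGDB.
# Single awk pass, as Crist Clark suggests, instead of grep | awk.
installed_pkgs() {
    awk '/^@name/ {
        n = $2
        i = match(n, /-[^-]*$/)          # name-version split at the LAST dash
        print substr(n, 1, i - 1), substr(n, i + 1)
    }' "$1"/*/+CONTENTS
}

# vercmp A B: print -1, 0 or 1. Components are split on ".", "_" and ","
# and compared numerically, so 1.0.10 sorts after 1.0.4 and 2.3_1 after 2.3.
# Assumption: a simplified ordering, not pkg_version(1)'s full rules.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._,]/); nb = split(b, B, /[._,]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# check_advisory PKGDB FIXEDLIST: for each installed package named in
# FIXEDLIST (lines of "name first-fixed-version"; a line starting with '#'
# never matches a package name), print "name installed fixed" when the
# installed version is older than the fix. Prints nothing when all is well.
check_advisory() {
    installed_pkgs "$1" | while read -r name ver; do
        fixed=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
        [ -n "$fixed" ] || continue
        if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
            echo "$name $ver $fixed"
        fi
    done
}

# demo_vulnerable: constructed sample data (four fake packages, four fake
# fixed versions, none taken from a real advisory) in a temporary
# directory; prints the findings, here a single line for libmcrypt.
demo_vulnerable() {
    tmp=$(mktemp -d) || return 2
    for p in libmcrypt-2.4.8 mhash-0.8.9 gnupg-1.0.4 zip-2.3_1; do
        mkdir -p "$tmp/db/$p"
        printf '@name %s\n@cwd /usr/local\n' "$p" > "$tmp/db/$p/+CONTENTS"
    done
    printf '%s\n' '# package first-fixed-version (constructed sample)' \
        'libmcrypt 2.4.9' 'gnupg 1.0.4' 'mcrypt 2.5.3' 'zip 2.3' > "$tmp/fixed"
    check_advisory "$tmp/db" "$tmp/fixed"
    rm -rf "$tmp"
}

demo_vulnerable
```

On a live system the call is check_advisory /var/db/pkg FIXEDLIST; gnupg (equal version) and zip (2.3_1 is newer than 2.3) are deliberately not reported.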
From owner-freebsd-security Sun Dec 17 19:43:19 2000
From: Andrew J Caines
Date: Sun, 17 Dec 2000 22:43:03 -0500
To: FreeBSD Security
Subject: Re: Security Update Tool..
Message-ID: <20001217224303.B403@hal9000.bsdonline.org>

To add to Roger Marquis's pointer,

> Before reinventing the wheel interested developers might check the
> reference implementation, Sun's Patchdiag:

For those without Sun experience and a SunSolve account, patchdiag uses
Solaris' package and patch system and compares the current package and
patch list to a "cross reference" file (currently 654kB) available from
SunSolve which reflects the latest patches. The output is a report showing
how the system's patch level compares to the latest patch list from Sun.
Here's a sample:

INSTALLED PATCHES
Patch  Installed Latest   Synopsis
  ID   Revision  Revision
------ --------- -------- ------------------------------------------------------------
106146 15        16       SunOS 5.7: M64 Graphics Patch
106147 06        CURRENT  SunOS 5.7: VIS/XIL Graphics Patch
106148 12        CURRENT  SunOS 5.7: XFB Graphics Patch
106300 09        CURRENT  SunOS 5.7: Shared library patch for 64bit C++
106327 08        CURRENT  SunOS 5.7: Shared library patch for C++
106541 12        14       SunOS 5.7: Kernel update patch
106725 02        CURRENT  OpenWindows 3.6.1: mailtool vacation security patch
106733 07        CURRENT  SunOS 5.7: Create a patch analyzer
106748 04        CURRENT  SunOS 5.7: /usr/ccs/bin/sccs and /usr/ccs/bin/make patch
106793 05        CURRENT  SunOS 5.7: ufsdump and ufsrestore patch
106812 04        CURRENT  OBSOLETED by 107432

Patches are also grouped into categories, such as "recommended", "security"
and "Y2K".

Sun has also made fetching the patches much easier with the "autopatch"
facility which enables you to download patches with wget of a URL based on
expressions which match the patch number, eg.

  wget -m -L -l2 -A "105160*" http://sunsolve.sun.com/private-cgi/pls.pl?arg=105160*

I've not yet come across any glue which sticks these two pieces together,
although it would be very simple to make. The reason is probably the same
as the one which has been suggested as the reason for not having an
automated update tool here - that the choice to make changes to the system
is one for the sysadmin to make, based on information made available. In
Sun's case, they've made both ends of the job easy - patchdiag to identify
patches and autopatch+patchadd to get and apply them.

Of course, this all applies only to Sun's packages. I have not seen anyone
come up with additional cross reference file entries for other packages.

I'll leave comparisons to FreeBSD's model and tools, along with suggestions
for enhancement, to others for now.
Note, however, that Solaris is based on a package system for everything and
that packages and patches are binary.

-Andrew-
--
 _______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@altavista.net |

From owner-freebsd-security Sun Dec 17 20:17: 5 2000
From: Kurt@pinboard.com
Date: Sun, 17 Dec 2000 22:10:44 +0100
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: mcrypt
Message-ID: <20001217221044.B57851@pinboard.com>
In-Reply-To: <20001217013331.B18038@citusc.usc.edu>

On Sun, Dec 17, 2000 at 01:33:31AM -0800, Kris Kennaway wrote:
> Just use the port. cd /usr/ports/security/mcrypt && make install clean.

libmcrypt, libmcrypt-nm and mhash are available as ports, but I could not
find mcrypt. mcrypt is a program using libmcrypt and mhash.

> It might also be easier to just use openssl, which is in all post 4.0

The machines in question range from 3.1 to 4.1. And it's not just about the
*transport* of files, but also about the *storage* on remote machines.

Kurt

From owner-freebsd-security Sun Dec 17 23:49:32 2000
From: Todd Backman
Date: Sun, 17 Dec 2000 23:48:55 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: dsniff 2.3 info:

FYI:

The End of SSL and SSH?

Yesterday, dsniff 2.3 was released. Why is this important, you ask? dsniff
2.3 allows you to exploit several fundamental flaws in two extremely
popular encryption protocols, SSL and SSH. SSL and SSH are used to protect
a large amount of network traffic, from financial transactions with online
banks and stock trading sites to network administrator access to secured
hosts holding extremely sensitive data.
Could this signal the end of SSH or SSL?

Read the full story here:
http://securityportal.com/cover/coverstory20001218.html

- Todd

From owner-freebsd-security Mon Dec 18 1:13:38 2000
From: "Crist J. Clark"
Date: Mon, 18 Dec 2000 01:13:20 -0800
To: Todd Backman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Message-ID: <20001218011320.X96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Sun, Dec 17, 2000 at 11:48:55PM -0800, Todd Backman wrote:
>
> FYI:
>
> The End of SSL and SSH?
>
> Yesterday, dsniff 2.3 was released. Why is this important, you ask? dsniff
> 2.3 allows you to exploit several fundamental flaws in two extremely
> popular encryption protocols, SSL and SSH. SSL and SSH are used to protect
> a large amount of network traffic, from financial transactions with online
> banks and stock trading sites to network administrator access to secured
> hosts holding extremely sensitive data.
> Could this signal the end of SSH or SSL?
>
> Read the full story here:
> http://securityportal.com/cover/coverstory20001218.html

*sigh* Nothing new. Well known man-in-the-middle attacks. From the text,

    What Can You Do about This?

    Ignoring the problem might be one response, but that probably won't
    work in the long run. Without major restructuring of the SSH and SSL
    protocols, there is very little that can be done to "fix" them. The
    best course of action is to educate users to the dangers that
    attackers pose, and how to recognize when an attack may be taking
    place.

SSH is already fixed. Earlier in the text,

    SSH simply uses a secret and public key, and since they are
    generally not signed, it is trivial for an attacker to sit in the
    middle and intercept the connection... If you do have the server's
    public key, you will generally receive a warning like "Warning:
    server's key has changed. Continue?" Most users will hit Yes.

No, this is not accurate in my experience. Most clients will not let you
use a server when the key does not match unless you manually remove the old
key from the key list. Most clients at least have BIG FLASHY MESSAGES
telling the user that a changed key means someone might be doing something
Very Naughty, not just a simple, "Warning: server's key has changed.
Continue?" For example, OpenSSH will say,

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Please contact your system administrator.
Add correct host key in /usr/home/user/.ssh/known_hosts to get rid of this message.
RSA host key for server.wherever.org has changed and you have requested strict checking.

And quit, if strict checking (the default) is on.
Just as the demise of telnet was greatly exaggerated by the widespread
availability of tools like hunt, sniffit, et al., dsniff is not going to
make SSH or SSL obsolete.
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Mon Dec 18 1:27:36 2000
From: Nevermind
Date: Mon, 18 Dec 2000 11:25:08 +0200
To: Roman Shterenzon
Cc: Kris Kennaway, Some Person, freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001218112508.E607@nevermind.kiev.ua>

Hello, Roman Shterenzon!

On Sat, Dec 16, 2000 at 05:23:24PM +0200, you wrote:
> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
>
> I'm the person Kris was talking about. I'm working on it, have little
> time, and switched to gnupg lately, but it'll be done eventually.
> Perhaps this thread will make me finish it earlier.
> I'd like to hear ideas which I will incorporate in it.
> Meanwhile the main idea is:
> 1) have a local directory for advisories
> 2) upon start, contact freebsd.org and check for newer advisories
> 3) check advisories with gnupg (security officer's pgp key has to be
>    installed manually).
> 4) extract the valuable information from the advisory
> 5) check against /var/db/pkg/* (revisions, and before it was invented -
>    dates, yes, I know it's weak, but I've nothing to do with it).
> 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
>    -r)

I think it would be much better if the user had the ability to choose
whether he wants to install a binary update or build it from source.

> 7) anything else?
> Written in perl and will be called pkg_security.
> I guess it could be changed to sacheck if all binaries have the id in
> them, so using what(1) will reveal the cvs revision.
>
> Looking forward to your comments,

--
Alexandr P. Kovalenko        http://nevermind.kiev.ua/
NEVE-RIPE

From owner-freebsd-security  Mon Dec 18  1:38: 3 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 01:38:01 2000
Delivered-To: freebsd-security@freebsd.org
Received: from firefly.prairienet.org (firefly.prairienet.org [192.17.3.3])
    by hub.freebsd.org (Postfix) with ESMTP id C9A0E37B402;
    Mon, 18 Dec 2000 01:38:00 -0800 (PST)
Received: from sherman.spotnet.org (slip-84.prairienet.org [192.17.3.104])
    by firefly.prairienet.org (8.9.3/8.9.3) with ESMTP id DAA26500;
    Mon, 18 Dec 2000 03:37:47 -0600 (CST)
Date: Mon, 18 Dec 2000 03:37:42 -0600 (CST)
From: David Talkington
Subject: Re: dsniff 2.3 info:
In-Reply-To: <20001218011320.X96105@149.211.6.64.reflexcom.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Crist J. Clark wrote:

>SSH is already fixed. Earlier in the text,
>
>    SSH simply uses a secret and public key, and since they are
>    generally not signed, it is trivial for an attacker to sit in the
>    middle and intercept the connection... If you do have the server's
>    public key, you will generally receive a warning like "Warning:
>    server's key has changed. Continue?" Most users will hit Yes.
>
>No, this is not accurate in my experience. Most clients will not let
>you use a server when the key does not match unless you manually
>remove the old key from the key list. Most clients at least have BIG
>FLASHY MESSAGES telling the user that a changed key means someone
>might be doing something Very Naughty, not just a simple, "Warning:
>server's key has changed. Continue?"

SSH Communications clients (at least for Unix), both protocols, will
allow the user to accept a new key with just a keystroke. My experience
suggests that most users won't even bat an eye at the "SOMETHING NASTY
MIGHT BE HAPPENING" message; they'll just hit "y" and go on with their
days. Maybe the result of learning to reflexively dismiss Microsoft's
"Are you sure?"s ...

*sigh* indeed for social engineering. We can debug code, but not humans.

-d

From owner-freebsd-security  Mon Dec 18  1:44:51 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 01:44:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
    by hub.freebsd.org (Postfix) with ESMTP id 7CB4E37B402;
    Mon, 18 Dec 2000 01:44:48 -0800 (PST)
Received: (from des@localhost)
    by flood.ping.uio.no (8.9.3/8.9.3) id KAA95746;
    Mon, 18 Dec 2000 10:44:43 +0100 (CET)
    (envelope-from des@ofug.org)
Sender: des@ofug.org
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
    coincide with those of any organisation or company with which I am
    or have been affiliated.
To: Todd Backman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
From: Dag-Erling Smorgrav
Date: 18 Dec 2000 10:44:42 +0100
In-Reply-To: Todd Backman's message of "Sun, 17 Dec 2000 23:48:55 -0800 (PST)"
Lines: 11
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Todd Backman writes:
> http://securityportal.com/cover/coverstory20001218.html

The ironic thing is that when I looked up this page, I got a big fat
VeriSign banner ad at the top that said "Get military-grade security
that will blow hackers away.
Secure your site with 128-bit SSL encryption"

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security  Mon Dec 18  1:46:58 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 01:46:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
    by hub.freebsd.org (Postfix) with ESMTP id A8A3837B400;
    Mon, 18 Dec 2000 01:46:56 -0800 (PST)
Received: from localhost (todd@localhost)
    by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id BAA49899;
    Mon, 18 Dec 2000 01:46:23 -0800 (PST)
    (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Mon, 18 Dec 2000 01:46:23 -0800 (PST)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: Dag-Erling Smorgrav
Cc: Todd Backman, freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Gotta love it... ;^)

On 18 Dec 2000, Dag-Erling Smorgrav wrote:

> Todd Backman writes:
> > http://securityportal.com/cover/coverstory20001218.html
>
> The ironic thing is that when I looked up this page, I got a big fat
> VeriSign banner ad at the top that said "Get military-grade security
> that will blow hackers away. Secure your site with 128-bit SSL
> encryption"
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security  Mon Dec 18  1:55:19 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 01:55:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.unixguru.nl (unknown [212.204.178.120])
    by hub.freebsd.org (Postfix) with ESMTP id 82AB937B402;
    Mon, 18 Dec 2000 01:55:12 -0800 (PST)
Received: by mail.unixguru.nl (Postfix, from userid 1000)
    id 8A6E744E80; Mon, 18 Dec 2000 10:55:19 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
    by mail.unixguru.nl (Postfix) with ESMTP id 5D57614280;
    Mon, 18 Dec 2000 10:55:19 +0100 (CET)
Date: Mon, 18 Dec 2000 10:55:19 +0100 (CET)
From: Richard Arends
To: Some Person
Cc: freebsd-security@freebsd.org
Subject: Re: Security Update Tool..
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 16 Dec 2000, Some Person wrote:

> My question is, is there a util yet that in theory (maybe if so, or if
> someone writes one would work differently than what I'm imagining) queries a
> central database with all the security advisories, checks the local system
> for comparisons and vulnerabilities against that database and reports to the
> user who ran the util.

Take a look at Nessus. Nessus is a security tool. You have a client and
a server. The server holds a database with known exploits for a number
of os'es/applications etc. A client connects to the server and uses the
database (plugins).

Greetings,

Richard.
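The "Security Update Tool" thread above sketches a checker (pkg_security) that fetches advisories, verifies them with gnupg, and compares the fix information against the package names in /var/db/pkg. The following is an added example of that comparison step, written for this page; it is not code from the tool's author, from Nessus or from the FreeBSD project. The advisory layout it parses ("Package:" / "Fixed-In:" lines), the package names and the installed-package list are constructed for the example (the real FreeBSD-SA layout is not reproduced on this page), and the version ordering is a simplified version of what pkg_version(1) implements (epoch after `,`, then dotted version, then port revision after `_`).

```python
"""Check installed FreeBSD-style package names against advisory fix versions.

Added example for the pkg_security design in this thread; not the tool's
own code. Advisory format, package names and the installed list below are
constructed; version ordering is simplified relative to pkg_version(1).
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample advisory: each package with the first fixed version.
SAMPLE_ADVISORY = """\
Package:  exampleftpd
Fixed-In: 1.4.2_1
Package:  examplemailer
Fixed-In: 2.0.3
Package:  examplehttpd
Fixed-In: 1.3.14
"""

# Constructed stand-in for the directory names under /var/db/pkg/.
SAMPLE_INSTALLED = ["exampleftpd-1.4.2", "examplemailer-2.0.3",
                    "examplehttpd-1.3.12_2", "unrelated-0.1"]


def split_pkgname(pkgname: str) -> Tuple[str, str]:
    """'name-1.2.3_1,2' -> ('name', '1.2.3_1,2'); the last '-' separates them."""
    name, sep, version = pkgname.rpartition("-")
    if not sep:
        raise ValueError(f"no version in package name: {pkgname!r}")
    return name, version


def version_key(version: str) -> tuple:
    """Sort key for 'ver[_revision][,epoch]'.

    Epoch wins over everything, then the dotted version, then the port
    revision. Numeric components compare numerically, so 1.10 > 1.9.
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    # Tag numbers and letters differently so tuples never compare int to str.
    parts = tuple((1, int(p)) if p.isdigit() else (0, p)
                  for p in re.findall(r"\d+|[A-Za-z]+", version))
    return (epoch, parts, revision)


def parse_advisory(text: str) -> Dict[str, str]:
    """Return {package: first fixed version} from the constructed format."""
    fixed: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Package":
            current = value
        elif key == "Fixed-In" and current:
            fixed[current] = value
            current = None
    return fixed


def vulnerable_packages(installed: List[str], fixed: Dict[str, str]) -> List[str]:
    """Installed packages whose version sorts below the advisory's fix version."""
    hits = []
    for pkgname in installed:
        name, version = split_pkgname(pkgname)
        if name in fixed and version_key(version) < version_key(fixed[name]):
            hits.append(pkgname)
    return hits


def signature_is_valid(advisory_path: str) -> bool:
    """Step 3 of the design: only trust an advisory that gpg verifies.

    Needs the security officer's key in the local keyring; not exercised
    here because it requires gpg and a real signed file.
    """
    result = subprocess.run(["gpg", "--batch", "--verify", advisory_path],
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    for hit in vulnerable_packages(SAMPLE_INSTALLED, parse_advisory(SAMPLE_ADVISORY)):
        print("VULNERABLE:", hit)
```

The comparison is done on the "fixed in" version rather than on dates, which is the weak point the design's step 5 admits to; an advisory that only gives a correction date cannot be checked this way. Run against the constructed input it reports exampleftpd-1.4.2 (older port revision than the fix) and examplehttpd-1.3.12_2 (older version), and stays quiet about examplemailer, which is already at the fixed version.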
From owner-freebsd-security  Mon Dec 18  2: 6:44 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:06:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24])
    by hub.freebsd.org (Postfix) with ESMTP id DBF0437B400;
    Mon, 18 Dec 2000 02:06:39 -0800 (PST)
Received: from petra.hos.u-szeged.hu
    by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id LAA26473;
    Mon, 18 Dec 2000 11:06:38 +0100 (MET)
Received: from sziszi
    by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian))
    id 147xBl-0002WS-00; Mon, 18 Dec 2000 11:06:37 +0100
Date: Mon, 18 Dec 2000 11:06:37 +0100
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: Re: dsniff 2.3 info:
Message-ID: <20001218110637.D6395@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from todd@flyingcroc.net on Sun, Dec 17, 2000 at 11:48:55PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Dec 17, 2000 at 11:48:55PM -0800, Todd Backman wrote:
>
> FYI:
>
> The End of SSL and SSH?
>
> Yesterday, dsniff 2.3 was released. Why is this important, you ask? dsniff
> 2.3 allows you to exploit several fundamental flaws in two extremely
> popular encryption protocols, SSL and SSH. SSL and SSH are used to protect
> a large amount of network traffic, from financial transactions with online
> banks and stock trading sites to network administrator access to secured
> hosts holding extremely sensitive data. Could this signal the end of SSH
> or SSL?
>
> Read the full story here:
> http://securityportal.com/cover/coverstory20001218.html

Hi!

I have read the article and here are my thoughts about it:

- First, this is nothing new, as the author also states.

- Second, it requires raw access to the wire, which may or may not be
  available. Of course it probably will be in your typical university
  comp lab or if you are on Ethernet otherwise.

Now let's consider the scenario that the author presents us with. This
involves a man-in-the-middle attack where the only thing the attacker
does is that she intercepts the messages on the wire and always
re-encrypts them and then passes them on. This scenario assumes that the
parties have no way of knowing who the other party is other than what
they say they are and also that they have not been in contact before.
This will most probably be true for SSL transactions, especially if the
server's CA is self-signed, but anyway for the user side. So if you are
using SSL connections for things other than, say, reading your highly
precious junk email from a free provider, you should consider other
options. Also, many banks are now implementing personal certificates
which they will pass to the client in a secure (ie off-line, either
personally or via snail-mail) way. Smart card readers are also more and
more wide-spread in these settings. I think we will see people use
personal certificates more often in other places too. (eg our national
student ID card system in Hungary is a step in that direction. Countries
where people are not used to carrying identification with themselves
usually face a harder situation.)

For SSH however, I see the problem to be not as big. If you are unsure,
you can always check if the server's public key is what you think it is.
Eg you can ask by phone, it can be on a web page etc. People normally
use SSH to places that they are at least to some extent familiar with,
eg your mail server. Also, the scenario described does require constant
spoofing, because as soon as the attacker gets out of the way, you will
discover there is a problem. Of course, that will not help you a bit
with what has already been intercepted, but at least you can take action
to mitigate the damage. Also, using passwords on SSH may be a good idea.

Of course, session-level encryption is a useful idea and should be used
whenever possible. Also, educating users about possible dangers is
important. Good network design and monitoring is also essential (but we
all know this already, right?:-) And you must always evaluate what your
security needs are. It is possible that the application is so sensitive
that you cannot place it on a network at all. It is possible that you
must force use in the local network only. etc.

As for injecting commands, well, this may be dangerous as far as
deleting all the files in your home dir goes, but root should never be
caught unaware because, if you are root, and you see that the server's
public key has changed, you must know there is something going on since
you did not do anything to change it! Yes, this involves also regular
monitoring of your . files etc.

BTW dsniff 2.3 is already available in NetBSD pkgsrc. I think I will go
and play with it for a while now:-)

As far as upgrading to SSH2 goes, it is only a temporary solution as the
author also notes. But, as long as people cannot be bothered to use SSH
instead of telnet even when they are hundreds of kms from here over the
public Internet and give out their credit card details in the clear and
choose their dog's name as password we have other problems to worry
about...

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security  Mon Dec 18  2:18: 8 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:18:04 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
    by hub.freebsd.org (Postfix) with ESMTP id 8206237B400;
    Mon, 18 Dec 2000 02:18:04 -0800 (PST)
Received: from localhost (todd@localhost)
    by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id CAA50612;
    Mon, 18 Dec 2000 02:17:04 -0800 (PST)
    (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Mon, 18 Dec 2000 02:17:04 -0800 (PST)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
In-Reply-To: <20001218110637.D6395@petra.hos.u-szeged.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I couldn't find 2.3 anywhere. Care to point the way? I am interested in
taking a look at: sshmitm and webmitm included in 2.3.

Thanks.

- Todd

On Mon, 18 Dec 2000, Szilveszter Adam wrote:

>
> BTW dsniff 2.3 is already available in NetBSD pkgsrc.
> I think I will go and
> play with it for a while now:-)

From owner-freebsd-security  Mon Dec 18  2:20:50 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:20:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtprelay1.adelphia.net (smtprelay1.adelphia.net [64.8.25.6])
    by hub.freebsd.org (Postfix) with ESMTP id 6E78D37B400;
    Mon, 18 Dec 2000 02:20:48 -0800 (PST)
Received: from pa-westmifflin1a-530.pit.adelphia.net ([24.48.239.18])
    by smtprelay1.adelphia.net (Netscape Messaging Server 4.15)
    with ESMTP id G5RE0300.V55; Mon, 18 Dec 2000 05:19:15 -0500
Date: Mon, 18 Dec 2000 05:14:29 -0500 (EST)
From: pW
To: Todd Backman
Cc: Szilveszter Adam
Subject: Re: dsniff 2.3 info:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

www.monkey.org/~dugsong/dsniff

On Mon, 18 Dec 2000, Todd Backman wrote:

>
> I couldn't find 2.3 anywhere. Care to point the way? I am interested in
> taking a look at: sshmitm and webmitm included in 2.3.
>
> Thanks.
>
> - Todd
>
> On Mon, 18 Dec 2000, Szilveszter Adam wrote:
>
> >
> > BTW dsniff 2.3 is already available in NetBSD pkgsrc. I think I will go and
> > play with it for a while now:-)

From owner-freebsd-security  Mon Dec 18  2:24:35 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:24:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24])
    by hub.freebsd.org (Postfix) with ESMTP id 4E9C837B400;
    Mon, 18 Dec 2000 02:24:32 -0800 (PST)
Received: from petra.hos.u-szeged.hu
    by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id LAA28491;
    Mon, 18 Dec 2000 11:24:30 +0100 (MET)
Received: from sziszi
    by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian))
    id 147xT4-0002fk-00; Mon, 18 Dec 2000 11:24:30 +0100
Date: Mon, 18 Dec 2000 11:24:30 +0100
From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Message-ID: <20001218112430.A10065@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam, freebsd-security@FreeBSD.ORG
References: <20001218110637.D6395@petra.hos.u-szeged.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from todd@flyingcroc.net on Mon, Dec 18, 2000 at 02:17:04AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Dec 18, 2000 at 02:17:04AM -0800, Todd Backman wrote:
>
> I couldn't find 2.3 anywhere. Care to point the way? I am interested in
> taking a look at: sshmitm and webmitm included in 2.3.
>
> Thanks.
>
> - Todd
>
> On Mon, 18 Dec 2000, Szilveszter Adam wrote:
>
> >
> > BTW dsniff 2.3 is already available in NetBSD pkgsrc. I think I will go and
> > play with it for a while now:-)

Try:

http://naughty.monkey.org/~dugsong/dsniff/

until the FreeBSD port is updated. Seeing that it is maintained by Kris,
I do not think it will take long:-)

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security  Mon Dec 18  2:25:48 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:25:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
    by hub.freebsd.org (Postfix) with ESMTP id 829E637B404;
    Mon, 18 Dec 2000 02:25:43 -0800 (PST)
Received: from localhost (todd@localhost)
    by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id CAA50670;
    Mon, 18 Dec 2000 02:25:06 -0800 (PST)
    (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Mon, 18 Dec 2000 02:25:06 -0800 (PST)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: pW
Cc: Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

only has 2.2 on it which is also in the ports unless I am mistaken.

- Todd

On Mon, 18 Dec 2000, pW wrote:

> www.monkey.org/~dugsong/dsniff
>
> On Mon, 18 Dec 2000, Todd Backman wrote:
>
> >
> > I couldn't find 2.3 anywhere. Care to point the way? I am interested in
> > taking a look at: sshmitm and webmitm included in 2.3.
> >
> > Thanks.
> >
> > - Todd
> >
> > On Mon, 18 Dec 2000, Szilveszter Adam wrote:
> >
> > >
> > > BTW dsniff 2.3 is already available in NetBSD pkgsrc. I think I will go and
> > > play with it for a while now:-)

From owner-freebsd-security  Mon Dec 18  2:29:24 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:29:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtprelay2.adelphia.net (smtprelay2.adelphia.net [64.8.25.7])
    by hub.freebsd.org (Postfix) with ESMTP id 92C6F37B400;
    Mon, 18 Dec 2000 02:29:21 -0800 (PST)
Received: from pa-westmifflin1a-530.pit.adelphia.net ([24.48.239.18])
    by smtprelay2.adelphia.net (Netscape Messaging Server 4.15)
    with ESMTP id G5REEI00.O2I; Mon, 18 Dec 2000 05:27:55 -0500
Date: Mon, 18 Dec 2000 05:23:06 -0500 (EST)
From: pW
To: Todd Backman
Cc: Szilveszter Adam
Subject: Re: dsniff 2.3 info:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

no... I just went there and 2.3 is there

pW

On Mon, 18 Dec 2000, Todd Backman wrote:

>
> only has 2.2 on it which is also in the ports unless I am mistaken.
>
> - Todd
>
> On Mon, 18 Dec 2000, pW wrote:
>
> > www.monkey.org/~dugsong/dsniff
> >
> > On Mon, 18 Dec 2000, Todd Backman wrote:
> >
> > >
> > > I couldn't find 2.3 anywhere. Care to point the way? I am interested in
> > > taking a look at: sshmitm and webmitm included in 2.3.
> > >
> > > Thanks.
> > >
> > > - Todd
> > >
> > > On Mon, 18 Dec 2000, Szilveszter Adam wrote:
> > >
> > > >
> > > > BTW dsniff 2.3 is already available in NetBSD pkgsrc.
> > > > I think I will go and
> > > > play with it for a while now:-)

From owner-freebsd-security  Mon Dec 18  2:29:31 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:29:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24])
    by hub.freebsd.org (Postfix) with ESMTP id 010A837B404;
    Mon, 18 Dec 2000 02:29:26 -0800 (PST)
Received: from petra.hos.u-szeged.hu
    by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id LAA28999;
    Mon, 18 Dec 2000 11:29:24 +0100 (MET)
Received: from sziszi
    by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian))
    id 147xXn-0002iG-00; Mon, 18 Dec 2000 11:29:23 +0100
Date: Mon, 18 Dec 2000 11:29:23 +0100
From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Message-ID: <20001218112923.B10065@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam, freebsd-security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from todd@flyingcroc.net on Mon, Dec 18, 2000 at 02:25:06AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Dec 18, 2000 at 02:25:06AM -0800, Todd Backman wrote:
>
> only has 2.2 on it which is also in the ports unless I am mistaken.
>
> - Todd

Check your facts once again... :-) Downloading it right now as we speak.

http://naughty.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz

Maybe someone has intercepted your traffic with these tools and presents
you with a false web page:-) Naaah.

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security  Mon Dec 18  2:33:44 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:33:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
    by hub.freebsd.org (Postfix) with ESMTP id A423C37B400;
    Mon, 18 Dec 2000 02:33:39 -0800 (PST)
Received: from localhost (todd@localhost)
    by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id CAA50723;
    Mon, 18 Dec 2000 02:32:40 -0800 (PST)
    (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Mon, 18 Dec 2000 02:32:40 -0800 (PST)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: pW
Cc: Szilveszter Adam, freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That'll teach me to shift-refresh more often. Thanks for the thump. ;^)

- Todd

On Mon, 18 Dec 2000, pW wrote:

> no... I just went there and 2.3 is there
>
> pW
>
> On Mon, 18 Dec 2000, Todd Backman wrote:
>
> >
> > only has 2.2 on it which is also in the ports unless I am mistaken.
> >
> > - Todd
> >
> > On Mon, 18 Dec 2000, pW wrote:
> >
> > > www.monkey.org/~dugsong/dsniff
> > >
> > > On Mon, 18 Dec 2000, Todd Backman wrote:
> > >
> > > >
> > > > I couldn't find 2.3 anywhere. Care to point the way? I am interested in
> > > > taking a look at: sshmitm and webmitm included in 2.3.
> > > >
> > > > Thanks.
> > > >
> > > > - Todd
> > > >
> > > > On Mon, 18 Dec 2000, Szilveszter Adam wrote:
> > > >
> > > > >
> > > > > BTW dsniff 2.3 is already available in NetBSD pkgsrc. I think I will go and
> > > > > play with it for a while now:-)

From owner-freebsd-security  Mon Dec 18  2:35:35 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:35:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
    by hub.freebsd.org (Postfix) with ESMTP id 0D0C737B400;
    Mon, 18 Dec 2000 02:35:32 -0800 (PST)
Received: from localhost (todd@localhost)
    by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id CAA50731;
    Mon, 18 Dec 2000 02:34:59 -0800 (PST)
    (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Mon, 18 Dec 2000 02:34:58 -0800 (PST)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
In-Reply-To: <20001218112923.B10065@petra.hos.u-szeged.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Got it. Thanks.

On Mon, 18 Dec 2000, Szilveszter Adam wrote:

> On Mon, Dec 18, 2000 at 02:25:06AM -0800, Todd Backman wrote:
> >
> > only has 2.2 on it which is also in the ports unless I am mistaken.
> >
> > - Todd
>
> Check your facts once again... :-) Downloading it right now as we speak.
>
> http://naughty.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz
>
> Maybe someone has intercepted your traffic with these tools and presents
> you with a false web page:-) Naaah.
>
> --
> Regards:
>
> Szilveszter ADAM
> Szeged University
> Szeged Hungary

From owner-freebsd-security  Mon Dec 18  2:38:57 2000
From owner-freebsd-security@FreeBSD.ORG  Mon Dec 18 02:38:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17])
    by hub.freebsd.org (Postfix) with ESMTP id 01E2437B402;
    Mon, 18 Dec 2000 02:38:54 -0800 (PST)
Received: from roman (helo=localhost)
    by jamus.xpert.com with local-esmtp (Exim 3.12 #5)
    id 147xgs-0002MQ-00; Mon, 18 Dec 2000 12:38:46 +0200
Date: Mon, 18 Dec 2000 12:38:46 +0200 (IST)
From: Roman Shterenzon
To: Nevermind
Subject: Re: Security Update Tool..
In-Reply-To: <20001218112508.E607@nevermind.kiev.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 18 Dec 2000, Nevermind wrote:

> Hello, Roman Shterenzon!
>
> On Sat, Dec 16, 2000 at 05:23:24PM +0200, you wrote:
> > > Note that identification of vulnerabilities is different from
> > > automated correction of vulnerabilities - in order to do that it needs
> > > some fairly complicated infrastructure in the ports system to upgrade
> > > ports/packages and handle dependencies etc. Not that I want to
> > > dissuade anyone from working on this very worthy project :-)
> > >
> > > Kris
> >
> > I'm the person Kris was talking about. I'm working on it, have little
> > time, and switched to gnupg lately, but it'll be done eventually.
> > Perhaps this thread will make me finish it earlier.
> > I'd like to hear ideas which I will incorporate in it.
> > Meanwhile the main idea is: > > 1) have a local directory for advisories > > 2) upon start, contact freebsd.org and check for newer advisories > > 3) check advisories with gnupg (security officer's pgp key has to be > > installed manually). > > 4) extract the valuable information from the advisory > > 5) check against /var/db/pkg/* (revisions, and before it was invented - > > dates, yes, I know it's weak, but I've nothing to with it). > > 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install > > -r) > I think it would be much better if user will have an ability to choose if he > wants to install binary update or to build it from source. hmm.. I can make it an option, but tell me, why? if user has some local modifications, he'll prefer doing it by himself anyway, and by the time advisory is released the binary probably exists already. > > 7) anything else? > > Written in perl and will be called pkg_security. > > I guess it could be changed to sacheck if all binaries have the id in > > them, so using what(1) will reveal the cvs revision. > > > > Looking forward for your comments, > > -- > Alexandr P. Kovalenko http://nevermind.kiev.ua/ > NEVE-RIPE > --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. 
Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 2:47:28 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 02:47:24 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from nevermind.kiev.ua (unknown [212.109.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 3FB2D37B404 for ; Mon, 18 Dec 2000 02:47:22 -0800 (PST) Received: (from never@localhost) by nevermind.kiev.ua (8.11.1/8.11.1) id eBIAkYT52263; Mon, 18 Dec 2000 12:46:34 +0200 (EET) (envelope-from never) Date: Mon, 18 Dec 2000 12:46:34 +0200 From: Nevermind To: Roman Shterenzon Cc: freebsd-security@FreeBSD.ORG Subject: Re: Security Update Tool.. Message-ID: <20001218124634.G607@nevermind.kiev.ua> References: <20001218112508.E607@nevermind.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from roman@xpert.com on Mon, Dec 18, 2000 at 12:38:46PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, Roman Shterenzon! On Mon, Dec 18, 2000 at 12:38:46PM +0200, you wrote: > On Mon, 18 Dec 2000, Nevermind wrote: > > > > 5) check against /var/db/pkg/* (revisions, and before it was invented - > > > dates, yes, I know it's weak, but I've nothing to with it). > > > 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install > > > -r) > > I think it would be much better if user will have an ability to choose if he > > wants to install binary update or to build it from source. > > hmm.. I can make it an option, but tell me, why? if user has some local > modifications, he'll prefer doing it by himself anyway, and by the time > advisory is released the binary probably exists already. 
Because, maybe user wants to give some specific options to compiler, or maybe he wants to audit code to know what does it fixes and so on, there are a lot of reasons to do this way. I think this should be an option, but, as for me the default should be binary update, so unexperienced users won't blame you and other FreeBSD developers about non-compiling due to his local gcc/autoconf/etc problems. For experienced, who wants to know how does it works updating from source is much more better. For example I use pkg_version(1) to determine what ports should be updated, and then manually audit patches and comments before real updating. I think I explained my position in clear way, even if my English is very bad. -- Alexandr P. Kovalenko http://nevermind.kiev.ua/ NEVE-RIPE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 3:18:40 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 03:18:38 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id B1FE837B400; Mon, 18 Dec 2000 03:18:37 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id DAA27643; Mon, 18 Dec 2000 03:19:52 -0800 Date: Mon, 18 Dec 2000 03:19:52 -0800 From: Kris Kennaway To: Kurt@pinboard.com, Kris Kennaway , freebsd-security@FreeBSD.ORG Subject: Re: mcrypt Message-ID: <20001218031952.A27637@citusc.usc.edu> References: <20001216234910.A14562@pinboard.com> <20001217013331.B18038@citusc.usc.edu> <20001217221044.B57851@pinboard.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="yrj/dFKFPuw6o+aM" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001217221044.B57851@pinboard.com>; from Kurt@pinboard.com on Sun, Dec 17, 2000 at 10:10:44PM +0100 Sender: kris@citusc.usc.edu Sender: 
owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Dec 17, 2000 at 10:10:44PM +0100, Kurt@pinboard.com wrote:
> On Sun, Dec 17, 2000 at 01:33:31AM -0800, Kris Kennaway wrote:
> > Just use the port. cd /usr/ports/security/mcrypt && make install clean.
>
> libmcrypt, libmcrypt-nm and mhash are available as ports, but I
> could not find mcrypt. mcrypt is a program using libmcrypt and mhash.

Hmm, you're right. Well, just use openssl then since it's easier to install.

> > It might also be easier to just use openssl, which is in all post 4.0
>
> The machines in question range from 3.1 to 4.1. And it's not just about
> the *transport* of files, but also about the *storage* on remote machines.

Yes, openssl can do that too.

Kris

--yrj/dFKFPuw6o+aM
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6PfLYWry0BWjoQKURAuPsAKC0+6/odf6Sd20GNST10SKmiCkv4gCeKrPR
oNifv4BvWljnOAjzWc4a2ZA=
=VKbr
-----END PGP SIGNATURE-----

--yrj/dFKFPuw6o+aM--

From owner-freebsd-security Mon Dec 18 6:34:21 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 06:34:18 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from pps.de (mail.pps.de [217.13.200.134]) by hub.freebsd.org (Postfix) with ESMTP id 3DC1337B402 for ; Mon, 18 Dec 2000 06:34:17 -0800 (PST)
Received: from jung7.pps.de (jung7.pps.de [192.9.200.17]) by pps.de (8.9.3/8.9.3) with ESMTP id PAA90934 for ; Mon, 18 Dec 2000 15:49:35 +0100 (CET) (envelope-from petros@pps.de)
Received: from jung9.pps.de by jung7.pps.de (8.9.3+Sun/ZRZ-Sol2) id PAA12934; Mon, 18 Dec 2000 15:31:34 +0100 (MET)
Received: from jung9 by
jung9.pps.de (8.9.1b+Sun/ZRZ-Sol2) id PAA16565; Mon, 18 Dec 2000 15:31:34 +0100 (MET)
Message-Id: <200012181431.PAA16565@jung9.pps.de>
Date: Mon, 18 Dec 2000 15:31:34 +0100 (MET)
From: Peter Ross
Reply-To: Peter Ross
Subject: FTP and firewall
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: 5X+N0SslPdruM2oOxNhz+g==
X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I tried to redirect FTP to an internal FTP server using natd. I wrote:

> natd_flags="-redirect_port tcp ${intern_ftp_ip}:ftp ftp"
>
> # Allow incoming FTP connections to the internal FTP server
> ipfw add allow tcp from any to ${extern_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ftp setup via ${intern_if}
>
> # and outgoing FTP data connections created by the internal FTP server
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${intern_if}
> ipfw add allow tcp from ${intern_ftp_ip} 20 to any setup via ${extern_if}
> ipfw add allow tcp from ${extern_ip} 20 to any setup via ${extern_if}
>
> # Allow TCP through if setup succeeded
> ipfw add pass tcp from any to any established
>
> # Everything else is denied as default.

There is a problem with FTP clients using passive mode. The server listens on ports 49152..65535. I think the natd redirect option and the firewall rules

> ftp_passive_range="49152-65535"
>
> natd_flags="-redirect_port tcp ${intern_ftp_ip}:${ftp_passive_range} ${ftp_passive_range}"
>
> ipfw add allow tcp from any to ${extern_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${extern_if}
> ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via ${intern_if}

should work but .. What do you think?
The FTP control connection contains the data port negotiation between client and server. Can I use this information?

I see five different ways to solve the FTP firewall problem:

1. external FTP server and mirror through the firewall
   Problem: We need the server always up to date; data more than 5 minutes old are not acceptable, and corrupted files are also unacceptable (e.g. files created by internal processes while the mirror process works).
   Can I use cpdup (ports collection)?
2. external FTP proxy server with access to an internal server
   Problem: which proxy should I use?
3. external FTP server with NFS access through the firewall
   Problem: NFS and security
4. firewall with FTP server and NFS access to the company network
   Problem: see above; a firewall shouldn't be running daemons with public access
5. 3. or 4. with a more secure network file system (e.g. Coda?)

Thanks for advice

Peter Ross

*******************************************************
Dipl.Inf. Peter Ross                      petros@pps.de
Presse Programm Service Berlin - Systems administration
*******************************************************

From owner-freebsd-security Mon Dec 18 7:29:27 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 07:29:25 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from wormhole.bluestar.net (wormhole.bluestar.net [208.53.1.61]) by hub.freebsd.org (Postfix) with ESMTP id 1E98237B400 for ; Mon, 18 Dec 2000 07:29:25 -0800 (PST)
Received: from planetwe.com (admin.planetwe.com [64.182.69.146]) by wormhole.bluestar.net (8.10.1/8.10.1) with ESMTP id eBIFTCQ25743; Mon, 18 Dec 2000 09:29:12 -0600 (CST)
Message-ID: <3A3E2D48.8030207@planetwe.com>
Date: Mon, 18 Dec 2000 09:29:12 -0600
From: Drew Sanford
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-GB; m18) Gecko/20001107 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: Peter Ross
Cc:
freebsd-security@freebsd.org
Subject: Re: FTP and firewall
References: <200012181431.PAA16565@jung9.pps.de>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Peter Ross wrote:

> I see five different ways to solve the FTP firewall problem:
>
> 1. external FTP server and mirror through the firewall
>    Problem: We need the server always up to date; data more than 5 minutes old are not acceptable, and corrupted files are also unacceptable (e.g. files created by internal processes while the mirror process works).
>    Can I use cpdup (ports collection)?

I speak typo - I assume you mean cvsup. The answer is yes you can. Just cron the update process on the inside mirror and cvsupd on the ftp box.

> 2. external FTP proxy server with access to an internal server
>    Problem: which proxy should I use?
> 3. external FTP server with NFS access through the firewall
>    Problem: NFS and security
> 4. firewall with FTP server and NFS access to the company network
>    Problem: see above; a firewall shouldn't be running daemons with public access
> 5. 3. or 4. with a more secure network file system (e.g. Coda?)
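Peter's question above, whether the data-port negotiation carried on the control connection can be used, is exactly what an FTP-aware packet filter does instead of opening the whole 49152-65535 range. The following is an added example and is not code from the post, from natd or from ipfw: it parses the RFC 959 PORT command and 227 (PASV) reply, plus the RFC 2428 EPRT/EPSV forms, and returns the single data-connection pinhole the filter should admit for that session, refusing the cases a helper must refuse (a PORT or PASV naming a host other than the control-channel peer, a privileged port, a passive port outside the server's advertised range). PASSIVE_RANGE mirrors the ftp_passive_range in the post; the addresses, the rule rendering and the sample lines are assumptions of the example. At a NAT the announced PASV address must already have been rewritten to the external address, as natd's FTP support is meant to do, or the peer-mismatch check fires.

```python
"""Derive the single data-connection pinhole implied by FTP control traffic.

Added example for the thread above; not code from the post, from natd or from
ipfw.  Parses RFC 959 PORT / 227 PASV and RFC 2428 EPRT / 229 EPSV and applies
the sanity checks an FTP helper needs before opening a hole.  PASSIVE_RANGE
mirrors the ftp_passive_range in the post; sample addresses are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PASSIVE_RANGE = (49152, 65535)   # server's advertised passive port range (assumed)


@dataclass(frozen=True)
class Pinhole:
    mode: str       # "active": server connects to client; "passive": client connects to server
    src: str        # address that will open the data connection
    dst: str        # address that will accept it
    dst_port: int


class FtpHelperError(ValueError):
    """A negotiation the filter must refuse to honour."""


_HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def _decode_hostport(text: str) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise FtpHelperError("no h1,h2,h3,h4,p1,p2 tuple")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise FtpHelperError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def _check_port(port: int, passive: bool) -> None:
    # Bounce-attack guard: never pinhole a privileged port.  For passive mode the
    # server must stay inside its advertised range, so the natd redirect and the
    # ipfw rules in the post can remain narrow.
    if port < 1024:
        raise FtpHelperError(f"refusing privileged data port {port}")
    if passive and not PASSIVE_RANGE[0] <= port <= PASSIVE_RANGE[1]:
        raise FtpHelperError(f"passive port {port} outside {PASSIVE_RANGE}")


def pinhole_from_control(line: str, client_ip: str, server_ip: str,
                         from_client: bool) -> Optional[Pinhole]:
    """Pinhole implied by one control-channel line, or None if it negotiates nothing.

    client_ip/server_ip are the control connection's endpoints as the filter sees
    them; an announced address that differs is treated as a redirection attempt."""
    line = line.strip()
    if from_client:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "PORT":
            host, port = _decode_hostport(arg)
        elif verb == "EPRT":                      # EPRT |1|h.h.h.h|port|
            parts = arg.split(arg[0]) if arg else []
            if len(parts) < 5 or parts[1] != "1":
                raise FtpHelperError("unsupported EPRT form")
            host, port = parts[2], int(parts[3])
        else:
            return None
        if host != client_ip:
            raise FtpHelperError(f"{verb} names {host}, control peer is {client_ip}")
        _check_port(port, passive=False)
        return Pinhole("active", server_ip, host, port)
    if line.startswith("227"):                    # 227 Entering Passive Mode (h,h,h,h,p,p)
        host, port = _decode_hostport(line)
        if host != server_ip:
            raise FtpHelperError(f"PASV reply names {host}, control peer is {server_ip}")
        _check_port(port, passive=True)
        return Pinhole("passive", client_ip, host, port)
    if line.startswith("229"):                    # 229 Entering Extended Passive Mode (|||port|)
        m = re.search(r"\(\|\|\|(\d+)\|\)", line)
        if not m:
            raise FtpHelperError("malformed EPSV reply")
        port = int(m.group(1))
        _check_port(port, passive=True)
        return Pinhole("passive", client_ip, server_ip, port)
    return None


def evaluate(line: str, client_ip: str, server_ip: str, from_client: bool):
    """("allow", Pinhole), ("ignore", None) or ("reject", reason)."""
    try:
        hole = pinhole_from_control(line, client_ip, server_ip, from_client)
    except FtpHelperError as exc:
        return ("reject", str(exc))
    return ("allow", hole) if hole else ("ignore", None)


def ipfw_rule(hole: Pinhole, ifname: str) -> str:
    """Render the pinhole in the rule style used in the post (rule number omitted)."""
    return (f"ipfw add allow tcp from {hole.src} to {hole.dst} {hole.dst_port} "
            f"setup via {ifname}")
```

The pinhole is meant to live only until the data connection's SYN has been seen (or a short timeout),which is the difference between this and a permanent range rule: a rogue server that answers PASV with another host's address, or a client that tries to bounce the server at a third party, is rejected before any rule is installed.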
-- 
Drew Sanford
Systems Administrator
Planetwe.com
Email: drew@planetwe.com

From owner-freebsd-security Mon Dec 18 7:31:26 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 07:31:23 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 231D137B400 for ; Mon, 18 Dec 2000 07:31:23 -0800 (PST)
Received: from localhost (traviso@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id IAA14410 for ; Mon, 18 Dec 2000 08:31:17 -0700 (MST)
Date: Mon, 18 Dec 2000 08:31:17 -0700 (MST)
From: Travis {RapidSupport}
To: freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 18 Dec 2000, Dag-Erling Smorgrav wrote:

> > http://securityportal.com/cover/coverstory20001218.html
>
> The ironic thing is that when I looked up this page, I got a big fat
> VeriSign banner ad at the top that said "Get military-grade security
> that will blow hackers away. Secure your site with 128-bit SSL
> encryption"

*SCREENSHOT*

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team            "Courage is not defined by those who
   Phone#: 605.341.3283            fought and did not fall, but by those
   ICQ#: 30220771                  who fought, fell, and rose again."
   Mail: traviso@RapidNet.com      Fax#: 605.348.1031
   Web: www.RapidNet.com/~traviso  800#: 800.763.2525
   ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701."
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */

From owner-freebsd-security Mon Dec 18 7:36:45 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 07:36:30 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 071BE37B400; Mon, 18 Dec 2000 07:36:19 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Reply-To: security-advisories@freebsd.org
Message-Id: <20001218153619.071BE37B400@hub.freebsd.org>
Date: Mon, 18 Dec 2000 07:36:19 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:77                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Several vulnerabilities in procfs

Category:       core
Module:         procfs
Announced:      2000-12-18
Affects:        Problem #1: FreeBSD 4.x prior to the correction date.
                            FreeBSD 3.x is unaffected.
                Problem #2, #3: FreeBSD 4.x and 3.x prior to the correction date.
Corrected:      2000-12-16 (FreeBSD 4.2-STABLE)
                2000-12-18 (FreeBSD 3.5.1-STABLE)
Credits:        Frank van Vliet
                Joost Pol (Problem #1, #2)
                Esa Etelavuori (Problem #3)
FreeBSD only:   NO

I.   Background

procfs is the process filesystem, which presents a filesystem interface to the system process table, together with associated data.

II.  Problem Description

There were several problems discovered in the procfs code:

1) Unprivileged local users can gain superuser privileges due to insufficient access control checks on the /proc/<pid>/mem and /proc/<pid>/ctl files, which give access to a process's address space and allow various control operations on the process, respectively.
The attack proceeds as follows: the attacker can fork() a child process and map the address space of the child in the parent. The child process then exec()s a utility which runs with root or other increased privileges. The parent process incorrectly retains read and write access to the address space of the child process, which is now running with increased privileges, and can modify it to execute arbitrary code with those privileges.

2) Unprivileged local users can execute a denial of service against the local machine by mmap()ing a process's own /proc/<pid>/mem file in the procfs filesystem. This will cause the system to enter an infinite loop in the kernel, effectively causing the system to hang until manually rebooted by an administrator on the system console.

3) Users with superuser privileges on the machine, including users with root privilege in a jail(8) virtual machine, can overflow a buffer in the kernel and bypass access control checks placed on the abilities of the superuser. These include the ability to "break out" of the jail environment (jail is often used as a compartmentalization tool for security purposes), to lower the system securelevel without requiring a reboot, and to introduce new (possibly malicious) code into the kernel on systems where loading of KLDs (kernel loadable modules) has been disabled.

III. Impact

1) On vulnerable FreeBSD 4.x systems where procfs is mounted, unprivileged local users can obtain root privileges.

2) On vulnerable FreeBSD 4.x and 3.x systems where procfs is mounted, unprivileged local users can cause the system to hang.

3) On vulnerable FreeBSD 4.x and 3.x systems, superusers who can load the procfs filesystem, or on systems where it is already mounted, can bypass access control checks in the kernel which would otherwise limit their abilities.
Consequences include the ability to break out of a jail environment, to lower securelevel or to introduce malicious code into the kernel on systems where loading of KLDs has been disabled. For many systems this vulnerability is likely to have minor impact.

IV.  Workaround

To work around problems 1 and 2, perform the following steps as root:

Unmount all instances of the procfs filesystem using the umount(8) command:

# umount -f -a -t procfs

Disable the automatic mounting of all instances of procfs in /etc/fstab: remove or comment out the line(s) of the following form:

proc            /proc           procfs  rw      0       0

The linprocfs filesystem, which provides additional interfaces to Linux binaries to emulate the Linux procfs filesystem, is believed not to be vulnerable to the problems described in this advisory and therefore does not need to be unmounted. Note however that some Linux binaries may require the presence of both procfs and linprocfs in order to function correctly.

To work around problem 3 is more difficult since it involves the superuser, but the following steps are believed to be sufficient:

* Unmount all procfs filesystems which are visible from within jail environments, to prevent a jail root compromise from compromising the entire system. Since jailed users do not have the ability to mount filesystems, a successful jail root compromise in a jail without procfs visible cannot exploit this vulnerability.

* Remove the "options PROCFS" line from your kernel configuration file, if present, and compile a new kernel as described in http://www.freebsd.org/handbook/kernelconfig.html

If the running kernel was compiled with "options PROCFS", then any user who has root privileges can mount procfs and exploit vulnerability 3, regardless of system securelevel. If the kernel does not include this option, then an attempt to mount procfs will trigger a load of the procfs.ko KLD module, which is denied at securelevel greater than zero.
Since this vulnerability only has meaning (in the case of unjailed root users) on systems which are kept in a securelevel greater than zero, this will always be true, and such systems are not vulnerable to the problem.

Note that unmounting procfs may have a negative impact on the operation of the system: under older versions of FreeBSD it is required for some aspects of the ps(1) command, and it may also break use of userland inter-process debuggers such as gdb. Other installed binaries including emulated Linux binaries may require access to procfs for correct operation.

V.   Solution

Upgrade your vulnerable FreeBSD system to 4.2-STABLE after the correction date, or patch your present system source code and rebuild.

To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

[FreeBSD 3.5.1-RELEASE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

[FreeBSD 4.1-RELEASE and FreeBSD 4.1.1-RELEASE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.1.patch.asc

Verify the detached PGP signature using your PGP utility.

[FreeBSD 4.2-RELEASE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/sys
# patch -p < /path/to/patch

If procfs is statically compiled into the kernel (e.g. the kernel configuration file contains the line 'options PROCFS'), then rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system with the new kernel for the changes to take effect.
If procfs is dynamically loaded by KLD (use the kldstat command to verify whether this is the case) and the system securelevel has not been raised, then the system can be patched at run-time without requiring a reboot, by performing the following steps after patching the source as described above:

# cd /usr/src/sys/modules/procfs
# make all install
# umount -f -a -t procfs
# kldunload procfs
# kldload procfs
# mount -f -a -t procfs

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOj4uH1UuHi5z0oilAQG4GAP6ArdnOC6dolMGQt4p6yrd+ssEKD62Uh7a
y0EGd/7iFi7exxe+jWHQJVQmtyD4o8QYmO6qSJ+lb2iNYJTyKOlPWFWDlUlIhu3e
UvsArp9ns/4ERR7eYDvpK095np1ZB6qnLXChQf/oxj7W41QBzmK7Yc/+WW57pwLl
DS2/5AzXxXM=
=Yol+
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Dec 18 7:45:22 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 07:45:20 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id A87D437B400 for ; Mon, 18 Dec 2000 07:45:19 -0800 (PST)
Received: (from lowell@localhost) by be-well.ilk.org (8.11.1/8.11.1) id eBIFjDP64343; Mon, 18 Dec 2000 10:45:13 -0500 (EST) (envelope-from lowell)
Sender: lowell@be-well.ilk.org
From: Lowell Gilbert
Date: 18 Dec 2000 06:21:24 -0400
To: ntvsunix@hotmail.com (Some Person), freebsd-security@freebsd.org
Subject: Re: Security Update Tool..
References:
In-Reply-To: ntvsunix@hotmail.com's message of "16 Dec 2000 01:16:42 +0100"
Message-ID: <44u2814tti.fsf@lowellg.ne.mediaone.net>
Lines: 46
X-Mailer: Gnus v5.7/Emacs 20.7
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ntvsunix@hotmail.com (Some Person) writes:

> Hey ppl.
> Sorry I just joined the list so I dunno what kinda posts usually go
> on here but I was just browsing www.freebsd.org/security and...
>
> Well, seeing there's new security discoveries, patches and a whole slew of
> CERT advisories etc.. it's hard to keep up with what needs securing, and
> what to secure, from the base system, from the ports, etc.
>
> My question is, is there a util yet that in theory (maybe if so, or if
> someone writes one would work differently than what I'm imagining) queries a
> central database with all the security advisories, checks the local system
> for comparisons and vulnerabilities against that database and reports to the
> user who ran the util.
>
> ie, sacheck -H sa-host.freebsd.org
>
> I completely made that up, but just an idea. ie, sacheck (security advisor
> check) checks against -H sa-host.freebsd.org.
>
> Please, if I sound like a complete idiot, no need to flame.. ;) I'm trying
> to explain what I think would be a good idea in the best way I can via email
> and I'm still an intermediate (non-expert) FreeBSD user. I don't know
> programming (yet) so I probably don't have all the terms, but I do have ideas.
>
> ps: Hope I did make at least some sense in describing my idea.

It's not a terrible idea, but the unified FreeBSD development model makes it less useful than it seems. The number of security advisories is relatively low (a few dozen per year?), even if you include CERT, so the payoff is somewhat limited. Because of the unified development model, the way to apply fixes is usually to upgrade to a more recent version of the software, so keeping up to date is pretty much the bottom line.

If you actually wrote your "sacheck" program, I'll bet it wouldn't have much trouble getting into the system (assuming it was *well* written), or at least the ports. You'd need a slightly more regularized format for the advisories, however, which probably means cooperation from the security officer.
Furthermore, the benefits are small enough that it may be hard to get anyone else to write it for you. And I'm sure I'm not the only one who thinks it's a *good* idea for administrators (especially of Internet-connected machines) to actually read security advisories.

Be well.

From owner-freebsd-security Mon Dec 18 8: 6:32 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:06:30 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id F045637B400 for ; Mon, 18 Dec 2000 08:06:28 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA20972; Mon, 18 Dec 2000 11:06:19 -0500 (EST) (envelope-from wollman)
Date: Mon, 18 Dec 2000 11:06:19 -0500 (EST)
From: Garrett Wollman
Message-Id: <200012181606.LAA20972@khavrinen.lcs.mit.edu>
To: Jesper Skriver
Cc: security@freebsd.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
In-Reply-To: <20001217155826.A16170@skriver.dk>
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217015414.A18302@citusc.usc.edu> <20001217155826.A16170@skriver.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<20001217155826.A16170@skriver.dk> said:

> It solves problems when trying to connect to hosts behind packet
> filters and/or firewalls, and I can add that Linux has this "feature"
> enabled by default, at least since kernel v2.0 which was the oldest box I
> could find.

I would suggest that these ICMP errors should be treated in the same way as net/host unreachable -- that is, recorded for the purposes of useful error reporting, but not acted upon immediately. 112[23] has its share of bugs.
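To make the policy proposed above concrete, here is an added example that is not code from the thread or from the FreeBSD kernel. It models a TCP endpoint's handling of ICMP Destination Unreachable: net/host unreachable and the administratively-prohibited codes (9, 10, 13) are recorded against the connection so the application eventually gets a useful errno, but they only decide the connection's fate when the retransmit timer gives up; protocol and port unreachable stay hard errors as RFC 1122 section 4.2.3.9 requires. Requiring the quoted segment to match the connection's 4-tuple and to be in flight is an addition of my own, not something the thread states, and it is what stops a sender that cannot see the connection from influencing it; the errno names, the code constants' grouping and the sample connection are likewise assumptions of the example.

```python
"""Soft versus hard handling of ICMP Destination Unreachable on a TCP connection.

Added example for the discussion above; not code from the thread or from the
FreeBSD kernel.  Soft codes are recorded and surface only at retransmit
exhaustion; hard codes abort at once (RFC 1122 4.2.3.9).  The in-flight check
and the errno mapping are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (Destination Unreachable) codes
NET_UNREACH, HOST_UNREACH, PROTO_UNREACH, PORT_UNREACH, FRAG_NEEDED = 0, 1, 2, 3, 4
NET_PROHIB, HOST_PROHIB, ADMIN_PROHIB = 9, 10, 13

HARD_CODES = {PROTO_UNREACH, PORT_UNREACH}
SOFT_CODES = {NET_UNREACH, HOST_UNREACH, NET_PROHIB, HOST_PROHIB, ADMIN_PROHIB}
SOFT_ERRNO = {NET_UNREACH: "ENETUNREACH", NET_PROHIB: "ENETUNREACH",
              HOST_UNREACH: "EHOSTUNREACH", HOST_PROHIB: "EHOSTUNREACH",
              ADMIN_PROHIB: "EHOSTUNREACH"}


@dataclass(frozen=True)
class IcmpUnreach:
    code: int
    src: str      # fields quoted from the offending datagram's IP and TCP headers
    sport: int
    dst: str
    dport: int
    seq: int


@dataclass
class Connection:
    laddr: str
    lport: int
    faddr: str
    fport: int
    snd_una: int                        # oldest unacknowledged sequence number
    snd_nxt: int                        # next sequence number to be sent
    state: str = "ESTABLISHED"
    retries: int = 0
    soft_error: Optional[int] = None    # last soft ICMP code seen, kept for reporting
    error: Optional[str] = None         # errno delivered to the socket once aborted


def quotes_connection(conn: Connection, icmp: IcmpUnreach) -> bool:
    """Does the ICMP error quote one of our segments that is still in flight?"""
    if (icmp.src, icmp.sport, icmp.dst, icmp.dport) != (conn.laddr, conn.lport,
                                                         conn.faddr, conn.fport):
        return False
    # modulo-2^32 comparison: snd_una <= seq < snd_nxt, correct across wraparound
    return (icmp.seq - conn.snd_una) % 2**32 < (conn.snd_nxt - conn.snd_una) % 2**32


def on_icmp(conn: Connection, icmp: IcmpUnreach) -> str:
    """Returns "recorded", "aborted" or "ignored"."""
    if conn.state == "CLOSED" or not quotes_connection(conn, icmp):
        return "ignored"
    if icmp.code in HARD_CODES:
        conn.state, conn.error = "CLOSED", "ECONNREFUSED"
        return "aborted"
    if icmp.code in SOFT_CODES:
        conn.soft_error = icmp.code     # remembered, not acted on
        return "recorded"
    return "ignored"                    # e.g. FRAG_NEEDED belongs to path-MTU discovery


def on_retransmit_timeout(conn: Connection, max_retries: int = 12) -> str:
    """Retransmit until the retry budget is spent, then abort, reporting the
    recorded soft error instead of a bare timeout."""
    if conn.state == "CLOSED":
        return "ignored"
    conn.retries += 1
    if conn.retries < max_retries:
        return "retransmit"
    conn.state = "CLOSED"
    conn.error = SOFT_ERRNO.get(conn.soft_error, "ETIMEDOUT")
    return "aborted"
```

The trade-off the thread is about is visible in on_retransmit_timeout: a connection behind a filter that answers with admin-prohibited still fails with EHOSTUNREACH rather than ETIMEDOUT, it just fails after the retransmit budget rather than on the first forged or stray ICMP.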
-GAWollman

From owner-freebsd-security Mon Dec 18 8:16:33 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:16:31 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 3ED5A37B402 for ; Mon, 18 Dec 2000 08:16:31 -0800 (PST)
Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id IAA29606 for security@FreeBSD.org; Mon, 18 Dec 2000 08:17:49 -0800
Date: Mon, 18 Dec 2000 08:17:49 -0800
From: Kris Kennaway
To: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Message-ID: <20001218081749.A29592@citusc.usc.edu>
References: <20001218153619.071BE37B400@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20001218153619.071BE37B400@hub.freebsd.org>; from security-advisories@FreeBSD.ORG on Mon, Dec 18, 2000 at 07:36:19AM -0800
Sender: kris@citusc.usc.edu
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Oops, apparently the /proc/<pid>/ctl local root exploit applies to 3.x as well and has not yet been fixed. I'm told the patch for 4.2 listed in the advisory applies cleanly but has not been tested.
Kris

--PNTmBPCT7hxwcZjr
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6PjitWry0BWjoQKURAorXAKCKYpvR+6rLqr0fcejjtRAQn36OmACg9L1y
NBoPXDSXYNcGp+B7C5wfLfM=
=KjIH
-----END PGP SIGNATURE-----

--PNTmBPCT7hxwcZjr--

From owner-freebsd-security Mon Dec 18 8:16:45 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:16:44 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id DC9AF37B400 for ; Mon, 18 Dec 2000 08:16:42 -0800 (PST)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.5) with ESMTP id TAA05980 for ; Mon, 18 Dec 2000 19:14:08 +0300 (MSK)
Date: Mon, 18 Dec 2000 19:14:09 +0300
From: Vladimir Dubrovin
X-Mailer: The Bat! (v1.47 Halloween Edition)
Reply-To: Vladimir Dubrovin
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <156200781518.20001218191409@sandy.ru>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
In-reply-To: <20001218153619.071BE37B400@hub.freebsd.org>
References: <20001218153619.071BE37B400@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello FreeBSD Security Advisories,

As far as I remember this issue was patched twice - in 1997 and in January 2000. Do I miss something?

18.12.00 18:36, you wrote: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs;

F> 1) Unprivileged local users can gain superuser privileges due to
F> insufficient access control checks on the /proc/<pid>/mem and
F> /proc/<pid>/ctl files, which gives access to a process address space
F> and perform various control operations on the process respectively.
F> The attack proceeds as follows: the attacker can fork() a child
F> process and map the address space of the child in the parent. The
F> child process then exec()s a utility which runs with root or other
F> increased privileges. The parent process incorrectly retains read and
F> write access to the address space of the child process which is now
F> running with increased privileges, and can modify it to execute
F> arbitrary code with those privileges.

-- 
Vladimir Dubrovin
Sandy, ISP Sandy
CCd chief Customers Care dept
http://www.sandy.ru
Nizhny Novgorod, Russia
http://www.security.nnov.ru

From owner-freebsd-security Mon Dec 18 8:21: 5 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:21:00 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 51D9937B698 for ; Mon, 18 Dec 2000 08:20:58 -0800 (PST)
Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id IAA29673; Mon, 18 Dec 2000 08:22:09 -0800
Date: Mon, 18 Dec 2000 08:22:09 -0800
From: Kris Kennaway
To: Vladimir Dubrovin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Message-ID: <20001218082209.C29592@citusc.usc.edu>
References: <20001218153619.071BE37B400@hub.freebsd.org> <156200781518.20001218191409@sandy.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ctP54qlpMx3WjD+/"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <156200781518.20001218191409@sandy.ru>; from vlad@sandy.ru on Mon, Dec 18, 2000 at 07:14:09PM +0300
Sender: kris@citusc.usc.edu
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--ctP54qlpMx3WjD+/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 18, 2000 at 07:14:09PM +0300, Vladimir Dubrovin wrote:
> Hello FreeBSD Security Advisories,
>
> As far as I remember this issue was patched twice - in 1997 and in
> January 2000. Do I miss something?

There have been other vulnerabilities in procfs in the past. There may be others discovered in the future..it's what you might call "risky code".

Kris

--ctP54qlpMx3WjD+/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6PjmvWry0BWjoQKURAqgNAKDnZfCSM7tI2O4viXgQpeEo0HvDQQCg1Aoc
Ytk9EmP3kSVC0t3XnvlfHss=
=R2O4
-----END PGP SIGNATURE-----

--ctP54qlpMx3WjD+/--

From owner-freebsd-security Mon Dec 18 8:31:33 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:31:28 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from rly-ip02.mx.aol.com (rly-ip02.mx.aol.com [152.163.225.160]) by hub.freebsd.org (Postfix) with ESMTP id 1F28337B400 for ; Mon, 18 Dec 2000 08:31:28 -0800 (PST)
Received: from tot-ti.proxy.aol.com (tot-ti.proxy.aol.com [152.163.194.131]) by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id LAA05406 for ; Mon, 18 Dec 2000 11:31:02 -0500 (EST)
Received: from pavilion (AC941CAE.ipt.aol.com [172.148.28.174]) by tot-ti.proxy.aol.com (8.10.0/8.10.0) with SMTP id eBIGV0f22816 for ; Mon, 18 Dec 2000 11:31:00 -0500 (EST)
Message-ID: <007301c0690f$e7ca61c0$0101a8c0@pavilion>
From: "Richard W."
To:
References: <20001218153619.071BE37B400@hub.freebsd.org> <20001218081749.A29592@citusc.usc.edu>
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Date: Mon, 18 Dec 2000 11:30:58 -0500
Organization: http://www.neonsky.net
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-Apparently-From: Nis8840@aol.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

When I 'mount -f -a -t procfs', I keep getting "procfs: -o force: option not supported", any ideas? The system I'm patching on is FreeBSD 4.1.1-STABLE, and I'm following the advisory on patching this; procfs (on this system) is dynamically loaded by KLD, so there shouldn't be a need to reboot.

Thanks for your help.

-- 
Richard W.
rward@webaffinity.net

-- Original Message:
From: Kris Kennaway
To:
Sent: Monday, December 18, 2000 11:17 AM
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs

From owner-freebsd-security Mon Dec 18 8:37:48 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:37:43 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 50A7837B402; Mon, 18 Dec 2000 08:37:43 -0800 (PST)
Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id IAA29895; Mon, 18 Dec 2000 08:39:01 -0800
Date: Mon, 18 Dec 2000 08:39:01 -0800
From: Kris Kennaway
To: developers@FreeBSD.org, security@FreeBSD.org
Subject: New addition to security officer team
Message-ID: <20001218083901.A29833@citusc.usc.edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature";
boundary="BOKacYhQ+x31HxR3" Content-Disposition: inline User-Agent: Mutt/1.2i Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I'd like to welcome Chris Faulhaber to the (now 8 or 9 member strong) security officer team..he's been very helpful for the past few months in writing advisories for me, is active in the FreeBSD Auditing Project, and I hope these welcome trends continue :-) Kris --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6Pj2jWry0BWjoQKURAt3gAKDOzBjhxX7MQZPpj8PBjX811LYwugCfeZAO ZZUz3UUzsdt6Dl7VXxiHcAw= =6XOi -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 8:50:46 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 08:50:42 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id A598A37B400 for ; Mon, 18 Dec 2000 08:50:42 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id IAA30051; Mon, 18 Dec 2000 08:51:59 -0800 Date: Mon, 18 Dec 2000 08:51:59 -0800 From: Kris Kennaway To: "Richard W." 
Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs Message-ID: <20001218085159.A30022@citusc.usc.edu> References: <20001218153619.071BE37B400@hub.freebsd.org> <20001218081749.A29592@citusc.usc.edu> <007301c0690f$e7ca61c0$0101a8c0@pavilion> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <007301c0690f$e7ca61c0$0101a8c0@pavilion>; from rward@webaffinity.net on Mon, Dec 18, 2000 at 11:30:58AM -0500 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --d6Gm4EdcadzBjdND Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable
On Mon, Dec 18, 2000 at 11:30:58AM -0500, Richard W. wrote: > Hello, > When I 'mount -f -a -t procfs', I keep getting "procfs: -o force: > option not supported", any ideas? The system I'm patching on is > FreeBSD 4.1.1-STABLE, and I'm following the advisory on patching > this, procfs (on this system) is dynamically loaded by KLD, so there > shouldn't be a need to reboot.
Probably a typo..try it without the -f.
Kris --d6Gm4EdcadzBjdND Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6PkCuWry0BWjoQKURAiEfAKCc3YB/GybekrnxCdJ2D2tbyemBpwCg7QYz iYd6TjeH9cIbiASHZDRFEQA= =nELX -----END PGP SIGNATURE----- --d6Gm4EdcadzBjdND-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 9:56:10 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 09:56:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id B2B1137B400; Mon, 18 Dec 2000 09:56:07 -0800 (PST) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.1/8.11.1) with ESMTP id eBIHu6l61477; Mon, 18 Dec 2000 12:56:06 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.0.1.4.0.20001218124818.01cf9040@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 18 Dec 2000 12:49:49 -0500 To: Kris Kennaway From: Mike Tancsa Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20001218082209.C29592@citusc.usc.edu> References: <156200781518.20001218191409@sandy.ru> <20001218153619.071BE37B400@hub.freebsd.org> <156200781518.20001218191409@sandy.ru> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:22 AM 12/18/00 -0800, Kris Kennaway wrote: >On Mon, Dec 18, 2000 at 07:14:09PM +0300, Vladimir Dubrovin wrote: > > Hello FreeBSD Security Advisories, > > > > As far as I remember this issue was patched twice - in 1997 and in > > January 2000. Do I miss something? > >There have been other vulnerabilities in procfs in the past. 
There may >be others discovered in the future..it's what you might call "risky >code".
Apart from not mounting it, does mounting it readonly make any difference? proc /proc procfs r 0 0 instead of proc /proc procfs rw 0 0 What does one lose these days on 4.x not mounting it by default?
---Mike
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Dec 18 10: 8:35 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:08:30 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by hub.freebsd.org (Postfix) with ESMTP id D8DFC37B402 for ; Mon, 18 Dec 2000 10:08:26 -0800 (PST) Received: from bmah-freebsd-0.cisco.com (bmah-freebsd-0.cisco.com [171.70.84.42]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id KAA27893; Mon, 18 Dec 2000 10:03:21 -0800 (PST) Received: (from bmah@localhost) by bmah-freebsd-0.cisco.com (8.11.1/8.11.1) id eBII3Ew94725; Mon, 18 Dec 2000 10:03:14 -0800 (PST) (envelope-from bmah) Message-Id: <200012181803.eBII3Ew94725@bmah-freebsd-0.cisco.com> X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 To: Dag-Erling Smorgrav Cc: Roman Shterenzon , Chris Faulhaber , Mikhail Kruk , James Lim , security@FreeBSD.ORG Subject: Re: Security Update Tool.. In-Reply-To: References: Comments: In-reply-to Dag-Erling Smorgrav message dated "16 Dec 2000 18:43:55 +0100." From: "Bruce A.
Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_1333571908P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Mon, 18 Dec 2000 10:03:14 -0800 Sender: bmah@cisco.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --==_Exmh_1333571908P Content-Type: text/plain; charset=us-ascii If memory serves me right, Dag-Erling Smorgrav wrote: > Roman Shterenzon writes: > > pkg_version works with /usr/ports/INDEX which tends to be outdated. > > Porteasy (ports/misc/porteasy) already knows how to: > > 1) update ports/INDEX > 2) make do without it if it already knows the "true" name of the port > 3) update individual ports and their dependencies recursively > 3) obtain the full name and version of ports from their Makefiles When PW commits a very short patch to bsd.port.mk (in his defense, he's been meaning to do this for awhile), pkg_version will work just wonderfully without an installed /usr/ports/INDEX file, querying ports' Makefiles for current version numbers. sobomax and I have been testing this since before BSDCon; the pkg_* code necessary to make this work has been in -CURRENT and -STABLE since before 4.2-RELEASE. To be honest, I haven't seen porteasy, but my feeling about #3 above is that it's really really hard for an automated system to get right all of the time. Cheers, Bruce. 
--==_Exmh_1333571908P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: Exmh version 2.2 06/23/2000 iD8DBQE6PlFi2MoxcVugUsMRAusbAJ4wx/LFDBntnevqN+1pglMPCAAUtgCgjazm X3ZqLRwPKbem1uR01idOQbY= =BHbd -----END PGP SIGNATURE----- --==_Exmh_1333571908P--
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Dec 18 10:12:20 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:12:16 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from srv1.gnintranet.com.br (adsl-nrp10-C8B0FAFB.sao.terra.com.br [200.176.250.251]) by hub.freebsd.org (Postfix) with ESMTP id 6567737B400 for ; Mon, 18 Dec 2000 10:12:14 -0800 (PST) Received: from tec06.gnintranet.com.br ([192.168.8.40]) by srv1.gnintranet.com.br (8.9.3/8.9.3) with SMTP id QAA30724 for ; Mon, 18 Dec 2000 16:14:33 -0200 From: henrique@gruponet.com.br To: Subject: Help Date: Mon, 18 Dec 2000 16:12:19 -0200 Message-ID: <01c0691e$0fce7d60$2808a8c0@tec06.gnintranet.com.br> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00C2_01C0690D.4C45AD60" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ------=_NextPart_000_00C2_01C0690D.4C45AD60 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Mrs, How do you configure ftpd to restrict users' access to other directories? Example: ftp://joao.com.br, if he runs the command cd .., he doesn't have permission to view other directories on this ftp server, and if he runs the command pwd, he sees /, not /home/joao/.
Thanks []'s Henrique
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Dec 18 10:18:51 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:18:49 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2]) by hub.freebsd.org (Postfix) with ESMTP id 4535E37B404 for ; Mon, 18 Dec 2000 10:18:47 -0800 (PST) Received: from ocsinternet.com (fw234.ocsny.com [204.107.76.234]) by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id NAA75888; Mon, 18 Dec 2000 13:18:29 -0500 (EST) Message-ID: <3A3E5439.BA588E08@ocsinternet.com> Date: Mon, 18 Dec 2000 13:15:21 -0500 From: mikel X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I) X-Accept-Language: en MIME-Version: 1.0 To: henrique@gruponet.com.br Cc: freebsd-security@FreeBSD.ORG Subject: Re: Help References: <01c0691e$0fce7d60$2808a8c0@tec06.gnintranet.com.br> Content-Type: multipart/alternative; boundary="------------B73F27E0070F77B32C5EDD0E" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --------------B73F27E0070F77B32C5EDD0E Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit
man ftpd and ftpchroot. Somewhere I have a shell script to aid you in this; if you'd like it let me know...
henrique@gruponet.com.br wrote:
> Mrs, How do you configure ftpd to restrict users' access to other directories? Example: ftp://joao.com.br, if he runs the command cd .., he doesn't have permission to view other directories on this ftp server, and if he runs the command pwd, he sees /, not /home/joao/. Thanks []'s Henrique
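The answer above points at ftpd(8) and ftpchroot(5) but shows no file contents. The following is an added example, not mikel's script and not code from FreeBSD: it cross-checks passwd(5)-style accounts against /etc/ftpusers (the deny list) and /etc/ftpchroot (users confined to their home directory after login) and reports every account that can log in over ftp yet is not chrooted, which is exactly joao's situation. The account lines, the user "maria" and the shell list are constructed sample data; the example models plain usernames only (later ftpd versions also accept @group entries and a per-user chroot directory, which are not handled here), and it assumes, as BSD ftpd does, that an account whose shell is not listed in /etc/shells is refused before any of this matters.

```python
"""Audit which ftp accounts are confined to their home directory.

Files as read by FreeBSD ftpd(8) of this era (see ftpusers(5), ftpchroot(5)):
  /etc/ftpusers  - one username per line; these users are DENIED ftp login
  /etc/ftpchroot - one username per line; these users are chroot(2)'d to
                   their home directory after login, so 'pwd' shows / and
                   'cd ..' cannot leave it
An account in neither file can log in and browse the whole filesystem.
"""


def parse_list(text: str) -> set:
    """Parse a ftpusers/ftpchroot-style file: one name per line, '#' comments
    and blank lines ignored. Only the first word of a line is used."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names


def parse_passwd(text: str) -> dict:
    """Map username -> (uid, home, shell) from passwd(5)-style lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 7:
            accounts[fields[0]] = (int(fields[2]), fields[5], fields[6])
    return accounts


def audit_ftp(passwd: str, ftpusers: str, ftpchroot: str, shells: set) -> dict:
    """Return {user: status} for every account ftpd would consider.

    status values:
      'denied'     - listed in ftpusers, cannot log in
      'chrooted'   - listed in ftpchroot, sees its home directory as /
      'UNCONFINED' - can log in and 'cd ..' out of its home directory
    Accounts whose shell is not in /etc/shells are skipped: ftpd refuses them.
    """
    denied = parse_list(ftpusers)
    chrooted = parse_list(ftpchroot)
    report = {}
    for user, (_uid, _home, shell) in parse_passwd(passwd).items():
        if shell not in shells:
            continue  # ftpd rejects accounts whose shell is not a login shell
        if user in denied:
            report[user] = "denied"
        elif user in chrooted:
            report[user] = "chrooted"
        else:
            report[user] = "UNCONFINED"
    return report


def unconfined_users(report: dict) -> list:
    """Sorted list of accounts that should be added to /etc/ftpchroot."""
    return sorted(u for u, status in report.items() if status == "UNCONFINED")


# Constructed sample data (not from a real system).
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
joao:*:1001:1001:Joao:/home/joao:/bin/sh
maria:*:1002:1002:Maria:/home/maria:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
"""
SHELLS = {"/bin/sh", "/bin/csh"}          # contents of /etc/shells, assumed
FTPUSERS = "root\n"                        # root must never log in over ftp
FTPCHROOT_BEFORE = ""                      # the weak setting: nobody is confined
FTPCHROOT_AFTER = "joao\nmaria\n"          # the fix: confine both ftp users

if __name__ == "__main__":
    for label, chroot_file in (("before", FTPCHROOT_BEFORE), ("after", FTPCHROOT_AFTER)):
        report = audit_ftp(PASSWD, FTPUSERS, chroot_file, SHELLS)
        print(label, report, "unconfined:", unconfined_users(report))
```

With the empty ftpchroot the audit flags joao and maria as UNCONFINED; once both are listed, every ftp-capable account is either denied or chrooted, and the www account never appears because /sbin/nologin is not a login shell.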
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Dec 18 10:37:23 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:37:21 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc2.pa.home.com (ha2.rdc2.pa.home.com [24.12.106.195]) by hub.freebsd.org (Postfix) with ESMTP id C9B9B37B402 for ; Mon, 18 Dec 2000 10:37:20 -0800 (PST) Received: from mail.rdc1.pa.home.com ([24.7.112.46]) by mail.rdc2.pa.home.com (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001218183720.ZPNY9109.mail.rdc2.pa.home.com@mail.rdc1.pa.home.com>; Mon, 18 Dec 2000 10:37:20 -0800 Date: Mon, 18 Dec 2000 13:37:16 +0000 From: Moses Backman III To: Todd Backman Cc: freebsd-security@FreeBSD.ORG Subject: woah Message-ID: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit In-Reply-To: ; from todd@flyingcroc.net on Mon, Dec 18, 2000 at 07:48:55 +0000 X-Mailer: Balsa 1.0.0 Content-Length: 794 Lines: 29 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
On 2000.12.18 07:48:55 +0000 Todd Backman wrote: > > FYI: > > The End of SSL and SSH? > > Yesterday, dsniff 2.3 was released. Why is this important, you ask? > dsniff > 2.3 allows you to exploit several fundamental flaws in two extremely > popular encryption protocols, SSL and SSH. SSL and SSH are used to > protect > a large amount of network traffic, from financial transactions with > online > banks and stock trading sites to network administrator access to secured > hosts holding extremely sensitive data. Could this signal the end of SSH > or SSL?
> > Read the full story here: > http://securityportal.com/cover/coverstory20001218.html > > > - Todd > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 10:44:39 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:44:38 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 3993537B402 for ; Mon, 18 Dec 2000 10:44:37 -0800 (PST) Received: (qmail 12352 invoked by uid 0); 18 Dec 2000 18:44:35 -0000 Received: from p3e9d4513.dip.t-dialin.net (HELO forge.local) (62.157.69.19) by mail.gmx.net (mail10) with SMTP; 18 Dec 2000 18:44:35 -0000 Received: from thomas by forge.local with local (Exim 3.16 #1 (Debian)) id 1485Ep-0000OV-00 for ; Mon, 18 Dec 2000 19:42:19 +0100 Date: Mon, 18 Dec 2000 19:42:19 +0100 To: freebsd-security@freebsd.org Subject: Re: dsniff 2.3 info: Message-ID: <20001218194219.A1481@crow.dom2ip.de> Mail-Followup-To: tmoestl@gmx.net, freebsd-security@freebsd.org References: <20001218110637.D6395@petra.hos.u-szeged.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001218110637.D6395@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Mon, Dec 18, 2000 at 11:06:37AM +0100 From: Thomas Moestl Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 18, 2000 at 11:06:37AM +0100, Szilveszter Adam wrote: > Now let's consider the scenario that the author presents us with. This > involves a man-in-the-middle-attack where the only thing the attacker does > is that she intercepts the messages on the wire and always re-encrypts them > and then passes them on. 
This scenario assumes that the parties have no way > of knowing who the other party is other than what they say they are and > also that they have not been in contact before. This will be most probably > true for SSL transactions, especially if the server's CA is self-signed > but anyway for the user side.
From the dsniff FAQ: Local clients attempting to connect to Hotmail will be sent to your machine instead, where webmitm will present them with a self-signed certificate (with the appropriate X.509v3 distinguished name), and relay their sniffed traffic to the real Hotmail site.
Now, if the site the victim wants to connect to has had a valid certificate, a fat dialog will suddenly pop up on any browser telling the user that the certificate is not trusted (and it did not before). It's just like with ssh: the user _is_ warned; if he chooses to click OK, that's his/her fault. Or am I mistaken here?
- thomas
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Dec 18 10:50: 0 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:49:56 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id EE4A537B400 for ; Mon, 18 Dec 2000 10:49:55 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eBIInsT07975; Mon, 18 Dec 2000 10:49:54 -0800 (PST) Date: Mon, 18 Dec 2000 10:49:54 -0800 From: Alfred Perlstein To: Moses Backman III Cc: Todd Backman , freebsd-security@FreeBSD.ORG, seifried@securityportal.com Subject: Re: woah Message-ID: <20001218104954.B19572@fw.wintelcom.net> References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001218133716.A550@cg22413-a.adubn1.nj.home.com>; from penguinjedi@home.com on
Mon, Dec 18, 2000 at 01:37:16PM +0000 Sender: bright@fw.wintelcom.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Kurt, I was pretty disappointed to see this article. If you tear it down to the base content, the only problem with SSL/SSH is stupid users.
I understand that dsniff is a powerful tool for intercepting network traffic, however it will not be "the end" of SSL and SSH technologies.
If I get "server has changed keys" messages and I'm not certain that it was myself that upgraded ssh or did a clean install, there's no way I'm going to authorize the key exchange.
This is like blaming bullet proof vests for the moron that decided to wear his like a turban. :)
Is there something I'm missing here?
-Alfred
* Moses Backman III [001218 10:37] wrote: > > On 2000.12.18 07:48:55 +0000 Todd Backman wrote: > > > > FYI: > > > > The End of SSL and SSH? > > > > Yesterday, dsniff 2.3 was released. Why is this important, you ask? > > dsniff > > 2.3 allows you to exploit several fundamental flaws in two extremely > > popular encryption protocols, SSL and SSH. SSL and SSH are used to > > protect > > a large amount of network traffic, from financial transactions with > > online > > banks and stock trading sites to network administrator access to secured > > hosts holding extremely sensitive data. Could this signal the end of SSH > > or SSL? > > > > Read the full story here: > > http://securityportal.com/cover/coverstory20001218.html > > > > > > - Todd > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message
-- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk."
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Dec 18 10:58:19 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 10:58:17 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.seifried.org (edtn013433.hs.telusplanet.net [161.184.218.225]) by hub.freebsd.org (Postfix) with ESMTP id 88D8F37B402 for ; Mon, 18 Dec 2000 10:58:13 -0800 (PST) Received: from seifried (unknown [10.3.0.202]) by mail.seifried.org (Postfix) with SMTP id 90E042FC57; Mon, 18 Dec 2000 11:58:27 -0700 (MST) Message-ID: <005a01c06924$77186340$ca00030a@seifried.org> Reply-To: "Kurt Seifried" From: "Kurt Seifried" To: "Alfred Perlstein" , "Moses Backman III" Cc: "Todd Backman" , References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> Subject: Re: woah Date: Mon, 18 Dec 2000 11:58:09 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Stupid question but why did you send this to me and a mailing list, etc?
> Kurt, I was pretty disappointed to see this article. If you tear > it down to the base content, the only problem with SSL/SSH is stupid > users.
And the fact that SSL/SSH rely on said stupid users. Usually the weakest link...
> I understand that dsniff is a powerful tool for intercepting network > traffic, however it will not be "the end" of SSL and SSH technologies.
Well telnet isn't dead either (yet..), but I doubt any security conscious person would advocate using it anymore. SSH/SSL are somewhat better than nothing, but far from perfect.
> If I get "server has changed keys" messages and I'm not certain > that it was myself that upgraded ssh or did a clean install, there's > no way I'm going to authorize the key exchange.
I asked some users, most said they have clicked ok. Also what about connecting to a new server? How do you verify the key, phone the server admin and ask for the fingerprint?
> This is like blaming bullet proof vests for the moron that decided to > wear his like a turban. :)
What is it with stupid gun related examples. It's more like me saying "The end of bullet proof vests - Someone just released a product called "sure headshot (TM)" that gives you pretty much guaranteed head shot, meaning your BPV might be useful for ID'ing the corpse".
> Is there something I'm missing here?
Telnet was just a fine protocol, well until people started releasing sniffers that were dead easy to use. And then things like the HUNT project that let you easily hijack/kill TCP connections (like telnet =). For some reason we don't send cleartext as much anymore, why is that? Perhaps SSH/SSL are not the be-all end-all perfect solution, imagine that.
The main point of the article was to educate users. Like those people that know less than "us", who as a rule tend to believe blindly that SSH and SSL makes things "secure".
> -Alfred Kurt Seifried, seifried@securityportal.com SecurityPortal - your focal point for security on the 'net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 11: 6:50 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 11:06:48 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 67ADA37B400 for ; Mon, 18 Dec 2000 11:06:47 -0800 (PST) Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id UAA25141; Mon, 18 Dec 2000 20:06:45 +0100 (MET) Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 1485cS-0005ze-00 for ; Mon, 18 Dec 2000 20:06:44 +0100 Date: Mon, 18 Dec 2000 20:06:44 +0100 From: Szilveszter Adam To: freebsd-security@freebsd.org Subject: Re: dsniff 2.3 info: Message-ID: <20001218200644.A22374@petra.hos.u-szeged.hu> Mail-Followup-To: Szilveszter Adam , freebsd-security@freebsd.org References: <20001218110637.D6395@petra.hos.u-szeged.hu> <20001218194219.A1481@crow.dom2ip.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001218194219.A1481@crow.dom2ip.de>; from tmoestl@gmx.net on Mon, Dec 18, 2000 at 07:42:19PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 18, 2000 at 07:42:19PM +0100, Thomas Moestl wrote: > On Mon, Dec 18, 2000 at 11:06:37AM +0100, Szilveszter Adam wrote: > > Now let's consider the scenario that the author presents us with. This > > involves a man-in-the-middle-attack where the only thing the attacker does > > is that she intercepts the messages on the wire and always re-encrypts them > > and then passes them on. 
This scenario assumes that the parties have no way > > of knowing who the other party is other than what they say they are and > > also that they have not been in contact before. This will be most probably > > true for SSL transactions, especially if the server's CA is self-signed > > but anyway for the user side. > >From the dsniff FAQ: > Local clients attempting to connect to Hotmail will be sent to your > machine instead, where webmitm will present them with a self-signed > certificate (with the appropriate X.509v3 distinguished name), and relay > their sniffed traffic to the real Hotmail site. > > Now, if the site the victim wants to connect to has had a valid certificate, > a fat dialog will suddenly pop up on any browser telling the user that the > certificate is not trusted (and it did not before). It's just like with > ssh: the user _is_ warned, if he chooses to click OK, that's his/her fault. > Or am I mistaken here?
Entirely correct and in fact I did not say anything else:-) The problem *is* harder to solve however, if this is your first visit to the site (and therefore there is no "previously") and you do not know if you should trust the cert presented. (Which may be self-signed even. There is a mobile phone operator here in Hungary who uses self-signed certs for their secure customer-service area. Of course, all you can do is look at the info there so no great damage potential but still...) and it is *not* common to call any SSL enabled web-site before visiting them... I also noted the exception that you would probably make with your bank but you use SSL a lot more than that... also, trusted certs make things a bit better, but I am not sure how good browsers are in determining certificate alterations and also, I have not yet read up on the way they would treat a CA-chain, that is, on top a CA that all browsers trust (say Verisign) below another, below possibly another but this last one may give out a false certificate (possibly even knowingly...)
for say hotmail.com and then the attacker could use that... and I don't know if you would get a warning dialog in this case... of course, this is not a common scenario but still... also, I don't know if there is a way to turn this warning off in the browser... have not checked... in which case an exploit involving say ActiveX or other scripting... but this is just speculation. (but would be worth researching, possibly...) It all boils down to: S***t may happen but you can do a lot to avoid it, IMO. This makes it "reasonably secure". This is about all we can wish for... (BTW the same conclusion has been reached on misc@openbsd.org today, although they really care about security...) -- Regards: Szilveszter ADAM Szeged University Szeged Hungary To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 11:24: 6 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 11:24:04 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 2612237B400 for ; Mon, 18 Dec 2000 11:24:03 -0800 (PST) Received: from x86w2kl1 - 209.0.249.169 by email.msn.com with Microsoft SMTPSVC; Mon, 18 Dec 2000 11:23:32 -0800 Message-ID: <017a01c06928$9e20ec60$9207c00a@local> From: "John Howie" To: "Kurt Seifried" , "Alfred Perlstein" , "Moses Backman III" Cc: "Todd Backman" , References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> Subject: Re: woah Date: Mon, 18 Dec 2000 11:27:52 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: 
bulk X-Loop: FreeBSD.org
----- Original Message ----- From: "Kurt Seifried" To: "Alfred Perlstein" ; "Moses Backman III" Cc: "Todd Backman" ; Sent: Monday, December 18, 2000 10:58 AM Subject: Re: woah
> Stupid question but why did you send this to me and a mailing list, etc? > > > Kurt, I was pretty disappointed to see this article. If you tear > > it down to the base content, the only problem with SSL/SSH is stupid > > users. > > And the fact that SSL/SSH rely on said stupid users. Usually the weakest link... >
I find the references (here and elsewhere) to stupid users troubling. Most users are inexperienced, not stupid, and are certainly not clued up on security. Their main focus is getting their work done and not knowing what it means when some obscure message pops up that lets them proceed even though they should not.
No, the problem is STUPID PROGRAMMERS. We should write our applications so that users cannot proceed in such circumstances. The only reason that we build applications so that users can proceed is that 99% of the time the reason the keys have changed/the certificate does not match the server is because we have reconfigured our systems thus invalidating (or losing) the keys and certificates and it is perfectly safe to proceed. Maybe I should add STUPID ADMINISTRATORS to the list here.
It is easy to blame one or more of users, programmers, and administrators for weak security but until we have the science perfected we all have to work together.
john...
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 11:26:44 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 11:26:40 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 3F09037B400 for ; Mon, 18 Dec 2000 11:26:40 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eBIJOYi09142; Mon, 18 Dec 2000 11:24:34 -0800 (PST) Date: Mon, 18 Dec 2000 11:24:34 -0800 From: Alfred Perlstein To: Kurt Seifried Cc: Moses Backman III , Todd Backman , freebsd-security@FreeBSD.ORG Subject: Re: woah Message-ID: <20001218112434.C19572@fw.wintelcom.net> References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <005a01c06924$77186340$ca00030a@seifried.org>; from seifried@securityportal.com on Mon, Dec 18, 2000 at 11:58:09AM -0700 Sender: bright@fw.wintelcom.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Kurt Seifried [001218 10:58] wrote: > Stupid question but why did you send this to me and a mailing list, etc? > > > Kurt, I was pretty disappointed to see this article. If you tear > > it down the to base content, the only problem with SSL/SSH is stupid > > users. > > And the fact that SSL/SSH rely on said stupid users. Usually the weakest link... I wouldn't say they rely on stupid users, just that there's so many out there (stupid users) that the odds are that a lot of them are using SSL/SSH. > > I understand that dsniff is a powerful tool for intercepting network > > traffic, however it will not be "the end" of SSL and SSH technologies. 
> > Well telnet isn't dead either (yet..), but I doubt any security > conscious person would advocate using it anymore. SSH/SSL are > somewhat better than nothing, but far from perfect. > > > If I get "server has changed keys" messages and I'm not certain > > that it was myself that upgraded ssh or did a clean install, there's > > no way I'm going to authorize the key exchange. > > I asked some users, most said they have clicked ok. Also what > about connecting to a new server? How do you verify the key, phone > the server admin and ask for the fingerprint?
In a perfect world, you have your admin send you a pgp signed message with the server public key in it. When you initially authenticate, you sure as hell make sure it matches. Not that difficult.
> > This is like blaming bullet proof vests for the moron that decided to > > wear his like a turban. :) > > What is it with stupid gun related examples. It's more like me > saying "The end of bullet proof vests - Someone just released a > product called "sure headshot (TM)" that gives you pretty much > guaranteed head shot, meaning your BPV might be useful for ID'ing > the corpse".
I don't think so, dsniff only allows the interception when the user allows it to happen either by ignorance or carelessness. Sort of like wearing a bullet proof vest as a turban. dsniff can _not_ intercept SSL/SSH when proper security measures are taken.
> > Is there something I'm missing here? > > Telnet was just a fine protocol, well until people started > releasing sniffers that were dead easy to use. And then things like > the HUNT project that let you easily hijack/kill TCP connections > (like telnet =). For some reason we don't send cleartext as much > anymore, why is that? Perhaps SSH/SSL are not the be-all end-all > perfect solution, imagine that. > > The main point of the article was to educate users. Like those > people that know less than "us", who as a rule tend to believe > blindly that SSH and SSL makes things "secure".
If that's true then why not explain in a calm manner how there are
major problems if these tools aren't used carefully, instead of
sensationalizing with a headline "The End of SSL and SSH?" ?

You know how much I love sensationalists, Kurt. I've come down hard
on false reports of vulnerabilities and sensationalistic journalists.

As an upcoming journalist you owe it to the community to be more
objective, educational and levelheaded with your stories.

bye,
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Mon Dec 18 11:33:33 2000
From: "Kurt Seifried"
Reply-To: "Kurt Seifried"
To: "Alfred Perlstein"
Cc: "Moses Backman III" , "Todd Backman" ,
Subject: Re: woah
Date: Mon, 18 Dec 2000 12:33:31 -0700
Message-ID: <007401c06929$68298120$ca00030a@seifried.org>
References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> <20001218112434.C19572@fw.wintelcom.net>

> In a perfect world, you have your admin send you a pgp
> signed
> message with the server public key in it. When you initially
> authenticate, you sure as hell make sure it matches.
>
> Not that difficult.

So you're volunteering to install PGP/GnuPG on 30,000 machines at the
local university, and educate users how to use it? I'm sure Bob Beck
will be happy to hear from you.

This isn't a perfect world and we all know it. That's one reason I
wrote this article.

> > > This is like blaming bullet proof vests for the moron that decided to
> > > wear his like a turban. :)
> >
> > What is it with stupid gun related examples. It's more like me
> > saying "The end of bullet proof vests - Someone just released a
> > product called "sure headshot (TM)" that gives you pretty much
> > guaranteed head shot, meaning your BPV might be useful for ID'ing
> > the corpse".
>
> I don't think so, dsniff only allows the interception when the user
> allows it to happen either by ignorance or carelessness. Sort of
> like wearing a bullet proof vest as a turban.

Argh. I give up.

> dsniff can _not_ intercept SSL/SSH when proper security measures
> are taken.

And how many people take those proper measures. Well maybe after
reading this article some more will. If you got a better way to
educate people I'm open to suggestions.

> If that's true then why not explain in a calm manner how there are
> major problems if these tools aren't used carefully, instead of
> sensationalizing with a headline "The End of SSL and SSH?" ?
>
> You know how much I love sensationalists, Kurt. I've come down
> hard on false reports of vulnerabilities and sensationalistic
> journalists.
>
> As an upcoming journalist you owe it to the community to be more
> objective, educational and levelheaded with your stories.

Please tell me about the factual errors/etc. As for the headline I
didn't think it was sensationalistic, I think it's an honest question.
SSL/SSH are far from perfect, I think we're far beyond the point where
we should be looking for replacements (let's not pull a telnet here...).

> bye,

-Kurt

From owner-freebsd-security Mon Dec 18 11:35:51 2000
From: Brett Glass
To: Moses Backman III , Todd Backman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: woah
Date: Mon, 18 Dec 2000 12:35:11 -0700
Message-Id: <4.3.2.7.2.20001218123004.04888760@localhost>
In-Reply-To: <20001218133716.A550@cg22413-a.adubn1.nj.home.com>

All the author is saying is what has long been known: that
Diffie-Hellman key exchange is subject to "man in the middle" attacks.
There are several catches, though. First of all, the man needs to find
a way to get into the middle in the first place. On the Internet, this
isn't easy. Second, he needs to STAY there or the parties will find
out that he was there. Third, he can't do much if there's a
backchannel or a trusted third party through which the parties can
verify each other's identities.
--Brett

At 06:37 AM 12/18/2000, Moses Backman III wrote:
>> Read the full story here:
>> http://securityportal.com/cover/coverstory20001218.html

From owner-freebsd-security Mon Dec 18 11:38:37 2000
From: henrique@gruponet.com.br
Subject: ftpd
Date: Mon, 18 Dec 2000 17:37:57 -0200
Message-ID: <01c0692a$06437140$2808a8c0@tec06.gnintranet.com.br>

Mrs,

How do you configure ftpd to restrict users' access to other
directories? Example: ftp://joao.com.br; if he runs the command cd ..,
he doesn't have permission to view other directories on this ftp
server, and if he runs the command pwd, he sees /, not /home/joao/.
I have the file ftpchroot, but nothing else matters.

Thanks

[]'s
Henrique
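What confining a login this way involves on FreeBSD, as an added example that is not code from the thread: ftpd(8) chroots every user listed in /etc/ftpchroot to that user's home directory, which is why a confined user's pwd shows / and cd .. goes nowhere. The helpers below add a name to such a file only once and cross-check each listed name against a passwd-format file. The file paths, account names and directories are constructed for the demonstration and stand in for /etc/ftpchroot and /etc/passwd; only the one-name-per-line form of the file is handled.

```shell
#!/bin/sh
# Added example (not the thread's or Mikel's script).  FreeBSD's ftpd(8)
# confines every login listed in /etc/ftpchroot to its home directory, so a
# chrooted user sees "/" from pwd and cannot cd above it.  These helpers take
# the ftpchroot file and a passwd-format file as parameters so they can be
# exercised on scratch copies; on a real host they would be /etc/ftpchroot
# and /etc/passwd.  Only the one-name-per-line form is handled.

# ftpchroot_has FILE USER -> exit 0 if USER is already listed
ftpchroot_has() {
    awk -v user="$2" '$1 == user { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# ftpchroot_add FILE USER -> append USER once; prints "added" or "already-listed"
ftpchroot_add() {
    if ftpchroot_has "$1" "$2"; then
        echo already-listed
    else
        printf '%s\n' "$2" >> "$1"
        echo added
    fi
}

# ftpchroot_report FILE PASSWD -> one line per listed user saying where ftpd
# will chroot them, or why the entry is broken:
#   joao chroot=/home/joao         account exists and the directory is there
#   maria NO-SUCH-DIR:/home/maria  account exists, home directory missing
#   ghost MISSING-IN-PASSWD        name listed but no such account
# (the passwd file is read first; it must be non-empty for the FNR==NR trick)
ftpchroot_report() {
    awk -F: 'FNR == NR { home[$1] = $6; next }
             { split($0, f, " "); u = f[1]
               if (u == "" || u ~ /^#/) next
               h = (u in home) ? home[u] : "MISSING-IN-PASSWD"
               print u, h }' "$2" "$1" |
    while read -r user dir; do
        if [ "$dir" = MISSING-IN-PASSWD ]; then
            echo "$user MISSING-IN-PASSWD"
        elif [ ! -d "$dir" ]; then
            echo "$user NO-SUCH-DIR:$dir"
        else
            echo "$user chroot=$dir"
        fi
    done
}

# Demonstration on constructed data in a scratch directory (not /etc).
demo=$(mktemp -d)
mkdir -p "$demo/home/joao"
printf 'joao:*:1001:1001:Joao:%s/home/joao:/bin/sh\n' "$demo" >  "$demo/passwd"
printf 'maria:*:1002:1002:Maria:%s/home/maria:/bin/sh\n' "$demo" >> "$demo/passwd"
printf '# constructed ftpchroot\nmaria\nghost\n' > "$demo/ftpchroot"

echo "add joao:  $(ftpchroot_add "$demo/ftpchroot" joao)"   # added
echo "add again: $(ftpchroot_add "$demo/ftpchroot" joao)"   # already-listed
ftpchroot_report "$demo/ftpchroot" "$demo/passwd"
rm -rf "$demo"
```

On a live system the report is the check worth running after editing the file: a listing for an account that does not exist, or whose home directory is missing, does nothing useful and is better caught before a user runs into it.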
From owner-freebsd-security Mon Dec 18 11:41:52 2000
From: Garance A Drosihn
To: Alfred Perlstein , Kurt Seifried
Cc: Moses Backman III , Todd Backman , freebsd-security@FreeBSD.ORG
Subject: Re: woah
Date: Mon, 18 Dec 2000 14:41:35 -0500
In-Reply-To: <20001218112434.C19572@fw.wintelcom.net>

At 11:24 AM -0800 12/18/00, Alfred Perlstein wrote:
>In a perfect world, you have your admin send you a pgp signed
>message with the server public key in it. When you initially
>authenticate, you sure as hell make sure it matches.
>
>Not that difficult.

Not for those of you living in a perfect world. In our (RPI) world,
we have a few thousand users, most of whom are not doing anything
with PGP. Most of them do not really understand that warning
message, and the situation is not helped because we (the
administrators of a few hundred unix machines) do not do a good job
of keeping the ssh host-key constant.

Some of these issues are just tough to deal with in an imperfect
world...
--
Garance Alistair Drosehn          =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security Mon Dec 18 11:48:20 2000
From: "John Howie"
To: "Kurt Seifried"
Cc:
Subject: Re: woah
Date: Mon, 18 Dec 2000 11:52:37 -0800
Message-ID: <019301c0692c$12f7c880$9207c00a@local>
References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> <017a01c06928$9e20ec60$9207c00a@local> <007a01c0692a$06e83cc0$ca00030a@seifried.org>

----- Original Message -----
From: "Kurt Seifried"
To: "John Howie"
Sent: Monday, December 18, 2000 11:37 AM
Subject: Re: woah

> > You're 100% correct and I just might write an article about this
> > (whooo, can we say flambe).
> I'll co-author with you if you like! :-)
>
> > And that's why I wrote this article. Seems to have achieved its
> > purpose (educate some, make others think, etc) but OTOH it seems
> > some people are quite set, pity.
> As far as I am concerned ANY article about security should be
> considered on its merits objectively, and not based on bias and
> prejudice for individual OSes or derisement of end-users.

Keep on writing.

john...

From owner-freebsd-security Mon Dec 18 11:59:55 2000
From: Mikhail Kruk
To:
Cc: Todd Backman ,
Subject: Re: dsniff 2.3 info:
Date: Mon, 18 Dec 2000 14:59:42 -0500 (EST)
In-Reply-To: <20001218011320.X96105@149.211.6.64.reflexcom.com>

> SSH is already fixed. Earlier in the text,
>
>   SSH simply uses a secret and public key, and since they are
>   generally not signed, it is trivial for an attacker to sit in the
>   middle and intercept the connection... If you do have the server's
>   public key, you will generally receive a warning like "Warning:
>   server's key has changed. Continue?" Most users will hit Yes.
>
> No, this is not accurate in my experience. Most clients will not let
> you use a server when the key does not match unless you manually
> remove the old key from the key list. Most clients at least have BIG
> FLASHY MESSAGES telling the user that a changed key means someone
> might be doing something Very Naughty, not just a simple, "Warning:
> server's key has changed. Continue?"
> For example, OpenSSH will say,

In my experience due to bad administrators who screw up ssh
installations those keys change after every OS upgrade and users get
used to answering "yes" to this question. When I see this message
while connecting to one of our university's systems I usually think
"they fucked up again", not "wow it's a hacker!"

From owner-freebsd-security Mon Dec 18 12:25:26 2000
From: Alfred Perlstein
To: Kurt Seifried
Cc: Moses Backman III , Todd Backman , freebsd-security@FreeBSD.ORG
Subject: Re: woah
Date: Mon, 18 Dec 2000 12:25:20 -0800
Message-ID: <20001218122520.E19572@fw.wintelcom.net>
In-Reply-To: <007401c06929$68298120$ca00030a@seifried.org>

* Kurt Seifried [001218 11:33] wrote:
> > In a perfect world, you have your admin send you a pgp signed
> > message with the server public key in it. When you initially
> > authenticate, you sure as hell make sure it matches.
> >
> > Not that difficult.
>
> So you're volunteering to install PGP/GnuPG on 30,000 machines at
> the local university, and educate users how to use it? I'm sure
> Bob Beck will be happy to hear from you.

Depends on how happy he is with my price.

> This isn't a perfect world and we all know it. That's one reason
> I wrote this article.

I completely agree with you about things being imperfect, however an
imperfect world doesn't spell "The End of SSL and SSH". What the
world needs is informative articles written by talented people such
as yourself that educate, not strike fear into the hearts of
administrators and business owners.

As your article stands it really doesn't offer any solutions to the
problems such as distributing the server keys with pgp signatures.

And that's all I have to say. :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Mon Dec 18 13:43:19 2000
From: mikel
To: mdickerson@officeonweb.net
Cc: freebsd-security@freebsd.org
Subject: Re: Help
Date: Mon, 18 Dec 2000 16:40:12 -0500
Message-ID: <3A3E843C.58D0B981@ocsinternet.com>
References: <01c0691e$0fce7d60$2808a8c0@tec06.gnintranet.com.br> <3.0.6.32.20001218124941.00a4a700@officeonweb.net>
Mike,

Sure it's not much but it works. I'll probably add some routines later
that parse /etc/ftpchroot to check and see if the userid is already
there but that wasn't the main concern when I wrote this. It was
really motivated by me having to do this a couple times a week. If you
like and find it useful then please let me know, I really have to jump
through a few hoops to get it up on the company site.

http://www.ocsny.com/main/index.ocs?url=ftpchroot

Cheers,
Mikel

mdickerson@officeonweb.net wrote:
> Mike,
>
> I'd love to see that script (if you would please email me a copy).
>
> Thanks,
>
> mike
>
> At 01:15 PM 12/18/00 -0500, you wrote:
> > man ftpd and ftpchroot. Somewhere I have a shell script to aid you in
> > this if you'd like it let me know... henrique@gruponet.com.br wrote: Mrs,
> > How do you configure ftpd to restrict users' access to other
> > directories? Example: ftp://joao.com.br; if he runs the command cd .., he
> > doesn't have permission to view other directories on this ftp server, and if
> > he runs the command pwd, he sees /, not /home/joao/.
> > Thanks []'s Henrique
> >

From owner-freebsd-security Mon Dec 18 13:55:10 2000
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Mikhail Kruk
Cc: Todd Backman , freebsd-security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Date: Mon, 18 Dec 2000 13:55:00 -0800
Message-ID: <20001218135500.A18762@rfx-64-6-211-149.users.reflexco>
References: <20001218011320.X96105@149.211.6.64.reflexcom.com>

On Mon, Dec 18, 2000 at 02:59:42PM -0500, Mikhail Kruk wrote:
> > SSH is already fixed. Earlier in the text,
> >
> >   SSH simply uses a secret and public key, and since they are
> >   generally not signed, it is trivial for an attacker to sit in the
> >   middle and intercept the connection... If you do have the server's
> >   public key, you will generally receive a warning like "Warning:
> >   server's key has changed. Continue?" Most users will hit Yes.
> >
> > No, this is not accurate in my experience.
> > Most clients will not let
> > you use a server when the key does not match unless you manually
> > remove the old key from the key list. Most clients at least have BIG
> > FLASHY MESSAGES telling the user that a changed key means someone
> > might be doing something Very Naughty, not just a simple, "Warning:
> > server's key has changed. Continue?" For example, OpenSSH will say,
>
> In my experience due to bad administrators who screw up ssh installations
> those keys change after every OS upgrade and users get used to answering
> "yes" to this question. When I see this message while connecting to one
> of our university's systems I usually think "they fucked up again", not
> "wow it's a hacker!"

If that is the case, bad administration, the servers themselves are
probably easier targets than going through the trouble of hijacking
an SSH session. It sounds like you should be not trusting the remote
server too much in the first place.

Any protocol will be vulnerable to attack via inept administrators or
users. I don't think there is any way to fix that other than make
things as easy to use and understand as possible. Unfortunately, there
are always those for which it is never simple and easy enough. Make
anything idiot-proof and some ingenuous idiot will still find a way.
It's a corollary to Murphy's.
--
Crist J. Clark                                cjclark@alum.mit.edu
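The two checks this thread keeps circling back to, written out as an added example that is not code from any of the posters: compare the key a server presents with the copy the administrator distributed out of band (Alfred's PGP-signed mail), and treat a known_hosts mismatch as a reason to stop rather than a prompt to answer "yes" to. The host names, file names and key strings below are constructed for the demonstration and are not real key material; the known_hosts format handled is the plain unhashed one.

```shell
#!/bin/sh
# Added example (not code from the thread).  Implements the two checks the
# discussion turns on: is the host key the server just presented the one the
# admin distributed out of band (e.g. in a PGP-signed mail), and does it agree
# with what known_hosts already records for that host?  Inputs are files with
# one OpenSSH public-key line ("keytype base64-blob [comment]") and a
# known_hosts file in the plain "host[,host...] keytype base64-blob" form;
# hashed (|1|...) entries and @cert-authority/@revoked markers are not handled.

# normalise_key FILE -> "keytype blob" from the first non-comment line
normalise_key() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$1"
}

# presented_matches_distributed PRESENTED DISTRIBUTED -> exit 0 only when the
# key the server offered is exactly the key the administrator published
presented_matches_distributed() {
    [ -n "$(normalise_key "$1")" ] &&
    [ "$(normalise_key "$1")" = "$(normalise_key "$2")" ]
}

# known_hosts_status KNOWN_HOSTS HOST PRESENTED -> prints
#   unknown   no entry for HOST with this key type (first contact)
#   match     entry present and identical
#   mismatch  entry present but different ("host key has changed")
known_hosts_status() {
    key=$(normalise_key "$3")
    keytype=${key%% *}
    blob=${key#* }
    awk -v host="$2" -v keytype="$keytype" -v blob="$blob" '
        $1 ~ /^#/ || NF < 3 || $2 != keytype { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { found = 1; if ($3 == blob) ok = 1 }
        }
        END { s = ok ? "match" : (found ? "mismatch" : "unknown"); print s }
    ' "$1"
}

# host_key_decision KNOWN_HOSTS HOST PRESENTED DISTRIBUTED -> accept|refuse
# Policy: a changed key is never accepted by answering "yes"; a first contact
# is accepted only if the presented key equals the out-of-band copy.
host_key_decision() {
    case $(known_hosts_status "$1" "$2" "$3") in
        match)    echo accept ;;
        mismatch) echo refuse ;;
        *)
            if presented_matches_distributed "$3" "$4"; then
                echo accept
            else
                echo refuse
            fi ;;
    esac
}

# Demonstration on constructed keys (not real key material) in a scratch dir.
demo=$(mktemp -d)
good='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyPublishedByAdmin0000'
bad='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyFromAnInterceptor000'
printf '%s admin@server\n' "$good" > "$demo/distributed.pub"
printf '%s\n' "$good"              > "$demo/presented.pub"
printf '%s\n' "$bad"               > "$demo/bogus.pub"
printf '# constructed known_hosts\nserver.example.org,10.0.0.5 %s\n' "$good" > "$demo/known_hosts"

echo "known host, same key:        $(host_key_decision "$demo/known_hosts" server.example.org "$demo/presented.pub" "$demo/distributed.pub")"
echo "known host, changed key:     $(host_key_decision "$demo/known_hosts" server.example.org "$demo/bogus.pub" "$demo/distributed.pub")"
echo "new host, key as published:  $(host_key_decision "$demo/known_hosts" new.example.org "$demo/presented.pub" "$demo/distributed.pub")"
echo "new host, key not published: $(host_key_decision "$demo/known_hosts" new.example.org "$demo/bogus.pub" "$demo/distributed.pub")"
rm -rf "$demo"
```

If what the administrator sent is a fingerprint rather than the key itself, `ssh-keygen -l -f presented.pub` prints the fingerprint of a saved key line for the same comparison. OpenSSH's `StrictHostKeyChecking yes` client setting is the built-in way to get the refuse branch for both a changed key and an unverified first contact, at the cost of making the out-of-band step mandatory.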
From owner-freebsd-security Mon Dec 18 15:38:13 2000
From: Tomasz Paszkowski
To: freebsd-security@freebsd.org
Subject: procfs
Date: Tue, 19 Dec 2000 00:37:38 +0100
Message-ID: <20001219003737.C2567@genesis.k.pl>

Can somebody tell me why FreeBSD is not creating dirs and files on
procfs to be accessible only by the owner? I looked into the source
and I changed default permissions to more restricted. Are there any
disadvantages of this solution, and if not can this be included in
FreeBSD project?
--
Tomasz Paszkowski === IPv4://3575244866 === IPNg://3ffe:8010:59::2 === ( 2B | ~ 2B ) == FF

From owner-freebsd-security Mon Dec 18 15:46:04 2000
From: JImmy Mejia
To: Tomasz Paszkowski
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: procfs
Date: Mon, 18 Dec 2000 15:44:47 -0800 (PST)
In-Reply-To: <20001219003737.C2567@genesis.k.pl>

On Tue, 19 Dec 2000, Tomasz Paszkowski wrote:
>
> Can somebody tell me why FreeBSD is not creating dirs and files on procfs
> to be accessible only by the owner? I looked into the source and I changed
> default permissions to more restricted. Are there any disadvantages of
> this solution, and if not can this be included in FreeBSD project?
>

My God, how did you do it? I really do not understand what you mean.
JImmy

From owner-freebsd-security Mon Dec 18 15:58:58 2000
From: Tomasz Paszkowski
To: JImmy Mejia
Cc: freebsd-security@freebsd.org
Subject: Re: procfs
Date: Tue, 19 Dec 2000 00:57:59 +0100
Message-ID: <20001219005756.A25653@genesis.k.pl>
References: <20001219003737.C2567@genesis.k.pl>

On Mon, Dec 18, 2000 at 03:44:47PM -0800, JImmy Mejia wrote:
>

I was asking why everyone can access entries on procfs which belong
to processes of other users.
--
Tomasz Paszkowski === IPv4://3575244866 === IPNg://3ffe:8010:59::2 === ( 2B | ~ 2B ) == FF

From owner-freebsd-security Mon Dec 18 16:14:11 2000
From: Pete Fritchman
To: Tomasz Paszkowski
Cc: freebsd-security@freebsd.org
Subject: Re: procfs
Date: Mon, 18 Dec 2000 19:13:44 -0500
Message-ID: <20001218191344.B5569@databits.net>
In-Reply-To: <20001219005756.A25653@genesis.k.pl>

++ 19/12/00 00:57 +0100 - Tomasz Paszkowski:
>
>I was asking why everyone can access entries on procfs, which belong
>to processes of other users ?
>

from the procfs(5) manpage:

     The process file system, or procfs, implements a view of the system
     process table inside the file system.  It is normally mounted on /proc,
     and is required for the complete operation of programs such as ps(1)
     and w(1).

Certain entries are readable by everyone and these show up in the output
of commands such as ps(1). Certain entries in /proc// are not readable
by the world because they may contain sensitive data (such as mem, etc).
-pete

From owner-freebsd-security Mon Dec 18 16:34:42 2000
From: Tomasz Paszkowski
To: Pete Fritchman
Cc: freebsd-security@freebsd.org
Subject: Re: procfs
Date: Tue, 19 Dec 2000 01:31:04 +0100
Message-ID: <20001219013104.A59523@genesis.k.pl>
In-Reply-To: <20001218191344.B5569@databits.net>

On Mon, Dec 18, 2000 at 07:13:44PM -0500, Pete Fritchman wrote:

But by using the kern.ps_showallprocs MIB you can limit information
about the process table to those entries which are owned by the
caller pid. Why can't it be done with procfs?
--
Tomasz Paszkowski === IPv4://3575244866 === IPNg://3ffe:8010:59::2 === ( 2B | ~ 2B ) == FF

From owner-freebsd-security Mon Dec 18 16:51:26 2000
From: Jason DiCioccio
To: 'Tomasz Paszkowski' , Pete Fritchman
Cc: freebsd-security@freebsd.org
Subject: RE: procfs
Date: Mon, 18 Dec 2000 16:51:21 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA024337@goofy.epylon.lan>

It is in 5.0, procfs is restricted via that MIB.. It was probably
considered too radical a change for the 4.x branch.
Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

-----Original Message-----
From: Tomasz Paszkowski [mailto:ns88@k.pl]
Sent: Monday, December 18, 2000 4:31 PM
To: Pete Fritchman
Cc: freebsd-security@freebsd.org
Subject: Re: procfs

On Mon, Dec 18, 2000 at 07:13:44PM -0500, Pete Fritchman wrote:

But by using the kern.ps_showallprocs MIB you can limit information
about the process table to those entries which are owned by the
caller pid. Why can't it be done with procfs?

--
Tomasz Paszkowski === IPv4://3575244866 === IPNg://3ffe:8010:59::2 === ( 2B | ~ 2B ) == FF

From owner-freebsd-security Mon Dec 18 17:32:06 2000
owner-freebsd-security@FreeBSD.ORG Mon Dec 18 17:32:04 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (mail.dobox.com [208.187.122.44]) by hub.freebsd.org (Postfix) with ESMTP id A04A137B400 for ; Mon, 18 Dec 2000 17:32:03 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 148BhH-00007j-00; Mon, 18 Dec 2000 18:36:07 -0700 Sender: wes@FreeBSD.ORG Message-ID: <3A3EBB86.3F1AD9EC@softweyr.com> Date: Mon, 18 Dec 2000 18:36:06 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: David Talkington Cc: freebsd-security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David Talkington wrote: > > Crist J. Clark wrote: > > >SSH is already fixed. Earlier in the text, > > > > SSH simply uses a secret and public key, and since they are > > generally not signed, it is trivial for an attacker to sit in the > > middle and intercept the connection... If you do have the server's > > public key, you will generally receive a warning like "Warning: > > server's key has changed. Continue?" Most users will hit Yes. > > > >No, this is not accurate in my experience. Most clients will not let > >you use a server when the key does not match unless you manually > >remove the old key from the key list. Most clients at least have BIG > >FLASHY MESSAGES telling the user that a changed key means someone > >might be doing something Very Naughty, not just a simple, "Warning: > >server's key has changed. Continue?" > > SSH Communications clients (at least for Unix), both protocols, will > allow the user to accept a new key with just a keystroke. 
My > experience suggests that most users won't even bat an eye at the > "SOMETHING NASTY MIGHT BE HAPPENING" message; they'll just hit "y" and > go on with their days. Maybe the result of learning to reflexively > dismiss Microsoft's "Are you sure?"s ... > > *sigh* indeed for social engineering. We can debug code, but not > humans. Sounds like it's time for: Warning: the security credentials for this server have changed. Enter any 11-digit prime number to continue: ___________ -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 17:42:13 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 17:42:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from tiku.hut.fi (tiku.hut.fi [130.233.228.86]) by hub.freebsd.org (Postfix) with ESMTP id 4429137B400 for ; Mon, 18 Dec 2000 17:42:07 -0800 (PST) Received: from ksylofoni.hut.fi (eetelavu@ksylofoni.hut.fi [130.233.249.43]) by tiku.hut.fi (8.9.3/8.9.3) with ESMTP id DAA06440 for ; Tue, 19 Dec 2000 03:42:05 +0200 (EET) Received: (from eetelavu@localhost) by ksylofoni.hut.fi (8.9.3/8.9.3) id DAA29082 for security@FreeBSD.ORG; Tue, 19 Dec 2000 03:42:05 +0200 (EET) Date: Tue, 19 Dec 2000 03:42:05 +0200 From: Esa Etelavuori To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs Message-ID: <20001219034205.A29042@ksylofoni.hut.fi> References: <20001218153619.071BE37B400@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <20001218153619.071BE37B400@hub.freebsd.org>; from security-advisories@FreeBSD.ORG on Mon, Dec 18, 2000 at 07:36:19AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- > Topic: 
Several vulnerabilities in procfs > Announced: 2000-12-18 > Affects: Problem #1: FreeBSD 4.x prior to the correction date. > FreeBSD 3.x is unaffected. ... except for procfs/ctl > Problem #2, #3: FreeBSD 4.x and 3.x prior to the correction > date. > Corrected: 2000-12-16 (FreeBSD 4.2-STABLE) > 2000-12-18 (FreeBSD 3.5.1-STABLE) Looks fine but the story is quite unfortunate. I heard afterwards from Frank van Vliet that they notified security-officer@freebsd.org about procfs/mem problems on October 25. I mailed the FreeBSD team about the procfs/status buffer overflow on October 27. I quickly got confirmation emails, but a public announcement seemed to take ages although fixes had been committed to -current in two weeks. I asked about the status and agreed that it would be ok for me to wait for the advisory until the soon coming release of 4.2. After 4.2 had been released I got a draft advisory, checked the fixes and noticed that the procfs/ctl fix was missing. I emailed about it on November 25. Looking at the CVS repository it seems that procfs/ctl had been broken in FreeBSD since procfs was implemented. It was corrected in OpenBSD in 1996 and in NetBSD in 1997. Procfs/{mem,regs} had been corrected in 1997 (mem was still otherwise broken until early 2000), but the CHECKIO() checks were incorrectly replaced about a year ago. Afterwards it seems like a mistake to wait for over 7 weeks when partial fixes had been on the public CVS for most of the time. Now I wonder how many of the "bad guys" actually scan for those changes; apparently one could get at least several days' advantage with many open source projects. CVS changes/notes can be very revealing for automated scanners, and there probably have been other silent "minor" fixes in addition to netgraph(3) loading kernel modules regardless of the securelevel on <4.1 (pointed out to me by Pascal Bouchareine). 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (DreamOS) Comment: http://www.iki.fi/ee/08C1E33D.asc iQCVAwUBOj68r1ZDrCkIweM9AQGuwQP9HPfsTi0BFe6V237BaFUfOMI9CLfdEqNv ojK4CGCrXZlc6FjOTAiO8BehQPnKm18dV1zePIiYFqoUTfSwNgNC428sMa5SayIX aHBkxwe/+arBaoxhd1BGtxdrnjT59ud3wqQiew2W3irX9KE4JQRyO//Zpcopt5m4 Pa9GRcdieTQ= =+XaS -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 18:11: 3 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 18:11:00 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id B653B37B400; Mon, 18 Dec 2000 18:11:00 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id SAA02657; Mon, 18 Dec 2000 18:12:16 -0800 Date: Mon, 18 Dec 2000 18:12:16 -0800 From: Kris Kennaway To: Mike Tancsa Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs Message-ID: <20001218181216.A2629@citusc.usc.edu> References: <156200781518.20001218191409@sandy.ru> <20001218153619.071BE37B400@hub.freebsd.org> <156200781518.20001218191409@sandy.ru> <20001218082209.C29592@citusc.usc.edu> <5.0.1.4.0.20001218124818.01cf9040@marble.sentex.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <5.0.1.4.0.20001218124818.01cf9040@marble.sentex.ca>; from mike@sentex.net on Mon, Dec 18, 2000 at 12:49:49PM -0500 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Dec 18, 2000 at 12:49:49PM -0500, Mike Tancsa wrote: > At 08:22 AM 
12/18/00 -0800, Kris Kennaway wrote: > >On Mon, Dec 18, 2000 at 07:14:09PM +0300, Vladimir Dubrovin wrote: > > > Hello FreeBSD Security Advisories, > > > > > > As far as I remember this issue was patched twice - in 1997 and in > > > January 2000. Do I miss something? > > > >There have been other vulnerabilities in procfs in the past. There may > >be others discovered in the future..it's what you might call "risky > >code". > > Apart from not mounting it, does mounting it readonly make any difference? > proc /proc procfs r 0 0 > instead of > proc /proc procfs rw 0 0 Probably not. > What does one lose these days on 4.x not mounting it by default? Not sure either. Kris --tThc/1wpZn/ma/RB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6PsQAWry0BWjoQKURAgGTAJ9XcKe+NUmFhUwymreKAwwQ012J2QCgqh1d tzBDLnkZj3ZWUc3N4Q2R0fA= =jBjJ -----END PGP SIGNATURE----- --tThc/1wpZn/ma/RB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 18:30:51 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 18:30:48 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from icarus.cs.brandeis.edu (icarus.cs.brandeis.edu [129.64.3.180]) by hub.freebsd.org (Postfix) with ESMTP id 60F4637B400; Mon, 18 Dec 2000 18:30:48 -0800 (PST) Received: from localhost (meshko@localhost) by icarus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id VAA25556; Mon, 18 Dec 2000 21:30:47 -0500 Date: Mon, 18 Dec 2000 21:30:47 -0500 (EST) From: Mikhail Kruk To: Kris Kennaway Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs In-Reply-To: <20001218181216.A2629@citusc.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: meshko@icarus.cs.brandeis.edu Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > >There have been other vulnerabilities in procfs in the past. There may > > >be others discovered in the future..it's what you might call "risky > > >code". > > > > Apart from not mounting it, does mounting it readonly make any difference? > > proc /proc procfs r 0 0 > > instead of > > proc /proc procfs rw 0 0 > > Probably not. > > > What does one lose these days on 4.x not mounting it by default? > > Not sure either. I've been running with my procfs unmounted ever since you mentioned problems with it (btw I think you should have done it right after it surfaced, but maybe I'm missing something). Everything seems to work just fine (including ps and who to the extent I'm using them). The only problem I've had so far is that Star Office core dumps. I wonder what the real disadvantages of not having procfs are... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 18:37:28 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 18:37:26 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 2A77937B402 for ; Mon, 18 Dec 2000 18:37:26 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id SAA02857; Mon, 18 Dec 2000 18:38:36 -0800 Date: Mon, 18 Dec 2000 18:38:36 -0800 From: Kris Kennaway To: Moses Backman III Cc: Todd Backman , freebsd-security@FreeBSD.ORG Subject: Re: woah Message-ID: <20001218183836.D2629@citusc.usc.edu> References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="a2FkP9tdjPU2nyhF" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001218133716.A550@cg22413-a.adubn1.nj.home.com>; from penguinjedi@home.com on Mon, Dec 
18, 2000 at 01:37:16PM +0000 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --a2FkP9tdjPU2nyhF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Dec 18, 2000 at 01:37:16PM +0000, Moses Backman III wrote: >=20 Don't Panic. Kris --a2FkP9tdjPU2nyhF Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6PsosWry0BWjoQKURAl87AKC5raWm5hWrBquix3S0uGIAzhF3BQCeOUfW yW2dNiFFxtycf4wvm7LC5cY= =JRDz -----END PGP SIGNATURE----- --a2FkP9tdjPU2nyhF-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 19: 0:59 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 19:00:56 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id A84FD37B402 for ; Mon, 18 Dec 2000 19:00:55 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id TAA03000; Mon, 18 Dec 2000 19:02:10 -0800 Date: Mon, 18 Dec 2000 19:02:10 -0800 From: Kris Kennaway To: Esa Etelavuori Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs Message-ID: <20001218190210.E2629@citusc.usc.edu> References: <20001218153619.071BE37B400@hub.freebsd.org> <20001219034205.A29042@ksylofoni.hut.fi> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="JBi0ZxuS5uaEhkUZ" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001219034205.A29042@ksylofoni.hut.fi>; from eetelavu@cc.hut.fi on Tue, Dec 19, 2000 at 03:42:05AM +0200 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
--JBi0ZxuS5uaEhkUZ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Dec 19, 2000 at 03:42:05AM +0200, Esa Etelavuori wrote: > Looks fine but the story is quite unfortunate. I heard afterwards > from Frank van Vliet that they notified security-officer@freebsd.org about > procfs/mem problems on October 25. I mailed the FreeBSD team about the > procfs/status buffer overflow on October 27. I have already explained the reasons for the delays in releasing the advisory, but let me go over some of them again: * procfs does not have an active maintainer in FreeBSD, meaning it was difficult to find reviewers for some of the patches, especially because of significant API changes between the various branches. From our point of view this was a very difficult problem to get fixed. * As far as I can tell the ctl problem was only pointed out to us after we'd fixed all of the other ones and were ready to release - this was just after the release of 4.2. It triggered off another cycle of trying to get patches written and reviewed which was longer for the reason below. * We're busy people, and most of the people who were trying to get the fixes written and in place have been travelling or otherwise busy with work. Don't forget that we're volunteers..we appreciate the work of people such as yourself in discovering and responsibly reporting this kind of bug, but please realise that sometimes they cannot be fixed in internet time due to fundamental laws of physics and economics :-) * We could have committed an obvious patch right away, but chances are it would have been wrong, and in fact I believe at least one of the patches submitted to us which claimed to fix a problem here did not. Much better to take a few extra days and get it right. > Afterwards it seems like a mistake to wait for over 7 weeks when partial > fixes had been on the public CVS for most of the time. 
Now I wonder how > many of the "bad guys" actually scan for those changes; apparently one could get > at least several days' advantage with many open source projects. Yes, this is the case. It's a conscious decision to get the fix in as soon as possible so people who update regularly have access to it, instead of delaying the committing of the patches until the advisory is ready, which may be a month or more where ALL FreeBSD users are vulnerable to a serious problem. > CVS changes/notes can be very revealing for automated scanners, and > there probably have been other silent "minor" fixes in addition to > netgraph(3) loading kernel modules regardless of the securelevel on <4.1 > (pointed out to me by Pascal Bouchareine). When this was raised to us it was determined not to be a security vulnerability, I believe. It's too long ago for me to remember the precise details. It's certainly not a policy decision to ignore security vulnerabilities, and I think our track record in this regard is better than that of many other vendors. Sometimes they have to be prioritised and queued however, and sometimes they slip through the cracks because we're not made aware of them or whatever. 
Kris --JBi0ZxuS5uaEhkUZ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6Ps+yWry0BWjoQKURAq3FAKDpzxSqEUMcYaA1Dt2akrUyxEcWRACg0NBz fo4QSdhfRRwr2GIkFYbBtPE= =XQ4s -----END PGP SIGNATURE----- --JBi0ZxuS5uaEhkUZ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 23:52:26 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 23:52:23 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 6090137B400 for ; Mon, 18 Dec 2000 23:52:23 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 18 Dec 2000 23:50:45 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBJ7qKR21232; Mon, 18 Dec 2000 23:52:20 -0800 (PST) (envelope-from cjc) Date: Mon, 18 Dec 2000 23:52:15 -0800 From: "Crist J. 
Clark" To: John Howie Cc: Kurt Seifried , Alfred Perlstein , Moses Backman III , Todd Backman , freebsd-security@FreeBSD.ORG Subject: Re: woah Message-ID: <20001218235214.B96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> <017a01c06928$9e20ec60$9207c00a@local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <017a01c06928$9e20ec60$9207c00a@local>; from JHowie@msn.com on Mon, Dec 18, 2000 at 11:27:52AM -0800 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 18, 2000 at 11:27:52AM -0800, John Howie wrote: > > ----- Original Message ----- > From: "Kurt Seifried" > To: "Alfred Perlstein" ; "Moses Backman III" > > Cc: "Todd Backman" ; > Sent: Monday, December 18, 2000 10:58 AM > Subject: Re: woah > > > > Stupid question but why did you send this to me and a mailing list, etc? > > > > > Kurt, I was pretty disappointed to see this article. If you tear > > > it down the to base content, the only problem with SSL/SSH is stupid > > > users. > > > > And the fact that SSL/SSH rely on said stupid users. Usually the weakest > link... > > > > I find the references (here and elsewhere) to stupid users as troubling. > Most users are inexperienced, not stupid, and are certainly not clued up on > Security. Their main focus is getting their work done and not knowing what > it means when some obscure message pops up that lets them proceed even > though they should not. No, they are stupid. After Melissa, after LoveLetter, etc., every friggin' person on the planet knows they should not run untrusted executables they get in the mail, right? 
So why did I have to clean the Hybris worm off of two users' notebooks last week after they ran an executable they got from some random 'sexyfun.net' account with a subject line about Snowwhite and the Seven Dwarves. They had to save it out of their mail to disk and then run the damn thing even. Actually, I think it is not just stupidity but two factors, (1) stupidity and (2) the nothing-bad-would-ever-happen-to-me mindset. I think they are the same people who never wear seatbelts 'cause they are good drivers and they'll never be in an accident. Grade A, Darwin Award Winning Idiots. > No, the problem is STUPID PROGRAMMERS. We should > write our applications so that users cannot proceed in such circumstances. No way. You want the frantic, pissed off calls all day because, "I can't get on the server!" If you were to lock them out completely, some ingenious moron would figure out a way to get around it that is even more insecure than the alternatives (delete his whole known-keys file instead of just clearing the one conflicting line out). Just like how the default SSH won't let them proceed unless they delete the mismatched keys manually. Hopefully the truly kewless will not be able to figure it out. > The only reason that we build applications so that users can proceed is that > 99% of the time the reason the keys have changed/the certificate does not > match the server is because we have reconfigured our systems thus > invalidating (or losing) the keys and certificates and it is perfectly safe > to proceed. Maybe I should add STUPID ADMINISTRATORS to the list here. Plenty of those too. More likely, the keys were lost when on a Saturday afternoon clueless luser VP could not get his email and called clueless IS manager who proceeded to fix it on his own initiative. He done fix it real good. Reinstalled the operating system, pulled the hard drive out of the box without shutting down, or some other brilliant solution (yes, seen them all). 
> It is easy to blame one or more of users, programmers, and administrators > for weak security but until we have the science perfected we all have to > work together. Nah, I could get the computers at the office into some really tight, secure shape if it weren't for the damn humans they tell me I have to let use them. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 23:57: 1 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 23:56:59 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id E74BE37B400 for ; Mon, 18 Dec 2000 23:56:58 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 18 Dec 2000 23:55:22 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBJ7uw921255; Mon, 18 Dec 2000 23:56:58 -0800 (PST) (envelope-from cjc) Date: Mon, 18 Dec 2000 23:56:58 -0800 From: "Crist J. Clark" To: Tomasz Paszkowski Cc: freebsd-security@FreeBSD.ORG Subject: Re: procfs Message-ID: <20001218235658.C96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20001219003737.C2567@genesis.k.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001219003737.C2567@genesis.k.pl>; from ns88@k.pl on Tue, Dec 19, 2000 at 12:37:38AM +0100 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Dec 19, 2000 at 12:37:38AM +0100, Tomasz Paszkowski wrote: > > Can somebody tell me why FreeBSD is not creating dirs and files on procfs > to be accessible only by the owner? 
I looked into the source and I changed > default permissions to more restricted ones. Are there any disadvantages to > this solution, and if not, can this be included in the FreeBSD project? Just to point out, I don't think this would make a difference with respect to any of these procfs vulnerabilities. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 18 23:58: 9 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 23:58:07 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id E348237B400 for ; Mon, 18 Dec 2000 23:58:04 -0800 (PST) Received: (qmail 864 invoked by uid 1000); 19 Dec 2000 07:57:06 -0000 Date: Tue, 19 Dec 2000 09:57:06 +0200 From: Peter Pentchev To: Jason DiCioccio Cc: 'Tomasz Paszkowski' , Pete Fritchman , freebsd-security@freebsd.org Subject: Re: procfs Message-ID: <20001219095706.B345@ringworld.oblivion.bg> Mail-Followup-To: Jason DiCioccio , 'Tomasz Paszkowski' , Pete Fritchman , freebsd-security@freebsd.org References: <657B20E93E93D4118F9700D0B73CE3EA024337@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024337@goofy.epylon.lan>; from Jason.DiCioccio@Epylon.com on Mon, Dec 18, 2000 at 04:51:21PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 18, 2000 at 04:51:21PM -0800, Jason DiCioccio wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > It is in 5.0, procfs is restricted via that MIB.. It was probably > considered too radical a change for the 4.x branch. 
I think it was not really considered too radical, rather it was given time to show off all its possible backsides before being introduced into -stable. G'luck, Peter -- If you think this sentence is confusing, then change one pig. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 1:20: 0 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 01:19:58 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id BDFAA37B400; Tue, 19 Dec 2000 01:19:57 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id KAA00945; Tue, 19 Dec 2000 10:19:55 +0100 (CET) (envelope-from des@ofug.org) Sender: des@ofug.org X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: bmah@FreeBSD.ORG Cc: Roman Shterenzon , Chris Faulhaber , Mikhail Kruk , James Lim , security@FreeBSD.ORG Subject: Re: Security Update Tool.. References: <200012181803.eBII3Ew94725@bmah-freebsd-0.cisco.com> From: Dag-Erling Smorgrav Date: 19 Dec 2000 10:19:55 +0100 In-Reply-To: "Bruce A. Mah"'s message of "Mon, 18 Dec 2000 10:03:14 -0800" Message-ID: Lines: 11 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Bruce A. Mah" writes: > To be honest, I haven't seen porteasy, but my feeling about #3 above is > that it's really really hard for an automated system to get right all of > the time. Yes, it was hard to implement, but I'm confident that porteasy gets it right. Feel free to prove me wrong. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 1:46:18 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 01:46:14 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from test.kens.com (kens.com [129.250.30.40]) by hub.freebsd.org (Postfix) with ESMTP id 5F5E337B400 for ; Tue, 19 Dec 2000 01:46:14 -0800 (PST) Received: (qmail 36647 invoked by uid 1002); 19 Dec 2000 09:46:13 -0000 Date: Tue, 19 Dec 2000 04:46:13 -0500 From: "Robin S. Socha" To: freebsd-security@FreeBSD.ORG Subject: Re: woah Message-ID: <20001219044613.B35774@kens.com> References: <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org> <017a01c06928$9e20ec60$9207c00a@local> <20001218235214.B96105@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline User-Agent: Mutt/1.3.12i In-Reply-To: <20001218235214.B96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Mon, Dec 18, 2000 at 11:52:15PM -0800 X-Mailer: Mutt http://www.mutt.org/ X-URL: https://socha.net/ X-Editor: Vim-600 http://www.vim.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Crist J. Clark [001219 02:52]: > On Mon, Dec 18, 2000 at 11:27:52AM -0800, John Howie wrote: > > I find the references (here and elsewhere) to stupid users as > > troubling. Most users are inexperienced, not stupid, and are > > certainly not clued up on Security. Do I care? Look, you don't give assault rifles to morons, right? Then why do you let them use technology they are simply too stupid for? People die in friendly fire, and that's ok. But who is holding whom responsible for the millions (billions) of $CURRENCY of damage caused by mindless lusers clicking away at everything that says "big tits inside"? 
[Opening obviously tainted attachments] > Actually, I think it is not just stupidity but two factors, (1) > stupidity and (2) the nothing-bad-would-ever-happen-to-me mindset. I > think they are the same people who never wear seatbelts 'cause they > are good drivers and they'll never be in an accident. Grade A, Darwin > Award Winning Idiots. Skip (2). Our Acceptable Use Policy says "if you do this, you're fired NQA". Doesn't help. > > It is easy to blame one or more of users, programmers, and > > administrators for weak security but until we have the science > > perfected we all have to work together. > > Nah, I could get the computers at the office into some really tight, > secure shape if it weren't for the damn humans they tell me I have to > let use them. I second that. Oh, anyone got a Microsoft-virus scanner for OpenBSD and qmail. And a bucket for me, please? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 3:41:37 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 03:41:33 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from pps.de (mail.pps.de [217.13.200.134]) by hub.freebsd.org (Postfix) with ESMTP id B8ECB37B402 for ; Tue, 19 Dec 2000 03:41:32 -0800 (PST) Received: from jung7.pps.de (jung7.pps.de [192.9.200.17]) by pps.de (8.9.3/8.9.3) with ESMTP id MAA94362; Tue, 19 Dec 2000 12:57:06 +0100 (CET) (envelope-from petros@pps.de) Received: from jung9.pps.de by jung7.pps.de (8.9.3+Sun/ZRZ-Sol2) id MAA08353; Tue, 19 Dec 2000 12:38:58 +0100 (MET) Received: from jung9 by jung9.pps.de (8.9.1b+Sun/ZRZ-Sol2) id MAA26842; Tue, 19 Dec 2000 12:38:58 +0100 (MET) Message-Id: <200012191138.MAA26842@jung9.pps.de> Date: Tue, 19 Dec 2000 12:38:58 +0100 (MET) From: Peter Ross Reply-To: Peter Ross Subject: Re: FTP and firewall To: freebsd-security@freebsd.org Cc: drew@planetwe.com MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii 
Content-MD5: UEZCZhKMcnqz36ZXe4co/g== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, Drew Sanford answered my question > > I see five different ways to solve the FTP firewall problem: > > 1. external FTP server and mirror through the firewall .. > > Can I use cpdup (ports collection)? > I speak typo - I assume you mean cvsup. No, I meant cpdup (a mirror tool listed in the ports collection). cvsup.. thanks for the new idea. Yesterday I heard an opinion: "make and dependencies". Hmmh. --- I inherited an old FTP server (SuSE Linux 5.3 - Kernel 2.0.x). This server is protected by firewall rules and uses NFS mounts. (My suggestion 4.) > > 4. firewall with FTP server and NFS access to the company network Every fortnight I have to reboot the machine.. I checked some articles and books about security and firewalls etc. I found "FTP is a problem" but not one good piece of advice on how to deal with it. So I decided to discuss the problem here. It would be nice to know how other administrators solve the problem and what safety-conscious people think about it. --- Maybe someone did it in the way I tried (internal FTP server and redirect) and has a firewall rule set? That would be fine. --- Yesterday I checked the ftpd sources. Has someone used these sources to build a proxy? The external ftpd parses the command string and forwards it to the internal ftpd. The external ftpd builds the requested data connections to the clients and receives or sends data via a second port to the internal ftpd. Advantage: defined ports through the firewall. 
Thanks for any advice or opinion

Peter Ross

From owner-freebsd-security Tue Dec 19 3:57:43 2000
Date: Tue, 19 Dec 2000 14:56:19 +0300
From: Vladimir Dubrovin
To: freebsd-security@freebsd.org
Subject: FTPD hole

Hello freebsd-security,

Does the remote root bug discovered in BSD FTPd under OpenBSD affect
FreeBSD?
http://www.geocrawler.com/archives/3/254/2000/12/50/4767480/

--
Vladimir Dubrovin
Sandy, ISP Sandy CCd chief Customers Care dept
http://www.sandy.ru Nizhny Novgorod, Russia
http://www.security.nnov.ru

From owner-freebsd-security Tue Dec 19 4:03:14 2000
Date: 19 Dec 2000 13:02:58 +0100
From: Dag-Erling Smorgrav
To: Mike Tancsa
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs

Mike Tancsa writes:
> What does one lose these days on 4.x not mounting it by default ?

truss(1) will not work, and ps(1) will be unable to show some types of
information.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Dec 19 4:04:25 2000
Date: 19 Dec 2000 13:04:19 +0100
From: Dag-Erling Smorgrav
To: Mikhail Kruk
Cc: Kris Kennaway, Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs

Mikhail Kruk writes:
> Everything seems to work just fine (including ps and who to the extent I'm
> using them). The only problem I've had so far is that Star Office core
> dumps.

Update your linprocfs to one that provides proc//cmdline and see
if that helps. If not, please try to truss(1) or ktrace(1) soffice and
see what files it tries to open.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Dec 19 4:08:32 2000
Date: Tue, 19 Dec 2000 09:08:03 -0300 (ART)
From: Fernando Schapachnik
To: Vladimir Dubrovin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTPD hole

A recent (today or yesterday) bugtraq article says NO. Look at
securityfocus.org for details.

Regards.

In an earlier message, Vladimir Dubrovin wrote:
> Hello freebsd-security,
>
> Does the remote root bug discovered in BSD FTPd under OpenBSD
> affect FreeBSD?

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Tue Dec 19 4:14:49 2000
Date: 19 Dec 2000 13:14:44 +0100
From: Dag-Erling Smorgrav
To: Kris Kennaway
Cc: Esa Etelavuori, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs

Kris Kennaway writes:
> * procfs does not have an active maintainer in FreeBSD, meaning it was
> difficult to find reviewers for some of the patches [...]

OK, it does now.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Dec 19 4:15:09 2000
Date: Tue, 19 Dec 2000 06:10:39 -0500
From: Will Andrews
To: Vladimir Dubrovin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTPD hole

On Tue, Dec 19, 2000 at 02:56:19PM +0300, Vladimir Dubrovin wrote:
> Does the remote root bug discovered in BSD FTPd under OpenBSD
> affect FreeBSD?

Doesn't look like it.. I don't see any function called replydirname()
in FreeBSD's ftpd. That's not a scientific guess, however.
--
wca

From owner-freebsd-security Tue Dec 19 4:21:32 2000
From: Cy Schubert - ITSD Open Systems Group
To: Vladimir Dubrovin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTPD hole
Date: Tue, 19 Dec 2000 04:19:10 -0800

In message <127277434.20001219145619@sandy.ru>, Vladimir Dubrovin writes:
> Hello freebsd-security,
>
> Does the remote root bug discovered in BSD FTPd under OpenBSD
> affect FreeBSD?
>
> http://www.geocrawler.com/archives/3/254/2000/12/50/4767480/

Comparing the source code of the FreeBSD and OpenBSD ftpd.c, FreeBSD is
definitely not affected by this.

Regards,
Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Tue Dec 19 4:41:23 2000
Date: Tue, 19 Dec 2000 07:41:05 -0500
From: Mike Tancsa
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
At 01:02 PM 12/19/2000 +0100, Dag-Erling Smorgrav wrote:
>Mike Tancsa writes:
> > What does one lose these days on 4.x not mounting it by default ?
>
>truss(1) will not work, and ps(1) will be unable to show some types of
>information.

Is it possible to make /proc usable by root only ?

        ---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Tue Dec 19 4:57:30 2000
Date: Tue, 19 Dec 2000 15:57:12 +0300
From: "Artem Koutchine"
To: security@FreeBSD.ORG
Cc: questions@FreeBSD.ORG
Subject: What anti-sniffer measures do i have?

Hello!

I guess that there are issues which tend to grow bigger when you ignore
them in the first place.

So, our network has gotten pretty big and too many people can see what
they should not see.
Besides, all of the people are very technically advanced and can easily
use something like the new sniffer which even decrypts ssh1 and ssl.

So, I really need some ideas on how to disable sniffers on the network,
which is a typical 10Mbit ethernet built on a bunch of hubs. It consists
of
1) FreeBSD workstations (many)
2) Windows 95/98/ME workstations (many)
3) Windows NT workstations (some)

All of them need to intercommunicate:
FreeBSDs work via NFS
Windows (all kinds)<->FreeBSD via Samba
Windows9x/ME<->WindowsNT via Samba

Also, there is local office WEB, SMTP, POP3 and an Internet gateway.

I am interested in knowing all kinds of solutions to the sniffer
problem: software (preferred) or hardware. I'd like some more generic
solution, which does not require any changes in the existing software
configuration and allows the same functionality as we use now
(broadcast can be screwed).

Help!

Regards,
Artem

From owner-freebsd-security Tue Dec 19 5:11:00 2000
Date: Tue, 19 Dec 2000 15:10:31 +0200 (EET)
From: Domas Mituzas
To: Mike Tancsa
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs

> Is it possible to make /proc usable by root only ?
mount it under /r-x------forroot/proc and add a symlink from /proc to
this directory.

Domas

From owner-freebsd-security Tue Dec 19 5:46:32 2000
Date: Tue, 19 Dec 2000 15:42:17 +0200 (EET)
From: Dmitry Galyant
To: Artem Koutchine
Cc: security@FreeBSD.ORG
Subject: Re: What anti-sniffer measures do i have?

There is no software solution to your 'sniffer problem'.
Experienced guys can down interfaces and still listen to traffic,
can change MAC to your router's address and not switch to
promisc, etc...
So, all anti-sniffs like L0pht's can only help you to be
rooted remotely.
The only solution is the hardware solution or crypto-solution.

Regards, Dmitry.

On Tue, 19 Dec 2000, Artem Koutchine wrote:
From owner-freebsd-security Tue Dec 19 5:54:51 2000
Subject: Re: What anti-sniffer measures do i have?
To: security@FreeBSD.ORG
From: George.Giles@mcmail.vanderbilt.edu
Date: Tue, 19 Dec 2000 07:55:35 -0600

It is your network: Control ALL the boxes on the network and do not
allow installs of unapproved software.

Access control is essential to security. If a user can install any
software they choose, then you can never have security. Most admins do
not have access control out of laziness.

"Eternal vigilance is the price of liberty" -- Thomas Jefferson

From owner-freebsd-security Tue Dec 19 7:24:29 2000
Date: Tue, 19 Dec 2000 17:22:13 +0200 (IST)
From: Roman Shterenzon
To: Dmitry Galyant
Cc: Artem Koutchine
Subject: Re: What anti-sniffer measures do i have?

I ported antisniffer to freebsd once (still have patches somewhere), and
found it to be completely unusable (it's really alpha quality). Also,
their windows version is not much better.
I think that cryptography is the key.
On Tue, 19 Dec 2000, Dmitry Galyant wrote:

> There is no software solution to your 'sniffer problem'.
> Experienced guys can down interfaces and still listen to traffic,
> can change MAC to your router's address and not switch to
> promisc, etc...
> So, all anti-sniffs like L0pht's can only help you to be
> rooted remotely.
> The only solution is the hardware solution or crypto-solution.
>
> Regards, Dmitry.
--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Tue Dec 19 10:45:12 2000
Date: Tue, 19 Dec 2000 13:45:01 -0500 (EST)
From: Mikhail Kruk
To: Dag-Erling Smorgrav
Cc: Kris Kennaway, Mike Tancsa
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs

> > Everything seems to work just fine (including ps and who to the extent I'm
> > using them). The only problem I've had so far is that Star Office core
> > dumps.
>
> Update your linprocfs to one that provides proc//cmdline and see
> if that helps. If not, please try to truss(1) or ktrace(1) soffice and
> see what files it tries to open.

see your previous e-mail :)
I was talking about things you lose when you umount procfs
Apparently Star office uses FreeBSD procfs, not linprocfs (not sure how).
From owner-freebsd-security Tue Dec 19 11:16:09 2000
Date: Tue, 19 Dec 2000 10:23:45 -0800
From: "admin"
Subject: Securing FreeBSD against hacking

Hi Folks;

I am kinda glad I hung around this list for a while...
I am running FreeBSD 4.2-STABLE (recently upgraded machines) for web
(Apache-1.39) and mail (Qmail-1.03, sendmail-8.11.1).
I have recently seen some activities on the web server that make me very
nervous (I know I am being very general) but my concern is:

1. How do I set up a dedicated machine to collect data and connection
attempts to my machines
2. How to implement a notification system to alert when critical files
on the server have been tampered with.
3.
How to find out if my machines are REALLY CLEAN (some sort of software
auditing to determine if what is already in the machines is a good
benchmark for future security audits)

Thank you!

Dan
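Questions 2 and 3 ask for tamper notification and a trustworthy baseline. The following is an added example of the usual approach (a content hash plus the permission and ownership metadata, with the baseline kept as plain JSON so it can be copied to read-only or offline media); it is not code from the original message or from Tripwire, and the sample tree and the changes made to it are constructed inline.

```python
"""Minimal file-integrity baseline/verify, added example for this thread.

Not code from the original posts or from Tripwire.  It records a SHA-256
plus the inode metadata an integrity checker cares about (mode, owner,
size, mtime) for every regular file under a root, then reports what
changed.  The baseline is plain JSON: store it on read-only or offline
media, because a baseline that lives on the monitored box can be edited
by whoever edited the files.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 16


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(path: Path) -> dict:
    """Everything we compare for one file; mode includes setuid/setgid bits."""
    st = path.lstat()
    return {
        "sha256": _sha256(path),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file (symlinks are skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = _record(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with a stored baseline.

    Returns {'added': [...], 'removed': [...], 'modified': {path: [fields]}}
    so a notifier can say *what* changed, not just that something did.
    """
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            report["removed"].append(rel)
        elif rel not in baseline:
            report["added"].append(rel)
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed walk-through: baseline a toy tree, change it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:*:0:0:Charlie &:/root:/bin/csh\n")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        os.chmod(root / "bin" / "login", 0o755)

        # Snapshot and round-trip through JSON, as a stored baseline would be.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # The four classic cases a checker must catch: an edited file, a
        # permission-only change (setuid bit added, content untouched), a new
        # file, and a deleted file.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("eve:*:1001:1001:constructed extra account:/home/eve:/bin/sh\n")
        os.chmod(root / "bin" / "login", 0o4755)
        (root / "bin" / "extra").write_text("constructed stand-in for an unexpected file\n")
        (root / "etc" / "inetd.conf").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the mode-only change is reported without any hash difference, which is exactly the case a hash-only checker misses.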
From owner-freebsd-security Tue Dec 19 11:21:27 2000
Date: Tue, 19 Dec 2000 14:21:18 -0500 (EST)
From: Mikhail Kruk
To: admin
Subject: Re: Securing FreeBSD against hacking

2,3

106 meshko@polkan2 /home/meshko> cat /usr/ports/security/tripwire/pkg/DESCR
Tripwire is a tool that aids system administrators and users in
monitoring a designated set of files for any changes.  Used with system
files on a regular (e.g., daily) basis, Tripwire can notify system
administrators of corrupted or tampered files, so damage control
measures can be taken in a timely manner.

1 is kind of general. Set up a firewall machine between you and the
world and make it log everything you find appropriate?
From owner-freebsd-security Tue Dec 19 11:30:53 2000
Date: Tue, 19 Dec 2000 11:30:40 -0800 (PST)
From: Benefitsall@nettaxi.com
To: security@freebsd.org
Subject: Donation to your organization 121900

Dear Friend

Help your organization raise money in a painless way

Cash rebates of up to 30% from BenefitsAll become welcome donations to
your organization when your members shop online with Lands End, Disney,
Dell, Gap, Esprit and 300 plus retailers through our web site.

Widely endorsed, socially responsible site offers no obligation, free
rebate program for members. See how easy it is for your charity to earn
substantial cash back for every online, shopping purchase made.

To find out more information from BenefitsAll click on reply and we will
contact you shortly. Please put "MORE INFO" in the subject box.

If you prefer call us toll free at 866 961 2468. Ask for customer
service extension 1

To remove you from this list type " REMOVE" in the subject box and click
reply.
From owner-freebsd-security Tue Dec 19 11:36:44 2000
From: henrique@gruponet.com.br
Subject: Ftpd
Date: Tue, 19 Dec 2000 17:36:04 -0200
Message-ID: <01c069f2$ed98f380$2808a8c0@tec06.gnintranet.com.br>

Mrs,

How do I not permit viewing of the directories on my ftp server?

Example:
If I use the program voyageftp or other ftp programs, I see the other
directories; I don't have permission to upload, but I have permission to
download and to access these directories.
If I use the DOS ftp client, I don't have permission to access the other
directories.
I have the file /etc/ftpchroot, and in the file I have the ftp domain.

Thanks.

[]'s
Henrique
From owner-freebsd-security Tue Dec 19 11:49:21 2000
From: "Jonathan M. Slivko"
To: "John Howie", "Kurt Seifried", "Alfred Perlstein", "Moses Backman III"
Cc: "Todd Backman"
Subject: RE: woah
Date: Tue, 19 Dec 2000 14:50:32 -0500
In-Reply-To: <017a01c06928$9e20ec60$9207c00a@local>

I totally agree with that statement, John :)

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of John Howie
Sent: Monday, December 18, 2000 2:28 PM
To: Kurt Seifried; Alfred Perlstein; Moses Backman III
Cc: Todd Backman; freebsd-security@FreeBSD.ORG
Subject: Re: woah

----- Original Message -----
From: "Kurt Seifried"
To: "Alfred Perlstein"; "Moses Backman III"
Cc: "Todd Backman"
Sent: Monday, December 18, 2000 10:58 AM
Subject: Re: woah

> Stupid question but why did you send this to me and a mailing list, etc?
>
> > Kurt, I was pretty disappointed to see this article. If you tear
> > it down to the base content, the only problem with SSL/SSH is stupid
> > users.
>
> And the fact that SSL/SSH rely on said stupid users. Usually the weakest
> link...
>

I find the references (here and elsewhere) to stupid users troubling. Most
users are inexperienced, not stupid, and are certainly not clued up on
security. Their main focus is getting their work done, not knowing what it
means when some obscure message pops up that lets them proceed even though
they should not.

No, the problem is STUPID PROGRAMMERS. We should write our applications so
that users cannot proceed in such circumstances. The only reason that we
build applications so that users can proceed is that 99% of the time the
reason the keys have changed/the certificate does not match the server is
because we have reconfigured our systems, thus invalidating (or losing) the
keys and certificates, and it is perfectly safe to proceed. Maybe I should
add STUPID ADMINISTRATORS to the list here.

It is easy to blame one or more of users, programmers, and administrators
for weak security, but until we have the science perfected we all have to
work together.

john...
From owner-freebsd-security Tue Dec 19 11:49:29 2000
Message-ID: <3A3FBBCA.9080808@home.com>
Date: Tue, 19 Dec 2000 13:49:30 -0600
From: "Victor R. Cardona"
To: admin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
References: <000e01c069e8$d30dccc0$f46fbdd1@pacex.net>

admin wrote:

> 1. How do I setup a dedicated machine to collect data and connection
> attempts to my machines

I'm not sure if this is what you have in mind, but you could set up syslog
to log to a remote machine.

> 2. How to implement a notification system to alert when critical files
> on the server have been tampered with.

A combination of syslog and tripwire might work here. I have never tried it
myself.

> 3. How to find out if my machines are REALLY CLEAN (some sort of software
> auditing to determine if what is already in the machines is a good
> benchmark for future security audits)

Tripwire is a file auditing utility. Unfortunately, for it to be effective,
you must know that your system is clean. The only way to be 100% sure would
be to run it after a fresh install from protected media, and before any
network connection is made.
Victor Cardona
vcardona@home.com

From owner-freebsd-security Tue Dec 19 11:49:45 2000
Date: Tue, 19 Dec 2000 11:49:36 -0800
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: Read-Only Filesystems
Message-ID: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu

I was recently playing around with the idea of having a read-only root
filesystem. However, it has become clear that there is no way to prevent
root from changing the mount properties on any filesystem, including the
root filesystem, provided there is no hardware-level block on writing and
there is someplace (anyplace) where root can write.

Is that accurate? I guess one must go to a "trusted OS" to get that type of
functionality?
--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Tue Dec 19 11:57:22 2000
Date: Tue, 19 Dec 2000 19:57:18 +0000
From: j mckitrick
To: security@freebsd.org
Subject: security levels for sysinstall
Message-ID: <20001219195717.A27171@dogma.freebsd-uk.eu.org>

I apologize in advance if this is the wrong place to ask this question, but
questions- didn't offer any help after several tries.

I would like to see exactly what each of the security profiles in sysinstall
does. I will install FreeBSD on a laptop with a dialup connection, and I
don't want to have to worry about security when I am connected. I will set
up the same ipfw firewall as I have now. I would also like icq and similar
toys to work okay, but I will not be running any services on my machine.

If the docs are out there and I have just missed them, please point me in
the right direction.

Jonathon
--
"The spice must flow...."

From owner-freebsd-security Tue Dec 19 12: 0:45 2000
Date: Tue, 19 Dec 2000 14:00:32 -0600 (CST)
From: Guy Helmer
To: admin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
In-Reply-To: <000e01c069e8$d30dccc0$f46fbdd1@pacex.net>

On Tue, 19 Dec 2000, admin wrote:

> I am running a FreeBSD 4.2-STABLE (recently upgraded machines) for web
> (Apache-1.39) mail (Qmail-1.03 sendmail-8.11.1). I have recently seen
> some activities on the web server that make me very nervous (I know I
> am being very general) but my concern is:
>
> 1. How do I setup a dedicated machine to collect data and connection
> attempts to my machines

I'd suggest building a FreeBSD 4-stable machine with SNORT installed and
all the network services turned off. Get the current SNORT rulelist from
www.snort.org, and configure SNORT to use the current rulelist. Hook this
machine up to the same network segment and see if SNORT finds anything
unusual.

> 2. How to implement a notification system to alert when critical
> files on the server have been tampered with.

Someone else suggested that you install and use tripwire on your server
machine, which is a great idea if you know that machine is clean.

> 3. How to find out if my machines are REALLY CLEAN (some sort of
> software auditing to determine if what is already in the machines is a
> good benchmark for future security audits)

Use mtree(8) to check the md5 hashes of your system's binaries against the
original 4.2 release (I haven't tried it, but I believe you can run
"mtree -K md5digest" and compare the results against the *.mtree files in
the release). To make sure the machine is REALLY CLEAN, back up the data,
wipe the disks, reinstall, and reload the data...

Guy
--
Guy Helmer, Ph.D. Sr. Software Engineer, Palisade Systems --- ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer

From owner-freebsd-security Tue Dec 19 12:10: 7 2000
Message-ID: <15418A8C5748D411B03A0050DA649E55DB6E6C@mailserv2.webex.com>
From: Jonas Luster
To: freebsd-security@freebsd.org
Subject: RE: Securing FreeBSD against hacking
Date: Tue, 19 Dec 2000 12:09:54 -0800

> I am running a FreeBSD 4.2-STABLE (recently upgraded machines) for
> web (Apache-1.39) mail (Qmail-1.03 sendmail-8.11.1).
> I have recently seen some activities on the web server that
> make me very nervous (I know I am being very general) but my
> concern is:
> 1. How do I setup a dedicated machine to collect data and
> connection attempts to my machines

I guess you're referring to some kind of NIDS here, right? With FreeBSD and
sn0rt (see ports/security) you can set up a pretty decent NIDS; all you
need is some third-party tool (I use a custom hacked python script, if you
want it) to analyze sn0rt's output and notify you in some way. Plug the
sn0rt-box into the SPAN port on your switch and you're good.

> 2. How to implement a notification system to alert when critical
> files on the server have been tampered with.

HIDS, host based intrusion detection, is a lie in itself :). You can,
however, deploy some kind of host based modification tracking, such as Aide
(ports/aide), and have a script move the generated files to some other host
for analysis (leaving them on the same host some kid has root on might just
lead to him tampering with your database and not reveal any changes). Again,
a small script should notify you if something changes (hourly intervals?).

> 3. How to find out if my machines are REALLY CLEAN (some sort of
> software auditing to determine if what is already in the machines
> is a good benchmark for future security audits)

If you were good in the first place :) you'll have some md5-sum repository
of your system files somewhere offsite. If not, well, you need to start by
providing a clean environment to work in, e.g. move the affected hard disk
into a new machine and mount it r/o to analyze its contents. If the clean
machine's OS is built from the same sources you can start to diff one
against the other, for example.

From owner-freebsd-security Tue Dec 19 12:10: 8 2000
Date: Tue, 19 Dec 2000 12:09:53 -0800
From: Alfred Perlstein
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001219120953.S19572@fw.wintelcom.net>
In-Reply-To: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco>

* Crist J. Clark [001219 11:50] wrote:
> I was recently playing around with the idea of having a read-only root
> filesystem. However, it has become clear that there is no way to
> prevent root from changing the mount properties on any filesystem,
> including the root filesystem, provided there is no hardware-level
> block on writing and there is someplace (anyplace) where root can
> write.
>
> Is that accurate? I guess one must go to a "trusted OS" to get that
> type of functionality?

You can trust freebsd. :)

Do some research on "securelevel".

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Tue Dec 19 12:17:17 2000
Message-ID: <3A3FC57F.E80331A7@netxsecure.net>
Date: Wed, 20 Dec 2000 09:30:55 +1300
From: "Michael A. Williams"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco>

How about applying the immutable flag (uchg) with chflags to selected
branches of the file system tree, in combination with kernel securelevel 2?
Then a reboot at the console into single user mode is required to reverse
the immutable state of the files. In the end this comes down to physical
security of the console.

cheers,
Mike.

"Crist J. Clark" wrote:
>
> I was recently playing around with the idea of having a read-only root
> filesystem. However, it has become clear that there is no way to
> prevent root from changing the mount properties on any filesystem,
> including the root filesystem, provided there is no hardware-level
> block on writing and there is someplace (anyplace) where root can
> write.
>
> Is that accurate? I guess one must go to a "trusted OS" to get that
> type of functionality?
> --
> Crist J. Clark cjclark@alum.mit.edu

--
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914

From owner-freebsd-security Tue Dec 19 12:17:20 2000
From: "Jonathan M. Slivko"
Subject: Any basic things to patch up?
Date: Tue, 19 Dec 2000 15:18:47 -0500

Can someone please send me or point me to a list of common things that need
to get patched? I just want to make sure that I have everything on my system
all patched up. Thanks. -- Jonathan M. Slivko

-
Jonathan Slivko - Simple Hosting Solutions
Head of Technical Support
http://www.simphost.com
jslivko@psn.net
-

From owner-freebsd-security Tue Dec 19 12:17:50 2000
Date: Tue, 19 Dec 2000 15:17:53 -0500 (EST)
From: Rob Simmons
To: "Victor R. Cardona"
Cc: admin, freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
In-Reply-To: <3A3FBBCA.9080808@home.com>

One of the best ways to set up a syslog machine is to not have it on the
network and have it listening on its serial port, which is connected to the
serial port of the machine that is sending the log messages. This is almost
impervious to tampering short of someone breaking into your server room.
You may even want to set the append-only flags on the syslogs on that
machine.

The only major drawback to this configuration is you will have to check the
logs from the console of the syslog machine, so you may want to set up the
machine that the logs are coming from to log locally as well as sending the
log messages out the serial port to the other machine - basically using the
syslog machine as an emergency backup.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 19 Dec 2000, Victor R. Cardona wrote:

> admin wrote:
>
> > 1. How do I setup a dedicated machine to collect data and connection
> > attempts to my machines
>
> I'm not sure if this is what you have in mind, but you could set up
> syslog to log to a remote machine.
>
> > 2. How to implement a notification system to alert when critical files
> > on the server have been tampered with.
>
> A combination of syslog and tripwire might work here. I have never tried
> it myself.
>
> > 3. How to find out if my machines are REALLY CLEAN (some sort of software
> > auditing to determine if what is already in the machines is a good
> > benchmark for future security audits)
>
> Tripwire is a file auditing utility. Unfortunately for it to be
> effective, you must know that your system is clean. The only way to be
> 100% sure would be to run it after a fresh install from protected media,
> and before any network connection is made.
>
> Victor Cardona
> vcardona@home.com

From owner-freebsd-security Tue Dec 19 12:19: 4 2000
Date: Tue, 19 Dec 2000 12:19:01 -0800
From: "Crist J. Clark"
To: Alfred Perlstein
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001219121901.C23819@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20001219120953.S19572@fw.wintelcom.net>

On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
> * Crist J. Clark [001219 11:50] wrote:
> > I was recently playing around with the idea of having a read-only root
> > filesystem. However, it has become clear that there is no way to
> > prevent root from changing the mount properties on any filesystem,
> > including the root filesystem, provided there is no hardware-level
> > block on writing and there is someplace (anyplace) where root can
> > write.
> >
> > Is that accurate? I guess one must go to a "trusted OS" to get that
> > type of functionality?
>
> You can trust freebsd. :)
>
> do some research on "securelevel"

I am familiar with securelevel. Are you suggesting,

    # find -x / -exec chflags schg {} \;

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Tue Dec 19 12:19:49 2000
Date: Tue, 19 Dec 2000 12:19:44 -0800
From: Alfred Perlstein
To: "Jonathan M. Slivko"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any basic things to patch up?
Message-ID: <20001219121944.T19572@fw.wintelcom.net>

* Jonathan M. Slivko [001219 12:19] wrote:
> Can someone please send me or point me to a list of common things that need
> to get patched? I just want to make sure that I have everything on my system
> all patched up. Thanks. -- Jonathan M. Slivko

Upgrading to -stable should suffice; this is explained in the handbook.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Tue Dec 19 12:19:59 2000
Date: Tue, 19 Dec 2000 15:19:48 -0500 (EST)
From: Garrett Wollman
Message-Id: <200012192019.PAA33368@khavrinen.lcs.mit.edu>
To: Guy Helmer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
References: <000e01c069e8$d30dccc0$f46fbdd1@pacex.net>

< said:

> Use mtree(8) to check the md5 hashes of your system's binaries against the
> original 4.2 release (I haven't tried it, but I believe you can run "mtree
> -K md5digest" and compare the results against the *.mtree files in the
> release).

You'd probably find that to be rather difficult and tedious, and there's no
reason to do such a comparison by hand since that function is built into
mtree. Just do `mtree -p /mnt/foo -f /rdonly/foo.mtree'.

After setting up a new system for the first time, I recommend doing a:

    mtree -c -i -x -p /file/system -k \
    size,flags,gid,md5digest,sha1digest,ripemd160digest,mode,nlink,uid,link,time

for every filesystem. You might well want to use an excludes file for
directories containing files which are very likely to change. For example, a
quick test showed me:

    .:         modification time (Tue Dec 19 15:10:20 2000, Tue Dec 19 15:11:34 2000)
    dev/ttyp1: modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000)
    dev/ptyp1: modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000)
    dev/ttyp2: modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000)
    dev/null:  modification time (Tue Dec 19 15:05:54 2000, Tue Dec 19 15:11:03 2000)
    tmp:       modification time (Tue Dec 19 15:10:01 2000, Tue Dec 19 15:15:23 2000)

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Dec 19 12:20:35 2000
Date: Tue, 19 Dec 2000 21:20:29 +0100
From: Szilveszter Adam To: freebsd-security@freebsd.org Subject: Re: Any basic things to patch up? Message-ID: <20001219212029.A22244@petra.hos.u-szeged.hu> Mail-Followup-To: Szilveszter Adam , freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jslivko@psn.net on Tue, Dec 19, 2000 at 03:18:47PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Dec 19, 2000 at 03:18:47PM -0500, Jonathan M. Slivko wrote: > Can someone please send me or point me to a list of common things that need > to get patched? I just want to make sure that I have everything on my system > all patched up. Thanks. -- Jonathan M. Slivko > > - > Jonathan Slivko - Simple Hosting Solutions > Head of Technical Support > http://www.simphost.com > jslivko@psn.net Like ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/ you mean? -- Regards: Szilveszter ADAM Szeged University Szeged Hungary To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 12:21:57 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 12:21:55 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 81DDC37B404 for ; Tue, 19 Dec 2000 12:21:55 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eBJKLor20801; Tue, 19 Dec 2000 12:21:50 -0800 (PST) Date: Tue, 19 Dec 2000 12:21:50 -0800 
From: Alfred Perlstein
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001219122150.U19572@fw.wintelcom.net>
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219121901.C23819@rfx-64-6-211-149.users.reflexco>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001219121901.C23819@rfx-64-6-211-149.users.reflexco>; from cjclark@reflexnet.net on Tue, Dec 19, 2000 at 12:19:01PM -0800
Sender: bright@fw.wintelcom.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Crist J. Clark [001219 12:19] wrote:
> On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
> > * Crist J. Clark [001219 11:50] wrote:
> > > I was recently playing around with the idea of having a read-only root
> > > filesystem. However, it has become clear that there is no way to
> > > prevent root from changing the mount properties on any filesystem,
> > > including the root filesystem, provided there is no hardware-level
> > > block on writing and there is someplace (anyplace) where root can
> > > write.
> > >
> > > Is that accurate? I guess one must go to a "trusted OS" to get that
> > > type of functionality?
> >
> > You can trust freebsd. :)
> >
> > do some research on "securelevel"
>
> I am familiar with securelevel. Are you suggesting,
>
> # find -x / -exec chflags schg {} \;

No, that wouldn't be very prudent. That's why I said "do some
research", not "here's the magic bullet".

You owe the Oracle an article for daemonnews about securelevel.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 12:22:34 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 12:22:33 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id B961537B400 for ; Tue, 19 Dec 2000 12:22:32 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id AA7471360E; Tue, 19 Dec 2000 15:22:30 -0500 (EST) Date: Tue, 19 Dec 2000 15:22:30 -0500 
From: Chris Faulhaber To: "Jonathan M. Slivko" Cc: freebsd-security@freebsd.org Subject: Re: Any basic things to patch up? Message-ID: <20001219152230.C20951@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , "Jonathan M. Slivko" , freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jslivko@psn.net on Tue, Dec 19, 2000 at 03:18:47PM -0500 Sender: cdf.lists@fxp.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Dec 19, 2000 at 03:18:47PM -0500, Jonathan M. Slivko wrote: > Can someone please send me or point me to a list of common things that need > to get patched? I just want to make sure that I have everything on my system > all patched up. Thanks. -- Jonathan M. Slivko > First places to check: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/ which may lag behind: http://docs.freebsd.org/mail/current/freebsd-security-notifications.html http://docs.freebsd.org/mail/archive/2000/freebsd-security-notifications/ -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 12:45:39 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 12:45:38 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from grok.example.net (a0g1355ly34tj.bc.hsia.telus.net [216.232.254.227]) by hub.freebsd.org (Postfix) with ESMTP id AD38037B402 for ; Tue, 19 Dec 2000 12:45:37 -0800 (PST) Received: by grok.example.net (Postfix, from userid 1000) id 19C67213145; Tue, 19 Dec 2000 12:45:32 -0800 (PST) Date: Tue, 19 Dec 2000 12:45:32 -0800 
From: Steve Reid
To: Mikhail Kruk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Message-ID: <20001219124531.F46370@grok.bc.hsia.telus.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Mikhail Kruk on Tue, Dec 19, 2000 at 01:45:01PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 01:45:01PM -0500, Mikhail Kruk wrote:
> see your previous e-mail :) I was talking about things you lose when you
> umount procfs

I unmounted /procfs late last night and woke up this morning with a
mailbox full of error messages from Amavis. McAfee/NAI "uvscan" appears
to use "/proc/%d/cmdline" (strings(1) is your friend). My
usr/local/bin/uvscan was symlinked to the actual binary installed
elsewhere and when I unmounted procfs it could no longer find
"./messages.dat". So I replaced the symlink with a shell script that
does a cd+exec and all is well.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 14: 5: 4 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:05:03 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 54B0937B400 for ; Tue, 19 Dec 2000 14:05:02 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eBJM51s15726; Tue, 19 Dec 2000 15:05:01 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA03869; Tue, 19 Dec 2000 15:05:00 -0700 (MST) Message-Id: <200012192205.PAA03869@harmony.village.org> To: Vladimir Dubrovin Subject: Re: FTPD hole Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 19 Dec 2000 14:56:19 +0300." <127277434.20001219145619@sandy.ru> References: <127277434.20001219145619@sandy.ru> Date: Tue, 19 Dec 2000 15:05:00 -0700 
From: Warner Losh Sender: imp@harmony.village.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <127277434.20001219145619@sandy.ru> Vladimir Dubrovin writes: : Does the remote root bug discovered in BSD FTPd under OpenBSD : affects FreeBSD? : : http://www.geocrawler.com/archives/3/254/2000/12/50/4767480/ Not at all. The code was specific to OpenBSD and was written by OpenBSD. We never imported that code. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 14: 9: 7 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:09:03 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 037CD37B400; Tue, 19 Dec 2000 14:09:03 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eBJM91s15755; Tue, 19 Dec 2000 15:09:01 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA03913; Tue, 19 Dec 2000 15:09:01 -0700 (MST) Message-Id: <200012192209.PAA03913@harmony.village.org> To: "Artem Koutchine" Subject: Re: What anti-sniffer measures do i have? Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG In-reply-to: Your message of "Tue, 19 Dec 2000 15:57:12 +0300." <00a101c069bb$36b66da0$0c00a8c0@ipform.ru> References: <00a101c069bb$36b66da0$0c00a8c0@ipform.ru> Date: Tue, 19 Dec 2000 15:09:01 -0700 
From: Warner Losh Sender: imp@harmony.village.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <00a101c069bb$36b66da0$0c00a8c0@ipform.ru> "Artem Koutchine" writes: : So, I really need some ideas on how to disable sniffers on the network which : is a typical 10Mbit ethernet build on a bunch of hubs. It consists of Upgrade to switches, or live with sniffers. Those are your choices. You can reduce the impact of sniffers with encryption. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 14:10:38 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:10:37 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 2A42537B400 for ; Tue, 19 Dec 2000 14:10:36 -0800 (PST) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eBJMAYs15771; Tue, 19 Dec 2000 15:10:35 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA03943; Tue, 19 Dec 2000 15:10:34 -0700 (MST) Message-Id: <200012192210.PAA03943@harmony.village.org> To: cjclark@alum.mit.edu Subject: Re: Read-Only Filesystems Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Tue, 19 Dec 2000 11:49:36 PST." <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> Date: Tue, 19 Dec 2000 15:10:34 -0700 
From: Warner Losh
Sender: imp@harmony.village.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> "Crist J. Clark" writes:
: I was recently playing around with the idea of having a read-only root
: filesystem. However, it has become clear that there is no way to
: prevent root from changing the mount properties on any filesystem,
: including the root filesystem, provided there is no hardware-level
: block on writing and there is someplace (anyplace) where root can
: write.

That is correct. mount -uw / works, even at high security levels.

Warner

From owner-freebsd-security Tue Dec 19 14:11:51 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:11:46 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 54D2C37B400; Tue, 19 Dec 2000 14:11:46 -0800 (PST)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2650.21) id ; Tue, 19 Dec 2000 14:11:45 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02433D@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Warner Losh' , Artem Koutchine
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: RE: What anti-sniffer measures do i have?
Date: Tue, 19 Dec 2000 14:11:44 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C06A08.AC53E6DA"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Although sniffing is still possible over a switched network with some
arp tricks..

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main
Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com
BSD is for people who love Unix - Linux is for people who hate Microsoft

-----Original Message-----
From: Warner Losh [mailto:imp@village.org]
Sent: Tuesday, December 19, 2000 2:09 PM
To: Artem Koutchine
Cc: security@FreeBSD.ORG; questions@FreeBSD.ORG
Subject: Re: What anti-sniffer measures do i have?

In message <00a101c069bb$36b66da0$0c00a8c0@ipform.ru> "Artem Koutchine" writes:
: So, I really need some ideas on how to disable sniffers on the network which
: is a typical 10Mbit ethernet build on a bunch of hubs. It consists of

Upgrade to switches, or live with sniffers. Those are your choices.
You can reduce the impact of sniffers with encryption.

Warner

From owner-freebsd-security Tue Dec 19 14:14: 5 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:14:01 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id BEBA737B400; Tue, 19 Dec 2000 14:14:00 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eBJMDxs15804; Tue, 19 Dec 2000 15:13:59 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA04005; Tue, 19 Dec 2000 15:13:59 -0700 (MST)
Message-Id: <200012192213.PAA04005@harmony.village.org>
To: Jason DiCioccio
Subject: Re: What anti-sniffer measures do i have?
Cc: Artem Koutchine , security@FreeBSD.ORG, questions@FreeBSD.ORG
In-reply-to: Your message of "Tue, 19 Dec 2000 14:11:44 PST." <657B20E93E93D4118F9700D0B73CE3EA02433D@goofy.epylon.lan>
References: <657B20E93E93D4118F9700D0B73CE3EA02433D@goofy.epylon.lan>
Date: Tue, 19 Dec 2000 15:13:59 -0700
From: Warner Losh
Sender: imp@harmony.village.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <657B20E93E93D4118F9700D0B73CE3EA02433D@goofy.epylon.lan> Jason DiCioccio writes:
: Although sniffing is still possible over a switched network with some
: arp tricks..

It depends on the switch... But there may be some man in the middle
attacks that are still possible with switches, but I haven't thought
about it too much.

Warner

From owner-freebsd-security Tue Dec 19 14:23:58 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:23:54 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from kira.epconline.net (kira.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 49E6137B400; Tue, 19 Dec 2000 14:23:53 -0800 (PST)
Received: from therock (betterguard.epconline.net [209.83.132.193]) by kira.epconline.net (8.11.1/8.11.1) with SMTP id eBJMNpe04063; Tue, 19 Dec 2000 16:23:52 -0600 (CST) (envelope-from carock@epconline.net)
From: "Chuck Rock"
To: ,
Subject: RE: What anti-sniffer measures do i have?
Date: Tue, 19 Dec 2000 16:26:13 -0600
Message-ID: <009001c06a0a$b2163170$1805010a@epconline.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
In-Reply-To: <200012192213.PAA04005@harmony.village.org>
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe most switches are Layer 2 which is MAC based. You would have to
know the MAC address of the computer you want to intercept traffic for, and
then your switch would have to give you the packets instead of erroring out
and/or dropping the packets because you can't have two of the same MAC
addresses on the network.

Has anyone actually gotten another's information spoofing MAC addresses?

I don't see how this could work.

Chuck

> -----Original Message-----
> From: imp@harmony.village.org [mailto:imp@harmony.village.org]On Behalf
> Of Warner Losh
> Sent: Tuesday, December 19, 2000 4:14 PM
> To: Jason DiCioccio
> Cc: Artem Koutchine; security@FreeBSD.ORG; questions@FreeBSD.ORG
> Subject: Re: What anti-sniffer measures do i have?
>
>
> In message
> <657B20E93E93D4118F9700D0B73CE3EA02433D@goofy.epylon.lan> Jason
> DiCioccio writes:
> : Although sniffing is still possible over a switched network with some
> : arp tricks..
>
> It depends on the switch... But there may be some man in the middle
> attacks that are still possible with switches, but I haven't thought
> about it too much.
>
> Warner

From owner-freebsd-security Tue Dec 19 14:28:59 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:28:57 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 6895C37B402 for ; Tue, 19 Dec 2000 14:28:57 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 19 Dec 2000 14:27:19 -0800
Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBJMStT26698; Tue, 19 Dec 2000 14:28:55 -0800 (PST) (envelope-from cjc)
Date: Tue, 19 Dec 2000 14:28:55 -0800
From: "Crist J. Clark"
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001219142855.E23819@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <200012192210.PAA03943@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200012192210.PAA03943@harmony.village.org>; from imp@village.org on Tue, Dec 19, 2000 at 03:10:34PM -0700
Sender: cjc@rfx-64-6-211-149.users.reflexcom.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 03:10:34PM -0700, Warner Losh wrote:
> In message <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> "Crist J. Clark" writes:
> : I was recently playing around with the idea of having a read-only root
> : filesystem. However, it has become clear that there is no way to
> : prevent root from changing the mount properties on any filesystem,
> : including the root filesystem, provided there is no hardware-level
> : block on writing and there is someplace (anyplace) where root can
> : write.
>
> That is correct. mount -uw / works, even at high security levels.

You can actually break that (in a dangerous way), but provided there is
any other filesystem not blocked by a hardware-level, read-only block,
you can then work around it.
--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Tue Dec 19 14:33:16 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:33:13 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 2862B37B400; Tue, 19 Dec 2000 14:33:13 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1098) id AE1012B280; Tue, 19 Dec 2000 16:33:12 -0600 (CST)
Date: Tue, 19 Dec 2000 16:33:12 -0600
From: Bill Fumerola
To: Chuck Rock
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: What anti-sniffer measures do i have?
Message-ID: <20001219163312.P72273@elvis.mu.org>
References: <200012192213.PAA04005@harmony.village.org> <009001c06a0a$b2163170$1805010a@epconline.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <009001c06a0a$b2163170$1805010a@epconline.net>; from carock@epconline.net on Tue, Dec 19, 2000 at 04:26:13PM -0600
X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386
Sender: billf@elvis.mu.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 04:26:13PM -0600, Chuck Rock wrote:
> I believe most switches are Layer 2 which is MAC based. You would have to
> know the MAC address of the computer you want to intercept traffic for, and
> then your switch would have to give you the packets instead of erroring out
> and/or dropping the packets because you can't have two of the same MAC
> addresses on the network.
>
> Has anyone actually gotten another's information spoofing MAC addresses?
>
> I don't see how this could work.

Some switches do bad things when one port reports lots (for various
definitions of lots) of MAC addresses behind one port.

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-security Tue Dec 19 14:37:54 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 14:37:50 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from bastion.webex.com (unknown [208.8.81.7]) by hub.freebsd.org (Postfix) with ESMTP id 80AA237B400; Tue, 19 Dec 2000 14:37:50 -0800 (PST)
Received: by unassigned.webex.com with Internet Mail Service (5.5.2653.19) id ; Tue, 19 Dec 2000 14:32:26 -0800
Message-ID: <15418A8C5748D411B03A0050DA649E55DB6E75@mailserv2.webex.com>
From: Jonas Luster
To: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: RE: What anti-sniffer measures do i have?
Date: Tue, 19 Dec 2000 14:37:48 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I believe most switches are Layer 2 which is MAC based. You would have to
> know the MAC address of the computer you want to intercept traffic for, and
> then your switch would have to give you the packets instead of erroring out
> and/or dropping the packets because you can't have two of the same MAC
> addresses on the network.

Well, there's MAC/ARP-proxying which allows pretty sophisticated
man-in-the-middles and quite a few of the more common switches fall back
into hub mode when you flood them with bogus ARP entries. dsniff
(ports/security) facilitates those attacks. Switches aren't much more
secure than hubs; it's more a design and speed issue than a security
thingie to have 'em in your network.

jonas

From owner-freebsd-security Tue Dec 19 17:33:36 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 17:33:33 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from crag.niss.com (niss.com [169.207.33.46]) by hub.freebsd.org (Postfix) with ESMTP id E452E37B400 for ; Tue, 19 Dec 2000 17:33:32 -0800 (PST)
Received: from crag.niss.com (localhost.niss.com [127.0.0.1]) by crag.niss.com (8.9.3/8.9.3) with ESMTP id TAA83848; Tue, 19 Dec 2000 19:32:59 -0600 (CST) (envelope-from lists+freebsd-security@niss.com)
Message-Id: <200012200132.TAA83848@crag.niss.com>
From: lists+freebsd-security@niss.com
To: Garrett Wollman
Cc: Guy Helmer , freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <83845.977275979.1@crag.niss.com>
Date: Tue, 19 Dec 2000 19:32:59 -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I used to post-process the mtree specification and remove all time=value
settings for directories. However, for items such as /dev/tty, that's not
enough. In that case, the mode and other attributes change as well.

A few days ago I modified mtree to accept the syntax of "keyword=*". The
star indicates that the value for that keyword should be cleared, even if
it was set using the "/set keyword=default" directive. I still post-process
the output to allow for known changes, but this feature makes it a much
simpler task.

The patch to mtree from 4.2 is included below.

Scott

P.S. If someone with commit privileges could add this I would appreciate it.

On Tue, 19 Dec 2000 15:19:48 -0500 (EST), Garrett Wollman wrote:
>
> You'd probably find that to be rather difficult and tedious, and
> there's no reason to do such a comparison by hand since that function
> is built in to mtree. Just do `mtree -d /mnt/foo -f /rdonly/foo.mtree'.
>
> After setting up a new system for the first time, I recommend doing a:
>
> mtree -c -i -x -p /file/system -k \
> size,flags,gid,md5digest,sha1digest,ripemd160digest,mode,nlink,uid,link,time
>
> for every filesystem. You might well want to use an excludes file
> for directories containing files which are very likely to change.
For > example, a quick test showed me: > > .: modification time (Tue Dec 19 15:10:20 2000, Tue Dec 19 15:11:34 2000) > dev/ttyp1: > modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000) > dev/ptyp1: > modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000) > dev/ttyp2: > modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000) > dev/null: > modification time (Tue Dec 19 15:05:54 2000, Tue Dec 19 15:11:03 2000) > tmp: modification time (Tue Dec 19 15:10:01 2000, Tue Dec 19 15:15:23 2000) diff -ru mtree-4.2/mtree.8 mtree-4.2+/mtree.8 --- mtree-4.2/mtree.8 Fri Jun 30 04:54:06 2000 +++ mtree-4.2+/mtree.8 Sat Dec 16 19:08:18 2000 @@ -136,7 +136,8 @@ Specifications are mostly composed of ``keywords'', i.e. strings that that specify values relating to files. No keywords have default values, and if a keyword has no value set, no -checks based on it are performed. +checks based on it are performed. If the value is ``*'', then any default +value for that keyword is cleared. .Pp Currently supported keywords are as follows: .Bl -tag -width Cm diff -ru mtree-4.2/spec.c mtree-4.2+/spec.c --- mtree-4.2/spec.c Tue Jun 27 21:33:17 2000 +++ mtree-4.2+/spec.c Sat Dec 16 19:08:12 2000 
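Review bot: the new man-page sentence says a value of ``*'' clears "any default value for that keyword", but the spec.c side of this patch drops the keyword from the entry currently being parsed, so the text should say that the keyword is cleared for that entry (including a value it inherited from a preceding /set) and that later entries are not affected; as written it also sits oddly directly after "No keywords have default values". Suggested wording for the two added lines: `+checks based on it are performed. A value of ``*'' clears the keyword for the` / `+current entry, overriding any value inherited from a preceding /set line.` The context lines "strings that" / "that specify" carry a doubled "that" that could be fixed in the same hunk.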
@@ -186,6 +186,10 @@ ip->flags |= type = parsekey(kw, &value); if (value && (val = strtok(NULL, " \t\n")) == NULL) errx(1, "line %d: missing value", lineno); + if (strcmp("*", val) == 0) { + ip->flags &= ~type; + continue; + } switch(type) { case F_CKSUM: ip->cksum = strtoul(val, &ep, 10); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 18:28:49 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 18:28:45 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f231.pav1.hotmail.com [64.4.31.231]) by hub.freebsd.org (Postfix) with ESMTP id 0E66937B400; Tue, 19 Dec 2000 18:28:45 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 19 Dec 2000 18:28:44 -0800 Received: from 203.150.154.5 by pv1fd.pav1.hotmail.msn.com with HTTP; Wed, 20 Dec 2000 02:28:44 GMT X-Originating-IP: [203.150.154.5] 
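Review bot: the added `strcmp("*", val)` runs for every keyword, but the line above it only assigns `val` when `value` is set, so for a keyword that is parsed without a value (`value == 0`) the comparison reads whatever `val` held from an earlier keyword, or nothing defined at all. Guard it the way the surrounding line does: `+ if (value && strcmp(val, "*") == 0) {`. The `continue` itself is fine here, since the enclosing for-loop's increment still runs and strtok carries on with the rest of the line. One consequence worth a sentence in mtree.8: a literal `*` can no longer be given as the value of any keyword (a link target or uname of `*`, for instance).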
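Garrett's baseline-then-verify recipe and Scott's point that known noise (directory modification times, device nodes) has to be cleared per entry, as an added example. This is not mtree and not code from either post: it is a Python stand-in that records mtree-like keywords per path, verifies a live tree against a saved spec with an excludes list, and lets individual keywords be cleared for one entry the way his `keyword=*` does. The toy tree, file names and tampering in `demo()` are constructed for illustration; on a FreeBSD box the real tool is mtree(8) as described above.

```python
"""mtree-style baseline and verification (added example; a Python stand-in
for the mtree -c / mtree -f workflow described in the post, not mtree itself).
Paths and file contents in demo() are constructed for illustration."""
import hashlib
import os
import shutil
import stat
import tempfile


def _excluded(rel, excludes):
    # excludes are relative path prefixes, like the entries of an mtree -X file
    return any(rel == e or rel.startswith(e + "/") for e in excludes)


def _entry(path):
    """Record the keywords for one path (lstat: symlinks are described, not followed)."""
    st = os.lstat(path)
    m = st.st_mode
    rec = {"type": "dir" if stat.S_ISDIR(m) else "link" if stat.S_ISLNK(m) else "file",
           "size": st.st_size, "mode": oct(stat.S_IMODE(m)), "uid": st.st_uid,
           "gid": st.st_gid, "nlink": st.st_nlink, "time": int(st.st_mtime)}
    if rec["type"] == "link":
        rec["link"] = os.readlink(path)          # target string, like mtree's link=
    elif rec["type"] == "file":
        h = hashlib.sha1()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha1digest"] = h.hexdigest()        # one digest stands in for md5/sha1/ripemd160
    return rec


def build_spec(root, excludes=()):
    """Walk root (like mtree -c -p root) and return {relative path: keywords}."""
    spec = {".": _entry(root)}
    todo = [""]
    while todo:
        rel = todo.pop()
        for de in os.scandir(os.path.join(root, rel)):
            p = os.path.join(rel, de.name) if rel else de.name
            if _excluded(p, excludes):
                continue
            spec[p] = _entry(os.path.join(root, p))
            if de.is_dir(follow_symlinks=False):
                todo.append(p)
    return spec


def verify(spec, root, excludes=(), ignore=None):
    """Compare the live tree with a saved spec (like mtree -f spec -p root).
    ignore maps a path to the keywords not to check for that entry, so that
    known noise (directory mtimes, device nodes) does not drown real changes.
    Returns sorted (path, keyword, expected, actual) tuples; keyword is
    'missing' or 'extra' for entries present on only one side."""
    ignore = ignore or {}
    live = build_spec(root, excludes)
    problems = []
    for p, want in spec.items():
        have = live.get(p)
        if have is None:
            problems.append((p, "missing", None, None))
            continue
        for k, v in want.items():
            if k not in ignore.get(p, ()) and have.get(k) != v:
                problems.append((p, k, v, have.get(k)))
    problems += [(p, "extra", None, None) for p in live if p not in spec]
    return sorted(problems)


def _write(root, rel, data, mode):
    path = os.path.join(root, rel)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a toy system tree, tamper with it, verify."""
    root = tempfile.mkdtemp(prefix="mtree-demo-")
    try:
        for d in ("bin", "etc", "lib", "tmp"):
            os.mkdir(os.path.join(root, d))
        _write(root, "bin/ls", b"ls v1", 0o755)
        _write(root, "etc/rc.conf", b'sshd_enable="YES"\n', 0o644)
        _write(root, "lib/libc.so.5", b"libc", 0o444)
        os.symlink("libc.so.5", os.path.join(root, "lib/libc.so"))
        excludes = ("tmp",)                     # the churny directory from the post
        baseline = build_spec(root, excludes)
        # directory mtimes change whenever an entry is added or removed, so
        # clear the time keyword for directory entries only (keyword=* per entry)
        ignore = {p: {"time"} for p, r in baseline.items() if r["type"] == "dir"}
        # "later": a replaced binary, a loosened config, a redirected library
        # symlink, a new file in a system directory, and harmless churn in tmp
        _write(root, "bin/ls", b"ls v2 (replaced)", 0o755)
        os.chmod(os.path.join(root, "etc/rc.conf"), 0o666)
        os.remove(os.path.join(root, "lib/libc.so"))
        os.symlink("libother.so", os.path.join(root, "lib/libc.so"))
        _write(root, "bin/extra", b"new", 0o755)
        _write(root, "tmp/scratch", b"x", 0o644)
        return verify(baseline, root, excludes, ignore)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for p, k, want, have in demo():
        print(f"{p}: {k} ({want!r} -> {have!r})")
```

The spec is only worth anything if an intruder cannot rewrite it along with the binaries, which is why Garrett reads his from `/rdonly/`; the same goes for the verifier itself, so keep both (and a known-good `mtree`) on media the running system cannot write.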
From: "Mick Nicila" To: matrix@ipform.ru Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG Subject: Re: What anti-sniffer measures do i have? (fwd) Date: Wed, 20 Dec 2000 09:28:44 +0700 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 20 Dec 2000 02:28:44.0899 (UTC) FILETIME=[93504330:01C06A2C] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Check this site. http://www.l0pht.com/antisniff/ >I am interested in knowing all kinds of solutions to the sniffer problem: >software (preffered) or hardware. I'd like some more generic solution, >which >do not require any changed in the existing software configuration and allow >the same functionality as we use now (broadcast can be screwed). > >Help! > >Regards, >Artem > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 19 20:15:36 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 20:15:32 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from firefly.prairienet.org (firefly.prairienet.org [192.17.3.3]) by hub.freebsd.org (Postfix) with ESMTP id 2C76937B400; Tue, 19 Dec 2000 20:15:32 -0800 (PST) Received: from sherman.spotnet.org (slip-49.prairienet.org [192.17.3.69]) by firefly.prairienet.org (8.9.3/8.9.3) with ESMTP id WAA22780; Tue, 19 Dec 2000 22:15:23 -0600 (CST) Date: Tue, 19 Dec 2000 22:15:18 -0600 (CST) 
From: David Talkington
X-Sender:
To: Chuck Rock
Cc: ,
Subject: RE: What anti-sniffer measures do i have?
In-Reply-To: <009001c06a0a$b2163170$1805010a@epconline.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Chuck Rock wrote:
>I believe most switches are Layer 2 which is MAC based. You would have to
>know the MAC address of the computer you want to intercept traffic for, and
>then your switch would have to give you the packets instead of erroring out
>and/or dropping the packets because you can't have two of the same MAC
>addresses on the network.
>
>Has anyone actually gotten another's information spoofing MAC addresses?
>I don't see how this could work.

Play around with dsniff. On my test network at home, with two
workstations (A and B) and a gateway router (C) on a 10/100 switch,
I've been able to convince A that B was its router, and view A's
traffic before sending it on to C. A putters away, and never even
knows B is there. It's kinda scary.

Far as I know, hard-coding an arp table is the only way to prevent
that sort of thing ... someone please correct me if I'm wrong?

-d

From owner-freebsd-security Tue Dec 19 20:49:43 2000
From owner-freebsd-security@FreeBSD.ORG Tue Dec 19 20:49:40 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id BDA1E37B400 for ; Tue, 19 Dec 2000 20:49:39 -0800 (PST)
Received: (qmail 5333 invoked by uid 1000); 20 Dec 2000 04:49:33 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Dec 2000 04:49:33 -0000
Date: Tue, 19 Dec 2000 22:49:33 -0600 (CST)
From: Mike Silbersack
To: David Talkington
Cc: Chuck Rock
Subject: RE: What anti-sniffer measures do i have?

On Tue, 19 Dec 2000, David Talkington wrote:

> Play around with dsniff. On my test network at home, with two
> workstations (A and B) and a gateway router (C) on a 10/100 switch,
> I've been able to convince A that B was its router, and view A's
> traffic before sending it on to C. A putters away, and never even
> knows B is there. It's kinda scary.
>
> Far as I know, hard-coding an arp table is the only way to prevent
> that sort of thing ... someone please correct me if I'm wrong?
>
> -d

Out of curiosity, could you run arpwatch on one of the workstations
(preferably D, not one of the involved) and see if it detects the arp
oddity?

Mike "Silby" Silbersack

From owner-freebsd-security Tue Dec 19 21:15:30 2000
Date: Tue, 19 Dec 2000 21:16:42 -0800
From: Kris Kennaway
To: Alfred Perlstein
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001219211642.D13474@citusc.usc.edu>
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net>
In-Reply-To: <20001219120953.S19572@fw.wintelcom.net>

On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
> * Crist J. Clark [001219 11:50] wrote:
> > I was recently playing around with the idea of having a read-only root
> > filesystem. However, it has become clear that there is no way to
> > prevent root from changing the mount properties on any filesystem,
> > including the root filesystem, provided there is no hardware-level
> > block on writing and there is someplace (anyplace) where root can
> > write.
> >
> > Is that accurate? I guess one must go to a "trusted OS" to get that
> > type of functionality?
>
> You can trust freebsd. :)
>
> do some research on "securelevel"

I don't believe mounting or remounting is denied by any securelevel... I
raised this a few months ago but the consensus seemed to be that
securelevel was too broken by design and the real fix was MAC, which
is coming with TrustedBSD.

Kris

From owner-freebsd-security Tue Dec 19 21:17:53 2000
Date: Tue, 19 Dec 2000 21:18:57 -0800
From: Kris Kennaway
To: Chris Faulhaber
Cc: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG
Subject: Re: Any basic things to patch up?
Message-ID: <20001219211857.E13474@citusc.usc.edu>
References: <20001219152230.C20951@peitho.fxp.org>
In-Reply-To: <20001219152230.C20951@peitho.fxp.org>

On Tue, Dec 19, 2000 at 03:22:30PM -0500, Chris Faulhaber wrote:
> On Tue, Dec 19, 2000 at 03:18:47PM -0500, Jonathan M. Slivko wrote:
> > Can someone please send me or point me to a list of common things that need
> > to get patched? I just want to make sure that I have everything on my system
> > all patched up. Thanks. -- Jonathan M. Slivko
> >
>
> First places to check:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/
>
> which may lag behind:

Actually the FTP site should always be up to date... I upload the
advisories at the same time I release them. It may take some extra time
to appear on the website though since that's an extra edit/commit
operation.

Kris

From owner-freebsd-security Tue Dec 19 21:51:02 2000
Date: Tue, 19 Dec 2000 21:50:58 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001219215057.F19572@fw.wintelcom.net>
References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu>
In-Reply-To: <20001219211642.D13474@citusc.usc.edu>

* Kris Kennaway [001219 21:15] wrote:
> On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
> > * Crist J. Clark [001219 11:50] wrote:
> > > I was recently playing around with the idea of having a read-only root
> > > filesystem. However, it has become clear that there is no way to
> > > prevent root from changing the mount properties on any filesystem,
> > > including the root filesystem, provided there is no hardware-level
> > > block on writing and there is someplace (anyplace) where root can
> > > write.
> > >
> > > Is that accurate? I guess one must go to a "trusted OS" to get that
> > > type of functionality?
> >
> > You can trust freebsd. :)
> >
> > do some research on "securelevel"
>
> I don't believe mounting or remounting is denied by any securelevel..I
> raised this a few months ago but the consensus seemed to be that
> securelevel was too broken by design and the real fix was MAC, which
> is coming with TrustedBSD.

I don't see the problem with fixing securelevel in that aspect since
the securelevel is raised late in the boot process, after the fs's
are mounted. No?

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Wed Dec 20 01:39:10 2000
From: Dag-Erling Smorgrav
To: Mikhail Kruk
Cc: Kris Kennaway, Mike Tancsa
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Date: 20 Dec 2000 10:39:01 +0100
In-Reply-To: Mikhail Kruk's message of "Tue, 19 Dec 2000 13:45:01 -0500 (EST)"
X-URL: http://www.ofug.org/~des/

Mikhail Kruk writes:
> see your previous e-mail :) I was talking about things you lose when you
> umount procfs

I am very well aware of that.

> Apparently Star office uses FreeBSD procfs, not linprocfs (not sure how).

If linprocfs is mounted on /compat/linux/proc, StarOffice *will* use it,
as it will appear to StarOffice to be mounted on top of procfs in /proc.

The -STABLE version of linprocfs does not support cmdline, as this is
normally provided by procfs, so Linux applications that use cmdline will
not work without procfs. The -CURRENT version of linprocfs does support
cmdline.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Dec 20 03:41:10 2000
From: Fernando Schapachnik
Message-Id: <200012201139.IAA43729@ns1.via-net-works.net.ar>
Subject: Re: security levels for sysinstall
In-Reply-To: <20001219195717.A27171@dogma.freebsd-uk.eu.org> "from j mckitrick at Dec 19, 2000 07:57:18 pm"
To: j mckitrick
Date: Wed, 20 Dec 2000 08:39:41 -0300 (ART)
Cc: security@FreeBSD.ORG

In an earlier message, j mckitrick wrote:
>
> I apologize in advance if this is the wrong place to ask this question, but
> questions- didn't offer any help after several tries.
>
> I would like to see exactly what each of the security profiles in sysinstall
> does. I will install FreeBSD on a laptop with a dialup connection, and I
> don't want to have to worry about security when I am connected. I will set
> up the same ipfw firewall as I have now. I would also like icq and similar
> toys to work okay, but I will not be running any services on my machine.

It seems you want to select medium and comment everything from inetd.conf.
High kind of does this, but also raises the securelevel (man init).

Regards.

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Wed Dec 20 04:24:35 2000
Date: Wed, 20 Dec 2000 13:23:25 +0100 (MET)
From: "Vladimir Mencl, MK, susSED"
To: David Talkington
Cc: Chuck Rock
Subject: RE: What anti-sniffer measures do i have?

On Tue, 19 Dec 2000, David Talkington wrote:

> Far as I know, hard-coding an arp table is the only way to prevent
> that sort of thing ... someone please correct me if I'm wrong?

Hardcoding the ARP table both in the switch and in every computer "to be
protected" in the network. Every computer would have to know both the IP
and ethernet address of at least the router, the nameserver and all
computers it connects to.

Will it be enough?

...putting the switch into a mode like "use only-and-only this hardcoded
arp-table"....

Vladimir Mencl

From owner-freebsd-security Wed Dec 20 04:28:02 2000
Message-ID: <006501c06a80$42ec1460$0c00a8c0@ipform.ru>
From: "Artem Koutchine"
To: "Jonas Luster"
References: <15418A8C5748D411B03A0050DA649E55DB6E75@mailserv2.webex.com>
Subject: Re: What anti-sniffer measures do i have?
Date: Wed, 20 Dec 2000 15:27:41 +0300
Organization: IP Form

Hello again!

Well, i am depressed now :( The issue is even worse than i thought
at first. So, SHOULD I upgrade to switches? Will they REALLY help?

Or should i build a simple FreeBSD router for each branch of the tree
with a bunch of ethernet cards. For example. In a room with 8 computers i
will install a Pentium MMX with 8 PCI slots and 8 network cards and route
pure IP, no MAC addressing (i don't need an ipx router or anything, just ip).

Are there relatively cheap switches which do the same? Is it even a solution?

----- Original Message -----
From: "Jonas Luster"
Sent: Wednesday, December 20, 2000 1:37 AM
Subject: RE: What anti-sniffer measures do i have?

> > I believe most switches are Layer 2 which is MAC based. You would
> > have to know the MAC address of the computer you want to intercept
> > traffic for, and then your switch would have to give you the packets
> > instead of erroring out and or dropping the packets because you can't
> > have two of the same MAC addresses on the network.
>
> Well, there's MAC/ARP-proxying which allows pretty sophisticated
> man-in-the-middles and quite a few of the more common switches fall
> back into Hub-Mode when you flood them with bogus ARP-entries.
> dsniff (ports/security) facilitates those attacks.
>
> Switches aren't much more secure than hubs, it's more a design- and
> speed-issue than a security-thingie to have 'em in your network.
>
> jonas

From owner-freebsd-security Wed Dec 20 04:31:16 2000
Message-ID: <007001c06a80$9fac4800$0c00a8c0@ipform.ru>
From: "Artem Koutchine"
To: "Vladimir Mencl, MK, susSED", "David Talkington"
Cc: "Chuck Rock"
Subject: Re: What anti-sniffer measures do i have?
Date: Wed, 20 Dec 2000 15:30:19 +0300
Organization: IP Form

N/A for windows. Only for UNIX. So, not usable in heterogeneous networks.

----- Original Message -----
From: "Vladimir Mencl, MK, susSED"
To: "David Talkington"
Cc: "Chuck Rock"
Sent: Wednesday, December 20, 2000 3:23 PM
Subject: RE: What anti-sniffer measures do i have?

> On Tue, 19 Dec 2000, David Talkington wrote:
>
> > Far as I know, hard-coding an arp table is the only way to prevent
> > that sort of thing ... someone please correct me if I'm wrong?
>
> Hardcoding the ARP table both in the switch and in every computer "to be
> protected" in the network. Every computer would have to know both IP and
> ethernet address of at least the router, the nameserver and all
> computers it connects to.
>
> Will it be enough?
>
> ...putting the switch into a mode like "use only-and-only this hardcoded
> arp-table"....
>
> Vladimir Mencl

From owner-freebsd-security Wed Dec 20 05:02:07 2000
Date: Wed, 20 Dec 2000 14:57:42 +0200 (EET)
From: Dmitry Galyant
To: Artem Koutchine
Cc: Jonas Luster, security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: What anti-sniffer measures do i have?
In-Reply-To: <006501c06a80$42ec1460$0c00a8c0@ipform.ru>

On Wed, 20 Dec 2000, Artem Koutchine wrote:

> Hello again!
>
> Well, i am depressed now :( The issue is even worse than i thought
> at first. So, SHOULD I upgrade to switches? Will they REALLY help?
>
> Or should i build a simple FreeBSD router for each branch of the tree
> with a bunch of ethernet cards. For example. In a room with 8 computers i
> will install a Pentium MMX with 8 PCI slots and 8 network cards and route
> pure IP, no MAC addressing (i don't need an ipx router or anything, just ip).

and don't forget to give a root shell to these 8 men ;-)
a switch has no shell - imho it's a better way.

> Are there relatively cheap switches which do the same? Is it even a solution?
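An added example for the thread above, not code from any of the posters: an arpwatch-style monitor of the kind Mike Silbersack proposes running on an uninvolved workstation D, replayed over a constructed sequence of ARP replies for David Talkington's A/B/C setup. It raises the "changed ethernet address" and "flip flop" events arpwatch reports when B starts answering for the router, checks every reply against the hard-coded IP-to-MAC table David and Vladimir Mencl discuss, and lists any MAC that is currently bound to more than one IP. All addresses are constructed.

```python
"""arpwatch-style ARP monitor for the A/B/C scenario in this thread.
Added example, not any poster's code; all addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply ('ip is-at mac') seen at time t (seconds)."""
    t: int
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    kind: str            # new-station | changed-ethernet-address | flip-flop | static-mismatch
    ip: str
    old_mac: Optional[str]
    new_mac: str
    t: int


class ArpWatcher:
    """Tracks IP -> MAC bindings the way arpwatch does and records an alert on
    every change; optionally checks replies against a hard-coded ARP table."""

    def __init__(self, static_table: Optional[Dict[str, str]] = None) -> None:
        self.static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
        self.db: Dict[str, str] = {}                   # current binding per IP
        self.seen: Dict[str, set] = defaultdict(set)   # every MAC ever seen per IP
        self.alerts: List[Alert] = []

    def observe(self, r: ArpReply) -> None:
        mac = r.mac.lower()
        # A hard-coded entry is the ground truth: a reply that disagrees with it
        # is either a spoofing attempt or a misconfiguration, and is flagged first.
        if r.ip in self.static and self.static[r.ip] != mac:
            self.alerts.append(Alert("static-mismatch", r.ip, self.static[r.ip], mac, r.t))
        prev = self.db.get(r.ip)
        if prev is None:
            self.alerts.append(Alert("new-station", r.ip, None, mac, r.t))
        elif prev != mac:
            # arpwatch distinguishes a first-time change from a return to an
            # address seen earlier ("flip flop"); the latter is what a spoofed
            # gateway produces when the real router's replies interleave with B's.
            kind = "flip-flop" if mac in self.seen[r.ip] else "changed-ethernet-address"
            self.alerts.append(Alert(kind, r.ip, prev, mac, r.t))
        self.db[r.ip] = mac
        self.seen[r.ip].add(mac)

    def shared_macs(self) -> Dict[str, List[str]]:
        """MACs currently bound to more than one IP: a host answering ARP for
        the router's IP as well as its own shows up here."""
        by_mac: Dict[str, set] = defaultdict(set)
        for ip, mac in self.db.items():
            by_mac[mac].add(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


# Constructed addresses for workstations A and B and gateway router C.
GATEWAY_IP, A_IP, B_IP = "10.0.0.1", "10.0.0.10", "10.0.0.20"
C_MAC, A_MAC, B_MAC = "00:00:0c:11:22:33", "00:a0:c9:aa:aa:aa", "00:a0:c9:bb:bb:bb"

# Hard-coded table: pinning only the router already catches this scenario.
STATIC_TABLE = {GATEWAY_IP: C_MAC}

# Constructed capture: normal traffic, then B starts answering for the router.
SAMPLE_REPLIES = [
    ArpReply(0, GATEWAY_IP, C_MAC),
    ArpReply(1, A_IP, A_MAC),
    ArpReply(2, B_IP, B_MAC),
    ArpReply(10, GATEWAY_IP, B_MAC),   # B claims the router's IP
    ArpReply(11, GATEWAY_IP, C_MAC),   # the real router answers again
    ArpReply(12, GATEWAY_IP, B_MAC),   # B re-poisons the binding
]


def analyse(replies: List[ArpReply], static_table: Dict[str, str]) -> ArpWatcher:
    """Replay the captured replies in time order through a watcher and return it."""
    w = ArpWatcher(static_table)
    for r in sorted(replies, key=lambda x: x.t):
        w.observe(r)
    return w


if __name__ == "__main__":
    w = analyse(SAMPLE_REPLIES, STATIC_TABLE)
    for a in w.alerts:
        print(f"t={a.t:>3} {a.kind:<25} {a.ip} {a.old_mac} -> {a.new_mac}")
    print("MACs answering for several IPs:", w.shared_macs())
```

On the sample capture the router's IP produces one changed-ethernet-address event followed by flip-flops, each spoofed reply also trips the static-table check, and B's MAC ends up bound to both its own IP and the router's.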
From owner-freebsd-security Wed Dec 20 05:06:40 2000
From: Peter Ross
Message-Id: <200012201306.OAA00816@pps.de>
Subject: Re: FTP and firewall
In-Reply-To: <200012191138.MAA26842@jung9.pps.de> from Peter Ross at "Dec 19, 2000 12:38:58 pm"
To: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Dec 2000 14:06:34 +0100 (CET)

Hello,

I'm listening here and hope for answers. Sorry for my English. My girlfriend
made some remarks..

I found these mails discussing the same problem:

( http://docs.freebsd.org/mail/archive/2000/freebsd-security/20000402.freebsd-security.html )

Paul Hart wrote:

> On Wed, 29 Mar 2000, Alan Batie wrote:
>
> > To do active mode ftp properly, ipfw would need to parse the contents
> > of the packets on the ftp control channel and dynamically allow the
> > corresponding incoming connection. There's no indication that this
> > parsing capability is present.
>
> I know we're talking about IPFW here, but hasn't IP Filter (also included
> with FreeBSD) been supporting this very operation for quite a while now?

I checked the man page again but I can't see it.

And Fernando Schapachnik wrote:

> What I have done is to configure FTPd to use ports between 40000 and
> 44999 (wu-ftpd allows it to be done easily; don't know others) and then:

> allow tcp from any to my_ip 40000-44999 in setup

> It's not the best, but still better than nothing.

But what's the best?

Peter Ross

From owner-freebsd-security Wed Dec 20 05:23:43 2000
From: Fernando Schapachnik
Message-Id: <200012201323.KAA95716@ns1.via-net-works.net.ar>
Subject: Re: FTP and firewall
In-Reply-To: <200012201306.OAA00816@pps.de> "from Peter Ross at Dec 20, 2000 02:06:34 pm"
To: Peter Ross
Date: Wed, 20 Dec 2000 10:23:41 -0300 (ART)
Cc: freebsd-security@FreeBSD.ORG

man ipf, and check:

http://www.obfuscation.org/ipf/ipf-howto.txt

ipfilter can do this in a much safer way than what I suggested there.

Regards.

In an earlier message, Peter Ross wrote:
> Hello,
>
> I'm listening here and hope for answers. Sorry for my English. My girlfriend
> made some remarks..
>
> I found these mails discussing the same problem:
>
> ( http://docs.freebsd.org/mail/archive/2000/freebsd-security/20000402.freebsd-security.html )
>
> Paul Hart wrote:
>
> > On Wed, 29 Mar 2000, Alan Batie wrote:
> >
> > > To do active mode ftp properly, ipfw would need to parse the contents
> > > of the packets on the ftp control channel and dynamically allow the
> > > corresponding incoming connection. There's no indication that this
> > > parsing capability is present.
> >
> > I know we're talking about IPFW here, but hasn't IP Filter (also included
> > with FreeBSD) been supporting this very operation for quite a while now?
>
> I checked the man page again but I can't see it.
>
> And Fernando Schapachnik wrote:
>
> > What I have done is to configure FTPd to use ports between 40000 and
> > 44999 (wu-ftpd allows it to be done easily; don't know others) and then:
>
> > allow tcp from any to my_ip 40000-44999 in setup
>
> > It's not the best, but still better than nothing.
>
> But what's the best?
>
> Peter Ross

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Wed Dec 20 06:29:11 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:78.bitchx
Reply-To: security-advisories@freebsd.org
Message-Id: <20001220142854.6BE3137B400@hub.freebsd.org>
Date: Wed, 20 Dec 2000 06:28:54 -0800 (PST)

=============================================================================
FreeBSD-SA-00:78                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          bitchx allows remote code execution

Category:       ports
Module:         bitchx
Announced:      2000-12-20
Credits:        nimrood
Affects:        Ports collection prior to the correction date.
Corrected:      2000-12-12
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

bitchx is a popular IRC client.

II.  Problem Description

The bitchx port, versions prior to 1.0c17_1, contains a remote
vulnerability. Through a stack overflow in the DNS parsing code, a
malicious remote user in control of their reverse DNS records may crash
a bitchx session, or cause arbitrary code to be executed by the user
running bitchx.

The bitchx port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
4200 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem
since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Malicious remote users may execute arbitrary code as the user running
bitchx.

If you have not chosen to install the bitchx port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the bitchx port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the bitchx port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/BitchX-1.0c17_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/BitchX-1.0c17_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/BitchX-1.0c17_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/BitchX-1.0c17_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/BitchX-1.0c17_1.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the bitchx port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Wed Dec 20 06:41:23 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:79:oops
Reply-To: security-advisories@freebsd.org
Message-Id: <20001220144100.4B3B637B400@hub.freebsd.org>
Date: Wed, 20 Dec 2000 06:41:00 -0800 (PST)

=============================================================================
FreeBSD-SA-00:79                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          oops allows remote code execution

Category:       ports
Module:         oops
Announced:      2000-12-20
Credits:        |CyRaX|
Affects:        Ports collection prior to the correction date.
Corrected:      2000-12-14
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

oops is a caching WWW proxy server.

II.  Problem Description

The oops port, versions prior to 1.5.2, contains remote vulnerabilities
through buffer and stack overflows in the HTML parsing code. These
vulnerabilities may allow remote users to execute arbitrary code as the
user running oops.

The oops port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
4200 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem
since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Malicious remote users may execute arbitrary code as the user running
oops.

If you have not chosen to install the oops port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the oops port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the oops port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/oops-1.5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/oops-1.5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/oops-1.5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/oops-1.5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/oops-1.5.2.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the oops port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Wed Dec 20 07:02:41 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:80.halflifeserver
Reply-To: security-advisories@freebsd.org
Message-Id: <20001220150223.F1B4937B400@hub.freebsd.org>
Date: Wed, 20 Dec 2000 07:02:23 -0800 (PST)

=============================================================================
FreeBSD-SA-00:80                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          halflifeserver allows remote code execution

Category:       ports
Module:         halflifeserver
Announced:      2000-12-20
Credits:        Mark Cooper
Affects:        Ports collection prior to the correction date.
Corrected:      2000-11-29
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

halflifeserver is a dedicated server for hosting Half-Life games.

II.  Problem Description

The halflifeserver port, versions prior to 3.1.0.4, contains local and
remote vulnerabilities through buffer overflows and format string
vulnerabilities. These vulnerabilities may allow remote users to execute
arbitrary code as the user running halflifeserver.

The halflifeserver port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4200 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain
this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Malicious remote users may execute arbitrary code as the user running
the halflifeserver software.

If you have not chosen to install the halflifeserver port/package, then
your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the halflifeserver port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the halflifeserver
port.

2) Download a new port skeleton for the halflifeserver port from:

http://www.freebsd.org/ports/

and use it to rebuild the port. Due to license restrictions no binary
package is provided for the halflifeserver port.

3) Use the portcheckout utility to automate option (2) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 07:27:05 2000
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:81.ethereal
Reply-To: security-advisories@freebsd.org
Message-Id: <20001220152659.4B36B37B404@hub.freebsd.org>
Date: Wed, 20 Dec 2000 07:26:59 -0800 (PST)

=============================================================================
FreeBSD-SA-00:81                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ethereal allows remote code execution

Category:       ports
Module:         ethereal
Announced:      2000-12-20
Credits:        mat@hacksware.com
Affects:        Ports collection prior to the correction date.
Corrected:      2000-11-21
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

ethereal is a tool for monitoring network activity.

II.  Problem Description

The ethereal port, versions prior to 0.8.14, contains buffer overflows
which allow a remote attacker to crash ethereal or execute arbitrary
code on the local system as the user running ethereal, typically the
root user. These vulnerabilities are identical to those described in
advisory 00:61 relating to tcpdump.

The ethereal port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4200 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 are
vulnerable to this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Remote users can cause the local ethereal process to crash, or to
execute arbitrary code as the user running ethereal (usually root).

IV.  Workaround

Do not use vulnerable versions of ethereal in network environments which
may contain packets from untrusted sources.

Deinstall the ethereal port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ethereal port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ethereal-0.8.14.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ethereal-0.8.14.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ethereal-0.8.14.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ethereal-0.8.14.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ethereal-0.8.14.tgz

3) Download a new port skeleton for the ethereal port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
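The three advisories above each say "versions prior to X" is affected. The following is an added example (not part of the advisories and not a FreeBSD tool) that checks a pkg_info-style package list against those fixed versions; the pkg_info output is constructed, and the name-version split at the last hyphen is an assumption about package naming.

```python
"""Flag installed packages covered by FreeBSD-SA-00:79, 00:80 and 00:81.

Added example; not part of the advisories and not a FreeBSD tool. The
fixed versions are the ones the advisories state ("versions prior to X"
is affected); the pkg_info output below is constructed for the demo.
"""
import re

# Fixed versions taken from the three advisories: anything older is affected.
ADVISORIES = {
    "oops": ("FreeBSD-SA-00:79", "1.5.2"),
    "halflifeserver": ("FreeBSD-SA-00:80", "3.1.0.4"),
    "ethereal": ("FreeBSD-SA-00:81", "0.8.14"),
}

# Constructed sample in the shape of `pkg_info` output:
# "<name>-<version>  <one-line comment>" per installed package.
SAMPLE_PKG_INFO = """\
ethereal-0.8.9          A network protocol analyzer
halflifeserver-3.1.0.4  Dedicated server for Half-Life games
oops-1.5.1              A caching WWW proxy server
portcheckout-2.0        Checks out and builds a port skeleton
"""


def split_pkgname(pkgname):
    """Split 'name-1.2.3' into ('name', '1.2.3').

    Port names may contain hyphens themselves, so the split is at the
    last hyphen that is followed by a digit (assumed package naming).
    """
    m = re.match(r"^(.+)-(\d[^-\s]*)$", pkgname)
    if not m:
        raise ValueError("not a name-version pair: %r" % pkgname)
    return m.group(1), m.group(2)


def version_key(version):
    """Turn a dotted version into a tuple of ints so that 0.8.9 < 0.8.14.

    Plain string comparison would rank '0.8.9' above '0.8.14'; comparing
    each numeric component is what "versions prior to" means. Trailing
    non-digits in a component (e.g. a port revision) are ignored.
    """
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed):
    """True when the installed version is older than the fixed one."""
    return version_key(installed) < version_key(fixed)


def check_pkg_info(text):
    """Return [(pkgname, advisory, fixed_version)] for affected packages."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pkgname = line.split()[0]          # first field is name-version
        name, version = split_pkgname(pkgname)
        if name in ADVISORIES:
            advisory, fixed = ADVISORIES[name]
            if is_vulnerable(version, fixed):
                hits.append((pkgname, advisory, fixed))
    return hits


if __name__ == "__main__":
    for pkgname, advisory, fixed in check_pkg_info(SAMPLE_PKG_INFO):
        print("%s: affected by %s, upgrade to %s or later"
              % (pkgname, advisory, fixed))
```

On a live system, pass the real output of pkg_info to check_pkg_info in place of the constructed sample; the numeric comparison matters because a string compare would call 0.8.9 newer than 0.8.14.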
From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 07:31:28 2000
From: henrique@gruponet.com.br
Subject: ftpd
Date: Wed, 20 Dec 2000 13:21:01 -0200
Message-ID: <01c06a98$762e6860$2808a8c0@tec06.gnintranet.com.br>

Mrs,

In my file ftpchroot I have the domain of my server, for example:

Into ftpchroot

joao.com.br, to restrict this domain only to your directory, do I use
another line in the file ftpchroot?

How do you configure this file ftpchroot?

[]'
Henrique
From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 08:01:44 2000
From: Alexander V P
Date: Wed, 20 Dec 2000 11:00:42 -0500 (EST)
To: henrique@gruponet.com.br
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ftpd
In-Reply-To: <01c06a98$762e6860$2808a8c0@tec06.gnintranet.com.br>

howdy,

try man ftpd. in any case :

/etc/ftpusers     List of unwelcome/restricted users.
/etc/ftpchroot    List of normal users who should be chroot'd.
/etc/ftphosts     Virtual hosting configuration file.
/etc/ftpwelcome   Welcome notice.
/etc/ftpmotd      Welcome notice after login.
/var/run/nologin  Displayed and access refused.
/var/log/ftpd     Log file for anonymous transfers.

in ftpchroot you put user names (not domain names) that correspond to
the user for that virtual domain.

i hope that helps. (i hope i understood what your question was)

alex

On Wed, 20 Dec 2000 henrique@gruponet.com.br wrote:

> Mrs,
> In my file ftpchroot i have domain of my server, example:
> Into ftpchroot
> joao.com.br, for restrict this domain only to your directory, use other
> line in the file ftpchroot?
> How do you do configure this file ftpchroot?
> []'
> Henrique

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 08:02:26 2000
From: "Chuck Rock"
Subject: RE: What anti-sniffer measures do i have?
Date: Wed, 20 Dec 2000 10:02:43 -0600
Message-ID: <000301c06a9e$49383010$1805010a@epconline.net>
In-reply-to: <007001c06a80$9fac4800$0c00a8c0@ipform.ru>

I use Intel 460T standalone switches, and they have the ability to keep
the database from learning new MAC addresses, and you can manually
program the MAC addresses to each port.

This is much safer than the default configuration, but it takes away a
lot of the convenience of the switch's ability to handle changes.

I'm not necessarily saying they are better than others; I don't like
some of the features they have, and I haven't tried many other switches.

I could go either way for security or convenience, but most networks
don't change like mine does, so the call would be up to the person that
has to maintain those switch databases, and what tools are available to
automate that process.
Any "good" SNMP software would probably suffice in allowing you to
remotely make database changes, and monitor the switches as well.
Another nice thing with these is they have the ability to use BOOTP so
the configs can be centrally located.

Chuck

> -----Original Message-----
> From: Artem Koutchine [mailto:matrix@ipform.ru]
> Sent: Wednesday, December 20, 2000 6:30 AM
> To: Vladimir Mencl, MK, susSED; David Talkington
> Cc: Chuck Rock; security@FreeBSD.ORG; questions@FreeBSD.ORG
> Subject: Re: What anti-sniffer measures do i have?
>
> N/A for windows. Only for UNIX. So, not usable in heterogeneous
> networks.
>
> ----- Original Message -----
> From: "Vladimir Mencl, MK, susSED"
> To: "David Talkington"
> Cc: "Chuck Rock" ; ;
> Sent: Wednesday, December 20, 2000 3:23 PM
> Subject: RE: What anti-sniffer measures do i have?
>
> > On Tue, 19 Dec 2000, David Talkington wrote:
> >
> > > Far as I know, hard-coding an arp table is the only way to prevent
> > > that sort of thing ... someone please correct me if I'm wrong?
> >
> > Hardcoding the ARP table both in the switch and in every computer "to be
> > protected" in the network. Every computer would have to know both IP and
> > ethernet address of at least the router, the nameserver and all
> > computers it connects to.
> >
> > Will it be enough?
> >
> > ...putting the switch into a mode like "use only-and-only this hardcoded
> > arp-table"....
> >
> > Vladimir Mencl

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 08:17:56 2000
From: Daniel Hagan
Date: Wed, 20 Dec 2000 11:18:12 -0500
Message-ID: <3A40DBC4.92D2F874@colltech.com>
To: David Talkington
Cc: Chuck Rock , security@FreeBSD.ORG
Subject: Re: What anti-sniffer measures do i have?

In the early/mid 90's there was a student at Virginia Tech who played
this stunt in a dorm and collected several hundred mail server
passwords. Similar tricks can be played w/ DHCP. A friend of mine did a
proof of concept attack against his friend in their dorm at Tech when
they rolled out DHCP there.

Daniel

David Talkington wrote:
> Play around with dsniff.
> On my test network at home, with two
> workstations (A and B) and a gateway router (C) on a 10/100 switch,
> I've been able to convince A that B was its router, and view A's
> traffic before sending it on to C. A putters away, and never even
> knows B is there. It's kinda scary.

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 08:57:59 2000
From: "Shadow"
Reply-To: "Shadow"
References: <000301c06a9e$49383010$1805010a@epconline.net>
Subject: Re: What anti-sniffer measures do i have?
Date: Wed, 20 Dec 2000 11:55:32 -0500
Message-ID: <011f01c06aa5$aab683d0$0501a8c0@fuckoff>

Most (all?) Cisco Catalyst switches allow you to set "port security"
which will disable the port either for a fixed period of time or forever
until a supervisor re-enables it if it detects 'too many' MACs on a port
or overlapping MAC addresses on ports. It gives a decent level of
security without having to manually program MACs into all of the ports
(ick!)

Only thing I haven't tested is if using spanning tree breaks this
functionality at all (I think I remember it having to sometimes look for
duplicate MACs on ports)... not that spanning tree is a good solution to
anything IMHO.

Only downside is their price tag....

-Shadow
Sr. Systems Administrator, Global Telecom Inc.
shadow@gti.net

----- Original Message -----
From: "Chuck Rock"
Sent: Wednesday, December 20, 2000 11:02 AM
Subject: RE: What anti-sniffer measures do i have?

> I use Intel 460T standalone switches, and they have the ability to keep the
> database from learning new MAC addresses, and you can manually program the
> MAC addresses to each port.
>
> This is much safer than default configuration, but it takes a lot of the
> convenience of the switches ability to handle changes.
>
> I'm not necessarily saying they are better than others, I don't like some of
> the features they have, and I haven't tried many other switches.
>
> I could go either way for security or convenience, but most networks don't
> change like mine does, so the call would up to the person that has to
> maintain those switch databases, and what tools are available to automate
> that process. Any "good" SNMP software would probably suffice in allowing
> you to remotely make database changes, and monitor the switches as well.
> another nice thing with these is they have the ability to use BOOTP so the
> configs can be centrally located.
>
> Chuck
>
> > -----Original Message-----
> > From: Artem Koutchine [mailto:matrix@ipform.ru]
> > Sent: Wednesday, December 20, 2000 6:30 AM
> > To: Vladimir Mencl, MK, susSED; David Talkington
> > Cc: Chuck Rock; security@FreeBSD.ORG; questions@FreeBSD.ORG
> > Subject: Re: What anti-sniffer measures do i have?
> >
> > N/A for windows. Only for UNIX. So, not usable in heterogenic
> > networks.
> >
> > ----- Original Message -----
> > From: "Vladimir Mencl, MK, susSED"
> > To: "David Talkington"
> > Cc: "Chuck Rock" ; ;
> > Sent: Wednesday, December 20, 2000 3:23 PM
> > Subject: RE: What anti-sniffer measures do i have?
> >
> > > On Tue, 19 Dec 2000, David Talkington wrote:
> > >
> > > > Far as I know, hard-coding an arp table is the only way to prevent
> > > > that sort of thing ... someone please correct me if I'm wrong?
> > >
> > > Hardcoding the ARP table both in the switch and in every computer "to be
> > > protected" in the network. Every computer would have to know both IP and
> > > ethernet address of at least the router, the nameserver and all
> > > computers it connects to.
> > >
> > > Will it be enough?
> > >
> > > ...putting the switch into a mode like "use only-and-only this hardcoded
> > > arp-table"....
> > >
> > > Vladimir Mencl

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 11:00:09 2000
From: Mike Silbersack
Date: Wed, 20 Dec 2000 13:00:05 -0600 (CST)
To: Daniel Hagan
Cc: David Talkington , Chuck Rock ,
Subject: Re: What anti-sniffer measures do i have?
In-Reply-To: <3A40DBC4.92D2F874@colltech.com>

On Wed, 20 Dec 2000, Daniel Hagan wrote:

> passwords. Similar tricks can be played w/ DHCP. A friend of mine did
> a proof of concept attack against his friend in their dorm at Tech when
> they rolled out DHCP there.
>
> Daniel

Heh, I had a friend who installed WinRoute Lite on his machine and
started *accidentally* handing out DHCP leases. It was rather funny.

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 11:08:27 2000
From: "Chuck Rock"
Subject: RE: What anti-sniffer measures do i have?
Date: Wed, 20 Dec 2000 13:08:45 -0600
Message-ID: <000a01c06ab8$4676a040$1805010a@epconline.net>

Well there is another option you may not know about.... Encryption on
the physical level.

3Com make new network cards with built in encryption that works up to
full duplex 100Meg.

Secures sensitive data by delivering 3DES, DES, MD5, and SHA-1

Check out the specs here....
http://www.3com.com/products/nics/3cr990fb.html

I don't know if anyone has built any drivers for FreeBSD, but I think
it's worth it. They make one for the server too that allows redundant
NICs for failover protection.

There appear to be beta drivers for Linux for these network cards as
well...
http://support.3com.com/infodeli/tools/nic/linuxdownload.htm

I can sell the 3CR990-TX-97 which provides 168 Bit encryption for about
$120 each. And the 3CR990-SVR-97 for $115.

I haven't used these, but the principle sounds good. I think the only
drawback is, any server using one probably has to have one in each
client computer, or there would be no way for them to speak to each
other. This would rule out some other equipment as well, but they are
supposed to be compliant with IPSec.

If anyone has used these, I would be interested in hearing how well they
work in a "real" environment running other O/S's and routers and such.

Chuck

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Dmitry Galyant
> Sent: Wednesday, December 20, 2000 6:58 AM
> To: Artem Koutchine
> Cc: Jonas Luster; security@FreeBSD.ORG; questions@FreeBSD.ORG
> Subject: Re: What anti-sniffer measures do i have?
>
> On Wed, 20 Dec 2000, Artem Koutchine wrote:
>
> > Date: Wed, 20 Dec 2000 15:27:41 +0300
> > From: Artem Koutchine
> > To: Jonas Luster , security@FreeBSD.ORG,
> >     questions@FreeBSD.ORG
> > Subject: Re: What anti-sniffer measures do i have?
> >
> > Hello again!
> >
> > Well, i am depressed now :( The issue is even worse than i thought
> > at first. So, SHOULD I upgrade to switches? Will they REALLY help?
> >
> > Or should i build a simple FreeBSD router for each branch of the tree
> > with a bunch of ethernet cards. For example. In a room with 8 computers i
> > will install a Pentium MMX with 8 PCI slots and 8 network cards
> > and route pure IP, no MAC addressing (i don't need ipx router or
> > anything, just ip).
>
> and don't forget to give a root shell to these 8 men ;-)
> switch has no shell - imho it's the better way.
>
> > Are there relatively cheap switches which do the same? Is it even
> > a solution?

From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 11:26:21 2000
From: Slawek Zak
To: freebsd-security@freebsd.org
Subject: SSH update
Date: 20 Dec 2000 20:26:08 +0100
Message-ID: <87k88u99nz.fsf@pf39.warszawa.sdi.tpnet.pl>

Has SSH in 4.2-RELEASE been updated to prevent the latest attack
(unauthorized agent and X11 connection forwarding)?
From owner-freebsd-security Wed Dec 20 11:33:34 2000
Date: Wed, 20 Dec 2000 14:33:28 -0500
From: Chris Faulhaber
To: Slawek Zak
Cc: freebsd-security@freebsd.org
Subject: Re: SSH update
Message-ID: <20001220143328.A9618@peitho.fxp.org>
In-Reply-To: <87k88u99nz.fsf@pf39.warszawa.sdi.tpnet.pl>

On Wed, Dec 20, 2000 at 08:26:08PM +0100, Slawek Zak wrote:
> Has SSH in 4.2-RELEASE been updated to prevent the latest attack
> (unauthorized agent and X11 connection forwarding)?
>

Yes, OpenSSH was patched on 2000-11-14 (before FreeBSD 4.2 was released).
See http://www.FreeBSD.org/cgi/cvsweb.cgi/src/crypto/openssh/clientloop.c
for more details.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Dec 20 12:02:16 2000
Date: Wed, 20 Dec 2000 12:02:04 -0800
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
To: Chris Faulhaber
Cc: Slawek Zak, freebsd-security@FreeBSD.ORG
Subject: Re: SSH update
Message-Id: <200012202002.eBKK24j26307@bmah-freebsd-0.cisco.com>
In-Reply-To: <20001220143328.A9618@peitho.fxp.org>

If memory serves me right, Chris Faulhaber wrote:
> On Wed, Dec 20, 2000 at 08:26:08PM +0100, Slawek Zak wrote:
> > Has SSH in 4.2-RELEASE been updated to prevent the latest attack
> > (unauthorized agent and X11 connection forwarding)?
> >
>
> Yes, OpenSSH was patched on 2000-11-14 (before FreeBSD 4.2 was released).
> See http://www.FreeBSD.org/cgi/cvsweb.cgi/src/crypto/openssh/clientloop.c
> for more details.

...a fact which should have been in the release notes file for 4.2-RELEASE,
but for some reason wasn't (the MFC is noted in the release notes for
-CURRENT, however). Oopsie. :-(

Bruce.
From owner-freebsd-security Wed Dec 20 13:11:24 2000
Date: Wed, 20 Dec 2000 14:14:43 +0000
From: Mark Zielinski
Reply-To: Mark Zielinski
To: Kris Kennaway
Cc: Alfred Perlstein, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <3A40BED3.1070909@2cactus.com>

This is an attack that we fixed in SecureBSD by not allowing filesystems
to be un-mounted and re-mounted back in May of 1999. We added security
checks to the mount() and unmount() system calls based upon a MIB called
securebsd.options.mount which could be turned on or off depending upon
your securelevel setting.

Around the time that we wrote this feature, if your securelevel was not
set to two or higher, root users could un-mount a filesystem and directly
write to the file system's raw device in order to remove file flags on
files. This option prevented this attack, even when your securelevel was
only set at a level of one.

Kris Kennaway wrote:
> On Tue, Dec 19, 2000 at 12:09:53PM -0800, Alfred Perlstein wrote:
>
>> * Crist J. Clark [001219 11:50] wrote:
>>
>>> I was recently playing around with the idea of having a read-only root
>>> filesystem. However, it has become clear that there is no way to
>>> prevent root from changing the mount properties on any filesystem,
>>> including the root filesystem, provided there is no hardware-level
>>> block on writing and there is someplace (anyplace) where root can
>>> write.
>>>
>>> Is that accurate? I guess one must go to a "trusted OS" to get that
>>> type of functionality?
>>
>> You can trust freebsd. :)
>>
>> do some research on "securelevel"
>
>
> I don't believe mounting or remounting is denied by any securelevel..I
> raised this a few months ago but the consensus seemed to be that
> securelevel was too broken by design and the real fix was MAC, which
> is coming with TrustedBSD.
>
> Kris

--
Mark Zielinski
2 Cactus Development
Senior Software Engineer

From owner-freebsd-security Wed Dec 20 13:14:24 2000
From: "Jonathan M. Slivko"
Subject: SecureBSD?
Date: Wed, 20 Dec 2000 16:16:28 -0500

What's this SecureBSD I keep hearing about? What are the primary
differences between it and the mainstream FreeBSD?

- Jonathan Slivko -
Simple Hosting Solutions
Head of Technical Support
http://www.simphost.com
jslivko@psn.net

From owner-freebsd-security Wed Dec 20 14:33:22 2000
Date: Wed, 20 Dec 2000 17:33:16 -0500
From: Bill Vermillion
Reply-To: bv@bilver.wjv.com
To: freebsd-security@freebsd.org
Subject: Re: SecureBSD?
Message-ID: <20001220173316.A40468@wjv.com>
Organization: W.J.Vermillion / Orlando - Winter Park

On Wed, Dec 20, 2000 at 04:16:28PM -0500, Jonathan M. Slivko thus spoke:
> Whats this SecureBSD I keep hearing about? what are the primary differences
> between it and the mainstream FreeBSD?

At the announcement they talked about becoming a C2 implementation.
I see no changes to their web page since it was first announced.

See any details at www.securebsd.org

Bill
--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Wed Dec 20 17:39:41 2000
Date: Wed, 20 Dec 2000 17:40:56 -0800
From: Kris Kennaway
To: Mark Zielinski
Cc: Kris Kennaway, Alfred Perlstein, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001220174056.C22288@citusc.usc.edu>
In-Reply-To: <3A40BED3.1070909@2cactus.com>

On Wed, Dec 20, 2000 at 02:14:43PM +0000, Mark Zielinski wrote:
> This is a attack that we fixed in SecureBSD by not allowing
> filesystems to be un-mounted and re-mounted back in May of 1999.
> We added security checks to the mount() and unmount() system calls
> based upon a MIB called securebsd.options.mount which could be
> turned on or off depending upon your securelevel setting.

The argument is that securelevel is fundamentally flawed and fairly
useless as a security feature, unless you treat every system reboot
(expected or not) as a potential compromise.

Kris

From owner-freebsd-security Wed Dec 20 17:41:31 2000
Date: Wed, 20 Dec 2000 17:41:29 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: Mark Zielinski, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001220174129.F19572@fw.wintelcom.net>
In-Reply-To: <20001220174056.C22288@citusc.usc.edu>

* Kris Kennaway [001220 17:39] wrote:
> On Wed, Dec 20, 2000 at 02:14:43PM +0000, Mark Zielinski wrote:
> > This is a attack that we fixed in SecureBSD by not allowing
> > filesystems to be un-mounted and re-mounted back in May of 1999.
> > We added security checks to the mount() and unmount() system calls
> > based upon a MIB called securebsd.options.mount which could be
> > turned on or off depending upon your securelevel setting.
>
> The argument is that securelevel is fundamentally flawed and fairly
> useless as a security feature, unless you treat every system reboot
> (expected or not) as a potential compromise.

Actually, securelevel as an all-covering blanket would work better
if people implemented fixes for it like a solution for the mount
problem described here.

Securelevel is hard to implement, but hard to mess up unlike ACLs
which are both hard to implement and hard to deploy.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
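Added example, not code from any poster in this thread: an audit for the lockdown the thread keeps coming back to, the system-immutable (schg) file flag that root cannot clear while kern.securelevel is 1 or higher, and which a single reboot to a lower securelevel undoes. It parses the flags column of FreeBSD `ls -lo` output; the path list is an assumed FreeBSD 4.x layout and the sample listing is constructed.

```shell
#!/bin/sh
# Report files that should be immutable but lack the schg flag.
# On FreeBSD, `chflags schg` marks a file system-immutable; with
# kern.securelevel >= 1 even root cannot clear the flag without a
# reboot to a lower securelevel, which is the limit of the protection.

# Assumed FreeBSD 4.x paths for the pieces the thread names: rc files,
# fstab, boot loader and its config, kernel and modules, startup
# binaries and their directories. Extend for your own system.
LOCKDOWN_PATHS="/etc/rc /etc/rc.conf /etc/fstab /boot/loader /boot/loader.conf
/kernel /modules /sbin/init /etc /sbin /bin"

# Read `ls -lod` lines on stdin and print the name of every entry whose
# flags column (field 5, "-" when no flags are set) does not contain schg.
# Example input line:
#   -r-xr-xr-x  1 root  wheel  schg,sunlnk 12345 Dec 20  2000 /sbin/init
# Names containing spaces are not handled by $NF.
missing_schg() {
    awk '$5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

# Number of unlocked entries in a listing read on stdin; 0 means all locked.
count_missing() {
    missing_schg | wc -l | tr -d ' '
}

# Constructed sample standing in for `ls -lod $LOCKDOWN_PATHS`:
# /etc/fstab has no flags at all and /boot/loader.conf only has sunlnk,
# so both should be reported; the other two are locked.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg 28 Dec 20  2000 /sbin/init
-rw-r--r--  1 root  wheel  - 512 Dec 20  2000 /etc/fstab
drwxr-xr-x  4 root  wheel  schg,sunlnk 512 Dec 20  2000 /etc
-rw-r--r--  1 root  wheel  sunlnk 64 Dec 20  2000 /boot/loader.conf'

if [ "$(uname -s)" = FreeBSD ]; then
    # Real audit: list the paths and show the securelevel the flags rely on.
    # shellcheck disable=SC2086
    ls -lod $LOCKDOWN_PATHS 2>/dev/null | missing_schg
    echo "kern.securelevel=$(sysctl -n kern.securelevel)"
else
    # Elsewhere, demonstrate on the constructed listing.
    printf '%s\n' "$SAMPLE" | missing_schg
fi
```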
From owner-freebsd-security Wed Dec 20 17:58:18 2000
Date: Wed, 20 Dec 2000 17:59:31 -0800
From: Kris Kennaway
To: Alfred Perlstein
Cc: Kris Kennaway, Mark Zielinski, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Message-ID: <20001220175931.E22288@citusc.usc.edu>
In-Reply-To: <20001220174129.F19572@fw.wintelcom.net>

On Wed, Dec 20, 2000 at 05:41:29PM -0800, Alfred Perlstein wrote:
> * Kris Kennaway [001220 17:39] wrote:
> > On Wed, Dec 20, 2000 at 02:14:43PM +0000, Mark Zielinski wrote:
> > > This is a attack that we fixed in SecureBSD by not allowing
> > > filesystems to be un-mounted and re-mounted back in May of 1999.
> > > We added security checks to the mount() and unmount() system calls
> > > based upon a MIB called securebsd.options.mount which could be
> > > turned on or off depending upon your securelevel setting.
> >
> > The argument is that securelevel is fundamentally flawed and fairly
> > useless as a security feature, unless you treat every system reboot
> > (expected or not) as a potential compromise.
>
> Actually, securelevel as a all-covering blanket would work better
> if people implemented fixes for it like a solution for the mount
> problem described here.

That still doesn't alter the fact that only a single reboot is needed
to undo the restrictions.

I can see both points of view: on the one hand we have a system which
stops some script kiddies, so we might as well extend the coverage a
bit and try and foil a few more. It also happens to be the best
available system right now. On the other hand, it's fundamentally
incomplete and easily worked around, so you can argue there's no point
wasting effort in polishing a turd.

> Securelevel is hard to implement, but hard to mess up unlike ACLs
> which are both hard to implement and hard to deploy.

Well, we're not talking about ACLs here..MAC is a different beast. I
don't know to what extent your criticism applies, though, not having
administered or configured such a system.

Kris

From owner-freebsd-security Wed Dec 20 18:06:12 2000
Date: Wed, 20 Dec 2000 18:05:58 -0800
From: Jason DiCioccio
To: 'Kris Kennaway', Alfred Perlstein
Cc: Mark Zielinski, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: RE: Read-Only Filesystems
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>

The only way I could think of to do this securely in the current
implementation is to chflags most of the etc dir (with the exception of
files that did need to be changed like passwd master.passwd aliases,
etc.).. mainly the rc files.. but this makes administering remotely a
pain in the ass..
Of course, security in many cases comes with a hassle factor.

-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main
Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix - Linux is for people who hate Microsoft

-----Original Message-----
From: Kris Kennaway [mailto:kris@FreeBSD.ORG]
Sent: Wednesday, December 20, 2000 6:00 PM
To: Alfred Perlstein
Cc: Kris Kennaway; Mark Zielinski; cjclark@alum.mit.edu; freebsd-security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems

[Kris Kennaway's message <20001220175931.E22288@citusc.usc.edu>, quoted in full above in this thread, followed here.]

From owner-freebsd-security Wed Dec 20 18:22:45 2000
Date: Wed, 20 Dec 2000 18:23:54 -0800
From: Kris Kennaway
To: "Jonathan M. Slivko"
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: SecureBSD?
Message-ID: <20001220182354.G22288@citusc.usc.edu>

On Wed, Dec 20, 2000 at 04:16:28PM -0500, Jonathan M. Slivko wrote:
> Whats this SecureBSD I keep hearing about? what are the primary differences
> between it and the mainstream FreeBSD?

It's a set of patches against FreeBSD which adds some features which can
be used to configure a more tightly controlled system. It's under a
fairly scary license though, and last time I checked the documentation
didn't list many "whiz-bang" features I would personally find useful on
an average system.

That's just my personal opinion though, not any official position of the
security officer or of FreeBSD, and may not in fact reflect reality if
the documentation is inaccurate (someone told me there's more there
which is, or was, undocumented). YMMV, of course..it's worth taking a
look at to see whether it would be useful for you.

Kris

From owner-freebsd-security Wed Dec 20 18:28:21 2000
Date: Wed, 20 Dec 2000 18:29:36 -0800
From: Kris Kennaway
To: Jason DiCioccio
Cc: security@FreeBSD.org
Subject: Re: Read-Only Filesystems
Message-ID: <20001220182936.H22288@citusc.usc.edu>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>

On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote:
> The only way I could think of to do his securely in the current
> implementation is to chflags most of the etc dir (with the exception
> of files
> that did need to be cahnged like passwd master.passwd
> aliases, etc.).. mainly the rc files.. but this makes administering
> remotely a pain in the ass.. Of course, security in many cases comes
> with a hassle factor.

Don't forget chflags'ing every binary involved in the startup process,
too. And all of your kernel modules. And the boot loader and its config
files. And all of the appropriate directories. And /etc/fstab so null or
union mounts can't be used to shadow a protected file...you get the
picture :-)

Kris

From owner-freebsd-security Wed Dec 20 18:35:09 2000
Date: Wed, 20 Dec 2000 18:36:22 -0800
From: Kris Kennaway
To: Kris Kennaway
Cc: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: SecureBSD?
Message-ID: <20001220183622.I22288@citusc.usc.edu>
In-Reply-To: <20001220182354.G22288@citusc.usc.edu>

On Wed, Dec 20, 2000 at 06:23:54PM -0800, Kris Kennaway wrote:
> On Wed, Dec 20, 2000 at 04:16:28PM -0500, Jonathan M. Slivko wrote:
> > Whats this SecureBSD I keep hearing about? what are the primary differences
> > between it and the mainstream FreeBSD?
>

I forgot to mention TrustedBSD (www.trustedbsd.org), which IMO is a lot
more promising in terms of the feature set, and is being integrated into
FreeBSD.

Kris

From owner-freebsd-security Wed Dec 20 19:15:42 2000
Date: Wed, 20 Dec 2000 22:18:12 -0500 (EST)
From: Jeff Gentry
To: Kris Kennaway
Cc: "Jonathan M. Slivko", freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: SecureBSD?
In-Reply-To: <20001220182354.G22288@citusc.usc.edu>

> That's just my personal opinion though, not any official position of
> the security officer or of FreeBSD, and may not in fact reflect
> reality if the documentation is inaccurate (someone told me there's
> more there which is, or was, undocumented). YMMV, of course..it's
> worth taking a look at to see whether it would be useful for you.

I looked at it recently, and while it isn't super-duper, I do remember
some of the stuff seeming useful for my purposes. The real problem tho
is that SecureBSD 1.0 only supports FreeBSD 4.0.
I sent them an email and they said that they were going to be soon
supporting the 4.2 branch, but haven't seen anything from them yet.

--
Jeff Gentry
jester@hexdump.org
gentrj@hexdump.org
SEX DRUGS UNIX

From owner-freebsd-security Wed Dec 20 19:32:49 2000
Date: Wed, 20 Dec 2000 19:32:44 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:

Mikhail Kruk wrote:
> In my experience due to bad administrators who screw up ssh installations
> those keys change after every OS upgrade and users get used to answering
> "yes" to this question.

Bad administrators? You must be joking. You only need to look at a
couple of the ssh ports to see where the problem is (in FreeBSD at
least).

For example, if I install ssh from ports it won't upgrade the
pre-installed system ssh but will instead add a second copy in different
directories. Now we have 2 (or more) different revisions on the same
system and a user will get either one or the other depending on their
$PATH.

Second, while Kris Kennaway was good enough to upgrade ssh1 to check
/etc/inetd.conf before installing a startup script none of the other ssh
ports do this basic check.

Third, the sshd_config and ssh_config defaults are less than optimal.

Fourth, the error message triggered by a key change is too terse to be
very helpful to your average end-user.

IMHO, this has little or nothing to do with administrators or end-users.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Wed Dec 20 21:56:05 2000
Date: Thu, 21 Dec 2000 07:58:28 +0200
From: "Jose Meredith"
Subject: Is there anyway to record Root's keystrokes
Message-ID: <02e401c06b13$0c66fac0$3202a8c0@ialien.co.za>

I've been thinking about how to try and make a box more secure, and one
of the things on my wish list would be to be able to record all the
command line inputs of any root shells. I know that this should actually
be the job of the shell, but I can't find out how to have them do this.

The other workaround would be to recompile the kernel with the snp
device enabled, and every time someone logs in etc., snoop their
interaction with the machine. The problem with this is that one would
have a lot of data coming in, as well as you would be getting normal
user stuff.
I would only like the system to log everything it does as root etc. Any ideas? Thanx in advance Bob To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 20 22:10: 7 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 22:10:05 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from puck.firepipe.net (poynting.physics.purdue.edu [128.210.146.58]) by hub.freebsd.org (Postfix) with ESMTP id C9FB037B400 for ; Wed, 20 Dec 2000 22:10:05 -0800 (PST) Received: from argon.firepipe.net (pm014-044.dialup.bignet.net [64.79.82.156]) by puck.firepipe.net (Postfix) with ESMTP id C3ABE1AC4; Thu, 21 Dec 2000 01:10:04 -0500 (EST) Received: by argon.firepipe.net (Postfix, from userid 1000) id 3C64F19CF; Thu, 21 Dec 2000 01:05:44 -0500 (EST) Date: Thu, 21 Dec 2000 01:05:44 -0500 From: Will Andrews To: Jose Meredith Cc: freebsd-security@FreeBSD.ORG Subject: Re: Is there anyway to record Root's keystrokes Message-ID: <20001221010543.K319@argon.firepipe.net> Reply-To: Will Andrews References: <02e401c06b13$0c66fac0$3202a8c0@ialien.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <02e401c06b13$0c66fac0$3202a8c0@ialien.co.za>; from meredithjt@ialien.co.za on Thu, Dec 21, 2000 at 07:58:28AM +0200 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: will@argon.firepipe.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Dec 21, 2000 at 07:58:28AM +0200, Jose Meredith wrote: > I've been thinking about how to try and make a box more secure, and one of the things on my wish list would be to be able to record > all the command line inputs of any root shells. I know that this should actually be the job of the shell, but I can't find out how > to have them do this. 
> > The other work around would be to recompile the kernel with the snp device enabled, and everytime someone logins in etc., snoop > their interaction with the machine. The problem with this, is that one would have a lot of data coming in, as well as you would be > getting normal user stuff. I would only like the system to log everything it does as root etc. > > Any ideas? Use sudo. See ports/security/sudo. -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 20 23: 6:26 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 23:06:23 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 1975E37B400; Wed, 20 Dec 2000 23:06:23 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 20 Dec 2000 23:04:13 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBL75m088159; Wed, 20 Dec 2000 23:05:48 -0800 (PST) (envelope-from cjc) Date: Wed, 20 Dec 2000 23:05:48 -0800 From: "Crist J. 
Clark" To: Jason DiCioccio Cc: "'Kris Kennaway'" , Alfred Perlstein , Mark Zielinski , cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001220230548.V96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan>; from Jason.DiCioccio@Epylon.com on Wed, Dec 20, 2000 at 06:05:58PM -0800 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > The only way I could think of to do this securely in the current > implementation is to chflags most of the etc dir (with the exception > of files that did need to be changed like passwd master.passwd > aliases, etc.).. mainly the rc files.. but this makes administering > remotely a pain in the ass.. Of course, security in many cases comes > with a hassle factor.

Hmmm... I was thinking that this would not be possible, to schg files in /etc and still be able to use passwd(1), but provided that / is schg, I can't seem to figure out how to mess with files in /etc with schg. I was thinking I could fsdb(8) /etc, but I can't mess with a mounted FS?! That's no fun! I still think there is a way around this... Anyone know it? I'm tired of reading 'Operation not permitted' as I try this out. -- Crist J.
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 20 23:12:20 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 20 23:12:18 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 9A0FD37B400; Wed, 20 Dec 2000 23:12:18 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 20 Dec 2000 23:10:39 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBL7CAm88184; Wed, 20 Dec 2000 23:12:10 -0800 (PST) (envelope-from cjc) Date: Wed, 20 Dec 2000 23:12:05 -0800 From: "Crist J. Clark" To: Kris Kennaway Cc: Alfred Perlstein , Mark Zielinski , cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001220231205.W96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu> <3A40BED3.1070909@2cactus.com> <20001220174056.C22288@citusc.usc.edu> <20001220174129.F19572@fw.wintelcom.net> <20001220175931.E22288@citusc.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001220175931.E22288@citusc.usc.edu>; from kris@FreeBSD.ORG on Wed, Dec 20, 2000 at 05:59:31PM -0800 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Dec 20, 2000 at 05:59:31PM -0800, Kris Kennaway wrote: > On Wed, Dec 20, 2000 at 05:41:29PM -0800, Alfred Perlstein wrote: [snip] > > Actually, securelevel as a all-covering blanket would work better > > if people implemented fixes for it like a 
solution for the mount > > problem described here. > > That still doesn't alter the fact that only a single reboot is needed > to undo the restrictions. Could you elaborate on what scenario you are describing? Of course if the attacker has physical access, he is a reboot away from getting by securelevel. But is there a remote attack involving a reboot which negates securelevel besides the obvious case where the rc* files (and init, and kernel, and... ) are not sufficiently protected? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 0:11: 9 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 00:11:07 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from xgate4.sd.co.nz (ns.netxsecure.com [210.55.57.156]) by hub.freebsd.org (Postfix) with ESMTP id 5923437B402; Thu, 21 Dec 2000 00:11:06 -0800 (PST) Received: from netxsecure.net (xmgate-172-2.sd.co.nz [172.16.30.2]) by xgate4.sd.co.nz (8.11.0/8.11.0) with ESMTP id eBL8KvE10137; Thu, 21 Dec 2000 21:20:58 +1300 (NZDT) Sender: mike@netxsecure.net Message-ID: <3A41BE58.76ECD6A9@netxsecure.net> Date: Thu, 21 Dec 2000 21:24:56 +1300 From: "Michael A. 
Williams" X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.5-22 i586) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Cc: Kris Kennaway Subject: Re: Read-Only Filesystems References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> <20001220182936.H22288@citusc.usc.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Archived: msg.Wvp13986@xgate4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Kris Kennaway wrote: > On Wed, Dec 20, 2000 at 06:05:58PM -0800, Jason DiCioccio wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > The only way I could think of to do this securely in the current > > implementation is to chflags most of the etc dir (with the exception > > of files that did need to be changed like passwd master.passwd > > aliases, etc.).. mainly the rc files.. but this makes administering > > remotely a pain in the ass.. Of course, security in many cases comes > > with a hassle factor. > > Don't forget chflags'ing every binary involved in the startup process, > too. And all of your kernel modules. And the boot loader and its > config files. And all of the appropriate directories. And /etc/fstab > so null or union mounts can't be used to shadow a protected file...you > get the picture :-)

Securelevel 2 should not allow loading of kernel modules. Mike. -- Michael A.
Williams, InfoSec Technology Manager NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 0:31:33 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 00:31:31 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 80B5137B400 for ; Thu, 21 Dec 2000 00:31:31 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 1491Cg-0000Vb-00; Thu, 21 Dec 2000 01:35:59 -0700 Sender: wes@FreeBSD.ORG Message-ID: <3A41C0EE.F4074358@softweyr.com> Date: Thu, 21 Dec 2000 01:35:58 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Fernando Schapachnik Cc: Vladimir Dubrovin , freebsd-security@FreeBSD.ORG Subject: Re: FTPD hole References: <200012191208.JAA13954@ns1.via-net-works.net.ar> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Fernando Schapachnik wrote: > > A recent (today or yesterday) bugtraq article says NO. Look > securityfocus.org for details. The SA released by OpenBSD said the vulnerability was shared with, and patched in, NetBSD, but not present in FreeBSD. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Thu Dec 21 3:11:28 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 03:11:24 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from pps.de (mail.pps.de [217.13.200.134]) by hub.freebsd.org (Postfix) with ESMTP id 5661437B400 for ; Thu, 21 Dec 2000 03:11:23 -0800 (PST) Received: from jung7.pps.de (jung7.pps.de [192.9.200.17]) by pps.de (8.9.3/8.9.3) with ESMTP id MAA04672; Thu, 21 Dec 2000 12:26:56 +0100 (CET) (envelope-from petros@pps.de) Received: from jung9.pps.de by jung7.pps.de (8.9.3+Sun/ZRZ-Sol2) id MAA00666; Thu, 21 Dec 2000 12:08:33 +0100 (MET) Received: from jung9 by jung9.pps.de (8.9.1b+Sun/ZRZ-Sol2) id MAA04895; Thu, 21 Dec 2000 12:08:33 +0100 (MET) Message-Id: <200012211108.MAA04895@jung9.pps.de> Date: Thu, 21 Dec 2000 12:08:33 +0100 (MET) From: Peter Ross Reply-To: Peter Ross Subject: Re: FTP and firewall To: fschapachnik@vianetworks.com.ar Cc: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: c3qqiSQL/5QdgtSxFS0pqA== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi, Fernando Schapachnik wrote: > man ipf, and check: > > http://www.obfuscation.org/ipf/ipf-howto.txt > > ipfilter can do this in a much safer way than what I suggested there.

I did: > The good news is that your FTP server gets to decide > which ports get assigned to passive sessions. This means > that instead of opening all ports above 1023, you can allocate > ports 15001-19999 as ftp ports and only open that range > of your firewall up. In wu-ftpd, this is done with the passive > ports option in ftpaccess. Please see the man page on > ftpaccess for details in wu-ftpd configuration.
On the > ipfilter side, all we need do is set up corresponding rules: > > pass in quick proto tcp from any to 20.20.20.20/32 port 15000 >< 20000 flags S keep state > pass out proto tcp all keep state > .. > While FTP server support is still less than perfect in IPF,

In March you wrote: > What I have done is to configure FTPd to use ports between 40000 and > 44999 (wu-ftpd allows it to be done easily; don't know others) and then: > > allow tcp from any to my_ip 40000-44999 in setup > > It's not the best, but still better than nothing.

In the same thread Paul Hart wrote (I quote it again): > On Wed, 29 Mar 2000, Alan Batie wrote: > > > To do active mode ftp properly, ipfw would need to parse the contents > > of the packets on the ftp control channel and dynamically allow the > > corresponding incoming connection. There's no indication that this > > parsing capability is present. > > I know we're talking about IPFW here, but hasn't IP Filter (also included > with FreeBSD) been supporting this very operation for quite a while now?

Sorry, but http://www.obfuscation.org/ipf/ipf-howto.txt says nothing about "parsing capability". All I find is: > If even this solution doesn't satisfy you, you can always > hack IPF support into your FTP server, or FTP server support > into IPF.

I suggested: > ftp_passive_range="49152-65535" # FreeBSD ftpd listens here > > natd_flags="-redirect_port tcp ${intern_ftp_ip}:${ftp_passive_range} > ${ftp_passive_range}" > > ipfw add allow tcp from any to ${extern_ip} ${ftp_passive_range} setup via > ${extern_if} > ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via > ${extern_if} > ipfw add allow tcp from any to ${intern_ftp_ip} ${ftp_passive_range} setup via > ${intern_if}

In principle the same, I think.
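An added example, mine rather than part of Peter Ross's message and not code from ipfw, natd or IP Filter, of what the control-channel parser this thread keeps circling back to would have to do: read FTP PORT commands and 227/229 passive replies, check that the announced address is the peer that sent it and that the port is unprivileged and inside the passive range quoted above (49152-65535), and emit the one ipfw rule that opens just that data connection. The session transcript and the 192.0.2.10 / 198.51.100.7 addresses are constructed; the rule numbers and the PASSIVE_RANGE constant are assumptions.

```python
"""FTP control-channel parser that opens ipfw holes per data connection.
Added example: not from the thread, not ipfw/natd/IP Filter code."""
import re

# Passive range the thread says FreeBSD ftpd listens on (assumed here).
PASSIVE_RANGE = (49152, 65535)

# Client -> server: PORT h1,h2,h3,h4,p1,p2 (server connects FROM port 20 to h:p).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server -> client: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) (client connects TO h:p).
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server -> client: 229 Entering Extended Passive Mode (|||port|); address is implied.
EPSV_RE = re.compile(r"^229\s.*?\(\|\|\|(\d+)\|\)")


class FtpParseError(ValueError):
    """An announcement the firewall helper must not turn into a rule."""


def _decode(h1, h2, h3, h4, p1, p2):
    parts = [int(x) for x in (h1, h2, h3, h4, p1, p2)]
    if any(not 0 <= x <= 255 for x in parts):
        raise FtpParseError("octet out of range: " + ",".join(map(str, parts)))
    return ".".join(map(str, parts[:4])), (parts[4] << 8) | parts[5]


def parse_control_line(line, client_ip, server_ip):
    """Return ('active'|'passive', ip, port) for a data-connection
    announcement, or None for any other control line.

    The address check is the defence against a control channel (or a
    forged link to an ftp site) announcing some third host: only holes
    towards the peer that spoke are honoured. Privileged ports and
    passive ports outside the configured range are refused too."""
    m = PORT_RE.match(line)
    if m:
        kind, expected = "active", client_ip
        ip, port = _decode(*m.groups())
    else:
        m = PASV_RE.match(line)
        if m:
            kind, expected = "passive", server_ip
            ip, port = _decode(*m.groups())
        else:
            m = EPSV_RE.match(line)
            if not m:
                return None
            kind, expected = "passive", server_ip
            ip, port = server_ip, int(m.group(1))
    if ip != expected:
        raise FtpParseError(f"{kind} announcement names {ip} but peer is {expected}")
    if port < 1024:
        raise FtpParseError(f"refusing privileged data port {port}")
    if kind == "passive" and not PASSIVE_RANGE[0] <= port <= PASSIVE_RANGE[1]:
        raise FtpParseError(f"passive port {port} outside configured range")
    return kind, ip, port


def ipfw_rule(kind, ip, port, client_ip, server_ip, rule_no=1000):
    """ipfw(8) rule admitting the SYN of exactly one data connection;
    the established flow is covered by the usual 'established' rule."""
    if kind == "passive":
        return f"ipfw add {rule_no} allow tcp from {client_ip} to {ip} {port} setup"
    return f"ipfw add {rule_no} allow tcp from {server_ip} 20 to {ip} {port} setup"


# Constructed transcript (not captured from a real host). Last line is a
# forged PORT naming a third host, which must be rejected.
CLIENT_IP, SERVER_IP = "198.51.100.7", "192.0.2.10"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 198,51,100,7,4,1",
    "227 Entering Passive Mode (192,0,2,10,195,80).",
    "229 Entering Extended Passive Mode (|||50001|)",
    "PORT 203,0,113,5,4,1",
]


def rules_for_session(lines=SAMPLE_SESSION):
    """Walk a control session as a divert-socket helper would; return the
    rules it would add and the announcements it refused."""
    rules, rejected = [], []
    for n, line in enumerate(lines):
        try:
            hit = parse_control_line(line, CLIENT_IP, SERVER_IP)
        except FtpParseError as err:
            rejected.append((line, str(err)))
            continue
        if hit:
            rules.append(ipfw_rule(*hit, CLIENT_IP, SERVER_IP, rule_no=1000 + n))
    return rules, rejected


if __name__ == "__main__":
    added, refused = rules_for_session()
    print("\n".join(added))
    for line, why in refused:
        print(f"REFUSED {line!r}: {why}")
```

Hooking this to a real divert socket, and deleting each rule once the data connection is established or after a timeout, is the part left out; without the deletion step you have only moved the "open high ports" problem from configuration time to run time.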
But I found this discussion:

On Fri, 31 Mar 2000, Vladimir Mencl wrote: > On Wed, 29 Mar 2000, Allan Saddi wrote: > > > On Wed, 29 Mar 2000, Alan Batie wrote: > > > > > ...To do active mode ftp properly, ipfw would need to parse the > > > contents of the packets on the ftp control channel and dynamically allow > > > the corresponding incoming connection. There's no indication that this > > > parsing capability is present. > > > > Interestingly enough, sometime back, Eivind Eklund added a feature to > > allow libalias(3) to "punch holes" in an ipfw-based firewall. The code is > > apparently still there. Unfortunately, it seems like neither natd nor ppp > > take advantage of this feature. (Currently, there's no way to turn it on.) > > > > It would be a seemingly trivial modification... but maybe there's some > > reason why it was never incorporated into natd/ppp? > > > The modification could be possibly "trivial", but would involve quite a > lot of implementation. > > There're many protocols, which would have to be parsed at the > application layer - ftp, talk/ntalk to name a few. > > Others might include the real audio protocols - but I do not know these > well enough. > > > A long time ago, I wrote a userland program that could "punch holes" for > incoming data connections created by outgoing talk requests. > > But to have a firewall allowing correct operation of all outgoing > "requests", you would have to explore all the protocols you wish to > support, implement a filter which would scan either UDP packets or the > TCP stream, and interact with the firewall setup. > > And also - you would have to develop some rules for selecting the > proper filter. It is clear that a connection to port 21 is an ftp > control connection - but services might be running on arbitrary ports, > and you might wish to support access to them too. > > And furthermore, you should take some security considerations about the > effects of establishing such a firewall.
By submitting a link to an ftp > site (possibly in a forged html page), an attacker might open a hole in > the firewall for himself. Yes, with a very limited range of > possibilities, but this might be considered as a security risk by some > admins. > > But still it might be better than allowing any TCP connection coming > from port 20. > > > Vladimir Mencl

Rough idea: a divert of ftp control packets to a parser, which can add and delete dynamic ftp data connection rules. I'm amazed that I can't find a better solution than opening the high ports, but I see the problem. Thanks for the given answers - Peter Ross

From owner-freebsd-security Thu Dec 21 3:47: 9 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 03:47:07 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3E73437B400 for ; Thu, 21 Dec 2000 03:47:06 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id MAA12379; Thu, 21 Dec 2000 12:47:01 +0100 (CET) (envelope-from des@ofug.org) Sender: des@ofug.org X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: References: From: Dag-Erling Smorgrav Date: 21 Dec 2000 12:47:01 +0100 In-Reply-To: Roger Marquis's message of "Wed, 20 Dec 2000 19:32:44 -0800 (PST)" Message-ID: Lines: 9 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Roger Marquis writes: > Bad administrators? You must be joking. [it's FreeBSD's fault...]
We are eagerly anticipating patches that address the issues you mention. You do have patches, don't you? DES -- Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Dec 21 3:55:16 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 03:55:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from osiris.ipform.ru (osiris.ipform.ru [212.158.165.98]) by hub.freebsd.org (Postfix) with ESMTP id 5250837B400; Thu, 21 Dec 2000 03:55:02 -0800 (PST) Received: from wp2 (wp2 [192.168.0.12]) by osiris.ipform.ru (8.11.1/8.11.1) with SMTP id eBLBsxV39210; Thu, 21 Dec 2000 14:54:59 +0300 (MSK) (envelope-from matrix@ipform.ru) Message-ID: <001901c06b44$d88f6c00$0c00a8c0@ipform.ru> From: "Artem Koutchine" To: , References: <000a01c06ab8$4676a040$1805010a@epconline.net> Subject: Re: What anti-sniffer measures do i have? Date: Thu, 21 Dec 2000 14:54:52 +0300 Organization: IP Form MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

This would cost a BUNCH of $$$ to replace every card in every machine, and no driver for BSD yet. So, most of you are saying that a switch would be a solution. Can anyone recommend a particular switch which he/she is using without problems? Also, what about tunnelling?? Artem

----- Original Message ----- From: "Chuck Rock" To: ; Sent: Wednesday, December 20, 2000 10:08 PM Subject: RE: What anti-sniffer measures do i have? > Well there is another option you may not know about.... > > Encryption on the physical level. > > 3Com make new network cards with built in encryption that works up to full > duplex 100Meg.
> > Secures sensitive data by delivering 3DES, DES, MD5, and SHA-1 > > Check out the specs here.... > http://www.3com.com/products/nics/3cr990fb.html > > I don't know if anyone has built any drivers for FreeBSD, but I think it's > worth it. They make one for the server too that allows redundant NICs for > failover protection. > > There appear to be beta drivers for Linux for these network cards as well... > http://support.3com.com/infodeli/tools/nic/linuxdownload.htm > > I can sell the 3CR990-TX-97 which provides 168 Bit encryption for about $120 > each. > And the 3CR990-SVR-97 for $115. > > I haven't used these, but the principle sounds good. I think the only > drawback is, any server using one probably has to have one in each client > computer, or there would be no way for them to speak to each other. This > would rule out some other equipment as well, but they are supposed to be > compliant with IPSec. > > If anyone has used these, I would be interested in hearing how well they > work in a "real" environment running other O/S's and routers and such. > > Chuck > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Dmitry Galyant > > Sent: Wednesday, December 20, 2000 6:58 AM > > To: Artem Koutchine > > Cc: Jonas Luster; security@FreeBSD.ORG; questions@FreeBSD.ORG > > Subject: Re: What anti-sniffer measures do i have? > > > > > > On Wed, 20 Dec 2000, Artem Koutchine wrote: > > > > > Date: Wed, 20 Dec 2000 15:27:41 +0300 > > > From: Artem Koutchine > > > To: Jonas Luster , security@FreeBSD.ORG, > > > questions@FreeBSD.ORG > > > Subject: Re: What anti-sniffer measures do i have? > > > > > > Hello again! > > > > > > Well, i am depressed now :( The issue is even worse than i thought > > > at first. So, SHOULD I upgrade to switches? Will they REALLY help? > > > > > > Or should i build a simple FreeBSD router for each branch of the tree > > > with a bunch of ethernet cards. For example.
In a room with 8 computers i > > > will install a Pentium MMX with 8 PCI slots and 8 network cards > > and route > > > pure IP, no MAC addressing (i don't need an ipx router or > > anything, just ip). > > > > and don't forget to give a root shell to these 8 men ;-) > > switch has no shell - imho it's a better way. > > > > > > > > Are there relatively cheap switches which do the same? Is it even > > a solution?

From owner-freebsd-security Thu Dec 21 4:39: 2 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 04:38:59 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 6FD3E37B400 for ; Thu, 21 Dec 2000 04:38:59 -0800 (PST) Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 1494zi-0007Oa-00 for freebsd-security@freebsd.org; Thu, 21 Dec 2000 12:38:50 +0000 Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) for freebsd-security@FreeBSD.ORG id 1494zh-0007HA-00; Thu, 21 Dec 2000 12:38:49 +0000 X-Mailer: exmh version 2.0.2 2/24/98 To: freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems In-reply-to: Your message of "Wed, 20 Dec 2000 18:05:58 PST."
<657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 21 Dec 2000 12:38:49 +0000 From: David Pick Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The only way I could think of to do this securely in the current > implementation is to chflags most of the etc dir (with the exception > of files that did need to be changed like passwd master.passwd > aliases, etc.).. mainly the rc files.. but this makes administering > remotely a pain in the ass.. Of course, security in many cases comes > with a hassle factor.

Some years ago I was running a RISCiX system and wanted to use it in a number of different locations on the network. I set up a slightly unusual disc structure as follows:
1) The / filesystem was mounted read-only - permanently
2) There was no separate /usr filesystem
3) For each of the "changeable" files there was a symbolic link of the form: /etc/passwd -> /config/etc/passwd
4) Early in the "rc" scripts the system asked which configuration it should use, and this was used to choose which of a number of small filesystems should be mounted on /config providing the details for that particular "configuration"
5) /home was, of course, a separate filesystem
6) /var was linked as in item 3, giving separate sets of logs for each "configuration"
and various other small points of detail. This does not actually help the original problem, but did make the separation between read-only (apart from system updates) files and "configuration" files much cleaner. It would have allowed the root filesystem to have been on a hardware-locked read only disc drive (or a CD but they weren't around then), and that's a big win. I couldn't have put /var, but could have put the remains of /etc on a floppy and used the write-protect tab. Using the filesystem "flags" is a different approach to trying to protect files that should not normally change.
It's less safe than the approach I took, but more flexible. I wasn't primarily trying to get 100% security, but did get a fair bit as fallout. It's quite a lot of work to get something like this configured, but people who *know* there are strangers out there trying to "get" at their computers might think it's worthwhile. -- David Pick

From owner-freebsd-security Thu Dec 21 5:59:59 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 05:59:56 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id EC0D337B400; Thu, 21 Dec 2000 05:59:55 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id GAA26852; Thu, 21 Dec 2000 06:01:08 -0800 Date: Thu, 21 Dec 2000 06:01:08 -0800 From: Kris Kennaway To: cjclark@alum.mit.edu Cc: Kris Kennaway , Alfred Perlstein , Mark Zielinski , freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001221060108.B26775@citusc.usc.edu> References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu> <3A40BED3.1070909@2cactus.com> <20001220174056.C22288@citusc.usc.edu> <20001220174129.F19572@fw.wintelcom.net> <20001220175931.E22288@citusc.usc.edu> <20001220231205.W96105@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="neYutvxvOLaeuPCA" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001220231205.W96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Wed, Dec 20, 2000 at 11:12:05PM -0800 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --neYutvxvOLaeuPCA Content-Type: text/plain; charset=us-ascii Content-Disposition:
inline Content-Transfer-Encoding: quoted-printable

On Wed, Dec 20, 2000 at 11:12:05PM -0800, Crist J. Clark wrote: > On Wed, Dec 20, 2000 at 05:59:31PM -0800, Kris Kennaway wrote: > > On Wed, Dec 20, 2000 at 05:41:29PM -0800, Alfred Perlstein wrote: > > [snip] > > > > Actually, securelevel as an all-covering blanket would work better > > > if people implemented fixes for it like a solution for the mount > > > problem described here. > > > > That still doesn't alter the fact that only a single reboot is needed > > to undo the restrictions. > > Could you elaborate on what scenario you are describing? Of course if > the attacker has physical access, he is a reboot away from getting by > securelevel. But is there a remote attack involving a reboot which > negates securelevel besides the obvious case where the rc* files (and > init, and kernel, and... ) are not sufficiently protected?

Nope, that's the one. Once the attacker breaks root on a high securelevel machine they can arrange it so that the next time the system boots it does their dirty work for them prior to raising the securelevel (e.g. load a KLD which allows them backdoor access around the securelevel restrictions, so the system appears to be running normally).
Kris --neYutvxvOLaeuPCA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6Qg0kWry0BWjoQKURAtHxAJ90fktzuAphMjWd02ntHS6yS8Z1qACfSDsl Biq3RIYIybb+jL0S/+Te6YI= =qyje -----END PGP SIGNATURE----- --neYutvxvOLaeuPCA-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 6:47:33 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 06:47:30 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 1B80037B400; Thu, 21 Dec 2000 06:47:30 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id GAA27292; Thu, 21 Dec 2000 06:48:42 -0800 Date: Thu, 21 Dec 2000 06:48:42 -0800 From: Kris Kennaway To: "Michael A. Williams" Cc: security@FreeBSD.ORG, Kris Kennaway Subject: Re: Read-Only Filesystems Message-ID: <20001221064842.B27118@citusc.usc.edu> References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> <20001220182936.H22288@citusc.usc.edu> <3A41BE58.76ECD6A9@netxsecure.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <3A41BE58.76ECD6A9@netxsecure.net>; from mike@netxsecure.net on Thu, Dec 21, 2000 at 09:24:56PM +1300 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --7AUc2qLy4jB3hD7Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 21, 2000 at 09:24:56PM +1300, Michael A. 
Williams wrote: > > > The only way I could think of to do this securely in the current > > > implementation is to chflags most of the etc dir (with the exception > > > of files that did need to be changed like passwd master.passwd > > > aliases, etc.).. mainly the rc files.. but this makes administering > > > remotely a pain in the ass.. Of course, security in many cases comes > > > with a hassle factor. > > > > Don't forget chflags'ing every binary involved in the startup process, > > too. And all of your kernel modules. And the boot loader and its > > config files. And all of the appropriate directories. And /etc/fstab > > so null or union mounts can't be used to shadow a protected file...you > > get the picture :-) > > Securelevel 2 should not allow loading of kernel modules.

Correct, but if they're not noschg then you can trivially trojan a kernel module which you know is loaded at boot time. Or you can add yourself a new kernel module and load it by editing the boot loader config, or by editing one of the startup scripts, or by trojaning one of the binaries run during the system startup prior to raising of securelevel, etc etc. Then cause, or wait for a reboot.
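An added example, mine rather than part of Kris Kennaway's message and not FreeBSD code, that turns the list above into a check to run before trusting a high securelevel: it parses `ls -ldo` output and reports every file or directory on the boot path that is not schg, since anything in that set is what the "trojan it, then wait for a reboot" path needs. The listing is constructed; the path lists assume a 4.x-era layout (/kernel, /modules) and are a starting point, not an exhaustive inventory of what /etc/rc runs before the securelevel goes up.

```python
"""Report boot-path files and directories that are not immutable (schg).
Added example: not from the thread and not FreeBSD code."""
import re
import sys

# Boot-path inventory (assumption: 4.x-era layout). Extend with whatever
# else runs before securelevel is raised on your system.
CRITICAL_DIRS = ["/", "/boot", "/etc", "/modules", "/sbin", "/bin"]
CRITICAL_FILES = [
    "/kernel", "/boot/loader", "/boot/loader.conf", "/boot/loader.rc",
    "/etc/fstab", "/etc/rc", "/etc/rc.conf", "/etc/rc.network",
    "/sbin/init", "/sbin/mount", "/sbin/sysctl", "/bin/sh",
]

# One `ls -ldo` row: type+mode, links, owner, group, flags ("-" when none),
# size, month, day, time-or-year, name, optional "-> target" for symlinks.
LS_RE = re.compile(
    r"^([-dl])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(.+?)(?:\s+->\s+\S+)?$"
)

# Constructed listing (not from a real host) of a partly hardened box.
SAMPLE_LS = """\
drwxr-xr-x  19 root  wheel  schg 512 Dec 21  2000 /
drwxr-xr-x   4 root  wheel  - 512 Dec 21  2000 /boot
drwxr-xr-x  20 root  wheel  schg 2048 Dec 21  2000 /etc
drwxr-xr-x   2 root  wheel  schg 512 Dec 21  2000 /modules
drwxr-xr-x   2 root  wheel  schg 1536 Dec 21  2000 /sbin
drwxr-xr-x   2 root  wheel  schg 1024 Dec 21  2000 /bin
-r-xr-xr-x   1 root  wheel  schg 2293412 Dec 21  2000 /kernel
-r--r--r--   1 root  wheel  - 196608 Dec 21  2000 /boot/loader
-rw-r--r--   1 root  wheel  - 90 Dec 21  2000 /boot/loader.conf
-r--r--r--   1 root  wheel  schg 1024 Dec 21  2000 /boot/loader.rc
-rw-r--r--   1 root  wheel  schg 200 Dec 21  2000 /etc/fstab
-rw-r--r--   1 root  wheel  schg 12000 Dec 21  2000 /etc/rc
lrwxr-xr-x   1 root  wheel  - 19 Dec 21  2000 /etc/rc.conf -> /config/etc/rc.conf
-rw-r--r--   1 root  wheel  schg 9000 Dec 21  2000 /etc/rc.network
-r-x------   1 root  wheel  schg 200000 Dec 21  2000 /sbin/init
-r-xr-xr-x   1 root  wheel  schg 60000 Dec 21  2000 /sbin/mount
-r-xr-xr-x   1 root  wheel  schg 30000 Dec 21  2000 /sbin/sysctl
-r-xr-xr-x   1 root  wheel  schg 300000 Dec 21  2000 /bin/sh
"""


def parse_ls_lo(text):
    """Map path -> (type char, set of flag names) from `ls -ldo` output."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("total"):
            continue
        m = LS_RE.match(line)
        if not m:
            raise ValueError("unrecognised ls -lo line: " + line)
        ftype, flags, path = m.groups()
        entries[path] = (ftype, set() if flags == "-" else set(flags.split(",")))
    return entries


def audit(entries, dirs=CRITICAL_DIRS, files=CRITICAL_FILES):
    """One finding per critical path that root could still alter before
    securelevel is raised. Directories need schg so nothing can be added
    or renamed in them; files need schg; symlinks cannot carry schg at
    all (4.x chflags follows them), so they are reported outright."""
    findings = []
    for path in dirs:
        if path not in entries:
            findings.append(f"{path}: not listed, cannot verify")
        elif entries[path][0] != "d":
            findings.append(f"{path}: expected a directory")
        elif "schg" not in entries[path][1]:
            findings.append(f"{path}: not schg, entries can be created or renamed")
    for path in files:
        if path not in entries:
            findings.append(f"{path}: not listed, cannot verify")
            continue
        ftype, flags = entries[path]
        if ftype == "l":
            findings.append(f"{path}: symlink (cannot carry schg), protect target and directory")
        elif "schg" not in flags:
            findings.append(f"{path}: not schg, can be modified or replaced before securelevel rises")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LS
    for finding in audit(parse_ls_lo(text)):
        print(finding)
```

On a real box feed it `ls -ldo / /boot /etc /modules /sbin /bin /kernel ...` on standard input, and check `sysctl kern.securelevel` as well: schg only binds root once the securelevel is at least 1, which is the whole point of the reboot window Kris describes.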
From: Roger Marquis
To: security@FreeBSD.ORG
Cc: Dag-Erling Smorgrav
Subject: Re: dsniff 2.3 info:
Date: Thu, 21 Dec 2000 08:23:37 -0800 (PST)

On 21 Dec 2000, Dag-Erling Smorgrav wrote:
> Roger Marquis writes:
> > Bad administrators? You must be joking. [it's FreeBSD's fault...]

Dag, I would prefer if you could quote what I said instead of inserting
what you want to hear and attempting to make it look like that's what I
said. For the record nobody said "it's FreeBSD's fault..." other than
Dag.

The ssh ports, however, are the source of many ssh identity-has-changed
errors (the original point of this thread). This is the result of some
incorrect assumptions on the part of the ports maintainers and a lack of
port standards or enforcement in general.

> We are eagerly anticipating patches that address the issues you
> mention. You do have patches, don't you?

This answer, as we used to say in the 60s, is a cop-out.

Sysadmins, though they may be experienced at juggling various
applications, are not programmers nor should they try to be. Expecting
everyone who uses FreeBSD to be a developer is neither realistic nor a
good way to encourage a broad user-base. Administration and programming
are high-level functions and you can't specialize in both, at least not
well.

Ports maintainers, on the other hand, should have a better set of
guidelines to work from. This is especially the case for security
related applications like ssh. Just yesterday I ran "cd
/usr/ports/security/openssh; make --prefix=/; make install". The port
A) ignored the "--prefix", B) ignored the pre-installed OS binaries,
keys, and config files, and C) failed to check inetd.conf before putting
an sshd.sh under /usr/local/etc/rc.d.

The problems with these ports are obvious. Ignore them if you wish but
at least don't simultaneously claim that they're the result of "stupid
users" or "stupid administrators".

IMHO,

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From: Dag-Erling Smorgrav
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Date: 21 Dec 2000 17:28:19 +0100

Roger Marquis writes:
> Dag

...is not my name.

> This is the result of some incorrect assumptions on the part of
> the ports maintainers and a lack of port standards or enforcement
> in general.

Which translates to "it's FreeBSD's fault". Send patches or shut up.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From: Mikhail Kruk
To: Kris Kennaway
Cc: "Michael A. Williams"
Subject: Re: Read-Only Filesystems
Date: Thu, 21 Dec 2000 11:39:56 -0500 (EST)
In-Reply-To: <20001221064842.B27118@citusc.usc.edu>

> > > Don't forget chflags'ing every binary involved in the startup process,
> > > too. And all of your kernel modules. And the boot loader and its
> > > config files. And all of the appropriate directories. And /etc/fstab
> > > so null or union mounts can't be used to shadow a protected file...you
> > > get the picture :-)
> >
> > Securelevel 2 should not allow loading of kernel modules.
>
> Correct, but if they're not noschg then you can trivially trojan a
> kernel module which you know is loaded at boot time. Or you can add
> yourself a new kernel module and load it by editing the boot loader
> config, or by editing one of the startup scripts, or by trojaning one
> of the binaries run during the system startup prior to raising of
> securelevel, etc etc.
>
> Then cause, or wait for a reboot.

wait, but can't you make kernel modules and startup scripts noschg too?

From: Kris Kennaway
To: Mikhail Kruk
Cc: Kris Kennaway, "Michael A. Williams", security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Date: Thu, 21 Dec 2000 08:44:52 -0800
Message-ID: <20001221084452.A28157@citusc.usc.edu>
In-Reply-To: Mikhail Kruk's message of Thu, Dec 21, 2000 at 11:39:56AM -0500

On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > > > Don't forget chflags'ing every binary involved in the startup process,
> > > > too. And all of your kernel modules. And the boot loader and its
> > > > config files. And all of the appropriate directories. And /etc/fstab
> > > > so null or union mounts can't be used to shadow a protected file...you
> > > > get the picture :-)
> > >
> > > Securelevel 2 should not allow loading of kernel modules.
> >
> > Correct, but if they're not noschg then you can trivially trojan a
> > kernel module which you know is loaded at boot time. Or you can add
> > yourself a new kernel module and load it by editing the boot loader
> > config, or by editing one of the startup scripts, or by trojaning one
> > of the binaries run during the system startup prior to raising of
> > securelevel, etc etc.
> >
> > Then cause, or wait for a reboot.
>
> wait, but can't you make kernel modules and startup scripts noschg too?

Go back and read the first paragraph above. It's theoretically
possible, but the list of things you would have to noschg is huge,
constantly changing from version to version, and not completely known.
Kris

From: Dag-Erling Smorgrav
To: Kris Kennaway
Cc: Mikhail Kruk, "Michael A. Williams", security@FreeBSD.ORG
Subject: Re: Read-Only Filesystems
Date: 21 Dec 2000 19:57:55 +0100
In-Reply-To: Kris Kennaway's message of "Thu, 21 Dec 2000 08:44:52 -0800"

Kris Kennaway writes:
> On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > Kris Kennaway writes:
> > > Correct, but if they're not noschg then you can trivially trojan a
> > > kernel module which you know is loaded at boot time. [...]
> > wait, but can't you make kernel modules and startup scripts noschg too?
> Go back and read the first paragraph above. It's theoretically
> possible, but the list of things you would have to noschg is huge,
> constantly changing from version to version, and not completely known.

Umm, people, please, "schg" not "noschg". If you find this confusing,
use "simmutable" instead.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From: J Bacher
To: security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Date: Thu, 21 Dec 2000 13:40:29 -0600
Message-Id: <4.2.2.20001221111451.00b6ef00@mail.jbacher.com>

At 05:28 PM 12/21/00 +0100, Dag-Erling Smorgrav wrote:
> > This is the result of some incorrect assumptions on the part of
> > the ports maintainers and a lack of port standards or enforcement
> > in general.
>
> Which translates to "it's FreeBSD's fault". Send patches or shut up.

So, are you in agreement that this is a FreeBSD issue? Or, is there a
logical explanation identifying differently?

If so, do you expect that anyone that reports a problem with an OS or
application should also be the individual to provide patches?

From: Dag-Erling Smorgrav
To: J Bacher
Cc: security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Date: 21 Dec 2000 20:37:36 +0100
In-Reply-To: J Bacher's message of "Thu, 21 Dec 2000 13:40:29 -0600"

J Bacher writes:
> At 05:28 PM 12/21/00 +0100, Dag-Erling Smorgrav wrote:
> > > This is the result of some incorrect assumptions on the part of
> > > the ports maintainers and a lack of port standards or enforcement
> > > in general.
> > Which translates to "it's FreeBSD's fault". Send patches or shut up.
> So, are you in agreement that this is a FreeBSD issue?

Not necessarily. I'm saying that what you write translates to laying
the blame at the FreeBSD project's feet.

> If so, do you expect that anyone that reports a problem with an OS or
> application should also be the individual to provide patches?

You're not "reporting a problem", you're saying that the problem being
discussed is caused by incompetence or sloppiness on the part of the
members of the FreeBSD project.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From: J Bacher
To: security@FreeBSD.ORG
Subject: Re: dsniff 2.3 info:
Date: Thu, 21 Dec 2000 14:14:39 -0600
Message-Id: <4.2.2.20001221140608.00b8a2d0@mail.jbacher.com>
In-Reply-To: Dag-Erling Smorgrav's message of 21 Dec 2000 20:37:36 +0100

At 08:37 PM 12/21/00 +0100, you wrote:
> J Bacher writes:
> > > Which translates to "it's FreeBSD's fault". Send patches or shut up.
> > So, are you in agreement that this is a FreeBSD issue?
>
> Not necessarily. I'm saying that what you write translates to laying
> the blame at the FreeBSD project's feet.
>
> > If so, do you expect that anyone that reports a problem with an OS or
> > application should also be the individual to provide patches?
>
> You're not "reporting a problem", you're saying that the problem being
> discussed is caused by incompetence or sloppiness on the part of the
> members of the FreeBSD project.

Hello? I have not reported a problem, filed a complaint, or engaged in
any pissing and moaning. I'm looking for clarification as to your
position regarding the disagreement you have with another individual.

I saw that a problem was reported. I saw some recommended solutions.
The solution that you are in disagreement with doesn't resolve the
entire issue but it certainly addresses one part of the problem. Is
there any logical reason to not take that suggestion into
consideration?

From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: FTP and firewall
Date: Thu, 21 Dec 2000 21:14:16 +0100
Message-ID: <20001221211416.V253@speedy.gsinet>
In-Reply-To: <200012201323.KAA95716@ns1.via-net-works.net.ar>
Organization: System Defenestrators Inc.

On Wed, Dec 20, 2000 at 10:23 -0300, Fernando Schapachnik wrote:
>
> > man ipf, and check:
> > http://www.obfuscation.org/ipf/ipf-howto.txt

This answer was a little terse. :)

Make sure to read "man -a ipf", since there is the IP stack hookup
code (4), the userland access tool (8), as well as the configuration
language (5). Plus "man -a ipnat" for the functionality (4), the
command line tool (1), and the language (5).

And make sure to look at the /usr/src/contrib/ipfilter/rules examples.
Especially the ftp* files might be of interest for you. But then again
having an example with a topology drawing next to it might make it all
*too* easy. :>

BTW: You did read the /etc/defaults/rc.conf comments right next to the
ipfilter_* settings, didn't you? Since you copied the relevant ones
over to /etc/rc.conf (and turned them on) ... :>

> ipfilter can do this in a much safer way than what I suggested
> there.

Yes. The idea is to open the control connection only (port 21) and
have the proxy module handle the data connections on the fly. No need
to open up wide holes big enough to drive trucks through.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 13:40:47 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 13:40:44 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fud.indifference.org (cr597818-a.crdva1.bc.wave.home.com [24.113.89.211]) by hub.freebsd.org (Postfix) with SMTP id B50BE37B404 for ; Thu, 21 Dec 2000 13:40:43 -0800 (PST) Received: (qmail 34222 invoked by uid 1001); 21 Dec 2000 22:04:35 -0000 Date: Thu, 21 Dec 2000 14:04:35 -0800 From: kj@indifference.org To: freebsd-security@freebsd.org Subject: Re: Read-Only Filesystems Message-ID: <20001221140435.F25684@indifference.org> References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu> <3A40BED3.1070909@2cactus.com> <20001220174056.C22288@citusc.usc.edu> <20001220174129.F19572@fw.wintelcom.net> <20001220175931.E22288@citusc.usc.edu> <20001220231205.W96105@149.211.6.64.reflexcom.com> <20001221060108.B26775@citusc.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001221060108.B26775@citusc.usc.edu>; from kris@FreeBSD.ORG on Thu, Dec 21, 2000 at 06:01:08AM -0800 X-Operating-System: BrokenBSD 1.1.1 X-List-Master: indifference.org Sender: lists@indifference.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Nope, that's the one. Once the attacker breaks root on a high > securelevel machine they can arrange it so that the next time the > system boots it does their dirty work for them prior to raising the > securelevel (e.g. load a KLD which allows them backdoor access around > the securelevel restrictions, so the system appears to be running > normally). > > Kris To be truly, anal. 
Couldn't one just put a bios boot password on every server reboot (really how often do we need to reboot). And have a serial console hooked up to the server. That way if the attacker drops the security level and reboots, he can't modify anything as the server never boots up. It's major downtime, but better then a comprimise. K.J. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 13:48:28 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 13:48:25 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 8C56A37B400 for ; Thu, 21 Dec 2000 13:48:25 -0800 (PST) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id eBLLmOd30045; Thu, 21 Dec 2000 13:48:24 -0800 Date: Thu, 21 Dec 2000 13:48:24 -0800 From: Brooks Davis To: kj@indifference.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001221134824.A29237@Odin.AC.HMC.Edu> References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu> <3A40BED3.1070909@2cactus.com> <20001220174056.C22288@citusc.usc.edu> <20001220174129.F19572@fw.wintelcom.net> <20001220175931.E22288@citusc.usc.edu> <20001220231205.W96105@149.211.6.64.reflexcom.com> <20001221060108.B26775@citusc.usc.edu> <20001221140435.F25684@indifference.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001221140435.F25684@indifference.org>; from kj@indifference.org on Thu, Dec 21, 2000 at 02:04:35PM -0800 Sender: brdavis@odin.ac.hmc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Dec 21, 2000 at 02:04:35PM -0800, kj@indifference.org wrote: > To be truly, anal. 
Couldn't one just put a bios boot password on every > server reboot (really how often do we need to reboot). And have a serial > console hooked up to the server. > > That way if the attacker drops the security level and reboots, he can't > modify anything as the server never boots up. It's major downtime, but > better then a comprimise. Unless the next boot is a CD or floppy which does an integrity test of the entire system that don't do much because as soon as the system boots the security level bypassing compromise occures. Unless you're sure you protected everything related to the loader, modules, and kernel this could even happen if you just boot to single user mode. The password would mean things took longer but they wouldn't actually stop you from being back doored. Isn't paranoia fun. ;-) -- Brooks -- Any statement of the form "X is the one, true Y" is FALSE. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 13:50:53 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 13:50:51 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from p0016c23.us.kpmg.com (p0016c23.us.kpmg.com [199.207.255.23]) by hub.freebsd.org (Postfix) with ESMTP id ABAAC37B402 for ; Thu, 21 Dec 2000 13:50:50 -0800 (PST) Received: from p0016c56 by p0016c23.us.kpmg.com(Pro-8.9.3/Pro-8.9.3) with SMTP id QAA01151 for ; Thu, 21 Dec 2000 16:50:49 -0500 (EST) Received: from p0016c22.kweb.us.kpmg.com by p0016c56 via smtpd (for [199.207.255.23]) with SMTP; 21 Dec 2000 21:50:49 UT Received: from usnssexc11.kweb.us.kpmg.com by kpmg.com(Pro-8.9.2/Pro-8.9.2) with ESMTP id QAA06787 for ; Thu, 21 Dec 2000 16:50:48 -0500 (EST) Received: from usnssexc11.kweb.us.kpmg.com (unverified) by usnssexc11.kweb.us.kpmg.com (Content Technologies SMTPRS 2.0.15) with ESMTP id for ; Thu, 21 Dec 2000 16:50:40 -0500 Received: by usnssexc11.kweb.us.kpmg.com with Internet Mail Service (5.5.2650.21) 
id ; Thu, 21 Dec 2000 16:50:40 -0500 Message-Id: <7799D023E51ED311BFB50008C75DD7B402881BCC@uschiexc05.kweb.us.kpmg.com> From: "Passki, Jonathan P" To: freebsd-security@freebsd.org Subject: RE: Read-Only Filesystems Date: Thu, 21 Dec 2000 16:50:35 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Nope, that's the one. Once the attacker breaks root on a high > > securelevel machine they can arrange it so that the next time the > > system boots it does their dirty work for them prior to raising the > > securelevel (e.g. load a KLD which allows them backdoor > access around > > the securelevel restrictions, so the system appears to be running > > normally). > > > > Kris > > > To be truly, anal. Couldn't one just put a bios boot password > on every > server reboot (really how often do we need to reboot). And > have a serial > console hooked up to the server. > > That way if the attacker drops the security level and > reboots, he can't > modify anything as the server never boots up. It's major downtime, but > better then a comprimise. > > K.J. > Why not just unplug it, lock the computer in a safe, and seal the safe? Security is usually a compromise determined from user requirements and system requirements. The number of levels of controls in place help (onion layer effect), but at some time it will hinder. I guess it's all just a rhetorical argument, since every environment is different, and objective views on security controls are hard to make, unless you can analysis the environment. If one person is running a FreeBSD box behind a decent firewall, most attacks out there won't succeed, but perhaps that sk1ll3d h4x0r might be able to compromise your box. If you're a corporation, the more layers and controls involved. 
yada yada yada Jon My $.02 in this non-technical, red herring rant ;) ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ***************************************************************************** To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 13:52:49 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 13:52:47 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from henry.cs.adfa.edu.au (henry.cs.adfa.edu.au [131.236.21.158]) by hub.freebsd.org (Postfix) with ESMTP id 3BC2D37B400 for ; Thu, 21 Dec 2000 13:52:45 -0800 (PST) Received: (from wkt@localhost) by henry.cs.adfa.edu.au (8.9.3/8.9.3) id IAA69407; Fri, 22 Dec 2000 08:56:20 +1100 (EST) (envelope-from wkt) From: Warren Toomey Message-Id: <200012212156.IAA69407@henry.cs.adfa.edu.au> Subject: Re: Security Update Tool.. 
In-Reply-To: from Some Person at "Dec 16, 2000 00:16:29 am" To: Some Person Date: Fri, 22 Dec 2000 08:56:20 +1100 (EST) Cc: freebsd-security@FreeBSD.ORG Reply-To: wkt@cs.adfa.edu.au X-Mailer: ELM [version 2.4ME+ PL68 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article by Some Person: > My question is, is there a util yet that in theory (maybe if so, or if > someone writes one would work differently than what I'm imagining) queries a > central database with all the security advisories, checks the local system > for comparisons and vulnerabilities against that database and reports to the > user who ran the util. See the KuangPlus prototype at http://minnie.cs.adfa.edu.au/KuangPlus/index.html Still needs an awful lot of work to do. Perhaps someone could pick it up as an Open Source project? Cheers, Warren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 21 13:59:33 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 13:59:31 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 53F7F37B402 for ; Thu, 21 Dec 2000 13:59:31 -0800 (PST) Received: from x86nts4 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Thu, 21 Dec 2000 13:59:30 -0800 Message-ID: <003701c06b9a$3123a890$fd01a8c0@pacbell.net> From: "John Howie" To: "Brooks Davis" , Cc: References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <20001219120953.S19572@fw.wintelcom.net> <20001219211642.D13474@citusc.usc.edu> <3A40BED3.1070909@2cactus.com> <20001220174056.C22288@citusc.usc.edu> <20001220174129.F19572@fw.wintelcom.net> <20001220175931.E22288@citusc.usc.edu> <20001220231205.W96105@149.211.6.64.reflexcom.com> 
<20001221060108.B26775@citusc.usc.edu> <20001221140435.F25684@indifference.org> <20001221134824.A29237@Odin.AC.HMC.Edu> Subject: Re: Read-Only Filesystems Date: Thu, 21 Dec 2000 14:05:55 -0800 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1800 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ----- Original Message ----- From: "Brooks Davis" To: Cc: Sent: Thursday, December 21, 2000 1:48 PM Subject: Re: Read-Only Filesystems > On Thu, Dec 21, 2000 at 02:04:35PM -0800, kj@indifference.org wrote: > > To be truly, anal. Couldn't one just put a bios boot password on every > > server reboot (really how often do we need to reboot). And have a serial > > console hooked up to the server. > > > > That way if the attacker drops the security level and reboots, he can't > > modify anything as the server never boots up. It's major downtime, but > > better then a comprimise. > > Unless the next boot is a CD or floppy which does an integrity test of > the entire system that don't do much because as soon as the system boots > the security level bypassing compromise occures. Unless you're sure you > protected everything related to the loader, modules, and kernel this > could even happen if you just boot to single user mode. The password > would mean things took longer but they wouldn't actually stop you from > being back doored. Isn't paranoia fun. ;-) To be truly paranoid who says that the hacker hasn't found a way to reprogram that FlashBIOS you have on your motherboard and disk controllers. You might not actually be running the integrity checks that you think you are running and you could potentially even remove any boot-password anyway. Heck, if you are running on TransMeta's Crusoe the hacker could potentially even re-program the microprocessor itself. john... 
From owner-freebsd-security Thu Dec 21 14:31:58 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 14:31:56 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from atlas.bit.net.au (atlas.bit.net.au [203.18.94.3]) by hub.freebsd.org (Postfix) with ESMTP id 5CCA437B400 for ; Thu, 21 Dec 2000 14:31:55 -0800 (PST) Received: (from pdh@localhost) by atlas.bit.net.au (8.11.0/8.11.0) id eBLMVdT28791; Fri, 22 Dec 2000 08:31:39 +1000 Date: Fri, 22 Dec 2000 08:31:39 +1000 From: Phil Homewood To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: Message-ID: <20001222083139.A27290@atlas.bit.net.au> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from marquis@roble.com on Thu, Dec 21, 2000 at 08:23:37AM -0800 Sender: pdh@atlas.bit.net.au Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Roger Marquis wrote:
> Just yesterday I ran "cd /usr/ports/security/openssh; make --prefix=/; make install". The
> port A) ignored the "--prefix",

SYNOPSIS
     make [-BPSeiknqrstv] [-D variable] [-d flags] [-E variable] [-f makefile]
          [-I directory] [-j max_jobs] [-m directory] [-V variable]
          [variable=value] [target ...]

Gee, I wonder why?
--
Phil Homewood pdh@asiaonline.net Senior Technician +61 7 3620 1930 Asia Online http://www.asiaonline.net/

From owner-freebsd-security Thu Dec 21 16:25:15 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 16:25:13 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from xgate4.sd.co.nz (ns.netxsecure.com [210.55.57.156]) by hub.freebsd.org (Postfix) with ESMTP id 5ECD537B400; Thu, 21 Dec 2000 16:25:11 -0800 (PST) Received: from netxsecure.net (xmgate-172-2.sd.co.nz [172.16.30.2]) by xgate4.sd.co.nz (8.11.0/8.11.0) with ESMTP id eBM0Z8E11122; Fri, 22 Dec 2000 13:35:09 +1300 (NZDT) Sender: mike@netxsecure.net Message-ID: <3A42A2A2.92EE47A0@netxsecure.net> Date: Fri, 22 Dec 2000 13:38:58 +1300 From: "Michael A. Williams" X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.5-22 i586) X-Accept-Language: en MIME-Version: 1.0 To: Dag-Erling Smorgrav Cc: Kris Kennaway , Mikhail Kruk , security@FreeBSD.ORG Subject: Re: Read-Only Filesystems References: <20001221064842.B27118@citusc.usc.edu> <20001221084452.A28157@citusc.usc.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Archived: msg.Cbm13986@xgate4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dag-Erling Smorgrav wrote:
>
> Kris Kennaway writes:
> > On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > > Kris Kennaway writes:
> > > > Correct, but if they're not noschg then you can trivially trojan a
> > > > kernel module which you know is loaded at boot time. [...]
> > > wait, but can't you make kernel modules and startup scripts noschg too?
> > Go back and read the first paragraph above. It's theoretically
> > possible, but the list of things you would have to noschg is huge,
> > constantly changing from version to version, and not completely known.
>
> Umm, people, please, "schg" not "noschg".
> If you find this confusing,
> use "simmutable" instead.

Lots of good ideas have been put forward as to what should be set immutable with securelevel 2 or higher; has anyone worked out a recommended list as such? Obviously needs will vary widely; however, a document relevant to a certain OS release and securelevel could be worthwhile. I am prepared to put some time into this, as I would like to run with the results.

Mike.

--
Michael A. Williams, InfoSec Technology Manager
NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com
Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914

From owner-freebsd-security Thu Dec 21 18: 5:44 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 18:05:42 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id EB09F37B400 for ; Thu, 21 Dec 2000 18:05:41 -0800 (PST) Received: from localhost (marquis@localhost) by roble.com with ESMTP id eBM24FQ76578; Thu, 21 Dec 2000 18:05:41 -0800 (PST) Date: Thu, 21 Dec 2000 18:04:15 -0800 (PST) From: Roger Marquis To: Phil Homewood Cc: security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: In-Reply-To: <20001222083139.A27290@atlas.bit.net.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 22 Dec 2000, Phil Homewood wrote:
> Roger Marquis wrote:
> > Just yesterday I ran "cd /usr/ports/security/openssh; make --prefix=/; make install". The
> > port A) ignored the "--prefix",
>
> SYNOPSIS
> make [-BPSeiknqrstv] [-D variable] [-d flags] [-E variable] [-f makefile]
> [-I directory] [-j max_jobs] [-m directory] [-V variable]
> [variable=value] [target ...]
>
> Gee, I wonder why?

Have you tried it or is this just speculation?
Edit /etc/make.conf, edit the Makefile, "make prefix=", "make --prefix=", ... All yield the same result (the wrong prefix).

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Thu Dec 21 19:16:23 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 19:16:21 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 922B937B402 for ; Thu, 21 Dec 2000 19:16:17 -0800 (PST) Received: (qmail 25780 invoked by uid 0); 22 Dec 2000 03:16:16 -0000 Received: from p3ee20a81.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.129) by mail.gmx.net (mail08) with SMTP; 22 Dec 2000 03:16:16 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA25496 for security@FreeBSD.ORG; Thu, 21 Dec 2000 22:45:54 +0100 Date: Thu, 21 Dec 2000 22:45:54 +0100 From: Gerhard Sittig To: security@FreeBSD.ORG Subject: Re: What anti-sniffer measures do i have? Message-ID: <20001221224554.X253@speedy.gsinet> Mail-Followup-To: security@FreeBSD.ORG References: <000a01c06ab8$4676a040$1805010a@epconline.net> <001901c06b44$d88f6c00$0c00a8c0@ipform.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <001901c06b44$d88f6c00$0c00a8c0@ipform.ru>; from matrix@ipform.ru on Thu, Dec 21, 2000 at 02:54:52PM +0300 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Dec 21, 2000 at 14:54 +0300, Artem Koutchine wrote:
>
> So, most of you are saying that a switch would be a solution.
> Can anyone recommend a particular switch which he/she is using
> without problems?

Have you actually followed the thread? :) Switches are meant to increase performance at first (by reducing collisions).
The fact that not all traffic is delivered to all ports is just a side effect and not really a design goal. Switches *cannot* prevent bad guys from sniffing, as has been stated before; it's just that it gets a little more difficult than before, but not really much. You still get non-unicast packets delivered broadly. "Initial" packets the switch hasn't learned the destination MAC for yet are handled like a hub would do. Flooding the switch's "brain" will have a similar effect and degrade it to a repeater. And there are the ARP games mentioned in several other messages one could play -- the switch would happily deliver packets to where the MAC address points.

> Also, what about tunnelling??

I thought this would have been the conclusion: encryption being the only solution, either via software or hardware (well, it doesn't prevent sniffing, but makes the sniffed data useless :). Shrinking collision domains is not the most appropriate measure against sniffing, but more of a network performance increase.

> [ ... fullquote snipped ... ]

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Thu Dec 21 20:19:49 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 20:19:47 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 20FE037B400; Thu, 21 Dec 2000 20:19:47 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id UAA32425; Thu, 21 Dec 2000 20:21:01 -0800 Date: Thu, 21 Dec 2000 20:21:01 -0800 From: Kris Kennaway To: Dag-Erling Smorgrav Cc: Kris Kennaway , Mikhail Kruk , "Michael A.
Williams" , security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001221202101.A32404@citusc.usc.edu> References: <20001221064842.B27118@citusc.usc.edu> <20001221084452.A28157@citusc.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from des@ofug.org on Thu, Dec 21, 2000 at 07:57:55PM +0100 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--IS0zKkzwUGydFO0o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 21, 2000 at 07:57:55PM +0100, Dag-Erling Smorgrav wrote:
> Kris Kennaway writes:
> > On Thu, Dec 21, 2000 at 11:39:56AM -0500, Mikhail Kruk wrote:
> > > Kris Kennaway writes:
> > > > Correct, but if they're not noschg then you can trivially trojan a
> > > > kernel module which you know is loaded at boot time. [...]
> > > wait, but can't you make kernel modules and startup scripts noschg too?
> > Go back and read the first paragraph above. It's theoretically
> > possible, but the list of things you would have to noschg is huge,
> > constantly changing from version to version, and not completely known.
>
> Umm, people, please, "schg" not "noschg". If you find this confusing,

Sorry, I always get those two confused because the abbreviation doesn't mean anything to me - I didn't have a FreeBSD box handy to check the manpage on.
Kris

--IS0zKkzwUGydFO0o
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6QtatWry0BWjoQKURAoarAJwJD8jI4zpHaq1tCKzipqM228tS5ACgsm8m
hFWeUsSRSXEuRhyUOpLmpT4=
=B22z
-----END PGP SIGNATURE-----

--IS0zKkzwUGydFO0o--

From owner-freebsd-security Thu Dec 21 23: 3:46 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 23:03:44 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id A105137B400 for ; Thu, 21 Dec 2000 23:03:44 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 21 Dec 2000 23:02:00 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBM73aR07566; Thu, 21 Dec 2000 23:03:36 -0800 (PST) (envelope-from cjc) Date: Thu, 21 Dec 2000 23:03:36 -0800 From: "Crist J. Clark" To: Roger Marquis Cc: Phil Homewood , security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: Message-ID: <20001221230336.E96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20001222083139.A27290@atlas.bit.net.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from marquis@roble.com on Thu, Dec 21, 2000 at 06:04:15PM -0800 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Dec 21, 2000 at 06:04:15PM -0800, Roger Marquis wrote:
> On Fri, 22 Dec 2000, Phil Homewood wrote:
> > Roger Marquis wrote:
> > > Just yesterday I ran "cd /usr/ports/security/openssh; make --prefix=/; make install".
> > > The port A) ignored the "--prefix",
> >
> > SYNOPSIS
> > make [-BPSeiknqrstv] [-D variable] [-d flags] [-E variable] [-f makefile]
> > [-I directory] [-j max_jobs] [-m directory] [-V variable]
> > [variable=value] [target ...]
> >
> > Gee, I wonder why?
>
> Have you tried it or is this just speculation? Edit /etc/make.conf,
> edit the Makefile, "make prefix=", "make --prefix=", ... All
> yield the same result (the wrong prefix).

*sigh* All the silly flaming over nothing.

# make PREFIX=/usr

RTFM, ports(7):

     PREFIX   Where to install things in general (usually /usr/local or /usr/X11R6)

I just built it in /var/tmp without problem. It honors PREFIX for me just fine.

--
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Thu Dec 21 23:11:41 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 21 23:11:38 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 6C92437B400 for ; Thu, 21 Dec 2000 23:11:38 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 21 Dec 2000 23:09:49 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBM7BPg07669; Thu, 21 Dec 2000 23:11:25 -0800 (PST) (envelope-from cjc) Date: Thu, 21 Dec 2000 23:11:20 -0800 From: "Crist J.
Clark" To: David Pick Cc: freebsd-security@FreeBSD.ORG Subject: Re: Read-Only Filesystems Message-ID: <20001221231120.F96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <657B20E93E93D4118F9700D0B73CE3EA024346@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Thu, Dec 21, 2000 at 12:38:49PM +0000 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Dec 21, 2000 at 12:38:49PM +0000, David Pick wrote:
> > The only way I could think of to do this securely in the current
> > implementation is to chflags most of the etc dir (with the exception
> > of files that did need to be changed like passwd master.passwd
> > aliases, etc.).. mainly the rc files.. but this makes administering
> > remotely a pain in the ass.. Of course, security in many cases comes
> > with a hassle factor.
>
> Some years ago I was running a RISCiX system and wanted to use
> it in a number of different locations on the network. I set up
> a slightly unusual disc structure as follows:
> 1) The / filesystem was mounted read-only - permanently
> 2) There was no separate /usr filesystem
> 3) For each of the "changeable" files there was a symbolic
> link of the form: /etc/passwd -> /config/etc/passwd

Just a note, symlinks won't work with FreeBSD's passwd(1).

--
Crist J.
Clark cjclark@alum.mit.edu

From owner-freebsd-security Fri Dec 22 3:50: 7 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 03:50:05 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from staff.soim.com (unknown [202.109.109.35]) by hub.freebsd.org (Postfix) with SMTP id 38DAB37B400 for ; Fri, 22 Dec 2000 03:50:04 -0800 (PST) Received: (qmail 48808 invoked by uid 0); 22 Dec 2000 11:33:17 -0000 Received: from internet (HELO andy) (202.109.55.157) by internet with SMTP; 22 Dec 2000 11:33:17 -0000 Date: Fri, 22 Dec 2000 19:51:27 +0800 From: Andy W.L Dai To: freebsd-security@FreeBSD.ORG Subject: X-mailer: FoxMail 3.1 [cn] Mime-Version: 1.0 Content-Type: text/plain; charset="GB2312" Content-Transfer-Encoding: 7bit Message-Id: <20001222115004.38DAB37B400@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

unsubscribe freebsd-security

From owner-freebsd-security Fri Dec 22 4: 7:59 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 04:07:55 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.informatoreagrario.it (rub139.vr00.ne.interbusiness.it [194.184.240.139]) by hub.freebsd.org (Postfix) with ESMTP id D373A37B400; Fri, 22 Dec 2000 04:07:37 -0800 (PST) Received: from francesco.informatoreagrario.it ([192.168.50.8]) by mail.informatoreagrario.it (Post.Office MTA v3.1 release PO203a ID# 0-37772U100L2S100) with ESMTP id AAA336; Fri, 22 Dec 2000 12:32:40 +0100 Message-Id: <5.0.2.1.0.20001222122708.024fdec0@192.168.50.2> X-Sender: f.zerbinati@192.168.50.2 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Fri, 22 Dec 2000 12:28:06 +0100 To: f.zerbinati@informatoreagrario.it From: Francesco Zerbinati Subject: Auguri !
Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_10399739==_.ALT" Sender: f.zerbinati@mail.informatoreagrario.it Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--=====================_10399739==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Buon Natale e Felice Anno Nuovo [Merry Christmas and Happy New Year]

We wish you Merry Christmas and all the best for the new year

____________________________________________________
dott. Francesco Zerbinati
Redazione Tecnica
L'Informatore Agrario
(Orticoltura, Meccanica, Informatica)
Via Bencivenga-Biondani, 16 - 37133 - Verona (IT)
tel. +39.045.597855 - fax +39.045.597510
e-mail: f.zerbinati@informatoreagrario.it
http://www.informatoreagrario.it/
--=====================_10399739==_.ALT--

From owner-freebsd-security Fri Dec 22 6:21:59 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 06:21:54 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.informatoreagrario.it (unknown [217.57.0.107]) by hub.freebsd.org (Postfix) with ESMTP id 8E88F37B400; Fri, 22 Dec 2000 06:21:53 -0800 (PST) Received: from francesco.informatoreagrario.it ([192.168.50.8]) by mail.informatoreagrario.it (Post.Office MTA v3.1 release PO203a ID# 0-37772U100L2S100) with ESMTP id AAA50; Fri, 22 Dec 2000 14:54:14 +0100 Message-Id: <5.0.2.1.0.20001222145017.02504050@192.168.50.2> X-Sender: f.zerbinati@192.168.50.2 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Fri, 22 Dec 2000 14:50:56 +0100 To: f.zerbinati@informatoreagrario.it From: Francesco Zerbinati Subject: Auguri ! Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_18970219==_.ALT" Sender: f.zerbinati@mail.informatoreagrario.it Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--=====================_18970219==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Buon Natale e Felice Anno Nuovo [Merry Christmas and Happy New Year]

We wish you Merry Christmas and all the best for the new year

____________________________________________________
dott. Francesco Zerbinati
Redazione Tecnica
L'Informatore Agrario
(Orticoltura, Meccanica, Informatica)
Via Bencivenga-Biondani, 16 - 37133 - Verona (IT)
tel. +39.045.597855 - fax +39.045.597510
e-mail: f.zerbinati@informatoreagrario.it
http://www.informatoreagrario.it/
--=====================_18970219==_.ALT--

From owner-freebsd-security Fri Dec 22 7: 2: 6 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 07:02:04 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id DCEA937B400 for ; Fri, 22 Dec 2000 07:02:03 -0800 (PST) Received: from ts8-a27.dial.sovam.com ([195.239.2.27]:3056 "EHLO ts8-a27.dial.sovam.com" ident: "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Fri, 22 Dec 2000 17:32:35 +0300 Date: Fri, 22 Dec 2000 17:31:22 +0300 From: "Vladimir I. Kulakov" X-Mailer: The Bat! (v1.47 Halloween Edition) Reply-To: "Vladimir I. Kulakov" Organization: Kudesniki JSC X-Priority: 3 (Normal) Message-ID: <158109011449.20001222173122@kudesniki.ru> To: freebsd-security@FreeBSD.ORG Subject: Directory invisible by FTP? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello,

How can you explain the following situation? Some directory in a user's home, let's say /home/user/www, is not visible by ftp, but visible in my root shell... All other files and directories in /home/user/ with the same access rights are visible very well in both shell and ftp... When you do cd www in ftp, you can see all the contents of www, but www itself is still invisible :(

The user has 'ftpchroot' for his home directory and /bin/false in master.passwd. All other users with the same configuration can see all directories very well...
I already tried all possible reasons, but nothing helps :(

--
Best regards,
Vladimir mailto:kulakov@kudesniki.ru

From owner-freebsd-security Fri Dec 22 7:31:19 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 07:31:16 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from sunny.fishnet.com (sunny.fishnet.com [209.150.200.6]) by hub.freebsd.org (Postfix) with ESMTP id 8807337B400 for ; Fri, 22 Dec 2000 07:31:16 -0800 (PST) Received: from walleye.corp.fishnet.com (209.150.192.114) by sunny.fishnet.com (5.0.048) id 39FECC32005010E8; Fri, 22 Dec 2000 09:31:03 -0600 Message-ID: From: "Hudson, Henrik H." To: "'Vladimir I. Kulakov'" Cc: "'security@freebsd.org'" Subject: RE: Directory invisible by FTP? Date: Fri, 22 Dec 2000 09:31:47 -0600 MIME-Version: 1.0 Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Morning Vladimir-

Are you using the default BSD ftp daemon? I believe the issue is that when you chroot a user, the daemon roots them before getting the path to a shell. 3 ways around this:

1) Use an FTP daemon which doesn't do this in a rooted environment (ProFTPD is one)

2) Create a root-owned /etc and /bin directory inside the user's directory. Place a copy of 'ls' in the bin and then copy the passwd and group files into your new /etc directory. Edit the passwd and group files to only include root (wheel) and the user you want. Remove any references to passwords. The passwd and group files are only necessary if you want to be able to see usernames instead of UIDs and GIDs when people view their directory.

3) Go home, have a Christmas cake and not worry about it ;)

Henrik
---
Henrik Hudson

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Vladimir I.
Kulakov
Sent: Friday, December 22, 2000 08:31
To: freebsd-security@FreeBSD.ORG
Subject: Directory invisible by FTP?

Hello,

How can you explain the following situation? Some directory in a user's home, let's say /home/user/www, is not visible by ftp, but visible in my root shell... All other files and directories in /home/user/ with the same access rights are visible very well in both shell and ftp... When you do cd www in ftp, you can see all the contents of www, but www itself is still invisible :(

The user has 'ftpchroot' for his home directory and /bin/false in master.passwd. All other users with the same configuration can see all directories very well...

I already tried all possible reasons, but nothing helps :(

--
Best regards,
Vladimir mailto:kulakov@kudesniki.ru

From owner-freebsd-security Fri Dec 22 7:35:10 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 07:35:09 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from [204.251.62.194] (snc-inc.com [204.251.62.194]) by hub.freebsd.org (Postfix) with SMTP id 5C1C837B400; Fri, 22 Dec 2000 07:35:08 -0800 (PST) Received: from snc-inc.com by [204.251.62.194] via smtpd (for hub.FreeBSD.org [216.136.204.18]) with SMTP; 22 Dec 2000 15:31:10 UT Received: by snc-inc.com with Internet Mail Service (5.5.2650.21) id ; Fri, 22 Dec 2000 09:38:37 -0600 Message-ID: From: "Dodson, Rob" To: "'BUGTRAQ@SECURITYFOCUS.COM'" , "'freebsd-hackers-digest@FreeBSD.ORG'" , "'freebsd-security@freebsd.org'" , "'MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM'" , "'NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM'" , "'win2ksecadvice@LISTSERV.NTSECURITY.NET'" Subject: Date: Fri, 22 Dec 2000 09:38:36 -0600 X-Mailer: Internet Mail Service (5.5.2650.21) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop:
FreeBSD.org

unsubscribe

From owner-freebsd-security Fri Dec 22 10:23: 6 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 10:23:04 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id 8813A37B402 for ; Fri, 22 Dec 2000 10:23:04 -0800 (PST) Received: from localhost (marquis@localhost) by roble.com with ESMTP id eBMIN4w87086 for ; Fri, 22 Dec 2000 10:23:04 -0800 (PST) Date: Fri, 22 Dec 2000 10:23:04 -0800 (PST) From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 21 Dec 2000, Roger Marquis wrote:
> Have you tried it or is this just speculation? Edit /etc/make.conf,
> edit the Makefile, "make prefix=", "make --prefix=", ... All
> yield the same result (the wrong prefix).

I made a mistake here; while "make prefix=" doesn't work, PREFIX= in the Makefile, /etc/make.conf, or the shell environment does. Apologies.

This almost allows me to upgrade openssh from ports. The OS, however, keeps its config files in /etc/ssh while the package defaults to $PREFIX/etc. This is something I'd recommend changing in the OS version. There's little utility in creating a directory (/etc/ssh) for 2 configuration files.
IMHO,

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Fri Dec 22 12:44:10 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 12:44:07 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7400637B400 for ; Fri, 22 Dec 2000 12:44:07 -0800 (PST) Received: from daffy.napanet.net (daffy.napanet.net [206.81.96.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id D03E86E2555 for ; Fri, 22 Dec 2000 12:44:02 -0800 (PST) Received: from sb (dialup-157.oakland.ca.interx.net [209.209.29.157]) by daffy.napanet.net (8.9.3/8.9.3) with SMTP id MAA48369; Fri, 22 Dec 2000 12:42:18 -0800 (PST) Message-ID: <005001c06c57$adab1980$3da2169d@napanet.net> From: "VP of Engineering" To: "Michael A. Williams" , References: <20001219114936.A23819@rfx-64-6-211-149.users.reflexco> <3A3FC57F.E80331A7@netxsecure.net> Subject: Re: Read-Only Filesystems Date: Fri, 22 Dec 2000 12:42:16 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Not quite as secure as putting your read-only files on a separate drive and placing the "read-only" jumper on the drive - then it requires getting into the machine itself. Last time I checked this was a feature on many SCSI drives, not many IDE drives.

Steve

----- Original Message -----
From: "Michael A.
Williams"
To:
Sent: Tuesday, December 19, 2000 12:30 PM
Subject: Re: Read-Only Filesystems

> How about applying the immutable flag (uchg) with chflags to selected
> branches of the file system tree and in combination with kernel
> securelevel 2 then a reboot at the console into single user mode is
> required to reverse the immutable state of the files.
> In the end this comes down to physical security of the console.
>
> cheers,
> Mike.
>
> "Crist J. Clark" wrote:
> >
> > I was recently playing around with the idea of having a read-only root
> > filesystem. However, it has become clear that there is no way to
> > prevent root from changing the mount properties on any filesystem,
> > including the root filesystem, provided there is no hardware-level
> > block on writing and there is someplace (anyplace) where root can
> > write.
> >
> > Is that accurate? I guess one must go to a "trusted OS" to get that
> > type of functionality?
> > --
> > Crist J. Clark cjclark@alum.mit.edu
>
> --
> Michael A.
> Williams, InfoSec Technology Manager
> NetXSecure NZ Limited, mike@netxsecure.net www.netxsecure.com
> Ph.+64.9.278.8348, Fax.+64.9.278.8352, Mob.+64.21.995.914

From owner-freebsd-security Fri Dec 22 12:52: 8 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 12:52:04 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ajax1.sovam.com (ajax1.sovam.com [194.67.1.172]) by hub.freebsd.org (Postfix) with ESMTP id 3512937B400 for ; Fri, 22 Dec 2000 12:51:59 -0800 (PST) Received: from ppp-81-131.dial.sovam.com ([194.154.81.131]:3096 "EHLO ppp-81-131.dial.sovam.com" ident: "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: TLS-CIPHER: TLS-PEER: ) by ajax1.sovam.com with ESMTP id ; Fri, 22 Dec 2000 23:39:12 +0300 Date: Fri, 22 Dec 2000 23:38:44 +0300 From: "Vladimir I. Kulakov" X-Mailer: The Bat! (v1.47 Halloween Edition) Reply-To: "Vladimir I. Kulakov" Organization: Kudesniki JSC X-Priority: 3 (Normal) Message-ID: <197131056708.20001222233844@kudesniki.ru> To: "Hudson, Henrik H." Cc: "'security@freebsd.org'" Subject: Re[2]: Directory invisible by FTP? In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello Henrik,

Friday, December 22, 2000, 6:31:47 PM, you wrote:

HHH> Are you using the default BSD ftp daemon?

Yes.

HHH> I believe the issue is that when
HHH> you chroot a user, the daemon roots them before getting the path to a shell.
HHH> 3 ways around this:

But for all other users the same configuration works fine. I didn't change anything! It seems the problem is in the www directory itself...
HHH> 1) Use an FTP daemon which doesn't do this in a rooted environment (ProFTPD
HHH> is one)

Sorry, I don't trust non-standard ports (remember WU-Ftpd?)

HHH> 2) Create a root-owned /etc and /bin directory inside the user's directory.

Yes, I have /home/user/bin with 'ls' in it. Moreover, I can see all other dirs in /home/user via FTP except the dir 'www'. BTW, all these dirs have the same owners and access rights as 'www'!

HHH> Place a copy of 'ls' in the bin and then copy the passwd and group files
HHH> into your new /etc directory. Edit the passwd and group files to only
HHH> include root (wheel) and the user you want. Remove any references to
HHH> passwords. The passwd and group files are only necessary if you want to be
HHH> able to see usernames instead of UIDs and GIDs when people view their
HHH> directory.

Ok. I did so, but the problem's still there :( Can it be caused by some kind of sticky bit, which I heard can be applied to a directory? I tried to change these bits but with no effect :(

HHH> 3) Go home, have a Christmas cake and not worry about it ;)

Thanks ;) but I can't be happy if I didn't solve this problem ;)

HHH> Hello,
HHH> How can you explain the following situation. Some directory in
HHH> user's home, let's say /home/user/www is not visible by ftp,
HHH> but visible in my root shell... All other files and directories in
HHH> /home/user/ with the same access rights visible very well in both
HHH> shell and ftp... When you make cd www in ftp, you can see all
HHH> contents of www, but www itself is still invisible :(
HHH> The user has 'ftpchroot' for his home directory and /bin/false
HHH> in master.passwd. All other users with the same configuration
HHH> can see all directories very well...
HHH> I already tried all possible reasons, but nothing helps :(

-- Best regards, Vladimir mailto:kulakov@kudesniki.ru

From owner-freebsd-security Fri Dec 22 13:40:39 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 13:40:37 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from 147-89.waldenweb.com (147-89.waldenweb.com [209.163.147.89]) by hub.freebsd.org (Postfix) with ESMTP id 222BD37B6A4 for ; Fri, 22 Dec 2000 13:40:27 -0800 (PST) Received: (from nobody@localhost) by 147-89.waldenweb.com (8.11.1/8.11.1) id eBMLeGC16853 for freebsd-security@freebsd.org; Fri, 22 Dec 2000 15:40:16 -0600 (CST) (envelope-from aphex@nullify.org) X-Authentication-Warning: 147-89.waldenweb.com: nobody set sender to aphex@nullify.org using -f To: freebsd-security@freebsd.org Subject: IPSec + Racoon: pre-shared key length Message-ID: <977521215.3a43ca3fea068@nullify.org> Date: Fri, 22 Dec 2000 15:40:15 -0600 (CST) From: Keith Ray MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: IMP/PHP IMAP webmail program 2.2.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I have finally been able to get Windows 2000 and FreeBSD to talk using IPSec + ISAKMP. However, I am not sure what the appropriate length of the pre-shared key should be. The best I could come up with is as follows:

Use a password generator that creates passwords with upper/lower case letters and numbers. This gives me 62 possible combinations. 3DES uses 192-bit keys for a keyspace of 2^192. So the problem is 62^x = 2^192. Take the log of both sides and divide to get 32.2. Therefore, a 33-character password should provide a slightly greater keyspace to search than the 3DES keyspace. Am I doing this correctly?
Also, if neither machine is compromised, is there any reason to change keys periodically since I am using IKE?

--------------------------------------------------------------------
Keith Ray aphex@nullify.org http://www.nullify.org
PGP - 0xAE1B3529 - 8227 60E5 BAA5 9461 CAB3 A6F2 4DFE F573 AE1B 3529

From owner-freebsd-security Fri Dec 22 15:36:39 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 15:36:35 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id 0C5BD37B400; Fri, 22 Dec 2000 15:36:35 -0800 (PST) Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id PAA20885; Fri, 22 Dec 2000 15:37:44 -0800 (PST) (envelope-from jessem@spammie.svbug.com) Message-Id: <200012222337.PAA20885@spammie.svbug.com> Date: Fri, 22 Dec 2000 15:37:43 -0800 (PST) From: opentrax@email.com Reply-To: opentrax@email.com Subject: ssh - are you nuts?!? To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: jessem@spammie.svbug.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Thank you for your attention.

Next month I'm giving a talk about the evils of SSH. The talk schedule is posted on: http://www.svbug.com/events/ I've already circulated this message to the OpenBSD 'tech' mailing list and the NetBSD 'security' mailing list. Now, I'd like to hear from the FreeBSD community.

The question asked is: why you believe ssh is better than say telnet. Or what advantages SSH has in general.

Please note, I'm not here to flame or troll, just ask questions. Your responses determine the tone of all conversations.

Lastly, please trim the CC: line as you feel appropriate.

Thanks.
Jessem.
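Keith Ray's sizing argument above (solve 62^x = 2^192 for x, round up) and Crist J. Clark's follow-up later in the thread, which puts the three-key 3DES keyspace at 168 bits and notes an attack that cuts it to what two independent keys would give, worked through as an added example. This is not code from the thread, from racoon or from any IPsec implementation. It assumes only the 62-symbol upper/lower/digit alphabet the post describes and the bit targets the two messages talk about (192, 168, and the 112 bits that two independent 56-bit DES keys represent); the key-drawing helper uses Python's `secrets` module, which the thread does not mention.

```python
import math
import secrets
import string

# Added example for the pre-shared key sizing question in this thread; it is
# not code from the thread, from racoon or from an IPsec stack.  The alphabet
# is the 62-symbol set the post describes (upper/lower case letters, digits).
ALNUM = string.ascii_letters + string.digits  # 62 symbols

# Bit targets the two messages argue about: the nominal 192-bit 3DES key
# (parity bits included), the 168 key bits of three-key 3DES, and the 112
# bits (two 56-bit keys' worth) left after the meet-in-the-middle attack
# Crist Clark alludes to.
TARGETS = {"3des_nominal": 192, "3des_three_key": 168, "3des_after_mitm": 112}


def bits_per_symbol(alphabet_size):
    """Entropy contributed by one symbol drawn uniformly from the alphabet."""
    return math.log2(alphabet_size)


def required_length(alphabet_size, target_bits):
    """Smallest n such that alphabet_size ** n >= 2 ** target_bits.

    Taking log2 of both sides of 62^x = 2^192 gives x = 192 / log2(62) = 32.2,
    which rounds up to 33: the post's arithmetic, done for any alphabet and
    any target.  The integer loop afterwards corrects any floating-point error
    in the division, which matters when the target is an exact multiple of the
    bits per symbol (e.g. hex digits and a 128-bit target).
    """
    n = math.ceil(target_bits / bits_per_symbol(alphabet_size))
    while alphabet_size ** n < 2 ** target_bits:
        n += 1
    while n > 1 and alphabet_size ** (n - 1) >= 2 ** target_bits:
        n -= 1
    return n


def key_entropy_bits(key, alphabet=ALNUM):
    """Entropy of `key` *if* every symbol was drawn uniformly from `alphabet`.

    Returns None when the key contains symbols outside the alphabet, because
    the uniform-draw assumption behind the figure would then not hold.
    """
    if any(c not in alphabet for c in key):
        return None
    return len(key) * bits_per_symbol(len(alphabet))


def generate_psk(length, alphabet=ALNUM):
    """Draw the key from the OS CSPRNG via `secrets`; a plain `random` choice
    would not give the uniform, unpredictable symbols the entropy figure
    assumes."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def lengths_for_targets(alphabet_size=len(ALNUM)):
    """Required key length for each bit target, e.g. {'3des_nominal': 33, ...}."""
    return {name: required_length(alphabet_size, bits)
            for name, bits in TARGETS.items()}


if __name__ == "__main__":
    for name, n in lengths_for_targets().items():
        print(f"{name:>16}: {n} symbols from a {len(ALNUM)}-symbol alphabet")
    psk = generate_psk(lengths_for_targets()["3des_nominal"])
    print(f"sample key ({key_entropy_bits(psk):.1f} bits): {psk}")
```

Running the module prints 33, 29 and 19 symbols for the three targets; the generated sample is a fresh key each run, so the printed value will differ.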
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 15:48:37 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 15:48:34 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [151.164.30.28]) by hub.freebsd.org (Postfix) with ESMTP id D919B37B400; Fri, 22 Dec 2000 15:48:33 -0800 (PST) Received: from holly.calldei.com ([208.191.149.190]) by mta4.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G5Z00E5LTUFH4@mta4.rcsntx.swbell.net>; Fri, 22 Dec 2000 17:42:24 -0600 (CST) Received: (from chris@localhost) by holly.calldei.com (8.9.3/8.9.3) id RAA05477; Fri, 22 Dec 2000 17:43:38 -0600 (CST envelope-from chris) Date: Fri, 22 Dec 2000 17:43:36 -0600 From: Chris Costello Subject: Re: ssh - are you nuts?!? In-reply-to: <200012222337.PAA20885@spammie.svbug.com> To: opentrax@email.com Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Reply-To: chris@calldei.com Message-id: <20001222174335.A3922@holly.calldei.com> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii User-Agent: Mutt/0.96.4i References: <200012222337.PAA20885@spammie.svbug.com> Sender: chris@holly.calldei.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Friday, December 22, 2000, opentrax@email.com wrote: > Thank you for your attention. > > Next month I'm giving a talk about the evils of SSH. If you don't know anything about it, why do you claim it's evil? -- +-------------------+------------------------------+ | Chris Costello | I modem, but they grew back. 
| | chris@calldei.com | | +-------------------+------------------------------+

From owner-freebsd-security Fri Dec 22 15:49:21 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 15:49:18 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id 7E21037B400 for ; Fri, 22 Dec 2000 15:49:17 -0800 (PST) Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id SAA23329; Fri, 22 Dec 2000 18:49:17 -0500 Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id SAA18617; Fri, 22 Dec 2000 18:49:15 -0500 X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs Date: Fri, 22 Dec 2000 18:49:15 -0500 (EST) From: Mitch Collinsworth To: opentrax@email.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: ssh - are you nuts?!? In-Reply-To: <200012222337.PAA20885@spammie.svbug.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The question asked is: why you believe ssh is better
> than say telnet. Or what advantages SSH has in general.

I think the expected advantages are well known. A better question might be "Are you suggesting ssh is no more secure than telnet and if so, why?"
-Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 17: 7:59 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 17:07:57 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 3214037B400 for ; Fri, 22 Dec 2000 17:07:57 -0800 (PST) Received: from bsdie.rwsystems.net([209.197.223.2]) (1290 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 22 Dec 2000 19:07:31 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Fri, 22 Dec 2000 19:07:30 -0600 (CST) From: James Wyatt To: "Dodson, Rob" Cc: "'freebsd-security@freebsd.org'" Subject: Re: blank stuff In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 22 Dec 2000, Dodson, Rob wrote: > Date: Fri, 22 Dec 2000 09:38:36 -0600 > From: "Dodson, Rob" > To: "'BUGTRAQ@SECURITYFOCUS.COM'" , "'freebsd-hackers-digest@FreeBSD.ORG'" , "'freebsd-security@freebsd.org'" , "'MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM'" , "'NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM'" , "'win2ksecadvice@LISTSERV.NTSECURITY.NET'" > > unsubscribe Someone leaving town for a while? (^_^) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 17: 9:48 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 17:09:46 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from imo-d10.mx.aol.com (imo-d10.mx.aol.com [205.188.157.42]) by hub.freebsd.org (Postfix) with ESMTP id C677837B400 for ; Fri, 22 Dec 2000 17:09:45 -0800 (PST) Received: from JonMS2010@aol.com by imo-d10.mx.aol.com (mail_out_v28.35.) 
id y.9.ec921d9 (16337); Fri, 22 Dec 2000 20:09:40 -0500 (EST) From: JonMS2010@aol.com Message-ID: <9.ec921d9.27755553@aol.com> Date: Fri, 22 Dec 2000 20:09:39 EST Subject: Re: blank stuff To: jwyatt@rwsystems.net, rob_dodson@snc-inc.com Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="part1_9.ec921d9.27755553_boundary" Content-Disposition: Inline X-Mailer: 6.0 sub 149 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--part1_9.ec921d9.27755553_boundary Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit

Shouldn't that go to majordomo@freebsd.org, not the lists themselves?

-- Jonathan
--part1_9.ec921d9.27755553_boundary-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 17:51: 2 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 17:50:59 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 84C4337B400; Fri, 22 Dec 2000 17:50:58 -0800 (PST) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id UAA787030; Fri, 22 Dec 2000 20:47:27 -0500 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <200012222337.PAA20885@spammie.svbug.com> References: <200012222337.PAA20885@spammie.svbug.com> Date: Fri, 22 Dec 2000 20:47:26 -0500 To: opentrax@email.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG From: Garance A Drosihn Subject: Re: ssh - are you nuts?!? Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 3:37 PM -0800 12/22/00, opentrax@email.com wrote: >Thank you for your attention. > >Next month I'm giving a talk about the evils of SSH. >The talk schedule is posted on: >http://www.svbug.com/events/ >I've already circulated this message to the OpenBSD >'tech' mailing list and the NetBSD 'security' mailing >list. Now, I've like to hear from the FreeBSD community. People in the "FreeBSD community" are invited to read the rambling and pointless discussions that this sparked in the OpenBSD and NetBSD communities before repeating all those arguments in all the freebsd mailing lists. If you still think you have something to say which wasn't said in those threads, well, have fun at it. 
-- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu

From owner-freebsd-security Fri Dec 22 17:56: 5 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 17:56:03 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from imo-r03.mx.aol.com (imo-r03.mx.aol.com [152.163.225.3]) by hub.freebsd.org (Postfix) with ESMTP id 575F737B400 for ; Fri, 22 Dec 2000 17:56:03 -0800 (PST) Received: from JonMS2010@aol.com by imo-r03.mx.aol.com (mail_out_v28.35.) id n.ac.ead4366 (16337) for ; Fri, 22 Dec 2000 20:55:56 -0500 (EST) From: JonMS2010@aol.com Message-ID: Date: Fri, 22 Dec 2000 20:55:56 EST Subject: Evolution of SSH? To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="part1_ac.ead4366.2775602c_boundary" Content-Disposition: Inline X-Mailer: 6.0 sub 149 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--part1_ac.ead4366.2775602c_boundary Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit

Guys,

What if we, as programmers/technicians/etc. created a new version of SSH, which was not prone to having all these sorts of technical mishaps? I would like to think that we can solve any problem that is put before us by using our brains and a few hours' worth of coding skills. :-) I don't know if that's how all of you feel, but, I for one feel that way, and very strongly so.

I am reminded of another anecdote that I read somewhere once: "He who has the time to complain also has the time to submit bug fixes." So, where are all the complainers out there? ;)

-- Jonathan M. Slivko
--part1_ac.ead4366.2775602c_boundary-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 22:57: 5 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 22:57:02 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 34CEF37B400; Fri, 22 Dec 2000 22:57:02 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 22 Dec 2000 22:55:18 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBN6ut315862; Fri, 22 Dec 2000 22:56:55 -0800 (PST) (envelope-from cjc) Date: Fri, 22 Dec 2000 22:56:55 -0800 From: "Crist J. Clark" Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: ssh - are you nuts?!? Message-ID: <20001222225655.H96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <200012222337.PAA20885@spammie.svbug.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200012222337.PAA20885@spammie.svbug.com>; from opentrax@email.com on Fri, Dec 22, 2000 at 03:37:43PM -0800 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ____________ | | _________ | PLEASE DO | | | | NOT FEED | | THANK | | THE TROLLS | | YOU | |____________| |_________| || | || | || | || | || | || | || | || | ````````|| |```````````|| |````````` Please, not on another list. -- Crist J. 
Clark cjclark@alum.mit.edu

From owner-freebsd-security Fri Dec 22 23: 0: 9 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 23:00:07 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id E6DCD37B400 for ; Fri, 22 Dec 2000 23:00:06 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id XAA08019; Fri, 22 Dec 2000 23:01:23 -0800 Date: Fri, 22 Dec 2000 23:01:23 -0800 From: Kris Kennaway To: JonMS2010@aol.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: Evolution of SSH? Message-ID: <20001222230123.B7860@citusc.usc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="V0207lvV8h4k8FAm" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from JonMS2010@aol.com on Fri, Dec 22, 2000 at 08:55:56PM -0500 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--V0207lvV8h4k8FAm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Fri, Dec 22, 2000 at 08:55:56PM -0500, JonMS2010@aol.com wrote:
> Guys,
>
> What if we, as programmers/technicians/etc. created a new version of SSH,
> which was not prone to having all these sorts of technical mishaps? I would
> like to think that we can solve any problem that is put before us by using
> our brains and a few hours' worth of coding skills. :-) I don't know if that's
> how all of you feel, but, I for one feel that way, and very strongly so.

To be blunt, I don't think you understand the claimed problem here.
Kris --V0207lvV8h4k8FAm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6RE3DWry0BWjoQKURAiNdAKDH358JXDxwvTSXYCBw2lUPFfAfqwCfVOxK osGIwr9s8TJ3dNuwpEwErc4= =3j+d -----END PGP SIGNATURE----- --V0207lvV8h4k8FAm-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 23:22: 4 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 23:22:02 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 8A76037B400 for ; Fri, 22 Dec 2000 23:22:02 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 22 Dec 2000 23:20:18 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBN7Ls115978; Fri, 22 Dec 2000 23:21:54 -0800 (PST) (envelope-from cjc) Date: Fri, 22 Dec 2000 23:21:54 -0800 From: "Crist J. Clark" To: Keith Ray Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPSec + Racoon: pre-shared key length Message-ID: <20001222232154.I96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <977521215.3a43ca3fea068@nullify.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <977521215.3a43ca3fea068@nullify.org>; from aphex@nullify.org on Fri, Dec 22, 2000 at 03:40:15PM -0600 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Dec 22, 2000 at 03:40:15PM -0600, Keith Ray wrote: [snip] > 3DES uses 192-bit keys > for a keyspace of 2^192. 
I believe ESP uses 3DES with three independent keys (as opposed to the two key method) which is a keyspace of 168-bits... But there is an attack of three independent keys which reduces the effective keyspace to what one would naively expect for two independent keys. That's a whole 'nother story tho'. ;) -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 22 23:32:36 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 22 23:32:34 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id B8A0337B400 for ; Fri, 22 Dec 2000 23:32:33 -0800 (PST) Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 22 Dec 2000 23:30:56 -0800 Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id eBN7WWa16355; Fri, 22 Dec 2000 23:32:32 -0800 (PST) (envelope-from cjc) Date: Fri, 22 Dec 2000 23:32:32 -0800 From: "Crist J. Clark" To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: dsniff 2.3 info: Message-ID: <20001222233232.J96105@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from marquis@roble.com on Fri, Dec 22, 2000 at 10:23:04AM -0800 Sender: cjc@rfx-64-6-211-149.users.reflexcom.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Dec 22, 2000 at 10:23:04AM -0800, Roger Marquis wrote: [snip] > This almost allows me to upgrade openssh from ports. The OS, > however, keeps its config files in /etc/ssh while the package > defaults to $PREFIX/etc. This is something I'd recommend changing > in the OS version. 
There's little utility in creating a directory > (/etc/ssh) for 2 configuration files. And four key files. Six files. But OpenBSD leaves 'em naked in /etc. *shrug* -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 23 1:20:59 2000 From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 01:20:55 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id 70E8837B402; Sat, 23 Dec 2000 01:20:55 -0800 (PST) Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id BAA21384; Sat, 23 Dec 2000 01:21:59 -0800 (PST) (envelope-from jessem@spammie.svbug.com) Message-Id: <200012230921.BAA21384@spammie.svbug.com> Date: Sat, 23 Dec 2000 01:21:57 -0800 (PST) From: opentrax@email.com Reply-To: opentrax@email.com Subject: Re: ssh - are you nuts?!? To: chris@calldei.com Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG In-Reply-To: <20001222174335.A3922@holly.calldei.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: jessem@spammie.svbug.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 22 Dec, Chris Costello wrote: > On Friday, December 22, 2000, opentrax@email.com wrote: >> Thank you for your attention. >> >> Next month I'm giving a talk about the evils of SSH. > > If you don't know anything about it, why do you claim it's > evil? > I don't know if I've claimed either. 
Jessem

From owner-freebsd-security Sat Dec 23 2:10:20 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 02:10:16 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id 6E1FE37B400; Sat, 23 Dec 2000 02:10:16 -0800 (PST) Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id CAA21457; Sat, 23 Dec 2000 02:11:24 -0800 (PST) (envelope-from jessem@spammie.svbug.com) Message-Id: <200012231011.CAA21457@spammie.svbug.com> Date: Sat, 23 Dec 2000 02:11:23 -0800 (PST) From: opentrax@email.com Reply-To: opentrax@email.com Subject: Re: ssh - are you nuts?!? To: drosih@rpi.edu Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG In-Reply-To: MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: jessem@spammie.svbug.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 22 Dec, Garance A Drosihn wrote:
> At 3:37 PM -0800 12/22/00, opentrax@email.com wrote:
>>Thank you for your attention.
>>
>>Next month I'm giving a talk about the evils of SSH.
>>The talk schedule is posted on:
>>http://www.svbug.com/events/
>>I've already circulated this message to the OpenBSD
>>'tech' mailing list and the NetBSD 'security' mailing
>>list. Now, I'd like to hear from the FreeBSD community.
>
> People in the "FreeBSD community" are invited to read the
> rambling and pointless discussions that this sparked in
> the OpenBSD and NetBSD communities before repeating all
> those arguments in all the freebsd mailing lists.
>
> If you still think you have something to say which wasn't
> said in those threads, well, have fun at it.
>

Mr. Drosihn, I'm not sure where you gather your information, but other mailing lists have been very helpful about this subject.
As a matter of fact, the harshest critics to date have been from OpenBSD. I'm not sure if we are both reading the same material.

Jessem.

From owner-freebsd-security Sat Dec 23 2:11:19 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 02:11:14 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id 33AB737B402; Sat, 23 Dec 2000 02:11:14 -0800 (PST) Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id CAA21461; Sat, 23 Dec 2000 02:12:37 -0800 (PST) (envelope-from jessem@spammie.svbug.com) Message-Id: <200012231012.CAA21461@spammie.svbug.com> Date: Sat, 23 Dec 2000 02:12:36 -0800 (PST) From: opentrax@email.com Reply-To: opentrax@email.com Subject: Re: ssh - are you nuts?!? To: cjclark@alum.mit.edu Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG In-Reply-To: <20001222225655.H96105@149.211.6.64.reflexcom.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: jessem@spammie.svbug.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Mr Clark,

Could I trouble you to use your comments in my talk?

Jessem.

On 22 Dec, Crist J. Clark wrote:
> > ____________ > | | _________ > | PLEASE DO | | | > | NOT FEED | | THANK | > | THE TROLLS | | YOU | > |____________| |_________| > || | || | > || | || | > || | || | > || | || | > ````````|| |```````````|| |`````````
>
> Please, not on another list.
From owner-freebsd-security Sat Dec 23 2:18:23 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 02:18:21 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id 59EAC37B400 for ; Sat, 23 Dec 2000 02:18:21 -0800 (PST) Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id CAA21472; Sat, 23 Dec 2000 02:19:00 -0800 (PST) (envelope-from jessem@spammie.svbug.com) Message-Id: <200012231019.CAA21472@spammie.svbug.com> Date: Sat, 23 Dec 2000 02:18:59 -0800 (PST) From: opentrax@email.com Reply-To: opentrax@email.com Subject: Re: ssh - are you nuts?!? To: mitch@ccmr.cornell.edu Cc: freebsd-security@FreeBSD.ORG In-Reply-To: MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Sender: jessem@spammie.svbug.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On 22 Dec, Mitch Collinsworth wrote:
>
>> The question asked is: why you believe ssh is better
>> than say telnet. Or what advantages SSH has in general.
>
> I think the expected advantages are well known. A better question
> might be "Are you suggesting ssh is no more secure than telnet and
> if so, why?"
>

For an answer to that question, you'd need to attend my talk or read the notes, which will be posted some time after the talk. Do you have an opinion about SSH? Or is there some substantial statement you'd like to make in that regard?

Jessem.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Dec 23 11:56:55 2000 From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 11:56:50 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by hub.freebsd.org (Postfix) with ESMTP id DBE8C37B400; Sat, 23 Dec 2000 11:56:49 -0800 (PST) Received: from [129.250.38.62] (helo=dfw-mmp2.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp id 149umf-0005JA-00; Sat, 23 Dec 2000 19:56:49 +0000 Received: from [204.203.2.185] (helo=gazelle) by dfw-mmp2.email.verio.net with smtp id 149ume-00039m-00; Sat, 23 Dec 2000 19:56:49 +0000 Message-Id: <3.0.5.32.20001223120439.00935100@mail.accessone.com> X-Sender: bokr@mail.accessone.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Sat, 23 Dec 2000 12:04:39 -0800 To: opentrax@email.com From: Bengt Richter Subject: Re: ssh - are you nuts?!? Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org In-Reply-To: <200012222337.PAA20885@spammie.svbug.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You are clueless as to the effect of your word choices. Thank you for reading that. Please note that I am not writing this to flame, but in an attempt to be helpful ;-) At 15:37 2000-12-22 -0800 opentrax@email.com wrote: >Thank you for your attention. Your subject line got my attention, but so would having someone tug at my sleeve, or worse impertinence. How about "Please help me prepare for SSH talk" ? > >Next month I'm giving a talk about the evils of SSH. If you don't know that the above sentence strongly implies the existence of the referred-to "evils," may I suggest that you attend an English refresher. (Please don't tell me an empty set can exist). 
If you are going to invite others to express their opinions, the
implicit assertion of your own as unqualified fact is not a good
starting point.

>The talk schedule is posted on:
>http://www.svbug.com/events/
>I've already circulated this message to the OpenBSD
>'tech' mailing list and the NetBSD 'security' mailing
>list. Now, I'd like to hear from the FreeBSD community.
>
>The question asked is: why you believe ssh is better
>than say telnet. Or what advantages SSH has in general.

Your foreplay stinks. You are trying to take advantage of my natural
interest, but your approach forces me to overcome negative feelings
before I can participate, which I would otherwise willingly do. It's a
shame, really.

>Please note, I'm not here to flame or troll, just
>ask questions. Your responses determine the tone
>of all conversations.
>

Your subject line resonated with the tone of crass attention grabbing.
Do you disclaim all responsibility re tone, after thus giving everyone
a goosing in an area of interest? If you are used to that, you watch
too much TV.

>Lastly, please trim the CC: line as you feel appropriate.
>
>
> Thanks.
> Jessem.

That's ok. HTH. Really.
Regards,
Bengt Richter

From owner-freebsd-security Sat Dec 23 15: 2:29 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 15:02:24 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 6463337B400; Sat, 23 Dec 2000 15:02:24 -0800 (PST)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id SAA686990; Sat, 23 Dec 2000 18:01:34 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To: <200012231011.CAA21457@spammie.svbug.com>
References: <200012231011.CAA21457@spammie.svbug.com>
Date: Sat, 23 Dec 2000 18:01:33 -0500
To: opentrax@email.com
From: Garance A Drosihn
Subject: Re: ssh - are you nuts?!?
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 2:11 AM -0800 12/23/00, opentrax@email.com wrote:
>On 22 Dec, Garance A Drosihn wrote:
>> People in the "FreeBSD community" are invited to read the
>> rambling and pointless discussions that this sparked in
>> the OpenBSD and NetBSD communities before repeating all
>> those arguments in all the freebsd mailing lists.
>>
>> If you still think you have something to say which wasn't
>> said in those threads, well, have fun at it.
>>
>I'm not sure where you gather your information, but
>other mailing lists have been very helpful about this
>subject. As a matter of fact, the harshest critics to date
>have been from OpenBSD. I'm not sure if we are both
>reading the same material.

a. I am part of the openbsd community too, although I am much more of
   a lurker there. You have your opinion of how well the thread went
   there, I have mine.

b.
All I said was that it would be a good idea for people to read the
other threads before commenting. There is no sense repeating arguments
which have already been presented. Assuming you are just collecting
ideas for some presentation, you already have those ideas. There is no
need to have them repeated here.

--
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security Sat Dec 23 22: 9:58 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 23 22:09:55 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id DC0DE37B400; Sat, 23 Dec 2000 22:09:54 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14A4QX-0000Y6-00; Sat, 23 Dec 2000 23:14:37 -0700
Sender: wes@FreeBSD.ORG
Message-ID: <3A45944D.F9E9AB66@softweyr.com>
Date: Sat, 23 Dec 2000 23:14:37 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: opentrax@email.com
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: ssh - are you nuts?!?
References: <200012222337.PAA20885@spammie.svbug.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

opentrax@email.com wrote:
>
> Thank you for your attention.
>
> Next month I'm giving a talk about the evils of SSH.
> The talk schedule is posted on:
> http://www.svbug.com/events/
> I've already circulated this message to the OpenBSD
> 'tech' mailing list and the NetBSD 'security' mailing
> list.
> Now, I'd like to hear from the FreeBSD community.
>
> The question asked is: why you believe ssh is better
> than say telnet. Or what advantages SSH has in general.

The simple fact that it doesn't transmit passwords in clear text?

This is one of the stupidest trolls I've ever found, and is completely
inappropriate for freebsd-security. Try over on -chat.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                             Softweyr LLC
wes@softweyr.com                                  http://softweyr.com/