From owner-freebsd-security Sun Feb 11 3:39:23 2001
From: "Dominic Marks"
To: freebsd-security@freebsd.org
Subject: Secure Servers (SMTP, POP3, FTP)
Date: Sun, 11 Feb 2001 11:39:01 -0000

Hello,

I'd really appreciate some opinions on the performance of some daemons. I'm
trying to assess which is the best choice to offer both security and
performance under FreeBSD 4.2. Apache seems like a pretty de facto choice for
HTTP, which I'm very happy with, but I'm a little less sure what to choose
for the others, in particular for ftp and mail servers.

FTP Options:
1. proFTPd - Seems secure and has "enterprise" features
2. wu-Ftpd - Good security (bad History) excellent performance
3. ftpd - Dodgy security? Doesn't seem to be used very much

Mail Options:
1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
2. Sendmail - Industry standard, works fine, big user base
3. Postfix - Secure, quite light on system resources, growing support

I'd appreciate some feedback on any of these; any comments you might have
would be very helpful, or perhaps links to articles on this subject.

Many thanks
Dominic Marks

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From: Chris Faulhaber
To: Dominic Marks
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Sun, 11 Feb 2001 07:42:01 -0500
Message-ID: <20010211074201.B1396@jive.44bsd.net>

On Sun, Feb 11, 2001 at 11:39:01AM -0000, Dominic Marks wrote:
> Hello,
>
> I'd really appreciate some opinions on the performance of some daemons. I'm
> trying to assess which is the best choice to offer both security and
> performance under FreeBSD 4.2. Apache seems like a pretty defacto choice for
> HTTP which I'm very happy with but I'm a little less sure what choose on
> others, in particular for ftp and mail servers.
>

Well, the following seems a bit backwards:

> FTP Options:
> 1. proFTPd - Seems secure and has "enterprise" features

Not sure...

> 2. wu-Ftpd - Good security (bad History) excellent performance

I doubt that it is now in the 'good security' category with numerous
remote root holes per year (and I am sure more to come).

> 3. ftpd - Dodgy security? Doesn't seem to be used very much

Not sure where you get 'dodgy security' from. Our ftpd hasn't been
vulnerable in quite a while (including not being vulnerable to the hole
OpenBSD's ftpd was last year).

The big question is: what features do you need? If the base ftpd has
the features you require, why install something else with a poor
history?

>
> Mail Options:
> 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable

But the code is unauditable and the license stinks.

> 2. Sendmail - Industry standard, works fine, big user base
> 3. Postfix - Secure, quite light on system resources, growing support

Along with easy to configure

> I'd appreciate some feedback on any of these, any comments you might have
> would be very helpful, or perhaps links to articles on this subject.
>

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org


From: "Dominic Marks"
To: jedgar@fxp.org
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Sun, 11 Feb 2001 12:44:34 -0000

Thanks, that's cleared some things out.

Dominic
>On Sun, Feb 11, 2001 at 11:39:01AM -0000, Dominic Marks wrote:
> > Hello,
> >
> > I'd really appreciate some opinions on the performance of some daemons. I'm
> > trying to assess which is the best choice to offer both security and
> > performance under FreeBSD 4.2. Apache seems like a pretty defacto choice for
> > HTTP which I'm very happy with but I'm a little less sure what choose on
> > others, in particular for ftp and mail servers.
> >
>
>Well, the following seems a bit backwards:
>
> > FTP Options:
> > 1. proFTPd - Seems secure and has "enterprise" features
>
>Not sure...
>
> > 2. wu-Ftpd - Good security (bad History) excellent performance
>
>I doubt that it is now in the 'good security' category with numerous
>remote root holes per year (and I am sure more to come).
>
> > 3. ftpd - Dodgy security? Doesn't seem to be used very much
>
>Not sure where you get 'dodgy security' from. Our ftpd hasn't been
>vulnerable in quite a while (including not being vulnerable to the hole
>OpenBSD's ftpd was last year).
>
>The big question is: what features do you need? If the base ftpd has
>the features you require, why install something else with a poor
>history?
>
> >
> > Mail Options:
> > 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
>
>But the code is unauditable and the license stinks.
>
> > 2. Sendmail - Industry standard, works fine, big user base
> > 3. Postfix - Secure, quite light on system resources, growing support
>
>Along with easy to configure
>
> > I'd appreciate some feedback on any of these, any comments you might have
> > would be very helpful, or perhaps links to articles on this subject.
> >
>
>-- 
>Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
>--------------------------------------------------------
>FreeBSD: The Power To Serve - http://www.FreeBSD.org


Message-ID: <004e01c0942a$3fece180$de21a0d4@a5o7e2>
From: "Lukasz P"
To: "Security"
Subject: timedc & SIGSEGV
Date: Sun, 11 Feb 2001 13:56:31 +0100

Hello,

Maybe somebody has discovered this "bug" earlier than me, but I don't know
about it, so...

I found a strange behaviour in timedc, specifically in the trace option. If
the hostname self-lookup fails (I set my hostname to asdf.pl), the command
"timedc trace anything" will terminate with signal 11 (SIGSEGV).

arizona# uname -a
FreeBSD arizona.kielce.wox.org 4.2-RELEASE FreeBSD 4.2-RELEASE #4: Wed Jan 31 20:12:44 GMT 2001     root@arizona.kielce.wox.org:/usr/src/sys/compile/optimal  i386
arizona# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
arizona# ls -l /usr/sbin/timedc
-r-sr-xr-x  1 root  wheel  15144 Feb  3 15:37 /usr/sbin/timedc
arizona# timedc trace on
communication error
arizona# hostname asdf.pl
arizona# timedc trace on
pid 212 (timedc), uid 0: exited on signal 11 (core dumped)
Segmentation fault (core dumped)

asdf.pl is an "invalid" hostname, so there is a SIGSEGV. This "silly bug" is
non-exploitable because "trace { on | off }" is a privileged command, which
can be used only by the superuser. I have written a very simple patch, which
can be used to prevent this "mistake".

---[SNIP]---
--- cmds.c.backup	Tue Feb  7 21:23:40 2001
+++ cmds.c	Tue Feb  7 21:28:09 2001
@@ -431,6 +431,24 @@
 		return;
 	}
 
+	/* Tue Feb  7 21:24:41 GMT 2001
+	   This simple code is going to disable a segmentation fault
+	   in trace "procedure", when lookup for hostname fail.
+	   In old code this situation was finished by signal 11
+	   (Segmentation fault). This bug probably is non-exploitable,
+	   but every error situation should be fixed so...
+	   If there is a mistake in fix please let me know.
+	   e-mail: Lukasz.Pawlik@kielce.wox.org
+	   Lukasz Pawlik
+	*/
+	gethostname(myname,MAXHOSTNAMELEN);
+	hp = gethostbyname(myname);
+	if (hp == NULL) {
+		printf("Hostname lookup for %s failed.\n",myname);
+		printf("Exiting before ""Segmentation fault"".\n");
+		exit(1);
+	}
+
 	srvp = getservbyname("timed", "udp");
 	if (srvp == 0) {
 		warnx("udp/timed: unknown service");
---[SNIP]---

Sorry for my poor English ;>

Lukasz Pawlik
e-mail: Lukasz.Pawlik@kielce.wox.org


Message-Id: <4.2.2.20010211100158.00c95840@netmail.home.com>
Date: Sun, 11 Feb 2001 10:05:18 -0500
To: "Dominic Marks"
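Review bot: the second diagnostic in the added block, `printf("Exiting before ""Segmentation fault"".\n");`, will not print the quotation marks, because adjacent string literals are concatenated by the compiler and the output is `Exiting before Segmentation fault.`; write `\"Segmentation fault\"` if the quotes are intended. Two more points in the same block: the return value of `gethostname()` is ignored, and a name longer than the buffer is not guaranteed to be NUL-terminated, so check the return and set `myname[MAXHOSTNAMELEN - 1] = '\0'` before the lookup; and `exit(1)` terminates the whole interactive timedc session, whereas the surrounding code (the `return;` in the leading context and the `warnx()` failure path for `getservbyname` just below) reports the problem and returns, so `warnx("hostname lookup for %s failed", myname); return;` would be the consistent form. The hunk uses `myname` and `hp` without showing declarations; if this function does not already declare them, it needs `char myname[MAXHOSTNAMELEN];` and `struct hostent *hp;`. Finally, the dereference that actually faults is not in the hunk; this early check only prevents the crash if the later code reuses this `hp`, otherwise the NULL check belongs at the point of dereference.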
From: Carroll Kong
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Cc: freebsd-security@FreeBSD.ORG

At 11:39 AM 2/11/01 +0000, Dominic Marks wrote:
>Hello,
>
>I'd really appreciate some opinions on the performance of some daemons.
>I'm trying to assess which is the best choice to offer both security and
>performance under FreeBSD 4.2. Apache seems like a pretty defacto choice
>for HTTP which I'm very happy with but I'm a little less sure what choose
>on others, in particular for ftp and mail servers.
>
>FTP Options:
>1. proFTPd - Seems secure and has "enterprise" features
>2. wu-Ftpd - Good security (bad History) excellent performance
>3. ftpd - Dodgy security? Doesn't seem to be used very much
>
>Mail Options:
>1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
>2. Sendmail - Industry standard, works fine, big user base
>3. Postfix - Secure, quite light on system resources, growing support
>
>I'd appreciate some feedback on any of these, any comments you might have
>would be very helpful, or perhaps links to articles on this subject.
>
>Many thanks
>Dominic Marks

Try ncftpd for ftp options. I suppose being closed source it has
"security" by obscurity, but the author is fairly responsive in fixing
bugs so any security flaws are fixed very fast. His track record seems
to be pretty good.

ftpd is also good if configured properly, although I am not sure if you
can use virtual users. (I never used ftpd extensively, as you can tell.)

For mail, I suggest either qmail or postfix. Sendmail just has a bad
record, so if you can avoid it, sure. If you cannot, fine, roll with it.

As for apache, be careful of what language you allow for CGIs. That is
really going to be the major factor in security. I used to think PHP was
great stuff, but it has a fairly bad track record. I am thinking of
rolling my PHP scripts to Perl since at least Perl in itself is secure
(not to say using Perl guarantees any level of security; you need good
secure programming practices for that).

-Carroll Kong


Date: Sun, 11 Feb 2001 09:13:01 -0800
From: Kris Kennaway
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-reply-to: ; from dominic_marks@hotmail.com on Sun, Feb 11, 2001 at 11:39:01AM -0000
To: Dominic Marks
Cc: freebsd-security@freebsd.org
Message-id: <20010211091301.C50667@mollari.cthul.hu>

On Sun, Feb 11, 2001 at 11:39:01AM -0000, Dominic Marks wrote:
> 2. wu-Ftpd - Good security (bad History) excellent performance
> 3. ftpd - Dodgy security? Doesn't seem to be used very much

FreeBSD's ftpd has one of the best track records of all ftp servers.
The last known security problem was several years ago, which is more
than can be said for the other two you mentioned, both of which have had
multiple problems in the last 2 years.

Use ftpd unless you need a feature it can't provide, and even then
consider whether you really need it given the risks of running
something else.

Kris


Message-Id: <5.0.0.25.2.20010211101800.00a68bd0@207.126.116.40>
Date: Sun, 11 Feb 2001 10:19:42 -0800
To: "Dominic Marks", freebsd-security@FreeBSD.ORG
From: "siberian.org"
Subject: Re: Secure Servers (SMTP, POP3, FTP)

I use ncftpd. No one talks much about it; are there inherent problems with
it? I've found it to be reliable, configurable and flexible, so I hope I'm
not missing something...

As for email platforms, I use a product called 'CommuniGate Pro'
( http://www.stalker.com/ ). It's closed source and can cost some serious
money as the licenses grow, but it's powerful and fast, providing
SMTP/POP3/IMAP/Web Mail and other features in both secure and insecure
contexts.

John-

At 11:39 AM 2/11/2001 +0000, Dominic Marks wrote:
>Hello,
>
>I'd really appreciate some opinions on the performance of some daemons.
>I'm trying to assess which is the best choice to offer both security and
>performance under FreeBSD 4.2. Apache seems like a pretty defacto choice
>for HTTP which I'm very happy with but I'm a little less sure what choose
>on others, in particular for ftp and mail servers.
>
>FTP Options:
>1. proFTPd - Seems secure and has "enterprise" features
>2. wu-Ftpd - Good security (bad History) excellent performance
>3. ftpd - Dodgy security? Doesn't seem to be used very much
>
>Mail Options:
>1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
>2. Sendmail - Industry standard, works fine, big user base
>3. Postfix - Secure, quite light on system resources, growing support
>
>I'd appreciate some feedback on any of these, any comments you might have
>would be very helpful, or perhaps links to articles on this subject.
>
>Many thanks
>Dominic Marks


Date: Sun, 11 Feb 2001 10:50:37 -0800
From: Kris Kennaway
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-reply-to: <5.0.0.25.2.20010211101800.00a68bd0@207.126.116.40>; from siberian@siberian.org on Sun, Feb 11, 2001 at 10:19:42AM -0800
To: "siberian.org"
Cc: Dominic Marks, freebsd-security@FreeBSD.ORG
Message-id: <20010211105037.C52522@mollari.cthul.hu>
References: <5.0.0.25.2.20010211101800.00a68bd0@207.126.116.40>

On Sun, Feb 11, 2001 at 10:19:42AM -0800, siberian.org wrote:
> I use ncftpd. No one talks much about it, are there inherent problems with
> it? I've found it to be reliable, configurable and flexible so I hope I'm
> not missing something...

It's impossible to say because it's closed source. It hasn't received
much attention from the white-hat community because it's almost
impossible to audit for this reason, but someone with serious time or
inclination to break lots of ncftpd servers might well be able to turn
up security problems using a debugger or disassembler.

Kris


Message-ID: <000701c0945c$eb3eaff0$0300a8c0@magus>
From: "William Wong"
To: freebsd-security@FreeBSD.ORG
Subject: Default sshd_config settings
Date: Sun, 11 Feb 2001 14:00:36 -0500

Hi there,

I'm wondering why only protocol 1 is enabled by default in sshd? Is there a
risk with using protocol 2 (or both?)

Thanks,
- Will


Message-ID: <004a01c09465$86506f80$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: "Chris Faulhaber", "Dominic Marks"
Cc: freebsd-security@FreeBSD.ORG
References: <20010211074201.B1396@jive.44bsd.net>
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Sun, 11 Feb 2001 15:02:12 -0500

The code is unauditable? Last time I checked, you compiled qmail from
source. In fact, Mr. Bernstein has tighter restrictions on binary
distribution.

"You are permitted to distribute a precompiled var-qmail package if (1)
installing the package produces exactly the same /var/qmail hierarchy as a
user would obtain by downloading, compiling, and installing qmail-1.03.tar.gz,
fastforward-0.51.tar.gz, and dot-forward-0.71.tar.gz; (2) the package behaves
correctly, i.e., the same way as normal qmail+fastforward+dot-forward
installations on all other systems; and (3) the package's creator warrants
that he has made a good-faith attempt to ensure that the package behaves
correctly. It is not acceptable to have qmail working differently on
different machines; any variation is a bug. If there's something about a
system (compiler, libraries, kernel, hardware, whatever) that changes qmail's
behavior, then that platform is not supported, and you are not permitted to
distribute binaries."

The licence is the standard artistic rights licence, which says any changes
prior to redistribution must be approved, but that's about it. I don't see
how that scheme "stinks". IIRC, Eric Raymond requested all changes to
fetchmail to go through him before going public (several years ago).

The bottom line is, comb through the code, find a flaw, make an exploit, go
to Mr. Bernstein with the documentation, and claim your <assigned monetary
value> prize. Isn't that what "auditing" is all about?

----- Original Message -----
From: "Chris Faulhaber"
To: "Dominic Marks"
Cc: freebsd-security@FreeBSD.ORG
Sent: Sunday, February 11, 2001 7:42 AM
Subject: Re: Secure Servers (SMTP, POP3, FTP)

> Mail Options:
> 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable

But the code is unauditable and the license stinks.


Date: Sun, 11 Feb 2001 15:04:40 -0500 (EST)
From: Garrett Wollman
Message-Id: <200102112004.PAA10522@khavrinen.lcs.mit.edu>
To: "Peter C. Lai"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: <004a01c09465$86506f80$1e9e6389@137.99.156.23>
References: <20010211074201.B1396@jive.44bsd.net> <004a01c09465$86506f80$1e9e6389@137.99.156.23>

< said:

> the bottom line is, comb through the code, find a flaw, make an exploit, go
> to Mr. Bernstein with the documentation, and claim your <assigned monetary
> value> prize. isn't that what "auditing" is all about?

No, it's not.

-GAWollman


Date: Sun, 11 Feb 2001 12:18:04 -0800
From: Kris Kennaway
Subject: Re: Default sshd_config settings
In-reply-to: <000701c0945c$eb3eaff0$0300a8c0@magus>; from willwong@samurai.com on Sun, Feb 11, 2001 at 02:00:36PM -0500
To: William Wong
Cc: freebsd-security@freebsd.org
Message-id: <20010211121803.A78601@mollari.cthul.hu>
References: <000701c0945c$eb3eaff0$0300a8c0@magus>

On Sun, Feb 11, 2001 at 02:00:36PM -0500, William Wong wrote:
> Hi there,
>
> I wondering why only protocol 1 is enabled by default in sshd? Is there a
> risk with using protocol 2 (or both?)

It's not - you must have an out of date file, or are using an old
version of -stable (very old versions of OpenSSH didn't support
protocol 2).

The risk is actually with protocol 1 -- it has protocol flaws which
have been known for quite a while, independent of the recently
discovered attacks. You should disable it unless you need it.

Kris


Date: Sun, 11 Feb 2001 12:48:34 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: William Wong, freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
Message-ID: <20010211124834.T3274@fw.wintelcom.net>
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu>
In-Reply-To: <20010211121803.A78601@mollari.cthul.hu>; from kris@obsecurity.org on Sun, Feb 11, 2001 at 12:18:04PM -0800

* Kris Kennaway [010211 12:20] wrote:
> On Sun, Feb 11, 2001 at 02:00:36PM -0500, William Wong wrote:
> > Hi there,
> >
> > I wondering why only protocol 1 is enabled by default in sshd? Is there a
> > risk with using protocol 2 (or both?)
>
> It's not - you must have an out of date file, or are using an old
> version of -stable (very old versions of OpenSSH didn't support
> protocol 2).
>
> The risk is actually with protocol 1 -- it has protocol flaws which
> have been known for quite a while, independent of the recently
> discovered attacks. You should disable it unless you need it.

I've heard that there's still no agent or authentication forwarding
for ssh2 and dsa keys, have you heard about an ETA of these features?

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
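Kris's advice earlier in this thread is to disable protocol 1 in sshd_config unless it is needed. The script below is an added example, not from the thread or from the OpenSSH project: a small POSIX sh audit that reads an sshd_config and reports whether protocol 1 is still negotiable. It assumes the sshd_config syntax of the OpenSSH 2.x era (a comma-separated "Protocol" list, keywords case-insensitive, "keyword value" or "keyword=value", first occurrence wins) and standard sed/tr/mktemp; the sample config files it writes are constructed for the demo.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the Protocol directive.
# Assumes OpenSSH 2.x-era sshd_config semantics (see lead-in).

# check_ssh_protocol FILE
# Prints a verdict and returns:
#   0  only protocol 2 is enabled
#   1  protocol 1 is enabled (alone or alongside 2)
#   2  no Protocol line at all; the daemon's compiled-in default applies
check_ssh_protocol() {
    file=$1
    # sshd uses the first occurrence of a keyword, matched case-insensitively.
    # Lowercase the file, pull the value off the first uncommented Protocol
    # line (either "Protocol 2,1" or "Protocol=2,1"), and drop whitespace.
    value=$(tr '[:upper:]' '[:lower:]' < "$file" \
        | sed -n 's/^[[:space:]]*protocol[[:space:]=][[:space:]=]*\([0-9,[:space:]]*\).*$/\1/p' \
        | head -n 1 | tr -d '[:space:]')

    if [ -z "$value" ]; then
        echo "$file: no Protocol directive; built-in default applies, check your sshd version"
        return 2
    fi

    # Surround with commas so "1" matches as a list element, not as part of "21".
    case ",$value," in
        *,1,*)
            echo "$file: protocol 1 enabled (Protocol $value); set 'Protocol 2'"
            return 1
            ;;
        *)
            echo "$file: ok (Protocol $value)"
            return 0
            ;;
    esac
}

# write_samples: create three constructed sshd_config fragments in a temp dir
# (weak = both versions, fixed = v2 only, unset = no directive) and print the dir.
write_samples() {
    dir=$(mktemp -d)
    printf '# weak: v1 still negotiable\nProtocol 2,1\nPermitRootLogin no\n' > "$dir/weak"
    printf 'Port 22\nprotocol = 2\n#Protocol 2,1\n' > "$dir/fixed"
    printf 'Port 22\nPermitRootLogin no\n' > "$dir/unset"
    echo "$dir"
}

demo() {
    dir=$(write_samples)
    for f in weak fixed unset; do
        check_ssh_protocol "$dir/$f" || true
    done
    rm -rf "$dir"
}

demo
```

To audit a live host, call check_ssh_protocol on /etc/ssh/sshd_config (or wherever the build installs it) and act on the return code. Note that the directive only matters on the OpenSSH versions discussed here: OpenSSH 7.4 removed server-side protocol 1 support altogether, so on a current system a "Protocol" line is ignored and a return of 2 is the normal result.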
From owner-freebsd-security Sun Feb 11 12:51: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id 4960E37B401 for ; Sun, 11 Feb 2001 12:51:05 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8M00F6E1QQFX@mta5.snfc21.pbi.net> for freebsd-security@FreeBSD.ORG; Sun, 11 Feb 2001 12:47:14 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id AF80966B32; Sun, 11 Feb 2001 12:49:58 -0800 (PST)
Date: Sun, 11 Feb 2001 12:49:58 -0800
From: Kris Kennaway
Subject: Re: Default sshd_config settings
In-reply-to: <20010211124834.T3274@fw.wintelcom.net>; from bright@wintelcom.net on Sun, Feb 11, 2001 at 12:48:34PM -0800
To: Alfred Perlstein
Cc: William Wong , freebsd-security@FreeBSD.ORG
Message-id: <20010211124958.A79375@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="envbJBWh7q8WU6mo"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu> <20010211124834.T3274@fw.wintelcom.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--envbJBWh7q8WU6mo
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Feb 11, 2001 at 12:48:34PM -0800, Alfred Perlstein wrote:
> * Kris Kennaway [010211 12:20] wrote:
> > On Sun, Feb 11, 2001 at 02:00:36PM -0500, William Wong wrote:
> > > Hi there,
> > >
> > > I wondering why only protocol 1 is enabled by default in sshd? Is there a
> > > risk with using protocol 2 (or both?)
> >
> > It's not - you must have an out of date file, or are using an old
> > version of -stable (very old versions of OpenSSH didn't support
> > protocol 2).
> >
> > The risk is actually with protocol 1 -- it has protocol flaws which
> > have been known for quite a while, independent of the recently
> > discovered attacks. You should disable it unless you need it.
>
> I've heard that there's still no agent or authentication forwarding
> for ssh2 and dsa keys, have you heard about an ETA of these features?

You've heard, or you've researched and found to still be true?
:)

Kris

--envbJBWh7q8WU6mo
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6hvr2Wry0BWjoQKURAv0WAJ9MpZqex0BW0qT0licjlk3OQiBLPQCgrC6Y
TA2UWC8+e/xEDwEIWfQOLVs=
=/D49
-----END PGP SIGNATURE-----

--envbJBWh7q8WU6mo--

From owner-freebsd-security Sun Feb 11 13: 1:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id DD52D37B491 for ; Sun, 11 Feb 2001 13:01:55 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f1BL1nL03963; Sun, 11 Feb 2001 13:01:49 -0800 (PST)
Date: Sun, 11 Feb 2001 13:01:49 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: William Wong , freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
Message-ID: <20010211130149.U3274@fw.wintelcom.net>
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu> <20010211124834.T3274@fw.wintelcom.net> <20010211124958.A79375@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010211124958.A79375@mollari.cthul.hu>; from kris@obsecurity.org on Sun, Feb 11, 2001 at 12:49:58PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Kris Kennaway [010211 12:50] wrote:
> On Sun, Feb 11, 2001 at 12:48:34PM -0800, Alfred Perlstein wrote:
> > * Kris Kennaway [010211 12:20] wrote:
> > > On Sun, Feb 11, 2001 at 02:00:36PM -0500, William Wong wrote:
> > > > Hi there,
> > > >
> > > > I wondering why only protocol 1 is enabled by default in sshd? Is there a
> > > > risk with using protocol 2 (or both?)
> > >
> > > It's not - you must have an out of date file, or are using an old
> > > version of -stable (very old versions of OpenSSH didn't support
> > > protocol 2).
> > >
> > > The risk is actually with protocol 1 -- it has protocol flaws which
> > > have been known for quite a while, independent of the recently
> > > discovered attacks. You should disable it unless you need it.
> >
> > I've heard that there's still no agent or authentication forwarding
> > for ssh2 and dsa keys, have you heard about an ETA of these features?
>
> You've heard, or you've researched and found to still be true? :)

Usually hearing something from Peter Wemm qualifies as research... :)

Is this new in 2.3.0 (time to update the port then?) It seems to
all work now. :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Sun Feb 11 13:17:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by hub.freebsd.org (Postfix) with ESMTP id 7466A37B401 for ; Sun, 11 Feb 2001 13:17:53 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8M00AWZ2Z38Y@mta6.snfc21.pbi.net> for freebsd-security@FreeBSD.ORG; Sun, 11 Feb 2001 13:13:51 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id E046166B32; Sun, 11 Feb 2001 13:16:38 -0800 (PST)
Date: Sun, 11 Feb 2001 13:16:38 -0800
From: Kris Kennaway
Subject: Re: Default sshd_config settings
In-reply-to: <20010211130149.U3274@fw.wintelcom.net>; from bright@wintelcom.net on Sun, Feb 11, 2001 at 01:01:49PM -0800
To: Alfred Perlstein
Cc: William Wong , freebsd-security@FreeBSD.ORG
Message-id: <20010211131638.B79776@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="+pHx0qQiF2pBVqBT"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu> <20010211124834.T3274@fw.wintelcom.net> <20010211124958.A79375@mollari.cthul.hu> <20010211130149.U3274@fw.wintelcom.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--+pHx0qQiF2pBVqBT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sun, Feb 11, 2001 at 01:01:49PM -0800, Alfred Perlstein wrote:

> Usually hearing something from Peter Wemm qualifies as research... :)

Haha..

> Is this new in 2.3.0 (time to update the port then?) It seems to
> all work now. :)

Good to hear it works. Last I heard, Brian doesn't intend to update
the port because it's not useful to the 4.x branch. If you wanted to
take over maintainership and provide support for older releases I'm
sure he'll be willing.
Kris

--+pHx0qQiF2pBVqBT
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6hwE2Wry0BWjoQKURAiFEAKDxMjZ02E9vyhKL2aT1AISAZGKc5gCg5zVg
F1JnHfrNzLcmZbMImkyoNCE=
=+Eii
-----END PGP SIGNATURE-----

--+pHx0qQiF2pBVqBT--

From owner-freebsd-security Sun Feb 11 13:28:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 2BE9337B401 for ; Sun, 11 Feb 2001 13:28:40 -0800 (PST)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f1BLScQ04554; Sun, 11 Feb 2001 13:28:38 -0800 (PST)
Date: Sun, 11 Feb 2001 13:28:38 -0800
From: Alfred Perlstein
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
Message-ID: <20010211132838.W3274@fw.wintelcom.net>
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu> <20010211124834.T3274@fw.wintelcom.net> <20010211124958.A79375@mollari.cthul.hu> <20010211130149.U3274@fw.wintelcom.net> <20010211131638.B79776@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010211131638.B79776@mollari.cthul.hu>; from kris@obsecurity.org on Sun, Feb 11, 2001 at 01:16:38PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Kris Kennaway [010211 13:17] wrote:
> On Sun, Feb 11, 2001 at 01:01:49PM -0800, Alfred Perlstein wrote:
>
> > Usually hearing something from Peter Wemm qualifies as research... :)
>
> Haha..

Well since it does seem to work, why aren't we forcing the use of
it on the FreeBSD.org cluster?

> > Is this new in 2.3.0 (time to update the port then?) It seems to
> > all work now. :)
>
> Good to hear it works. Last I heard, Brian doesn't intend to update
> the port because it's not useful to the 4.x branch. If you wanted to
> take over maintainership and provide support for older releases I'm
> sure he'll be willing.

If/when I have the patches to bring it up to date and he doesn't
object I might.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
From owner-freebsd-security Sun Feb 11 13:30:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 6F57737B401 for ; Sun, 11 Feb 2001 13:30:54 -0800 (PST)
Received: from pir by moek.pir.net with local (Exim) id 14S457-0003MO-00 for freebsd-security@FreeBSD.ORG; Sun, 11 Feb 2001 16:30:53 -0500
Date: Sun, 11 Feb 2001 16:30:52 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
Message-ID: <20010211163052.D8149@pir.net>
Reply-To: security@freebsd.org
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu> <20010211124834.T3274@fw.wintelcom.net> <20010211124958.A79375@mollari.cthul.hu> <20010211130149.U3274@fw.wintelcom.net> <20010211131638.B79776@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010211131638.B79776@mollari.cthul.hu>; from kris@obsecurity.org on Sun, Feb 11, 2001 at 01:16:38PM -0800
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway probably said:
> On Sun, Feb 11, 2001 at 01:01:49PM -0800, Alfred Perlstein wrote:
> > Is this new in 2.3.0 (time to update the port then?) It seems to
> > all work now. :)
>
> Good to hear it works. Last I heard, Brian doesn't intend to update
> the port because it's not useful to the 4.x branch. If you wanted to
> take over maintainership and provide support for older releases I'm
> sure he'll be willing.

My experiments with 2.3.0p1 have shown that the agent works with V2
connections but agent forwarding does not. Agent forwarding is all
that is stopping me from going completely sshV2.

Someone in -stable mentioned that this was a known bug (and the
ChangeLog for openssh agrees) and that it is fixed in a development
version but not in a real release. Hopefully full 2.3.1 or 2.3.2 (if
they don't release 2.3.1 due to the security problem in the
development version) will have this fixed.

P.
--
pir                  pir@pir.net                  pir@net.tufts.edu

From owner-freebsd-security Sun Feb 11 13:35: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by hub.freebsd.org (Postfix) with ESMTP id F099E37B401 for ; Sun, 11 Feb 2001 13:35:01 -0800 (PST)
Received: from xor.obsecurity.org ([63.207.60.67]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0G8M00FFV3PSF6@mta5.snfc21.pbi.net> for freebsd-security@FreeBSD.ORG; Sun, 11 Feb 2001 13:29:53 -0800 (PST)
Received: by xor.obsecurity.org (Postfix, from userid 1000) id 66F7866B32; Sun, 11 Feb 2001 13:32:37 -0800 (PST)
Date: Sun, 11 Feb 2001 13:32:37 -0800
From: Kris Kennaway
Subject: Re: Default sshd_config settings
In-reply-to: <20010211132838.W3274@fw.wintelcom.net>; from bright@wintelcom.net on Sun, Feb 11, 2001 at 01:28:38PM -0800
To: Alfred Perlstein
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Message-id: <20010211133237.A87178@mollari.cthul.hu>
MIME-version: 1.0
Content-type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="FL5UXtIhxfXey3p5"
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <000701c0945c$eb3eaff0$0300a8c0@magus> <20010211121803.A78601@mollari.cthul.hu> <20010211124834.T3274@fw.wintelcom.net> <20010211124958.A79375@mollari.cthul.hu> <20010211130149.U3274@fw.wintelcom.net> <20010211131638.B79776@mollari.cthul.hu> <20010211132838.W3274@fw.wintelcom.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--FL5UXtIhxfXey3p5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Feb 11, 2001 at 01:28:38PM -0800, Alfred Perlstein wrote:
> * Kris Kennaway [010211 13:17] wrote:
> > On Sun, Feb 11, 2001 at 01:01:49PM -0800, Alfred Perlstein wrote:
> >
> > > Usually hearing something from Peter Wemm qualifies as research... :)
> >
> > Haha..
>
> Well since it does seem to work, why aren't we forcing the use of
> it on the FreeBSD.org cluster?

Alleged Kerberos issues.
Since Peter is the source of both rumours,
perhaps we should re-test that one too :-)

Kris

--FL5UXtIhxfXey3p5
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6hwT1Wry0BWjoQKURAktyAJ41TaS52OZuyN0oqqXYGQAjSILnAQCfYsyM
1ilh6DCwxOMWTgTuQV8z2ZY=
=QAEh
-----END PGP SIGNATURE-----

--FL5UXtIhxfXey3p5--

From owner-freebsd-security Sun Feb 11 17:40:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mobile.wemm.org (c1315225-a.plstn1.sfba.home.com [65.0.135.147]) by hub.freebsd.org (Postfix) with ESMTP id D98E537B401 for ; Sun, 11 Feb 2001 17:40:16 -0800 (PST)
Received: from netplex.com.au (localhost [127.0.0.1]) by mobile.wemm.org (8.11.1/8.11.1) with ESMTP id f1C1TOU43393; Sun, 11 Feb 2001 17:29:24 -0800 (PST) (envelope-from peter@netplex.com.au)
Message-Id: <200102120129.f1C1TOU43393@mobile.wemm.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Kris Kennaway
Cc: Alfred Perlstein , freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
In-Reply-To: <20010211133237.A87178@mollari.cthul.hu>
Date: Sun, 11 Feb 2001 17:29:23 -0800
From: Peter Wemm
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
> On Sun, Feb 11, 2001 at 01:28:38PM -0800, Alfred Perlstein wrote:
> > * Kris Kennaway [010211 13:17] wrote:
> > > On Sun, Feb 11, 2001 at 01:01:49PM -0800, Alfred Perlstein wrote:
> > >
> > > > Usually hearing something from Peter Wemm qualifies as research... :)
> > >
> > > Haha..
> >
> > Well since it does seem to work, why aren't we forcing the use of
> > it on the FreeBSD.org cluster?
>
> Alleged Kerberos issues. Since Peter is the source of both rumours,
> perhaps we should re-test that one too :-)

The moment somebody gets openssh to work (reliably :-) with kerberos V the
cluster will switch in a few hours later.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

From owner-freebsd-security Sun Feb 11 17:40:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mobile.wemm.org (c1315225-a.plstn1.sfba.home.com [65.0.135.147]) by hub.freebsd.org (Postfix) with ESMTP id F2D8437B491 for ; Sun, 11 Feb 2001 17:40:49 -0800 (PST)
Received: from netplex.com.au (localhost [127.0.0.1]) by mobile.wemm.org (8.11.1/8.11.1) with ESMTP id f1C1TtU43402; Sun, 11 Feb 2001 17:29:55 -0800 (PST) (envelope-from peter@netplex.com.au)
Message-Id: <200102120129.f1C1TtU43402@mobile.wemm.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Alfred Perlstein
Cc: Kris Kennaway , William Wong , freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
In-Reply-To: <20010211130149.U3274@fw.wintelcom.net>
Date: Sun, 11 Feb 2001 17:29:55 -0800
From: Peter Wemm
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alfred Perlstein wrote:
> * Kris Kennaway [010211 12:50] wrote:
> > On Sun, Feb 11, 2001 at 12:48:34PM -0800, Alfred Perlstein wrote:
> > > * Kris Kennaway [010211 12:20] wrote:
> > > > On Sun, Feb 11, 2001 at 02:00:36PM -0500, William Wong wrote:
> > > > > Hi there,
> > > > >
> > > > > I wondering why only protocol 1 is enabled by default in sshd? Is there a
> > > > > risk with using protocol 2 (or both?)
> > > >
> > > > It's not - you must have an out of date file, or are using an old
> > > > version of -stable (very old versions of OpenSSH didn't support
> > > > protocol 2).
> > > >
> > > > The risk is actually with protocol 1 -- it has protocol flaws which
> > > > have been known for quite a while, independent of the recently
> > > > discovered attacks. You should disable it unless you need it.
> > >
> > > I've heard that there's still no agent or authentication forwarding
> > > for ssh2 and dsa keys, have you heard about an ETA of these features?
> >
> > You've heard, or you've researched and found to still be true? :)
>
> Usually hearing something from Peter Wemm qualifies as research... :)

Alfred: I will send you an ABA routing number and account number. Please
transfer US$500000 to it and you'll have ssh2 forwarding and agent in less
than a week, if not already.
:-)

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

From owner-freebsd-security Sun Feb 11 20:32:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eschelon.gamesquad.net (eschelon.gamesquad.net [216.115.239.45]) by hub.freebsd.org (Postfix) with SMTP id 8A1FF37B401 for ; Sun, 11 Feb 2001 20:32:10 -0800 (PST)
Received: (qmail 37720 invoked by uid 89); 12 Feb 2001 04:31:50 -0000
Received: from unknown (HELO sceptre) (24.130.189.209) by eschelon.gamesquad.net with SMTP; 12 Feb 2001 04:31:50 -0000
Reply-To:
From: "Vibol Hou"
To:
Subject: FW: [SECURITY] [DSA-029-1] New version of proftpd released
Date: Sun, 11 Feb 2001 20:31:57 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----Original Message-----
From: Michael Stone [mailto:mstone@osgiliath.ddts.net]
Sent: Sunday, February 11, 2001 7:54 PM
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA-029-1] New version of proftpd released

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------
Debian Security Advisory DSA-029-1                     security@debian.org
http://www.debian.org/security/                             Michael Stone
February 11, 2001
- ----------------------------------------------------------------------------

Package: proftpd
Vulnerability: remote DOS & potential buffer overflow
Debian-specific: no

The following problems have been reported for the version of proftpd in
Debian 2.2 (potato):

1. There is a memory leak in the SIZE command which can result in a denial
   of service, as reported by Wojciech Purczynski. This is only a problem
   if proftpd cannot write to its scoreboard file; the default configuration
   of proftpd in Debian is not vulnerable.

2. A similar memory leak affects the USER command, also as reported by
   Wojciech Purczynski. The proftpd in Debian 2.2 is susceptible to this
   vulnerability; an attacker can cause the proftpd daemon to crash by
   exhausting its available memory.

3. There were some format string vulnerabilities reported by Przemyslaw
   Frasunek. These are not known to have exploits, but have been corrected
   as a precaution.

All three of the above vulnerabilities have been corrected in
proftpd-1.2.0pre10-2potato1. We recommend you upgrade your proftpd package
immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

You may use an automated update by adding the resources from the footer
to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- ------------------------------------

Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
architectures.
Source archives:

  http://security.debian.org/debian-security/dists/stable/updates/main/source/proftpd_1.2.0pre10-2potato1.diff.gz
    MD5 checksum: ac1f26e4effe5c6d46b9254b5edea94c
  http://security.debian.org/debian-security/dists/stable/updates/main/source/proftpd_1.2.0pre10-2potato1.dsc
    MD5 checksum: 305a6c3ba88afd493d94a3ecd8f92db1
  http://security.debian.org/debian-security/dists/stable/updates/main/source/proftpd_1.2.0pre10.orig.tar.gz
    MD5 checksum: a1c25e59bb4281e2f83000796dc52388

Alpha architecture:

  http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/proftpd_1.2.0pre10-2potato1_alpha.deb
    MD5 checksum: 9f1deb1050544c51de8a5be6e1134d05

ARM architecture:

  http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/proftpd_1.2.0pre10-2potato1_arm.deb
    MD5 checksum: 7226be3c206b287959357e3186593a71

Intel ia32 architecture:

  http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/proftpd_1.2.0pre10-2potato1_i386.deb
    MD5 checksum: 13f9f7bfb44c09dc1a69fb678aad5f2c

Motorola 680x0 architecture:

  Not yet available.

PowerPC architecture:

  http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/proftpd_1.2.0pre10-2potato1_powerpc.deb
    MD5 checksum: 9c03031c8de3da26686605fe7875b8b3

Sun Sparc architecture:

  http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/proftpd_1.2.0pre10-2potato1_sparc.deb
    MD5 checksum: 1a17e4a65319645513ce86c174342d0e

These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBOodeDQ0hVr09l8FJAQH8BAQAuBamfCkKVUDxxsSvENau567/wVcJtSK0
LLyX/CHvxqmkOjHJI8xP2O8BLs1Ix3FkXTwdeRvWC/cjUCF/UPwzH9uiME/F4t61
svj/so/5hUPE/9z0nT+YxWcBGCEcFkW9nJmxkmFXkwI3pz/AUhe1PrlW4YCH+KOL
0khxrvWE4Qg=
=FH76
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

From owner-freebsd-security Mon Feb 12 3:47: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id F410C37B491 for ; Mon, 12 Feb 2001 03:47:06 -0800 (PST)
Received: from jive.44bsd.net (oca-c1s2-23.mfi.net [209.26.94.70]) by peitho.fxp.org (Postfix) with ESMTP id 61CAB1360C; Mon, 12 Feb 2001 06:47:05 -0500 (EST)
Received: by jive.44bsd.net (Postfix, from userid 1000) id EFCA0E1; Mon, 12 Feb 2001 06:47:04 -0500 (EST)
Date: Mon, 12 Feb 2001 06:47:04 -0500
From: Chris Faulhaber
To: vibol.hou@khmer.cc
Cc: security@freebsd.org
Subject: Re: FW: [SECURITY] [DSA-029-1] New version of proftpd released
Message-ID: <20010212064704.A2892@jive.44bsd.net>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="k1lZvvs/B4yU6o8G"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from vibol@khmer.cc on Sun, Feb 11, 2001 at 08:31:57PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Yes, the port was updated yesterday.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

--k1lZvvs/B4yU6o8G
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjqHzTgACgkQObaG4P6BelB6nQCfQKesVPDw0UIMPJ+7ZIIOZmLi
BBkAnj++0/LTMPHX8rngNwp7V5Nzeuyq
=vlyW
-----END PGP SIGNATURE-----

--k1lZvvs/B4yU6o8G--

From owner-freebsd-security Mon Feb 12 7:45:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id F170337B401 for ; Mon, 12 Feb 2001 07:45:56 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id D798318C93; Mon, 12 Feb 2001 09:45:46 -0600 (CST)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.2/8.9.3) id f1CFjkD41065; Mon, 12 Feb 2001 09:45:46 -0600 (CST) (envelope-from nectar@spawn.nectar.com)
Date: Mon, 12 Feb 2001 09:45:46 -0600
From: "Jacques A. Vidrine"
To: Peter Wemm
Cc: Kris Kennaway , Alfred Perlstein , freebsd-security@FreeBSD.ORG
Subject: Re: Default sshd_config settings
Message-ID: <20010212094546.A41047@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , Peter Wemm , Kris Kennaway , Alfred Perlstein , freebsd-security@FreeBSD.ORG
References: <20010211133237.A87178@mollari.cthul.hu> <200102120129.f1C1TOU43393@mobile.wemm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102120129.f1C1TOU43393@mobile.wemm.org>; from peter@netplex.com.au on Sun, Feb 11, 2001 at 05:29:23PM -0800
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Feb 11, 2001 at 05:29:23PM -0800, Peter Wemm wrote:
> The moment somebody gets openssh to work (reliably :-) with kerberos V the
> cluster will switch in an a few hours later.

Kerberos V + OpenSSH works well for me. However, I build against the
Heimdal port rather than the ancient Heimdal in our source tree.

--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Mon Feb 12 8: 3:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from baco.policiacivil.rs.gov.br (unknown [200.198.151.66]) by hub.freebsd.org (Postfix) with ESMTP id 665D437B401 for ; Mon, 12 Feb 2001 08:03:50 -0800 (PST)
Received: from afrodite.policiacivil.rs.gov.br (afrodite.policiacivil.rs.gov.br [200.198.151.69]) by baco.policiacivil.rs.gov.br (8.11.1/8.11.1) with ESMTP id f1CG3io02083 for ; Mon, 12 Feb 2001 14:03:46 -0200 (BRST) (envelope-from pedrini@policiacivil.rs.gov.br)
Received: from AFRODITE/SpoolDir by afrodite.policiacivil.rs.gov.br (Mercury 1.48); 12 Feb 01 14:06:46 GMT-3
Received: from SpoolDir by AFRODITE (Mercury 1.48); 12 Feb 01 14:06:16 GMT-3
From: "Mauro Pedrini"
Organization: Policia Civil do RS
To: freebsd-security@freebsd.org
Date: Mon, 12 Feb 2001 14:06:08 GMT-003
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject:
Message-ID: <3A87EDD0.22323.E4B395@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe

----------
Mauro Pedrini - Network Administrator
Policia Civil - RS - Brasil
Phone: 0 ** 51 288-2180
pedrini@policiacivil.rs.gov.br

From owner-freebsd-security Mon Feb 12 10:41: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id 8601737B503 for ; Mon, 12 Feb 2001 10:41:07 -0800 (PST)
Received: from ras23-025.gwdg.de ([134.76.23.25] helo=[192.168.0.98]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14SNuM-00022O-00 for freebsd-security@freebsd.org; Mon, 12 Feb 2001 19:41:06 +0100
Mime-Version: 1.0
X-Sender: rbeer@popper.gwdg.de
Message-Id:
Date: Mon, 12 Feb 2001 19:41:00 +0100
To: freebsd-security@freebsd.org
From: Ragnar Beer
Subject: cron and sendmail
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Howdy!

I just learned (better late than never ;) that even if I have
disabled sendmail as a daemon with "sendmail_enable=NO" in
/etc/rc.conf the program still gets executed periodically by crond
and the /etc/periodic scripts.

Are there any related security issues that I need to take care of?

Ragnar

From owner-freebsd-security Mon Feb 12 10:46: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 5D77837B67D for ; Mon, 12 Feb 2001 10:45:54 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA20130; Mon, 12 Feb 2001 13:45:50 -0500 (EST) (envelope-from wollman)
Date: Mon, 12 Feb 2001 13:45:50 -0500 (EST)
From: Garrett Wollman
Message-Id: <200102121845.NAA20130@khavrinen.lcs.mit.edu>
To: Ragnar Beer
Cc: freebsd-security@FreeBSD.ORG
Subject: cron and sendmail
In-Reply-To:
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> I just learned (better late than never ;) that even if I have
> disabled sendmail as a daemon with "sendmail_enable=NO" in
> /etc/rc.conf the program still gets executed periodically by crond
> and the /etc/periodic scripts.

If you are using some other MTA, you should configure `mailwrapper' to
redirect requests to that MTA rather than executing Sendmail(tm). On
modern FreeBSD systems, /usr/sbin/sendmail is actually the
`mailwrapper' program, which redirects requests to your MTA of choice.

If you are not running any sort of MTA on the machine, then you should
generate and install a sendmail.cf file which uses the `nullclient'
configuration to send all of its outgoing mail to an appropriate mail
server. You should also periodically run a `sendmail -q' in order to
deliver any mail which was queued due to the relay host being
unreachable. Whether you use `cron' or `sendmail -qINTERVAL' to do
this is a matter of religion.

From: Ragnar Beer
Date: Mon, 12 Feb 2001 20:32:56 +0100
To: freebsd-security@freebsd.org
Subject: Re: cron and sendmail
In-Reply-To: <200102121845.NAA20130@khavrinen.lcs.mit.edu>

Does that mean that it's better not to use sendmail even if it's not
running in daemon mode? What else should I use for simplicity and
security?

Ragnar

> < said:
>
>> I just learned (better late than never ;) that even if I have
>> disabled sendmail as a daemon with "sendmail_enable=NO" in
>> /etc/rc.conf the program still gets executed periodically by crond
>> and the /etc/periodic scripts.
>
> If you are using some other MTA, you should configure `mailwrapper' to
> redirect requests to that MTA rather than executing Sendmail(tm). On
> modern FreeBSD systems, /usr/sbin/sendmail is actually the
> `mailwrapper' program, which redirects requests to your MTA of choice.
>
> If you are not running any sort of MTA on the machine, then you should
> generate and install a sendmail.cf file which uses the `nullclient'
> configuration to send all of its outgoing mail to an appropriate mail
> server. You should also periodically run a `sendmail -q' in order to
> deliver any mail which was queued due to the relay host being
> unreachable. Whether you use `cron' or `sendmail -qINTERVAL' to do
> this is a matter of religion.
>
> -GAWollman


From: Dag-Erling Smorgrav
Date: 12 Feb 2001 20:40:04 +0100
To: "Peter C. Lai"
Cc: "Chris Faulhaber" , "Dominic Marks" ,
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: "Peter C. Lai"'s message of "Sun, 11 Feb 2001 15:02:12 -0500"

"Peter C. Lai" writes:
> the bottom line is, comb through the code, find a flaw, make an exploit, go
> to Mr. Bernstein with the documentation, and claim your assigned monetary value
> prize. isn't that what "auditing" is all about?

No.

1) Mr Bernstein has also threatened to sue anyone who dared claim that
   his code was insecure. Not the best of incentives.

2) Take it from one who has actually needed to make non-trivial
   modifications to qmail: the code is very hard to read (if not
   unreadable), and in one case I found it easier to just rewrite the
   entire program than try to figure out how Bernstein's version was put
   together. Unreadable code is not easily auditable.

DES
--
Dag-Erling Smorgrav - des@ofug.org


From: Ben Weaver
Date: Mon, 12 Feb 2001 14:10:42 -0600
To: Mauro Pedrini
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20010212141042.A7786@tranquility.net>

Please send your subscription request to majordomo@freebsd.org with

subscribe freebsd-security

in the body.

-Ben

On Mon, Feb 12, 2001 at 02:06:08PM +0000, Mauro Pedrini wrote:
> subscribe
>
> ----------
> Mauro Pedrini - Network Administrator
> Policia Civil - RS - Brasil
> Phone: 0 ** 51 288-2180
> pedrini@policiacivil.rs.gov.br


From: Alex Popa
Date: Mon, 12 Feb 2001 22:32:36 +0200
To: freebsd-security@freebsd.org
Subject: arplookup messages for 127.0.0.1
Message-ID: <20010212223236.B39086@ldc.ro>

got this in the security check yesterday:

> arplookup 127.0.0.1 failed: could not allocate llinfo
> arpresolve: can't allocate llinfo for 127.0.0.1rt

Questions:

1) What is the "rt" thing on the end of 127.0.0.1;
2) How can I find out which interface the packet (possibly ARP, because I
   filter out spoofed packets on all interfaces and I got no messages
   from ipmon)

The machine has two Ethernet interfaces, rl0 (Realtek 8139A), and ed0
(Realtek 8029A).

Thanks a lot,
Alex

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."


From: Alex Charalabidis
Date: Mon, 12 Feb 2001 15:50:34 -0600 (CST)
To: Dominic Marks
Subject: Re: Secure Servers (SMTP, POP3, FTP)

On Sun, 11 Feb 2001, Dominic Marks wrote:

> Hello,
>
> I'd really appreciate some opinions on the performance of some daemons. I'm
> trying to assess which is the best choice to offer both security and
> performance under FreeBSD 4.2. Apache seems like a pretty de facto choice for
> HTTP which I'm very happy with but I'm a little less sure what to choose on
> others, in particular for ftp and mail servers.
>
> FTP Options:
> 1. proFTPd - Seems secure and has "enterprise" features

Highly configurable. Poor security record. I use it anyway since nothing
comes close to it for features. Reasonable performance, somewhat more
expensive.

> 2. wu-Ftpd - Good security (bad History) excellent performance

Good performance. Miserable security record. I no longer consider it an
option.

> 3. ftpd - Dodgy security? Doesn't seem to be used very much

Very un-dodgy security, rock solid, takes load very well. If security is
your primary concern, use this one.

> Mail Options:
> 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable

*spit* *curse*. I know this is not a helpful comment but it adequately
expresses my opinion of qmail. An unreliable royal PITA. I don't know what
people see in it.

> 2. Sendmail - Industry standard, works fine, big user base

Slow and the configuration is still written in pidgin emacs. But, as you
say, an industry standard. Reliable and well-documented.

> 3. Postfix - Secure, quite light on system resources, growing support

This is the smtpd of the future. Combines qmail speed and security with
sendmail reliability and familiar layout.

You don't mention your POP3 options. If you plan on running a common
mailbox setup, cucipop is your choice for maximum speed and efficiency.
If you need something more elaborate, I hate to say so but you might have
to use qpopper.

hth

-ac
--
==============================================================
Alex Charalabidis (AC8139)            5050 Poplar Ave, Ste 170
System Administrator                         Memphis, TN 38157
WebNet Memphis                                  (901) 432 6000
Author, The Book of IRC              http://www.bookofirc.com/
==============================================================


From: Jason DiCioccio
Date: Mon, 12 Feb 2001 13:55:09 -0800
To: 'Alex Charalabidis', Dominic Marks
Cc: freebsd-security@freebsd.org
Subject: RE: Secure Servers (SMTP, POP3, FTP)
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D622@goofy.epylon.lan>

I actually use Cyrus for IMAP/POP3, but that's just because I wanted
IMAP.. Cyrus is very featureful, I'm sure it doesn't have the best
security record.. Can't be any worse than qpopper though ;). I also
use cucipop on servers that I don't need all the features of cyrus
on.  Oh and also, I do like qmail, it's fast and secure, I haven't
had any reliability issues with it (I run it from daemontools).

Just my .02

Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761          Direct & Fax
415-593-2900          Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

-----Original Message-----
From: Alex Charalabidis [mailto:alex@wnm.net]
Sent: Monday, February 12, 2001 1:51 PM
To: Dominic Marks
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)

[...]

From: David Goddard
Date: Mon, 12 Feb 2001 22:10:08 +0000
To: Dominic Marks
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <3A885F40.9C6AD285@acm.org>

On Sun, 11 Feb 2001, Dominic Marks wrote:
...
> Mail Options:
> 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
> 2. Sendmail - Industry standard, works fine, big user base
> 3. Postfix - Secure, quite light on system resources, growing support

I can't believe no-one's mentioned Exim (http://www.exim.org/) yet - doddle
to configure (particularly things like virtual domains) and as far as I
understand it pretty secure. I spent a while deliberating between this and
Postfix for my servers but plumped for Exim after a short evaluation. Given
that I couldn't separate them on the basis of security I went for Exim on
usability.

I say install both on a test machine and give them a whirl - but maybe
someone here can offer a better perspective on the security comparison...

Dave


From: Jason DiCioccio
Date: Mon, 12 Feb 2001 14:45:48 -0800
To: "'freebsd-security@freebsd.org'"
Subject: Secure Servers (SMTP, POP3, FTP)
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D629@goofy.epylon.lan>

Regarding Cyrus security, I have been politely corrected :).  I have
used Cyrus for about 2 months and due to its large feature set, I
incorrectly assumed it to have a small past insecurity record.  My
apologies :)

Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761          Direct & Fax
415-593-2900          Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

-----Original Message-----
From: Lyndon Nerenberg [mailto:lyndon@orthanc.ab.ca]
Sent: Monday, February 12, 2001 2:23 PM
To: Jason DiCioccio
Subject: Re: Secure Servers (SMTP, POP3, FTP)

Well, having worked with the Cyrus code base for over four years
(including shipping commercial product based on that source code),
I haven't yet run into or heard of a security breach attributable
to it. So, rather than spread FUD around I think you should send
a message to the mailing list posthaste retracting your incorrect
statements.

--lyndon

  ------_=_NextPart_001_01C09545.8AFD44F0-- ------_=_NextPart_000_01C09545.8AFD44F0 Content-Type: application/octet-stream; name="Jason DiCioccio.vcf" Content-Disposition: attachment; filename="Jason DiCioccio.vcf" BEGIN:VCARD VERSION:2.1 N:DiCioccio;Jason FN:Jason DiCioccio ORG:epylon.com;operations TITLE:UNIX ADMIN ADR;WORK:;;645 Harrison St;San Francisco;CA;94107;usa LABEL;WORK;ENCODING=QUOTED-PRINTABLE:645 Harrison St=0D=0ASan Francisco, CA 94107=0D=0Ausa EMAIL;PREF;INTERNET:Jason.DiCioccio@Epylon.com REV:19990105T135529Z END:VCARD ------_=_NextPart_000_01C09545.8AFD44F0 Content-Type: application/octet-stream; name="Jason DiCioccio.vcf" Content-Disposition: attachment; filename="Jason DiCioccio.vcf" BEGIN:VCARD VERSION:2.1 N:DiCioccio;Jason FN:Jason DiCioccio ORG:epylon.com;operations TITLE:UNIX ADMIN ADR;WORK:;;645 Harrison St;San Francisco;CA;94107;usa LABEL;WORK;ENCODING=QUOTED-PRINTABLE:645 Harrison St=0D=0ASan Francisco, CA 94107=0D=0Ausa EMAIL;PREF;INTERNET:Jason.DiCioccio@Epylon.com REV:19990105T135529Z END:VCARD ------_=_NextPart_000_01C09545.8AFD44F0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 15:37: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from Blitzkrieg.Blackened.com (blitzkrieg.blackened.com [198.182.76.8]) by hub.freebsd.org (Postfix) with ESMTP id 4076837B491 for ; Mon, 12 Feb 2001 15:37:07 -0800 (PST) Received: from cx805079a (unknown [24.177.155.225]) by Blitzkrieg.Blackened.com (Postfix) with SMTP id 401561E80D for ; Mon, 12 Feb 2001 16:36:42 -0700 (MST) Reply-To: From: "Brandt R. 
Cooper" To: Subject: subscribe Date: Mon, 12 Feb 2001 16:40:18 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 15:51:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (lc4-lfd104.law5.hotmail.com [216.32.243.126]) by hub.freebsd.org (Postfix) with ESMTP id AC07637B491 for ; Mon, 12 Feb 2001 15:51:45 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 12 Feb 2001 15:51:45 -0800 Received: from 192.122.209.42 by www.hotmail.msn.com with HTTP; Mon, 12 Feb 2001 23:51:45 GMT X-Originating-IP: [192.122.209.42] From: "Edward W. M." To: dominic_marks@hotmail.com Cc: freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) Date: Mon, 12 Feb 2001 15:51:45 -0800 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 12 Feb 2001 23:51:45.0619 (UTC) FILETIME=[C1B47230:01C0954E] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >FTP Options: The choice depends entirely on what features you need. >1. proFTPd - Seems secure and has "enterprise" features My 1st 2nd choice. Not a very impressive security record, but if you cannot live without virtual user support, it's a good choice, I run it on one of my boxes. >2. wu-Ftpd - Good security (bad History) excellent performance I have lost all faith in wu-ftpd, I'm sorry to say. >3. ftpd - Dodgy security? 
Doesn't seem to be used very much ftpd is my number one choice when it comes to security and good performance. IMHO, adding virtual user support would make a fair number of proftpd users switch to this nice server. Speaking of virtual user support - is anyone already working on that? I have been thinking of doing it myself, so if you feel there is some other functionality that is missing please send me a "wish list" and I will compile the results and post them here for further discussion. >Mail Options: >1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable I would advise against qmail, as I've had reliability issues with it. >2. Sendmail - Industry standard, works fine, big user base Not the best performer and it's had a bad security record, but to someone (like me) who's invested a lot of time in learning the somewhat hieroglyphical way of configuring it *cough cough*, sendmail is like religion. I still run it on a few boxes, I doubt I will ever be able to completely get rid of it. >3. Postfix - Secure, quite light on system resources, growing >support Good, secure, lightweight, good performance. I use postfix and sendmail on my boxes. I'd recommend postfix as you seem to have no emotional attachments to sendmail. :-) As for IMAP, Cyrus is the only server worth mentioning. I have yet to see a secure IMAP server that comes close to Cyrus, both in security and performance. ports/mail/courier-imap looks promising, but at this stage it's just something for people who want to tinker with it, IMHO. It's fairly new, so it has no proven security record and it currently supports the Maildir format ONLY. As for POP3, Cyrus is the number one choice if you want to have both IMAP and POP3. If you only need POP3, I would recommend ports/mail/popa3d, which is a secure, well performing server written by Solar Designer. If you need virtual host / user support, APOP or Maildir support then I would recommend ports/mail/solidpop3d. 
If for some odd reason you are unable to use one of the mentioned servers then cucipop would be the next choice. I hope that helps, Edward W. M. _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 16:39: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3B31637B4EC; Mon, 12 Feb 2001 16:38:34 -0800 (PST) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f1D0cYn79742; Mon, 12 Feb 2001 16:38:34 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Date: Mon, 12 Feb 2001 16:38:34 -0800 (PST) Message-Id: <200102130038.f1D0cYn79742@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:24 Security Advisory FreeBSD, Inc. Topic: SSH1 implementations may allow remote system, data compromise Category: core/ports Module: openssh, ssh Announced: 2001-02-12 Credits: Michal Zalewski (Vulnerability 1) Core-SDI (http://www.core-sdi.com) (Vulnerability 2) Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date Ports collection prior to the correction date. 
Corrected:      OpenSSH [FreeBSD 4.x base system]:
                  2000-12-05 (Vulnerability 1)
                  2001-02-11 (Vulnerability 2)
                OpenSSH [ports]:
                  2001-02-09 (Vulnerability 1)
                  2001-02-11 (Vulnerability 2)
                ssh [ports]:
                  2001-02-09 (Vulnerability 1)
                  2001-02-09 (Vulnerability 2)
Vendor status:  Patches released.
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. An SSH1 client/server (ssh) from ssh.com is included in the ports collection. This software is not available free of charge for all uses, and the FreeBSD Security Officer does not recommend its use.

II.  Problem Description

There are two flaws in the SSH1 protocol as implemented by OpenSSH and ssh.

Vulnerability 1: An integer overflow may allow arbitrary remote users to obtain root permissions on the server running sshd. This is due to a coding mistake in code intended to work around a protocol flaw in the SSH1 protocol. This vulnerability was corrected in OpenSSH 2.3.0, which was committed to FreeBSD 4.2-STABLE on 2000-12-05.

Vulnerability 2: Remote attackers who can observe the encrypted contents of a user's SSH1 session, and who have the ability to mount large numbers of connections to the SSH1 server may be able to break the transient server key used by the server to negotiate encryption parameters for the session, and from there can decrypt the entire contents of the snooped connection. The transient key has a lifetime of only one hour by default, but all snooped SSH1 sessions captured within this timeframe may be broken if the attack is successful.

This attack is mitigated by the requirement to initiate large numbers of SSH1 protocol connections to the server during the lifetime of the key. On average a sustained connection rate of around 400 connections and SSH1 protocol handshakes must be carried out per second to have a high chance of succeeding within the 1 hour lifetime of the server key. OpenSSH contains rate-limiting code which will limit the number of outstanding connections to a fraction of this number in the default configuration, and computational and network limitations may reduce this number still further. Therefore, though the potential impact of this flaw is great, it is made very difficult to exploit in practice. However, note that even though the chances of success are reduced, the vulnerability is not eliminated.

OpenSSH is installed if you chose to install the 'crypto' distribution at install-time or when compiling from source, and is installed and enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1 protocol support is enabled. If SSH1 protocol support has been disabled in OpenSSH, it is not vulnerable to these attacks. They do not affect implementations of the SSH2 protocol, such as OpenSSH run in SSH2-only mode.

Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.

III. Impact

Arbitrary remote users may be able to execute arbitrary code as root on an SSH1 server accepting connections via the SSH1 protocol.

Remote users who can snoop the encrypted contents of SSH1 sessions belonging to other users, and who can mount a very high rate of connections to the server may be able to mount an attack leading to the ability to decrypt these sessions. This attack may disclose account password details as well as other sensitive data.

IV.  Workaround

If you are running sshd, disable the use of the SSH1 protocol in OpenSSH. SSH1 contains inherent protocol deficiencies and is not recommended for use in high-security environments. Note that some third-party SSH clients are not capable of using the SSH2 protocol, however the OpenSSH client (version 2.1 and later) included in FreeBSD is SSH2-capable.

To disable SSH1, add the following line to the /etc/ssh/sshd_config file (/usr/local/etc/sshd_config for the OpenSSH port):

Protocol 2

and remove any other "Protocol" directives from that file. Execute the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to reread its configuration file, and should not interfere with existing SSH sessions.

V.   Solution

- --[OpenSSH - base system]-----

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date. Note that these versions of FreeBSD contain a newer version of OpenSSH (version 2.3.0) than was in 4.2-RELEASE (version 2.2.0).

2) Download the patch and detached PGP signature from the following location:

The following patch applies to FreeBSD 4.2-RELEASE.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc

The following patch applies to FreeBSD 4.2-STABLE which is running OpenSSH 2.3.0 (4.2-STABLE dated after 2000-12-05)

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.bin/ssh-agent
# make all install
# cd /usr/src/secure/usr.sbin/sshd
# make all install

Finally, if sshd is already running then kill and restart the sshd daemon: perform the following command as root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd

This will not affect sessions in progress.
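The workaround in section IV above reduces to two checks that are easy to get wrong by hand: a config with no "Protocol" directive at all still speaks SSH1 (the advisory's stated default), and a config with several directives, or one listing "1" anywhere in the comma-separated list, still speaks SSH1. The script below is an added example and is not part of the advisory or of OpenSSH; it assumes the OpenSSH 2.x behaviour the advisory describes, and the file layout it reads is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the SA-01:24 workaround.
# Not part of the advisory or of OpenSSH.  Assumes the OpenSSH 2.x
# behaviour the advisory describes: with no "Protocol" directive at all,
# SSH1 is enabled by default, so only an explicit "Protocol 2" (and
# nothing else) turns it off.

# Matches an active (uncommented) Protocol directive, keyword
# case-insensitive; a leading "#" never matches.
PROTO_RE='^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]'

# ssh1_enabled FILE
#   exit 0 if FILE still lets sshd speak SSH1, 1 if it is SSH2-only.
ssh1_enabled() {
    protos=$(sed -n "s/${PROTO_RE}\{1,\}//p" "$1")
    # No directive at all: the default of the day includes SSH1.
    [ -z "$protos" ] && return 0
    # Any directive whose comma-separated list names "1" keeps SSH1 on
    # ("Protocol 1", "Protocol 2,1" and "Protocol 1,2" all count).
    printf '%s\n' "$protos" | tr ',' '\n' | tr -d ' \t' | grep -qx '1'
}

# disable_ssh1 FILE
#   rewrite FILE so it carries exactly one "Protocol 2" line, dropping
#   every other Protocol directive as section IV of the advisory says.
disable_ssh1() {
    tmp="$1.tmp.$$"
    sed "/${PROTO_RE}/d" "$1" > "$tmp" &&
    echo 'Protocol 2' >> "$tmp" &&
    mv "$tmp" "$1"
}

# Command-line use:  sh ssh1check.sh /etc/ssh/sshd_config
# Afterwards send the listening sshd a HUP, as the advisory instructs.
if [ "$#" -eq 1 ]; then
    if ssh1_enabled "$1"; then
        echo "$1: SSH1 still enabled, rewriting with Protocol 2"
        disable_ssh1 "$1"
    else
        echo "$1: already SSH2-only"
    fi
fi
```

Commented-out directives are left alone and the rest of the file is preserved, so the only change on disk is the removal of stray Protocol lines and one appended "Protocol 2". Run it against /usr/local/etc/sshd_config for the port and /etc/ssh/sshd_config for the base system, then HUP sshd.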
- --[OpenSSH - port]----- Use one of the following options to upgrade the OpenSSH software, then kill and restart the sshd daemon if it is already running. This will not affect sessions in progress. To kill and restart the sshd daemon, perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0_2.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz - --[ssh - port]----- Use one of the following options to upgrade the ssh software, then kill and restart the sshd daemon if it is already running. This will not affect sessions in progress. 
To kill and restart the sshd daemon, perform the following command as root: # kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd 1) Upgrade your entire ports collection and rebuild the ssh port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/ssh-1.2.27_3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ssh-1.2.27_3.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/ssh-1.2.27_3.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOoiAylUuHi5z0oilAQEoVgP/Qc5UXjRnR3byHZfQyM4VyuwCWAWeAaD7 HPjlhLTiOb0HUqsVhiraIX5Mgi5ReySj2wREd4EKW9pEKiXfcXCWItivG8PrV/P8 NHEo5B393r1G8ovtkt3fu0bQ7RhOrxOeHRn5mxbmk8pIrRg7oxeZ02ygJiCV8LqT hoOxMmU4FYQ= =REEI -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From 
owner-freebsd-security Mon Feb 12 18:16:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from post.webmailer.de (natmail2.webmailer.de [192.67.198.65]) by hub.freebsd.org (Postfix) with ESMTP id 90D0237B491; Mon, 12 Feb 2001 18:16:50 -0800 (PST) Received: from bastion.localhost (p3E9E17A6.dip.t-dialin.net [62.158.23.166]) by post.webmailer.de (8.9.3/8.8.7) with ESMTP id DAA03418; Tue, 13 Feb 2001 03:16:48 +0100 (MET) Received: from master ([192.168.0.1]) by bastion.localhost (8.11.1/8.11.1) with ESMTP id f1D2p5l00300; Tue, 13 Feb 2001 02:51:05 GMT Date: Tue, 13 Feb 2001 02:54:30 +0100 From: Boris X-Mailer: The Bat! (v1.48f) Personal Reply-To: Boris X-Priority: 3 (Normal) Message-ID: <110373053642.20010213025430@x-itec.de> To: Bill Fumerola Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re[2]: ipfw security patch problem.. In-reply-To: <20010126000558.I57121@elvis.mu.org> References: <20010126000558.I57121@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello Bill, Friday, January 26, 2001, 7:05:58 AM, you wrote: BF> On Fri, Jan 26, 2001 at 08:00:04AM +0200, Justin Stanford wrote: >> ipfw: setsockopt(IP_FW_ADD): Invalid argument I had the same problem last night. Thank you very much for this tip, it saved my live this night on my server. BF> You have to compile ipfw(8), compile a new kernel (or reload a new module), BF> and ipfw(8) needs to have /sys/netinet/ip_fw.h copied to /usr/include/netinet BF> unless you used buildworld(this needs to happen before recompiling ipfw). 
-- Boris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 19:17:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (mail.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 63E1237B491 for ; Mon, 12 Feb 2001 19:17:03 -0800 (PST) Received: (qmail 26768 invoked by uid 0); 13 Feb 2001 03:17:02 -0000 Received: from pd9508852.dip.t-dialin.net (HELO speedy.gsinet) (217.80.136.82) by mail.gmx.net (mail10) with SMTP; 13 Feb 2001 03:17:02 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA10834 for freebsd-security@FreeBSD.ORG; Mon, 12 Feb 2001 22:43:21 +0100 Date: Mon, 12 Feb 2001 22:43:21 +0100 From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: Secure Servers (SMTP, POP3, FTP) Message-ID: <20010212224320.G26500@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20010211074201.B1396@jive.44bsd.net> <004a01c09465$86506f80$1e9e6389@137.99.156.23> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from des@ofug.org on Mon, Feb 12, 2001 at 08:40:04PM +0100 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [ disclaimer: IANAL, but an interested user of djb-software ] On Mon, Feb 12, 2001 at 20:40 +0100, Dag-Erling Smorgrav wrote: > > 1) Mr Bernstein has also threatened to sue anyone who dared claim that > his code was insecure. Not the best of incentives. This statement was mentioned several times in recent threads. Is there any reference? 
Up to now I failed to see the evil in DJB's actions (code readability aside -- I've been there myself and know how long it takes to identify the spot to put your extension into while doing it is mostly a snap; and yes it's not everybody's thing that djb wants to warrant for his software only when it's implemented the way he designed it to).

Reading the documentation coming with djb-software I only see points FreeBSD claims in similar ways like "we simply _cannot_ operate reliably on broken hardware" (djb: the underlying OS and the libs linked against), "don't refer to it as a FreeBSD problem when a port has a bug" (djb: third party patches are not _my_ software, their bugs aren't mine) and "saturating your uplink doesn't prove design failures in our network stack" (djb: DoSing doesn't qualify as a security breach).

What am I doing wrong when I feel the missing "and proving it" in the above "claim of insecure code" is what makes him sue somebody? I still read the "all claims and discussions get published here" as an invitation to _prove_ his software wrong, while it just didn't happen yet. Has anyone heard or read otherwise?

BTW: What does the FreeBSD team do against unsubstantiated claims like those of the (misguided and probably not even understanding the system used by himself) OpenBSD freak posted here and in other public lists lately? Looking at the webpage (antioffline? anitonline? admittedly deleted the URL quickly after looking at it, but it's in the archive) it's a really badly copied and mangled FreeBSD index.html with a whole lot of sick accusations and made to look *exactly* like the original page (including all the links into the original FreeBSD site -- just like it would be an integral part of it!). Would you like to have this pass by unanswered? And do you expect to be called arrogant, obscuring or threatening when you take action against things like these? I would be quite astonished ...
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 20:36:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 4BE0337B65D for ; Mon, 12 Feb 2001 20:36:16 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14SBLm-0000FA-00; Sun, 11 Feb 2001 22:16:34 -0700 Message-ID: <3A8771B2.C202B8B7@softweyr.com> Date: Sun, 11 Feb 2001 22:16:34 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: "Peter C. Lai" Cc: Chris Faulhaber , Dominic Marks , freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) References: <20010211074201.B1396@jive.44bsd.net> <004a01c09465$86506f80$1e9e6389@137.99.156.23> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Peter C. Lai" wrote: > > the code is unauditable? Yes. It has nothing to do with the license, and everything to do with the format and (lack of) flow of the code, not to mention DJB's "tools" for compiling the code. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 20:45:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 98A0337B491 for ; Mon, 12 Feb 2001 20:45:32 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14RnXL-00004k-00; Sat, 10 Feb 2001 20:50:55 -0700 Message-ID: <3A860C1F.D855F48F@softweyr.com> Date: Sat, 10 Feb 2001 20:50:55 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: David La Croix Cc: Fenix , freebsd-security@FreeBSD.ORG Subject: Re: Xfree on multihomed box References: <200102110114.UAA15814@cowpie.acm.vt.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David La Croix wrote: > > > Hello > > I have managed too run 2 separate "jails" one serving as a shell server and another one as a an internet server it all runs smooth and fine but i have a little problem as i use X on the host and it binds to all avilable IP's on the host > > so does wdm (xdm) ... I was lookin in docs to find how i can make it listen to a single ip or not at all as i dont use X remoutly... > > does anyone have any suggestions or tips ? I'll be really gratefull > > Greets Fenix > > > > add the "-nolisten tcp" option to the X invocation. > > It causes the Xserver not to bind to ANY ports/addresses, I disable > it because anything I want on my Xserver goes through a ssh tunnel > via X forwarding (forwarded to the Unix socket) > > If you're running xdm, find the file xdm/Xservers. 
The contents > should look something like: > > :0 local /usr/X11R6/bin/X -nolisten tcp > > Not sure about wdm (or kdm), but I'm sure they are similar. It's in wdm/Xservers on WDM, same syntax. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 23:22:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 5F4BA37B6AB for ; Mon, 12 Feb 2001 23:22:23 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14SZuS-0000OI-00; Tue, 13 Feb 2001 00:30:00 -0700 Message-ID: <3A88E278.26A2B4D0@softweyr.com> Date: Tue, 13 Feb 2001 00:30:00 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Ragnar Beer Cc: freebsd-security@freebsd.org Subject: Re: cron and sendmail References: <200102121845.NAA20130@khavrinen.lcs.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ragnar Beer wrote: > > Does that mean that it's better not to use sendmail even if it's not > running in daemon mode? What else should I use for simplicity and > security? See the ongoing thread in this newsgroup about "secure servers". The current list seems to be bouncing back and forth between qmail (gag), Postfix (ick) and Exim (GPL). -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 23:33:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34]) by hub.freebsd.org (Postfix) with SMTP id F211F37B4EC for ; Mon, 12 Feb 2001 23:33:06 -0800 (PST) Received: (qmail 41166 invoked by uid 1001); 13 Feb 2001 07:32:40 -0000 Date: Tue, 13 Feb 2001 09:32:40 +0200 From: Neil Blakey-Milner To: "Edward W. M." Cc: dominic_marks@hotmail.com, freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) Message-ID: <20010213093240.A40761@rapier.smartspace.co.za> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from edward_wm@hotmail.com on Mon, Feb 12, 2001 at 03:51:45PM -0800 Organization: Building Intelligence X-Operating-System: FreeBSD 4.2-RELEASE i386 X-URL: http://rucus.ru.ac.za/~nbm/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon 2001-02-12 (15:51), Edward W. M. wrote: > >Mail Options: > >1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable > > I would advise against qmail, as I've had reliability issues with > it. Like? > ports/mail/courier-imap looks promising, but at this stage it's just > something for people who want to tinker with it, IMHO. It's fairly > new, so it has no proven security record and it currently supports > the Maildir format ONLY. It also does POP3. 
Neil -- Neil Blakey-Milner nbm@mithrandr.moria.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 12 23:36:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id E8E8C37B491 for ; Mon, 12 Feb 2001 23:36:16 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14SZe0-0000Mm-00; Tue, 13 Feb 2001 00:13:00 -0700 Message-ID: <3A88DE7C.C7D414D7@softweyr.com> Date: Tue, 13 Feb 2001 00:13:00 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: David Goddard Cc: Dominic Marks , freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) References: <3A885F40.9C6AD285@acm.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David Goddard wrote: > > On Sun, 11 Feb 2001, Dominic Marks wrote: > ... > > Mail Options: > > 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable How did you manage to work Qwest into that? It's just qmail, as in queue mail. > > 2. Sendmail - Industry standard, works fine, big user base Lotsa bugs, lots of options you'll never use, lots of code that does god only knows what. > > 3. Postfix - Secure, quite light on system resources, growing support Completely opaque configuration, no useful documentation. I still wonder exactly how this program has such a great reputation, given what an obstinate bitch it is to make it do something useful. > I can't believe no-one's mentioned Exim (http://www.exim.org/) yet - > doddle to configure (particularly things like virtual domains) and as > far as I understand it pretty secure. 
> I spent a while deliberating between this and Postfix for my servers
> but plumped for Exim after a short evaluation. Given that I couldn't
> separate them on the basis of security I went for Exim on usability. I
> say install both on a test machine and give them a whirl - but maybe
> someone here can offer a better perspective on the security
> comparison...

Ditto. I'm still trying to get Postfix to do *anything* with my mail other than throw it away. I've been using qmail (at gunpoint) at work for several months, and have grown to passionately hate it. Too bad Exim is GPL'ed, but that won't make any difference unless you want to ship it to customers.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 12 23:58:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [64.0.106.45]) by hub.freebsd.org (Postfix) with ESMTP id 29EF437B491 for ; Mon, 12 Feb 2001 23:58:46 -0800 (PST)
Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id CAA09557; Tue, 13 Feb 2001 02:55:07 -0500 (EST)
Date: Tue, 13 Feb 2001 02:55:07 -0500 (EST)
From:
To: Wes Peters
Cc: David Goddard , Dominic Marks , freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: <3A88DE7C.C7D414D7@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Completely opaque configuration, no useful documentation. I still
> wonder exactly how this program has such a great reputation, given what
> an obstinate bitch it is to make it do something useful.

You're serious? You honestly find postfix lacking in docs and poorly documented with no useful information? *boggle*

> Ditto. I'm still trying to get Postfix to do *anything* with my mail
> other than throw it away. I've been using qmail (at gunpoint) at work
> for several months, and have grown to passionately hate it. Too bad
> Exim is GPL'ed, but that won't make any difference unless you want to
> ship it to customers.

I'm actually quite stunned you're saying this. The postfix part. Qmail I understand (vomit). You say postfix is tossing your mail? I'm going to be so bold as to claim operator error on this one :-) since postfix is the most reliable and one of the best documented MTAs out there. I can't believe you're having problems with postfix. What exactly are the errors it's giving in maillog?

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
Author of the upcoming Postfix book ICQ: 20016186 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 0: 8:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from spork.pantherdragon.org (spork.pantherdragon.org [216.99.218.165]) by hub.freebsd.org (Postfix) with ESMTP id E4B8C37B491 for ; Tue, 13 Feb 2001 00:08:18 -0800 (PST) Received: from pantherdragon.org (dmpnet.pantherdragon.org [216.99.218.166]) by spork.pantherdragon.org (Postfix) with ESMTP id 66F4C471C5 for ; Tue, 13 Feb 2001 00:08:17 -0800 (PST) Message-ID: <3A88EB70.CC8CB78E@pantherdragon.org> Date: Tue, 13 Feb 2001 00:08:16 -0800 From: dmp@pantherdragon.org Organization: pantherdragon.org X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: syslogd -ss not part of extreme security option? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I was wondering why putting syslogd_flags="-ss" in /etc/rc.conf isn't part of sysinstall's extreme security option? This is in 4.2-R, has it changed since the release? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 13 0: 9:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id 32D6037B491 for ; Tue, 13 Feb 2001 00:09:37 -0800 (PST)
Received: from sv.Go2France.com (sv.meiway.com [212.73.210.79]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id 8AD576A907 for ; Tue, 13 Feb 2001 09:09:34 +0100 (CET)
Message-Id: <5.0.0.25.0.20010213090218.04eaa7a0@mail.Go2France.com>
X-Sender: lconrad%Go2France.com@mail.Go2France.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Tue, 13 Feb 2001 09:08:03 +0100
To: freebsd-security@freebsd.org
From: Len Conrad
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: <3A88DE7C.C7D414D7@softweyr.com>
References: <3A885F40.9C6AD285@acm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > 3. Postfix - Secure, quite light on system resources, growing support
>
> Completely opaque configuration, no useful documentation. I still
> wonder exactly how this program has such a great reputation, given what
> an obstinate bitch it is to make it do something useful.

??? I chose postfix for my IMGate project (FreeBSD mail hub in front of Ipswitch Imail for NT) because it was so easy to configure (vs qmail and sendmail), and based on the success of bunches of NT GUI jockeys (basically zilch *nix backgnd) who have gotten postfix working with little or no help, I chose right and your opinion is 180° out from my experience.
Len http://BIND8NT.MEIway.com : Binary for ISC BIND 8.2.3 for NT4 & W2K http://IMGate.MEIway.com : Build free, hi-perf, anti-spam mail gateways To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 0:20:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 7886D37B491 for ; Tue, 13 Feb 2001 00:20:16 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14SaqL-0000QB-00; Tue, 13 Feb 2001 01:29:49 -0700 Message-ID: <3A88F07D.535984D2@softweyr.com> Date: Tue, 13 Feb 2001 01:29:49 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Neil Blakey-Milner Cc: "Edward W. M." , dominic_marks@hotmail.com, freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) References: <20010213093240.A40761@rapier.smartspace.co.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Neil Blakey-Milner wrote: > > On Mon 2001-02-12 (15:51), Edward W. M. wrote: > > >Mail Options: > > >1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable > > > > I would advise against qmail, as I've had reliability issues with > > it. > > Like? > > > ports/mail/courier-imap looks promising, but at this stage it's just > > something for people who want to tinker with it, IMHO. It's fairly > > new, so it has no proven security record and it currently supports > > the Maildir format ONLY. > > It also does POP3. And IMAP-SSL, and POP3-SSL. It's far beyond the tinkering stage, though feeding it with qmail is a mistake in my opinion. Ick. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters                                Softweyr LLC
wes@softweyr.com                          http://softweyr.com/

From owner-freebsd-security Tue Feb 13 00:26:50 2001
From: Leon Breedt
Date: Tue, 13 Feb 2001 10:24:20 +0200
To: Neil Blakey-Milner
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <20010213102420.B6350@icefall.neverborn.org>
In-Reply-To: <20010213093240.A40761@rapier.smartspace.co.za>; from nbm@mithrandr.moria.org on Tue, Feb 13, 2001 at 09:32:40AM +0200
On Tue, Feb 13, 2001 at 09:32:40AM +0200, Neil Blakey-Milner wrote:
> > ports/mail/courier-imap looks promising, but at this stage it's just
> > something for people who want to tinker with it, IMHO. It's fairly
> > new, so it has no proven security record and it currently supports
> > the Maildir format ONLY.
> It also does POP3.
Exim+Courier+LDAP provides a nice virtual mail system. No system users, scalable, and Courier does IMAP-SSL and POP3-SSL.

We've used it in production for all the countries we have a presence in for roughly 6 months now, with no problems.

Leon.
--
System Administrator, iTouch.
GSM: +27-82-789-1245
PGP: http://pgp5.ai.mit.edu:11371/pks/lookup?op=get&search=0x45EFAAE1

From owner-freebsd-security Tue Feb 13 00:28:54 2001
From: Justin Stanford
Date: Tue, 13 Feb 2001 10:32:40 +0200 (SAST)
To: Leon Breedt
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: <20010213102420.B6350@icefall.neverborn.org>

Exim and Qpop can also be made to use MySQL for virtual user tables and the like - a very effective system.
--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Tue, 13 Feb 2001, Leon Breedt wrote:

> On Tue, Feb 13, 2001 at 09:32:40AM +0200, Neil Blakey-Milner wrote:
> > > ports/mail/courier-imap looks promising, but at this stage it's just
> > > something for people who want to tinker with it, IMHO. It's fairly
> > > new, so it has no proven security record and it currently supports
> > > the Maildir format ONLY.
> > It also does POP3.
> Exim+Courier+LDAP provides a nice virtual mail system. No system users,
> scalable, and Courier does IMAP-SSL and POP3-SSL.
>
> We've used it in production for all the countries we have a presence
> in for roughly 6 months now, with no problems.
>
> Leon.

From owner-freebsd-security Tue Feb 13 00:31:33 2001
From: Neil Blakey-Milner
Date: Tue, 13 Feb 2001 10:30:56 +0200
To: Wes Peters
Cc: "Edward W. M.",
    dominic_marks@hotmail.com, freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <20010213103056.A45128@rapier.smartspace.co.za>
References: <20010213093240.A40761@rapier.smartspace.co.za> <3A88F07D.535984D2@softweyr.com>
In-Reply-To: <3A88F07D.535984D2@softweyr.com>; from wes@softweyr.com on Tue, Feb 13, 2001 at 01:29:49AM -0700
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/

On Tue 2001-02-13 (01:29), Wes Peters wrote:
> > On Mon 2001-02-12 (15:51), Edward W. M. wrote:
> > > > Mail Options:
> > > > 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
> > >
> > > I would advise against qmail, as I've had reliability issues with
> > > it.
> >
> > Like?
> >
> > > ports/mail/courier-imap looks promising, but at this stage it's just
> > > something for people who want to tinker with it, IMHO. It's fairly
> > > new, so it has no proven security record and it currently supports
> > > the Maildir format ONLY.
> >
> > It also does POP3.
>
> And IMAP-SSL, and POP3-SSL. It's far beyond the tinkering stage,
> though feeding it with qmail is a mistake in my opinion. Ick.

And there's always courier. I haven't used it in a production environment, but I'm confident in Sam's ability to write a standards-compliant SMTP server that doesn't suck technically. The question is whether Outlook will support it.
;)

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Tue Feb 13 01:40:57 2001
From: Dag-Erling Smorgrav
Date: 13 Feb 2001 10:40:41 +0100
To: Neil Blakey-Milner
Cc: "Edward W. M.", dominic_marks@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
References: <20010213093240.A40761@rapier.smartspace.co.za>
In-Reply-To: Neil Blakey-Milner's message of "Tue, 13 Feb 2001 09:32:40 +0200"
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.

Neil Blakey-Milner writes:
> On Mon 2001-02-12 (15:51), Edward W. M. wrote:
> > > Mail Options:
> > > 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
> > I would advise against qmail, as I've had reliability issues with
> > it.
> Like?

I can't speak for Edward, but here are some of the reliability problems I've run into with QMail:

Stock QMail (without the large-queue patches) will not handle even moderate loads gracefully. For some inexplicable reason (read: gratuitous design flaw), directories which ought to be split into buckets aren't, so you end up with flat directories holding one file per queue entry.
Also, the default number of buckets (23) is ridiculously small, unless you're just setting up qmail on your DSL box to handle mail for yourself, your four-month-old kitten, and her pet rock.

Once hell has broken loose, repairing broken QMail queues is fairly non-trivial. Even moving a broken queue aside and later merging it into the running queue is nearly impossible without some heavy scripting; the documented way of doing this is to compile and install a separate QMail installation configured to run from a separate directory and process the secondary queue.

If you decide to change the number of hash buckets, there's no supported way to rehash a queue; the documentation says to let it run dry before switching, or run two installations of QMail in parallel (as described above) until the old queue has run dry.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Feb 13 01:43:54 2001
From: Dag-Erling Smorgrav
Date: 13 Feb 2001 10:43:46 +0100
To: Wes Peters
Cc: David Goddard, Dominic Marks, freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
References: <3A885F40.9C6AD285@acm.org> <3A88DE7C.C7D414D7@softweyr.com>
In-Reply-To: Wes Peters's message of "Tue, 13 Feb 2001 00:13:00 -0700"

Wes Peters writes:
> > > 3. Postfix - Secure, quite light on system resources, growing support
> Completely opaque configuration, no useful documentation. I still
> wonder exactly how this program has such a great reputation, given what
> an obstinate bitch it is to make it do something useful.

Jee-zus, you can't have tried very hard. Postfix is very well documented, and very powerful, and very easy to set up once you've grasped the basic underlying principles of main.cf and master.cf.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Feb 13 01:46:13 2001
To: dmp@pantherdragon.org
Cc: security@FreeBSD.ORG
Subject: Re: syslogd -ss not part of extreme security option?
References: <3A88EB70.CC8CB78E@pantherdragon.org>
From: Dag-Erling Smorgrav
Date: 13 Feb 2001 10:46:02 +0100
In-Reply-To: dmp@pantherdragon.org's message of "Tue, 13 Feb 2001 00:08:16 -0800"

dmp@pantherdragon.org writes:
> I was wondering why putting syslogd_flags="-ss" in /etc/rc.conf isn't
> part of sysinstall's extreme security option? This is in 4.2-R, has
> it changed since the release?

It doesn't really buy you much except an insignificant performance increase and a warm fuzzy feeling - barring a kernel bug that would allow data to be sent to a half-closed socket, but no such bug is known.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Feb 13 05:15:05 2001
From: Attila Nagy
Date: Tue, 13 Feb 2001 14:14:55 +0100 (CET)
Subject: Re: Secure Servers (SMTP, POP3, FTP)

Hello,

> >3. ftpd - Dodgy security? Doesn't seem to be used very much
> ftpd is my number one choice when it comes to security and good performance.

Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you control the number of active connections?
With /etc/login.conf or something similar resource control (number of running processes)?

--------------------------------------------------------------------------
Attila Nagy                                     e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758

From owner-freebsd-security Tue Feb 13 05:26:03 2001
From: Szilveszter Adam
Date: Tue, 13 Feb 2001 14:25:49 +0100
To: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <20010213142548.A16193@petra.hos.u-szeged.hu>
In-Reply-To: from bra@fsn.hu on Tue, Feb 13, 2001 at 02:14:55PM +0100

Hello Attila!

On Tue, Feb 13, 2001 at 02:14:55PM +0100, Attila Nagy wrote:
> Hello,
>
> > >3. ftpd - Dodgy security? Doesn't seem to be used very much
> > ftpd is my number one choice when it comes to security and good performance.
> Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you control
> the number of active connections? With /etc/login.conf or something
> similar resource control (number of running processes)?
If you are not starting it from inetd (which can limit the number of concurrent connections), then IMHO it is a good idea to run it in chroot or in jail... otherwise I don't know.

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Tue Feb 13 05:28:39 2001
From: Dag-Erling Smorgrav
Date: 13 Feb 2001 14:28:30 +0100
To: Attila Nagy
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: Attila Nagy's message of "Tue, 13 Feb 2001 14:14:55 +0100 (CET)"

Attila Nagy writes:
> Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you control
> the number of active connections? With /etc/login.conf or something
> similar resource control (number of running processes)?

Run ftpd from inetd like God intended and specify a maximum number of concurrent instances in inetd.conf.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Feb 13 05:38:42 2001
From: dodi maryanto
Date: Tue, 13 Feb 2001 20:33:33 +0000 (GMT)
To: Dag-Erling Smorgrav
Cc: Attila Nagy, freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)

On 13 Feb 2001, Dag-Erling Smorgrav wrote:
> Attila Nagy writes:
> > Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you control
> > the number of active connections? With /etc/login.conf or something
> > similar resource control (number of running processes)?
>
> Run ftpd from inetd like God intended and specify a maximum number of
> concurrent instances in inetd.conf.
>
Or maybe you'd like to run ftpd with tcp-server, from Mr. djb. Small, fast and easy to configure.
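The inetd.conf limit recommended above only protects a service whose line actually carries it. The following is an added example, not from the thread and not FreeBSD's own code, that audits an inetd.conf for services whose wait/nowait column has no /max-child suffix (FreeBSD inetd(8) syntax); the inetd.conf lines it reads are a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf for services
# that inetd may fork without limit.  FreeBSD's inetd(8) takes the limit in
# the fourth column as "nowait/max-child" (later releases accept further
# "/"-separated per-IP fields); a bare "wait" or "nowait" means unbounded,
# so a burst of connections forks as many ftpd processes as the box can bear.

# Constructed sample of /etc/inetd.conf (not copied from a real host).
SAMPLE_INETD_CONF='#
# constructed sample inetd.conf
ftp     stream  tcp     nowait      root    /usr/libexec/ftpd    ftpd -l
ssh     stream  tcp     nowait/15   root    /usr/sbin/sshd       sshd -i
telnet  stream  tcp     nowait      root    /usr/libexec/telnetd telnetd
pop3    stream  tcp     nowait/20/5 root    /usr/local/libexec/popper popper
tftp    dgram   udp     wait        root    /usr/libexec/tftpd   tftpd -s /tftpboot
#finger stream  tcp     nowait/3/10 nobody  /usr/libexec/fingerd fingerd -s
'

# inetd_child_limits CONFIG_TEXT
# Prints one "service limit" pair per active (uncommented) line; limit is
# the max-child number, or "unbounded" when the field has no "/N" suffix.
inetd_child_limits() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            n = split($4, f, "/")                 # f[1]=wait|nowait, f[2]=max-child
            limit = (n >= 2 && f[2] ~ /^[0-9]+$/) ? f[2] : "unbounded"
            print $1, limit
        }'
}

# inetd_unbounded_services CONFIG_TEXT
# Space-separated list of services with no per-service child limit.
inetd_unbounded_services() {
    inetd_child_limits "$1" | awk '
        $2 == "unbounded" { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# Stand-alone run: report on the constructed sample.  On a real host use
#   inetd_unbounded_services "$(cat /etc/inetd.conf)"
inetd_child_limits "$SAMPLE_INETD_CONF"
echo "services with no child limit: $(inetd_unbounded_services "$SAMPLE_INETD_CONF")"
```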
From owner-freebsd-security Tue Feb 13 05:43:45 2001
From: turbo23
Date: Tue, 13 Feb 2001 14:45:36 +0100
To: freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-Id: <5.0.2.1.2.20010213144216.00a80210@mail.gmx.net>

> > Attila Nagy writes:
> > > Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you control
> > > the number of active connections? With /etc/login.conf or something
> > > similar resource control (number of running processes)?
> >
> > Run ftpd from inetd like God intended and specify a maximum number of
> > concurrent instances in inetd.conf.
> >
> or maybe you like to run ftpd with tcp-server, from mr. djb.
> small, fast and easy to configure.

You can also run ftpd with xinetd. It can also handle a maximum number of connections. IMHO it isn't as fast as Bernstein's tcp-server but it's more secure than inetd.
From owner-freebsd-security Tue Feb 13 05:52:45 2001
From: Neil Blakey-Milner
Organization: Building Intelligence
Date: Tue, 13 Feb 2001 15:52:12 +0200
To: turbo23
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <20010213155212.A70601@rapier.smartspace.co.za>
In-Reply-To: <5.0.2.1.2.20010213144216.00a80210@mail.gmx.net>; from turbo23@gmx.net on Tue, Feb 13, 2001 at 02:45:36PM +0100
X-Operating-System: FreeBSD 4.2-RELEASE i386

On Tue 2001-02-13 (14:45), turbo23 wrote:
> > > > Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you control
> > > > the number of active connections? With /etc/login.conf or something
> > > > similar resource control (number of running processes)?
> > >
> > > Run ftpd from inetd like God intended and specify a maximum number of
> > > concurrent instances in inetd.conf.
> > >
> > or maybe you like to run ftpd with tcp-server, from mr. djb.
> > small, fast and easy to configure.
>
> You can also run ftpd with xinetd. It can also handle maximum number of
> connections. IMHO it isn't as fast as Bernsteins tcp-server but it's more
> secure than inetd.

I'm not aware of any security issues in FreeBSD's inetd that involve it running an external (ie, exec) service. Care for pointers?
19 June 2000, xinetd had the following bug:

  Certain versions of xinetd have a bug in the access control
  mechanism. If you use a hostname to control access to a service
  (localhost instead of 127.0.0.1), xinetd will allow any connection
  from hosts that fail a reverse look-up.

Perhaps you mean inetd's on other systems (like those that don't have connection limits, and those that turn services off for 10 minutes without configurability on the amount of time turned off)?

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Tue Feb 13 05:56:57 2001
From: Dag-Erling Smorgrav
Date: 13 Feb 2001 14:56:18 +0100
To: dodi maryanto
Cc: Attila Nagy, freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: dodi maryanto's message of "Tue, 13 Feb 2001 20:33:33 +0000 (GMT)"

dodi maryanto writes:
> On 13 Feb 2001, Dag-Erling Smorgrav wrote:
> > Run ftpd from inetd like God intended and specify a maximum number of
> > concurrent instances in inetd.conf.
> or maybe you like to run ftpd with tcp-server, from mr. djb.
> small, fast and easy to configure.
Can you show that inetd is significantly larger and/or slower than tcp-server? As for ease of configuration, the format of inetd.conf is straightforward and well documented.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Feb 13 06:07:11 2001
From: turbo23
Date: Tue, 13 Feb 2001 15:07:00 +0100
To: Neil Blakey-Milner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-Id: <5.0.2.1.2.20010213150150.009f0620@mail.gmx.net>
In-Reply-To: <20010213155212.A70601@rapier.smartspace.co.za>

> > > or maybe you like to run ftpd with tcp-server, from mr. djb.
> > > small, fast and easy to configure.
> >
> > You can also run ftpd with xinetd. It can also handle maximum number of
> > connections. IMHO it isn't as fast as Bernsteins tcp-server but it's more
> > secure than inetd.
>
> I'm not aware of any security issues in FreeBSD's inetd that involve it
> running an external (ie, exec) service. Care for pointers?
>
> 19 June 2000, xinetd had the following bug:
>
>   Certain versions of xinetd have a bug in the access control
>   mechanism.
>   If you use a hostname to control access to a service
>   (localhost instead of 127.0.0.1), xinetd will allow any connection
>   from hosts that fail a reverse look-up.
>
> Perhaps you mean inetd's on other systems (like those that don't have
> connection limits, and those that turn services off for 10 minutes
> without configurability on the amount of time turned off)?

You're right. But we had troubles with some inetd and Linux machines. I thought this could be a problem with freebsd too. But I was wrong. Anyway we are using tcpserver at the moment.

regards
Thomas

From owner-freebsd-security Tue Feb 13 06:18:59 2001
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
Message-Id: <200102131414.f1DEET913997@cwsys.cwsent.com>
To: David Goddard
Cc: Dominic Marks,
    freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
In-reply-to: Your message of "Mon, 12 Feb 2001 22:10:08 GMT." <3A885F40.9C6AD285@acm.org>
Date: Tue, 13 Feb 2001 06:13:29 -0800

In message <3A885F40.9C6AD285@acm.org>, David Goddard writes:
> On Sun, 11 Feb 2001, Dominic Marks wrote:
> ...
> > Mail Options:
> > 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
> > 2. Sendmail - Industry standard, works fine, big user base
> > 3. Postfix - Secure, quite light on system resources, growing support
>
> I can't believe no-one's mentioned Exim (http://www.exim.org/) yet -
> doddle to configure (particularly things like virtual domains) and as
> far as I understand it pretty secure. I spent a while deliberating
> between this and Postfix for my servers but plumped for Exim after a
> short evaluation. Given that I couldn't separate them on the basis of
> security I went for Exim on usability. I say install both on a test
> machine and give them a whirl - but maybe someone here can offer a
> better perspective on the security comparison...

I'm also surprised that no one has mentioned smtpd (www.obtuse.com, also in the ports collection). It imposes Qmail-like or Postfix-like operation/structure on Sendmail. You can secure Sendmail even further by removing the setuid bit, however that breaks .forward to other programs. If you can live with that, you basically have the same functionality as Qmail without the qmail-aliases afterthought.
Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:  (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Tue Feb 13 06:28:27 2001
From: dodi maryanto
Date: Tue, 13 Feb 2001 21:23:13 +0000 (GMT)
To: Dag-Erling Smorgrav
Cc: Attila Nagy, freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)

> Can you show that inetd is significantly larger and/or slower than
> tcp-server? As for ease of configuration, the format of inetd.conf is
> straightforward and well documented.
>
If you have many rules to set, cdb format is very fast to read (cdb is a standard db file for djb-ware). Yes, it is also easy to configure even with poor documentation.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 6:33:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 1EA5837B4EC for ; Tue, 13 Feb 2001 06:33:25 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id PAA95543; Tue, 13 Feb 2001 15:32:58 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: dodi maryanto Cc: Attila Nagy , freebsd-security@FreeBSD.ORG Subject: Re: Secure Servers (SMTP, POP3, FTP) References: From: Dag-Erling Smorgrav Date: 13 Feb 2001 15:32:57 +0100 In-Reply-To: dodi maryanto's message of "Tue, 13 Feb 2001 21:23:13 +0000 (GMT)" Message-ID: Lines: 15 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org dodi maryanto writes: > > Can you show that inetd is significantly larger and/or slower than > > tcp-server? As for ease of configuration, the format of inetd.conf is > > straightforward and well documented. > if you have many rule to set, cdb format is very fast to read. > ( cdb is a standard db file for djb-ware ). yes, it is also easy to > configure even with poor documentation. Reading the rules is something you only do very rarely - on a production machine, you only do it once, at boot. It's just not relevant. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 7:28: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 136B637B491 for ; Tue, 13 Feb 2001 07:28:02 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA21252; Tue, 13 Feb 2001 07:25:38 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21250; Tue Feb 13 07:25:32 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f1DFPRG92177; Tue, 13 Feb 2001 07:25:27 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdq92172; Tue Feb 13 07:24:30 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f1DFOU814381; Tue, 13 Feb 2001 07:24:30 -0800 (PST) Message-Id: <200102131524.f1DFOU814381@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdE14376; Tue Feb 13 07:24:15 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: turbo23 Cc: Neil Blakey-Milner , freebsd-security@FreeBSD.ORG Subject: Re: Secure Servers (SMTP, POP3, FTP) In-reply-to: Your message of "Tue, 13 Feb 2001 15:07:00 +0100." <5.0.2.1.2.20010213150150.009f0620@mail.gmx.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 13 Feb 2001 07:24:15 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <5.0.2.1.2.20010213150150.009f0620@mail.gmx.net>, turbo23 writes: > > > > >or maybe you like to run ftpd with tcp-server, from mr. djb. 
> > > >small, fast and easy to configure.
> > >
> > > You can also run ftpd with xinetd. It can also handle maximum number of
> > > connections. IMHO it isn't as fast as Bernsteins tcp-server but it's more
> > > secure than inetd.
> >
> >I'm not aware of any security issues in FreeBSD's inetd that involve it
> >running an external (ie, exec) service. Care for pointers?
> >
> >19 June 2000, xinetd had the following bug:
> >
> > Certain versions of xinetd have a bug in the access control
> > mechanism. If you use a hostname to control access to a service
> > (localhost instead of 127.0.0.1 ), xinetd will allow any connection
> > from hosts that fail a reverse look-up.
> >
> >Perhaps you mean inetd's on other systems (like those that don't have
> >connection limits, and those that turn services off for 10 minutes
> >without configurability on the amount of time turned off)?
>
> You're right. But we had troubles with some inetd and Linux machines. I
> thought this could be a problem with freebsd too. But I was wrong. Anyway
> we are using tcpserver at the moment.

You can't make the assumption that just because Linux has a bug that FreeBSD would as well. In my experience, the quality of code coming out of the FreeBSD project is much better than any Linux distribution I've had to work with. Take for example the latest Vixie cron bug. Both Linux and FreeBSD use Vixie cron. FreeBSD's version of Vixie cron has been substantially modified and fixed, while Linux continues to use the original Vixie cron with most of its bugs.

Another good example is the various man command security bugs in Linux which are not in FreeBSD.

Few bugs discovered on Linux affect FreeBSD.
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 8: 8:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id 4776F37B491 for ; Tue, 13 Feb 2001 08:08:29 -0800 (PST) Received: from partner.uni-psych.gwdg.de ([134.76.136.114]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14Si0B-000243-00 for freebsd-security@freebsd.org; Tue, 13 Feb 2001 17:08:27 +0100 Mime-Version: 1.0 X-Sender: rbeer@popper.gwdg.de Message-Id: Date: Tue, 13 Feb 2001 17:08:24 +0100 To: freebsd-security@freebsd.org From: Ragnar Beer Subject: port 587 - submission Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Howdy! In the process of closing all the open ports that I really don't need I found a port 587 listed as service 'submission' by nmap. Does anyone know what kind of service that is? And is there a way to find out which process is listening on a given port (so that I can kill it)? 
Ragnar

From owner-freebsd-security Tue Feb 13 8:11:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from cartman.cisp.cc (mail.cisp.cc [63.174.69.7]) by hub.freebsd.org (Postfix) with ESMTP id 30B1837B4EC for ; Tue, 13 Feb 2001 08:11:46 -0800 (PST) Received: by cartman.cisp.cc with Internet Mail Service (5.5.2650.21) id <1L28M6WY>; Tue, 13 Feb 2001 11:08:00 -0500 Message-ID: From: Aaron Weiker To: 'Ragnar Beer' Cc: "'freebsd-security@freebsd.org'" Subject: RE: port 587 - submission Date: Tue, 13 Feb 2001 11:07:59 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C095D7.224B4780" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

sockstat is a great tool I use to find out what program is running on which port.

Aaron Weiker
Programmer
CISP - Changing Internet Speed & Performance
Phone: 419.724.5351 aweiker@cisp.cc
Pager: 419.218.0013 http://www.cisp.cc
Cell: 419.304.0323 web search: http://www.allthesites.com

-----Original Message-----
From: Ragnar Beer [mailto:rbeer@uni-goettingen.de]
Sent: Tuesday, February 13, 2001 11:08 AM
To: freebsd-security@freebsd.org
Subject: port 587 - submission

Howdy!

In the process of closing all the open ports that I really don't need I found a port 587 listed as service 'submission' by nmap. Does anyone know what kind of service that is? And is there a way to find out which process is listening on a given port (so that I can kill it)?
Ragnar
From owner-freebsd-security Tue Feb 13 8:12:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (Postfix) with ESMTP id D695D37B491 for ; Tue, 13 Feb 2001 08:12:47 -0800 (PST) Received: (from smap@localhost) by whistle.com (8.10.0/8.10.0) id f1DGClA02831; Tue, 13 Feb 2001 08:12:47 -0800 (PST) Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0) id xma002828; Tue, 13 Feb 2001 08:12:34 -0800 Received: (from dhw@localhost) by pau-amma.whistle.com (8.11.1/8.11.1) id f1DGCXb58103; Tue, 13 Feb 2001 08:12:33 -0800 (PST) Date: Tue, 13 Feb 2001 08:12:33 -0800 (PST) From: David Wolfskill Message-Id: <200102131612.f1DGCXb58103@pau-amma.whistle.com> To: freebsd-security@FreeBSD.ORG, rbeer@uni-goettingen.de Subject: Re: port 587 - submission In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>Date: Tue, 13 Feb 2001 17:08:24 +0100
>From: Ragnar Beer
>In the process of closing all the open ports that I really don't need I found a port 587 listed as service 'submission' by nmap. Does anyone know what kind of service that is? And is there a way to find out which process is listening on a given port (so that I can kill it)?

Message (email) submission; see RFC 2476.
Cheers, david -- David Wolfskill dhw@whistle.com UNIX System Administrator Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 8:13:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from devnull.xpert.com (ftp.xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 1265C37B4EC for ; Tue, 13 Feb 2001 08:13:35 -0800 (PST) Received: from mailserv.xpert.com ([199.203.132.135]) by devnull.xpert.com with esmtp (Exim 3.01 #1) id 14Si4h-0000P0-00; Tue, 13 Feb 2001 18:13:07 +0200 Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id <1TMP95SS>; Tue, 13 Feb 2001 18:13:01 +0200 Message-ID: From: Yonatan Bokovza To: 'Ragnar Beer' , freebsd-security@freebsd.org Subject: RE: port 587 - submission Date: Tue, 13 Feb 2001 18:13:00 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org nmap looks for 587 in /etc/services to see what is the port's "well known" usage. use sockstat or lsof from the ports to see what program binds to that port. > -----Original Message----- > From: Ragnar Beer [mailto:rbeer@uni-goettingen.de] > Sent: Tuesday, February 13, 2001 6:08 PM > To: freebsd-security@freebsd.org > Subject: port 587 - submission > > > Howdy! > > In the process of closing all the open ports that I really > don't need I found a port 587 listed as service 'submission' > by nmap. Does anyone know what kind of service that is? And > is there a way to find out which process is listening on a > given port (so that I can kill it)? 
> > Ragnar > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 8:13:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 324E637B491 for ; Tue, 13 Feb 2001 08:13:56 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA30846; Tue, 13 Feb 2001 11:13:49 -0500 (EST) (envelope-from wollman) Date: Tue, 13 Feb 2001 11:13:49 -0500 (EST) From: Garrett Wollman Message-Id: <200102131613.LAA30846@khavrinen.lcs.mit.edu> To: Ragnar Beer Cc: freebsd-security@FreeBSD.ORG Subject: port 587 - submission In-Reply-To: References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Howdy! Hi. Please, in the future, remember to press `return' at the end of each (72-character-or-less) line of text in your e-mail. I have reformatted your original text for clarity. > In the process of closing all the open ports that I really don't > need I found a port 587 listed as service 'submission' by nmap. Does > anyone know what kind of service that is? Yes, it is the mail submission agent which is implemented by sendmail. Its purpose is to allow network mail client programs to submit their mail and receive the appropriate processing (e.g., inserting Message-ID and Date headers) which is not permitted in SMTP. 
-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 8:14:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cstone.net (mail.cstone.net [209.145.64.80]) by hub.freebsd.org (Postfix) with ESMTP id 63A9537B4EC for ; Tue, 13 Feb 2001 08:14:11 -0800 (PST) Received: from cstone.net (mithril.cstone.net [209.145.64.79]) by mail.cstone.net (8.11.1/8.11.1) with ESMTP id f1DGE5881580; Tue, 13 Feb 2001 11:14:05 -0500 (EST) References: X-Accept-Language: en X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.0 i686) From: "Eric Sproul" To: "Ragnar Beer" Cc: freebsd-security@FreeBSD.ORG Date: Tue, 13 Feb 2001 11:14:05 -0500 Message-ID: <3A895D4D.D76ACBF7@cstone.net> Subject: Re: port 587 - submission MIME-Version: 1.0 Content-Type: TEXT/plain; charset="us-ascii" Content-Transfer-Encoding: 7BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ragnar Beer wrote: > > Howdy! > > In the process of closing all the open ports that I really don't need I found a port 587 listed as service 'submission' by nmap. Does anyone know what kind of service that is? And is there a way to find out which process is listening on a given port (so that I can kill it)? 587 is for SMTP "submissions" meaning new messages (from users) being injected into a server, versus relayed mail from other 'net mail servers, which would use port 25. There's an RFC for it, but I don't know of any MUAs that implement it. Eric -- Eric Sproul, Systems Administrator Cornerstone Networks Inc. (http://www.cstone.net) ------------------------------------------------- ZenCrafters: Total Enlightenment in about an hour. 
From owner-freebsd-security Tue Feb 13 8:16: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from joe.pythonvideo.com (joe.pythonvideo.com [209.226.29.94]) by hub.freebsd.org (Postfix) with ESMTP id 6E56637B698 for ; Tue, 13 Feb 2001 08:15:59 -0800 (PST) Received: from advancewebhosting.com (joe@localhost.pythonvideo.com [127.0.0.1]) by joe.pythonvideo.com (8.11.1/8.11.0) with ESMTP id f1DGFJT94044; Tue, 13 Feb 2001 11:15:19 -0500 (EST) (envelope-from joe@advancewebhosting.com) Message-ID: <3A895D97.41C93D06@advancewebhosting.com> Date: Tue, 13 Feb 2001 11:15:19 -0500 From: Joe Oliveiro Reply-To: joe@advancewebhosting.com Organization: Advance Webhosting Inc. X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: David Wolfskill Cc: freebsd-security@FreeBSD.ORG, rbeer@uni-goettingen.de Subject: Re: port 587 - submission References: <200102131612.f1DGCXb58103@pau-amma.whistle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

David Wolfskill wrote:
> >Date: Tue, 13 Feb 2001 17:08:24 +0100
> >From: Ragnar Beer
> >
> >In the process of closing all the open ports that I really don't need I found a port 587 listed as service 'submission' by nmap. Does anyone know what kind of service that is? And is there a way to find out which process is listening on a given port (so that I can kill it)?
>
> Message (email) submission; see RFC 2476.
>
> Cheers,
> david
> --
> David Wolfskill dhw@whistle.com UNIX System Administrator
> Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

If you run sockstat it will return the information you're looking for (tell you which program is bound on that port) and as for the kind of service it is, your guess is as good as mine ;)

From owner-freebsd-security Tue Feb 13 8:29:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from ashburn.skiltech.com (ashburn.skiltech.com [216.235.79.239]) by hub.freebsd.org (Postfix) with ESMTP id 7BF7F37B491 for ; Tue, 13 Feb 2001 08:29:47 -0800 (PST) Received: (from minter@localhost) by ashburn.skiltech.com (8.11.1/8.11.1) id f1DDPMU20773; Tue, 13 Feb 2001 08:25:22 -0500 (EST) (envelope-from minter) Date: Tue, 13 Feb 2001 08:25:22 -0500 (EST) From: "H. Wade Minter" X-X-Sender: To: Subject: Getting more information from ipfw logs Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm running an ipfw firewall on 4.2-STABLE. I've got my rules set up fine, and everything seems to be going well. However, I'd like to get more logged information than just the time, source IP:port, and dest IP:port. Can ipfw do this, or is there an addon I need to use to get things like packet content and whatnot logged?
--Wade

From owner-freebsd-security Tue Feb 13 8:31: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from nbux.com (ASte-Genev-Bois-101-1-2-99.abo.wanadoo.fr [193.252.179.99]) by hub.freebsd.org (Postfix) with ESMTP id 10BBD37B491 for ; Tue, 13 Feb 2001 08:31:03 -0800 (PST) Received: from goliath ([192.168.5.20]) by nbux.com (8.11.1/8.11.1) with SMTP id f1DGV1o10331 for ; Tue, 13 Feb 2001 17:31:01 +0100 (CET) (envelope-from lifo@nbux.com) Message-ID: <015301c095da$790f0310$1405a8c0@goliath> From: "lifo" To: Subject: ipfilter 3.4.16 + freebsd 4.2 crash ! Date: Tue, 13 Feb 2001 17:31:48 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

hi all,

i am new to this mailing list, i am french, and sorry for my bad english ;-)

well, i have a little bug on a firewall freebsd 4.2-stable ( FreeBSD 4.2-STABLE #3: Mon Jan 22 09:57:16) + ipfilter 3.4.16 : when i do

ipf -P -f ./ipfilter.tmp

or

ipf -r -f ./ipfilter.tmp

where ipfilter.tmp is a regular ipfilter rules file of course... The system crashes and reboots! has anyone already seen this? perhaps there is already a patch?

thanks in advance...

PS: IPFILTER is not a module, it's in my kernel... I know there is a bug with unloading the ipfilter 3.4.16 module. But it's different...

-- NoThiNg BuT UniX -=- www.nbux.com -=- Powered by FreeBSD !
lifo@nbux.com --

From owner-freebsd-security Tue Feb 13 8:47:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 98F8437B4EC for ; Tue, 13 Feb 2001 08:47:34 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id f1DGlJb03039; Tue, 13 Feb 2001 11:47:19 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Tue, 13 Feb 2001 11:47:19 -0500 (EST) From: Rob Simmons To: Ragnar Beer Cc: freebsd-security@FreeBSD.ORG Subject: Re: port 587 - submission In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It's the new Mail Submission Agent. It is a Good Thing (tm). The only problem is there aren't any (good) mail clients that support it yet, so you can disable it by making a copy of /usr/src/etc/sendmail/freebsd.mc and calling it .mc

Then add this line to the new file:

FEATURE(`no_default_msa')

Then in that same directory run:

make .cf

Then move /usr/obj/usr/src/etc/sendmail/.cf to /etc/mail/sendmail.cf

That would be the Zen way to disable it. The not-so-zen way to disable it is to edit the /etc/mail/sendmail.cf file and remove or comment out the following line:

O DaemonPortOptions=Port=587, Name=MSA, M=E

I recommend using the Zen approach. Also, the reason you want to make a new file just for your server is the same reason you want to make a separate file from the GENERIC kernel config file - the next time you cvsup the source tree you have a really good chance of this mc file being blown away. If you make a copy of it, it will never get blown away and you will be able to merge your local changes into the new freebsd.mc file whenever it changes.
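The port-587 replies above amount to three checks: nmap takes the 'submission' label from /etc/services, sockstat shows which process owns the socket, and the listener comes back at the next sendmail restart unless the MSA DaemonPortOptions line is gone from sendmail.cf. The script below is an added example and not code from any of the posters; it runs those three checks over constructed excerpts of a services table, sockstat -4l output (FreeBSD 4.x column layout is assumed) and a sendmail.cf, so it works offline and can be pointed at the real files on a host.

```shell
#!/bin/sh
# Added example, not from the list posts above. Each check reads its input
# from stdin so it runs against the constructed samples here or, on a
# FreeBSD host, against /etc/services, `sockstat -4l` and sendmail.cf.

# Constructed excerpt of /etc/services, the table nmap consults for the
# "well known" name it prints beside a port number.
SAMPLE_SERVICES='smtp            25/tcp     mail
ssh             22/tcp
submission      587/tcp'

# Constructed sample of `sockstat -4l` output (FreeBSD 4.x column layout).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   123    4 tcp4   *:25                  *:*
root     sendmail   123    5 tcp4   *:587                 *:*
root     sshd       98     3 tcp4   *:22                  *:*'

# Constructed excerpt of a sendmail.cf generated with the MSA enabled.
SAMPLE_CF='O DaemonPortOptions=Port=25, Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E'

# service_name PORT: the name nmap would print for tcp PORT, looked up in
# a services table on stdin (prints nothing if the port has no entry).
service_name() {
    awk -v p="$1/tcp" '$2 == p { print $1; exit }'
}

# listener PORT: "COMMAND PID" of the process bound to tcp PORT, from
# sockstat output on stdin (prints nothing if nothing listens there).
listener() {
    awk -v p="*:$1" '$6 == p { print $2, $3; exit }'
}

# msa_enabled: succeeds if the sendmail.cf on stdin still carries an
# uncommented MSA daemon line; in that case killing the process only
# removes the listener until the next sendmail restart.
msa_enabled() {
    grep -q '^O DaemonPortOptions=.*Name=MSA'
}

# report PORT: one summary line per port over the constructed samples.
# On a real host feed `cat /etc/services`, `sockstat -4l` and
# `cat /etc/mail/sendmail.cf` to the three functions instead.
report() {
    port=$1
    name=$(printf '%s\n' "$SAMPLE_SERVICES" | service_name "$port")
    proc=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | listener "$port")
    printf 'port %s (%s): %s\n' "$port" "${name:-unknown}" "${proc:-no listener}"
    if [ "$port" = 587 ] && printf '%s\n' "$SAMPLE_CF" | msa_enabled; then
        printf 'sendmail.cf still enables the MSA; killing the process is not enough\n'
    fi
}

report 587
report 110
```

The MSA check is the one worth keeping around: a port that is closed by killing the daemon but still configured in sendmail.cf reopens silently at the next reboot, which is exactly what the freebsd.mc procedure above avoids.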
Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 13 Feb 2001, Ragnar Beer wrote:
> Howdy!
>
> In the process of closing all the open ports that I really don't need I found a port 587 listed as service 'submission' by nmap. Does anyone know what kind of service that is? And is there a way to find out which process is listening on a given port (so that I can kill it)?
>
> Ragnar

From owner-freebsd-security Tue Feb 13 9: 4:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (mail.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 9552D37B491 for ; Tue, 13 Feb 2001 09:00:50 -0800 (PST) Received: (qmail 1419 invoked by uid 0); 13 Feb 2001 17:00:47 -0000 Received: from pop-zh-18-2-dialup-160.freesurf.ch (HELO blaaa.gmx.net) (194.230.220.160) by mail.gmx.net (mail05) with SMTP; 13 Feb 2001 17:00:47 -0000 Message-Id: <5.0.2.1.2.20010213174457.009f70b0@mail.gmx.net> X-Sender: 627573@mail.gmx.net X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Tue, 13 Feb 2001 18:02:42 +0100 To: Cy Schubert - ITSD Open Systems Group From: turbo23 Subject: Re: Secure Servers (SMTP, POP3, FTP) Cc: freebsd-security@freebsd.org In-Reply-To: <200102131524.f1DFOU814381@cwsys.cwsent.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > >I'm not aware of any security issues in FreeBSD's inetd that involve it
> > >running an external (ie, exec) service. Care for pointers?
> > >
> > >19 June 2000, xinetd had the following bug:
> > >
> > > Certain versions of xinetd have a bug in the access control
> > > mechanism.
> > > If you use a hostname to control access to a service
> > > (localhost instead of 127.0.0.1 ), xinetd will allow any connection
> > > from hosts that fail a reverse look-up.
> > >
> > >Perhaps you mean inetd's on other systems (like those that don't have
> > >connection limits, and those that turn services off for 10 minutes
> > >without configurability on the amount of time turned off)?
> >
> > You're right. But we had troubles with some inetd and Linux machines. I
> > thought this could be a problem with freebsd too. But I was wrong. Anyway
> > we are using tcpserver at the moment.
>
>You can't make the assumption that just because Linux has a bug that
>FreeBSD would as well. In my experience, the quality of code coming
>out of the FreeBSD project is much better than any Linux distribution
>I've had to work with. Take for example the latest Vixie cron bug.
>Both Linux and FreeBSD use Vixie cron. FreeBSD's version of Vixie cron
>has been substantially modified and fixed, while Linux continues to use
>the original Vixie cron with most of its bugs.
>
>Another good example is the various man command security bugs in Linux
>which are not in FreeBSD.
>
>Few bugs discovered on Linux affect FreeBSD.

Ok that's right. But of course there are examples for the opposite as well. I didn't know the xinetd bug. But I still think that xinetd is a good alternative for inetd. It has some good features but it isn't necessarily for the Freebsd inetd.
regards
Thomas

From owner-freebsd-security Tue Feb 13 9: 8:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id CB71837B491 for ; Tue, 13 Feb 2001 09:08:32 -0800 (PST) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f1DHV3d92721; Tue, 13 Feb 2001 11:31:08 -0600 (CST) (envelope-from nick@rogness.net) Date: Tue, 13 Feb 2001 11:31:03 -0600 (CST) From: Nick Rogness X-Sender: nick@cody.jharris.com To: "H. Wade Minter" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Getting more information from ipfw logs In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 13 Feb 2001, H. Wade Minter wrote:
> I'm running an ipfw firewall on 4.2-STABLE. I've got my rules set up
> fine, and everything seems to be going well. However, I'd like to get
> more logged information than just the time, source IP:port, and dest
> IP:port. Can ipfw do this, or is there an addon I need to use to get
> things like packet content and whatnot logged?
>

You are looking for an IDS (Intrusion Detection System) software package that will actually examine the contents of packets. A great one already exists in the ports, it's called snort. For more information on snort's capabilities, see http://www.snort.org.

Nick Rogness
- Keep on routing in a Free World...
"FreeBSD: The Power to Serve!"
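Snort is the answer when packet contents are needed, but the fields ipfw does log (rule number, action, protocol, src:port, dst:port, interface) already carry a useful signal: one source being denied on many different ports. The script below is an added example, not code from either poster; it summarises ipfw Deny records from a syslog file and flags sources that hit a threshold of distinct destination ports. The log lines are constructed in the FreeBSD 4.x kernel syslog format, which is an assumption about the layout rather than output taken from the thread.

```shell
#!/bin/sh
# Added example, not from the list posts. Summarises ipfw Deny records and
# flags sources denied on many distinct destination ports, using nothing
# beyond what ipfw logs by default. Sample lines below are constructed.

SAMPLE_IPFW_LOG='Feb 13 08:20:01 fw /kernel: ipfw: 300 Deny TCP 10.0.0.5:4021 192.0.2.10:22 in via fxp0
Feb 13 08:20:02 fw /kernel: ipfw: 300 Deny TCP 10.0.0.5:4022 192.0.2.10:23 in via fxp0
Feb 13 08:20:03 fw /kernel: ipfw: 300 Deny TCP 10.0.0.5:4023 192.0.2.10:25 in via fxp0
Feb 13 08:20:04 fw /kernel: ipfw: 300 Deny TCP 10.0.0.5:4024 192.0.2.10:25 in via fxp0
Feb 13 08:20:05 fw /kernel: ipfw: 100 Accept TCP 198.51.100.7:51000 192.0.2.10:80 in via fxp0
Feb 13 08:20:09 fw /kernel: ipfw: 300 Deny UDP 10.0.0.9:53 192.0.2.10:53 in via fxp0
Feb 13 08:20:10 fw sshd[211]: Accepted publickey for wade from 198.51.100.7'

# denied_by_source: one "SRC DISTINCT_DST_PORTS DENIED_PACKETS" line per
# source address that ipfw denied, read from syslog text on stdin. Records
# that are not ipfw Deny lines (accepts, other daemons) are skipped.
# Field layout assumed: 6=ipfw: 7=rule 8=action 9=proto 10=src:port 11=dst:port
denied_by_source() {
    awk '$6 == "ipfw:" && $8 == "Deny" {
        split($10, s, ":"); split($11, d, ":")
        src = s[1]; dport = d[2]
        pkts[src]++
        if (!((src SUBSEP dport) in seen)) { seen[src SUBSEP dport] = 1; ports[src]++ }
    }
    END { for (h in pkts) print h, ports[h], pkts[h] }' | sort
}

# scanners THRESHOLD: source addresses denied on at least THRESHOLD
# distinct destination ports, one per line.
scanners() {
    denied_by_source | awk -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

# Usage over the constructed sample; on a firewall pipe in the file that
# syslog.conf sends security.* to (commonly /var/log/security).
printf '%s\n' "$SAMPLE_IPFW_LOG" | denied_by_source
printf '%s\n' "$SAMPLE_IPFW_LOG" | scanners 3
```

The threshold is the whole tuning knob: a single denied packet is noise, while one address probing three or more distinct services on the same host in seconds is the pattern worth a closer look, and the counts above are computed only from what ipfw already writes.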
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 9:22:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 01DC537B4EC for ; Tue, 13 Feb 2001 09:22:23 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14SjAE-0000Ai-00; Tue, 13 Feb 2001 10:22:54 -0700 Message-ID: <3A896D6E.6A4DB03@softweyr.com> Date: Tue, 13 Feb 2001 10:22:54 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Neil Blakey-Milner Cc: "Edward W. M." , dominic_marks@hotmail.com, freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) References: <20010213093240.A40761@rapier.smartspace.co.za> <3A88F07D.535984D2@softweyr.com> <20010213103056.A45128@rapier.smartspace.co.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Neil Blakey-Milner wrote: > > On Tue 2001-02-13 (01:29), Wes Peters wrote: > > > On Mon 2001-02-12 (15:51), Edward W. M. wrote: > > > > > > > ports/mail/courier-imap looks promising, but at this stage it's just > > > > something for people who want to tinker with it, IMHO. It's fairly > > > > new, so it has no proven security record and it currently supports > > > > the Maildir format ONLY. > > > > > > It also does POP3. > > > > And IMAP-SSL, and POP3-SSL. It's far beyond the tinkering stage, > > though feeding it with qmail is a mistake in my opinion. Ick. > > And there's always courier. I haven't used it in a production > environment, but I'm confident in Sam's ability to write a > standards-compliant SMTP server that doesn't suck technically. 
> The question is whether Outlook will support it. ;)

That's what we were talking about. It seems to work entirely adequately with the 4 or 5 versions of Lookout! and Lookout! Distress we've tested with. It also works with Netscrape 4.x and 6.x, TkRat/Ratatosk, and Mulberry. I haven't tried Eudora yet, but the wrecking^Wtesting crew will get to that sometime soon.

Too bad that it's infested with the GPL virus, but it turns out to not affect me really, because it's an optional package. ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Tue Feb 13 9:32:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22]) by hub.freebsd.org (Postfix) with ESMTP id 3529B37B491 for ; Tue, 13 Feb 2001 09:32:46 -0800 (PST) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.1/8.11.1) with ESMTP id f1DHWgV73645 for ; Tue, 13 Feb 2001 12:32:43 -0500 (EST) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Tue, 13 Feb 2001 12:32:40 -0500 (EST) From: Matt Piechota To: Subject: cithaeron security check output (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I've had named crash on me twice in the last day or two. I saw this a lot when I was running 8.2.2 before the BIND bug was released. After I upgraded, it stopped, only to start again Monday. Anyone hear any rumors of a new BIND bug, or have an explanation of this?
From the daily run: cithaeron kernel log messages: > pid 70181 (named), uid 0: exited on signal 6 (core dumped) uname -a: FreeBSD cithaeron 4.2-STABLE FreeBSD 4.2-STABLE #0: Tue Jan 30 12:39:57 EST 2001 root@cithaeron:/usr/obj/usr/src/sys/CITHAERON i386 and ndc status: named 8.2.3-REL Tue Jan 30 02:54:49 EST 2001 root@cithaeron:/usr/obj/usr/src/usr.sbin/named -- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 9:38: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id C449737B503 for ; Tue, 13 Feb 2001 09:38:03 -0800 (PST) Received: from algroup.co.uk ([192.168.192.1]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id RAA12474; Tue, 13 Feb 2001 17:36:00 GMT Message-ID: <3A89707C.A539BA9C@algroup.co.uk> Date: Tue, 13 Feb 2001 17:35:56 +0000 From: Adam Laurie X-Mailer: Mozilla 4.7 [en-gb] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Dag-Erling Smorgrav Cc: dmp@pantherdragon.org, security@FreeBSD.ORG Subject: Re: syslogd -ss not part of extreme security option? References: <3A88EB70.CC8CB78E@pantherdragon.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dag-Erling Smorgrav wrote: > > dmp@pantherdragon.org writes: > > I was wondering why putting syslogd_flags="-ss" in /etc/rc.conf isn't > > part of sysinstall's extreme security option? This is in 4.2-R, has > > it changed since the release? > > It doesn't really buy you much except an insiginficant performance > increase and a warm fuzzy feeling - barring a kernel bug that would > allow data to be sent to a half-closed socket, but no such bug is > known. eh? 
no security bug is "known" until it's found & exploited. just because it hasn't been found doesn't mean it doesn't exist. switching off a network listener for syslog when you are not doing network logging is much more than a warm fuzzy feeling, it's closing a potential security hole. i do it on standard installs, let alone "extreme security". cheers, Adam -- Adam Laurie Tel: +44 (20) 8742 0755 A.L. Digital Ltd. Fax: +44 (20) 8742 5995 Voysey House http://www.thebunker.net Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 9:39:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from ashburn.skiltech.com (ashburn.skiltech.com [216.235.79.239]) by hub.freebsd.org (Postfix) with ESMTP id 2A13F37B491 for ; Tue, 13 Feb 2001 09:39:29 -0800 (PST) Received: (from minter@localhost) by ashburn.skiltech.com (8.11.1/8.11.1) id f1DHdI775962; Tue, 13 Feb 2001 12:39:18 -0500 (EST) (envelope-from minter) Date: Tue, 13 Feb 2001 12:39:17 -0500 (EST) From: "H. Wade Minter" X-X-Sender: To: Nick Rogness Cc: Subject: Re: Getting more information from ipfw logs In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Does snort work well with ipfw. Maybe I'm thinking of it wrong, but wouldn't I have to let the traffic into the firewall so snort could deal with it? Thanks, Wade On Tue, 13 Feb 2001, Nick Rogness wrote: > On Tue, 13 Feb 2001, H. Wade Minter wrote: > > > I'm running a ipfw firewall on 4.2-STABLE. I've got my rules set up > > fine, and everything seems to be going well. However, I'd like to ge > > more logged information than just the time, source IP:port, and dest > > IP:port. 
Can ipfw do this, or is there an addon I need to use to get > > things like packet content and whatnot logged? > > > > You are looking for an IDS (Intrusion Detection System) software > package that will actually examine the contents of packets. A > great one already exists in the ports, it's called snort. > > For more information on snort's capabilities, see > http://www.snort.org. > > Nick Rogness > - Keep on routing in a Free World... > "FreeBSD: The Power to Serve!" > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 9:48:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 9E09137B503 for ; Tue, 13 Feb 2001 09:48:25 -0800 (PST) Received: from HP2500B (veldy.net [64.1.117.28]) by veldy.net (Postfix) with SMTP id 04B577017; Tue, 13 Feb 2001 11:47:55 -0600 (CST) Message-ID: <002101c095e5$29dbbd50$3028680a@tgt.com> From: "Thomas T. Veldhouse" To: "lifo" , References: <015301c095da$790f0310$1405a8c0@goliath> Subject: Re: ipfilter 3.4.16 + freebsd 4.2 crash ! Date: Tue, 13 Feb 2001 11:48:24 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Uhm -- FreeBSD 4.2-STABLE has IPFilter 3.4.8, not 3.4.16? Is this a custom hack that you have done yourself? # cat /usr/src/contrib/ipfilter/ipl.h /* * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors.
* * @(#)ipl.h 1.21 6/5/96 * $Id: ipl.h,v 2.15.2.9 2000/07/19 13:40:04 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ #define IPL_VERSION "IP Filter: v3.4.8" #endif Yes, I too would like to see a less buggy version of IPFilter in stable (i.e. 3.4.16). Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "lifo" To: Sent: Tuesday, February 13, 2001 10:31 AM Subject: ipfilter 3.4.16 + freebsd 4.2 crash ! > hi all, i am new to this mailing list, i am French, and sorry for my bad > English ;-) > > well, > i have a little bug on a firewall freebsd 4.2-stable ( FreeBSD 4.2-STABLE > #3: Mon Jan 22 09:57:16) + ipfilter 3.4.16 : > when i do > ipf -P -f ./ipfilter.tmp > or > ipf -r -f ./ipfilter.tmp > > > where ipfilter.tmp is a regular ipfilter rules file, of course... > The system crashes and reboots! > > has anyone already seen this? perhaps there is already a patch? > > thanks in advance... > > PS: IPFILTER is not a module, it's in my kernel... > I know there is a bug with unloading the ipfilter 3.4.16 module. But it's > different... > -- > NoThiNg BuT UniX -=- www.nbux.com -=- Powered by FreeBSD !
> lifo@nbux.com > -- > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 10:21:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 58C5E37B491 for ; Tue, 13 Feb 2001 10:21:13 -0800 (PST) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id PAA80175; Tue, 13 Feb 2001 15:22:59 -0300 (ART) From: Fernando Schapachnik Message-Id: <200102131822.PAA80175@ns1.via-net-works.net.ar> Subject: Re: How to rebuild ssh w/ latest sources (was Re: SSH Vulnerability) In-Reply-To: <200102091841.f19IfNQ84385@earth.backplane.com> "from Matt Dillon at Feb 9, 2001 10:41:23 am" To: Matt Dillon Date: Tue, 13 Feb 2001 15:22:59 -0300 (ART) Cc: Mason Harding , security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL82 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In an earlier message, Matt Dillon wrote: > Yes. If your sources are reasonably up to date (since Jan 23), > just rebuild it: > > cd /usr/src/secure/lib/libssh > make clean obj all This is driving me crazy. A 4.1.1-RELEASE. Cvsuped src-secure and src-crypto.
Updated /usr/share/mk, /etc/defaults/make.conf, and still: cc -O -pipe -DSKEY -DNO_IDEA -c /usr/src/secure/lib/libssh/../../../crypto/openssh/authfd.c -o authfd.o In file included from /usr/src/secure/lib/libssh/../../../crypto/openssh/ssh.h:21, from /usr/src/secure/lib/libssh/../../../crypto/openssh/authfd.c:41: /usr/src/secure/lib/libssh/../../../crypto/openssh/rsa.h:20: openssl/bn.h: No such file or directory /usr/src/secure/lib/libssh/../../../crypto/openssh/rsa.h:21: openssl/rsa.h: No such file or directory Any ideas? TIA! Fernando P. Schapachnik Network Administration, VIA NET.WORKS ARGENTINA S.A. fschapachnik@vianetworks.com.ar Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 10:38:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 5128337B491 for ; Tue, 13 Feb 2001 10:38:11 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id TAA96716; Tue, 13 Feb 2001 19:38:09 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Adam Laurie Cc: dmp@pantherdragon.org, security@FreeBSD.ORG Subject: Re: syslogd -ss not part of extreme security option? References: <3A88EB70.CC8CB78E@pantherdragon.org> <3A89707C.A539BA9C@algroup.co.uk> From: Dag-Erling Smorgrav Date: 13 Feb 2001 19:38:08 +0100 In-Reply-To: Adam Laurie's message of "Tue, 13 Feb 2001 17:35:56 +0000" Message-ID: Lines: 16 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Adam Laurie writes: > eh?
no security bug is "known" until it's found & exploited. just > because it hasn't been found doesn't mean it doesn't exist. switching > off a network listener for syslog when you are not doing network logging > is much more than a warm fuzzy feeling, it's closing a potential > security hole. i do it on standard installs, let alone "extreme > security". It's not a listener. If you specify -s, the socket is half-closed so you can use it to send log messages to other hosts, but can't receive. If you specify -ss, the socket isn't opened at all so you can neither send nor receive. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 10:48: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 558F037B491 for ; Tue, 13 Feb 2001 10:48:00 -0800 (PST) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f1DJAgr96157; Tue, 13 Feb 2001 13:10:42 -0600 (CST) (envelope-from nick@rogness.net) Date: Tue, 13 Feb 2001 13:10:42 -0600 (CST) From: Nick Rogness X-Sender: nick@cody.jharris.com To: "H. Wade Minter" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Getting more information from ipfw logs In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 13 Feb 2001, H. Wade Minter wrote: > Does snort work well with ipfw. Maybe I'm thinking of it wrong, but > wouldn't I have to let the traffic into the firewall so snort could deal > with it? yes and no, only let valid ports through for programs you are running, then let snort look at the valid packets for further inspection. See what I mean? Why waste time looking at traffic for invalid ports?
Run the firewall in front of snort, so the firewall removes useless crap, then let snort look at valid traffic, ex port 80 webserver stuff, and decide if it is a valid GET / or invalid exploit attempt. This way you get the best of both worlds. Nick Rogness - Keep on routing in a Free World... "FreeBSD: The Power to Serve!" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 11: 4: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from web4502.mail.yahoo.com (web4502.mail.yahoo.com [216.115.105.63]) by hub.freebsd.org (Postfix) with SMTP id E9C0737B4EC for ; Tue, 13 Feb 2001 11:04:01 -0800 (PST) Message-ID: <20010213190401.12121.qmail@web4502.mail.yahoo.com> Received: from [199.207.255.50] by web4502.mail.yahoo.com; Tue, 13 Feb 2001 11:04:01 PST Date: Tue, 13 Feb 2001 11:04:01 -0800 (PST) From: Jon Reply-To: cykyc@yahoo.com Subject: Re: Getting more information from ipfw logs To: Nick Rogness , "H. Wade Minter" Cc: freebsd-security@FreeBSD.ORG In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --- Nick Rogness wrote: > On Tue, 13 Feb 2001, H. Wade Minter wrote: > > > Does snort work well with ipfw. Maybe I'm > thinking of it wrong, but > > wouldn't I have to let the traffic into the > firewall so snort could deal > > with it? > > yes and no, only let valid ports through for > programs you are > running, then let snort look at the valid packets > for further > inspection. See what I mean? Why waste time > looking at traffic > for invalid ports? Run the firewall in front of > snort, so the > firewall removes useless crap, then let snort look > at valid > traffic, ex port 80 webserver stuff, and decide if > it is a valid > GET / or invalid exploit attempt. > > This way you get the best of both worlds. > Two concerns with that logic: 1.
Snort is detective (the 'D' in IDS :); a firewall is usually preventative (maybe w/ some detection). If one is preventing the 'attacks', but not knowing that they're occurring, he might not pick up on patterns of attacks, depending on the capabilities of the firewall's logging. That might not be a big deal, but I'd rather know that someone's knocking on my door instead of burying my head in the sand... 2. Snort by itself is purely detective. Scripts or shims need to be put into it to have it actually prevent something. Your firewall will allow the "GET", and snort might not like it, and log it, but that particular "GET" is going to still happen. With the proper scripts, this might not be a concern, but out-of-the-box, it is. Jon __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! http://personal.mail.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 11: 4:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id CA5D137B491 for ; Tue, 13 Feb 2001 11:04:30 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!)
by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14Sk9A-0000E3-00; Tue, 13 Feb 2001 11:25:52 -0700 Message-ID: <3A897C30.782C3331@softweyr.com> Date: Tue, 13 Feb 2001 11:25:52 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Justin Stanford Cc: Leon Breedt , freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Justin Stanford wrote: > > Exim and Qpop can also be made to use MySQL for virtual user tables and > the like - a very effective system. Is MySQL hard-coded, or can you use another dbms like PostgreSQL? -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 11:19:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id B39FB37B65D for ; Tue, 13 Feb 2001 11:19:16 -0800 (PST) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f1DJfuW97243; Tue, 13 Feb 2001 13:41:56 -0600 (CST) (envelope-from nick@rogness.net) Date: Tue, 13 Feb 2001 13:41:56 -0600 (CST) From: Nick Rogness X-Sender: nick@cody.jharris.com To: Jon Cc: "H. Wade Minter" , freebsd-security@FreeBSD.ORG Subject: Re: Getting more information from ipfw logs In-Reply-To: <20010213190401.12121.qmail@web4502.mail.yahoo.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 13 Feb 2001, Jon wrote: [snip] > Two concerns with that logic: > > 1. 
Snort is detective (the 'D' in IDS :); a firewall > is usually preventative (maybe w/ some detection). If > one is preventing the 'attacks', but not knowing that > they're occurring, he might not pick up on patterns of > attacks, depending on the capabilities of the > firewall's logging. That might not be a big deal, but > I'd rather know that someone's knocking on my door > instead of burying my head in the sand... Then span it on the switch...it makes no difference. You can still log packets with ipfw and determine with those logs and the combined snort logs what the person was trying to do. Either technique works fine. If you are not smart enough to determine what the person was trying to do with both logs from ipfw and snort then you don't belong in the security job you are doing. I've had arguments in the past with people over this. I don't think it belongs on this list. > > 2. Snort by itself is purely detective. Scripts or > shims need to be put into it to have it actually > prevent something. Your firewall will allow the > "GET", and snort might not like it, and log it, but > that particular "GET" is going to still happen. With > the proper scripts, this might not be a concern, but > out-of-the-box, it is. The "flex-response" snort module does do this. IMHO, Snort is still far superior (in actual detection) to the IDSes I've used because of the active involvement and opensource flexibility. Nick Rogness - Keep on routing in a Free World... "FreeBSD: The Power to Serve!"
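The exchange above turns on what you can actually learn from ipfw's own log lines once the firewall sits in front of snort: the time, rule number, action, protocol, addresses and ports are all there, and that is enough to pick out the "someone knocking on the door" pattern Jon wants without any packet content. The script below is an added example written for this page, not code from the thread or from the ipfw or snort projects. It assumes the FreeBSD 4.x syslog line shape `<timestamp> <host> /kernel: ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>` (ICMP lines carry `ICMP:<type>.<code>` and no ports); the sample lines, hostnames and addresses are constructed for illustration. It groups denied packets by source, records the distinct protocol/port targets each source touched, and flags sources whose target count looks like a scan; the `min_targets` threshold is an arbitrary illustrative value.

```python
"""Summarize FreeBSD 4.x ipfw 'log' output to spot patterns across blocked packets.

Added example, not part of the mailing-list thread; the log format is the
4.x syslog shape described in the lead-in and the sample lines are constructed.
"""
import re

# Syslog-wrapped ipfw log line (assumed 4.x shape), e.g.
#   Feb 13 12:07:22 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40001 192.0.2.10:22 in via fxp0
# ICMP lines read "ICMP:<type>.<code>" after the action and carry no port numbers.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::[\d.]+)? "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: one host probing six services, one host with an accepted
# web hit and a denied DNS packet, one ping, and one unrelated kernel line.
SAMPLE_LOG = """\
Feb 13 12:07:22 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40001 192.0.2.10:21 in via fxp0
Feb 13 12:07:22 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40002 192.0.2.10:22 in via fxp0
Feb 13 12:07:23 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40003 192.0.2.10:23 in via fxp0
Feb 13 12:07:23 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40004 192.0.2.10:25 in via fxp0
Feb 13 12:07:24 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40005 192.0.2.10:110 in via fxp0
Feb 13 12:07:24 fw /kernel: ipfw: 1000 Deny TCP 10.9.8.7:40006 192.0.2.10:143 in via fxp0
Feb 13 12:08:01 fw /kernel: ipfw: 500 Accept TCP 198.51.100.4:51234 192.0.2.10:80 in via fxp0
Feb 13 12:08:05 fw /kernel: ipfw: 1000 Deny UDP 198.51.100.4:53 192.0.2.10:53 in via fxp0
Feb 13 12:08:09 fw /kernel: ipfw: 2000 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via fxp0
Feb 13 12:08:10 fw /kernel: not an ipfw line
"""


def parse_ipfw_line(line):
    """Return a dict of fields for an ipfw log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize_denies(lines):
    """Group denied packets by source address.

    For each source keep the hit count, the distinct (proto, dport) targets,
    the rules that fired and the first/last timestamp seen. Accepted packets
    are skipped: they are what snort gets to inspect, not the firewall's story.
    """
    per_src = {}
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        entry = per_src.setdefault(rec["src"], {
            "hits": 0, "targets": set(), "rules": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        entry["hits"] += 1
        entry["rules"].add(rec["rule"])
        entry["last"] = rec["ts"]
        if rec["dport"] is not None:
            entry["targets"].add((rec["proto"], rec["dport"]))
    return per_src


def suspected_scans(per_src, min_targets=5):
    """Sources that touched at least min_targets distinct (proto, port) pairs."""
    return sorted(src for src, e in per_src.items() if len(e["targets"]) >= min_targets)


def report(text, min_targets=5):
    """One summary line per source, busiest first; returned so callers can test or print."""
    per_src = summarize_denies(text.splitlines())
    scans = set(suspected_scans(per_src, min_targets))
    out = []
    for src in sorted(per_src, key=lambda s: -per_src[s]["hits"]):
        e = per_src[src]
        ports = ",".join(f"{proto}/{port}" for proto, port in sorted(e["targets"]))
        flag = " SCAN?" if src in scans else ""
        out.append(f"{src:15} hits={e['hits']:<3} rules={sorted(e['rules'])} "
                   f"ports=[{ports}] {e['first']}..{e['last']}{flag}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real `/var/log/security` by replacing `SAMPLE_LOG` with the file contents; the rule-number set per source also tells you which of your own rules are doing the work, which is the part of Wade's question that ipfw answers on its own.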
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 11:24:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-67.dsl.lsan03.pacbell.net [63.207.60.67]) by hub.freebsd.org (Postfix) with ESMTP id A9E3637B491 for ; Tue, 13 Feb 2001 11:24:57 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 6B00466B32; Tue, 13 Feb 2001 11:24:52 -0800 (PST) Date: Tue, 13 Feb 2001 11:24:52 -0800 From: Kris Kennaway To: Matt Piechota Cc: freebsd-security@freebsd.org Subject: Re: cithaeron security check output (fwd) Message-ID: <20010213112452.B56175@mollari.cthul.hu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="xXmbgvnjoT4axfJE" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from piechota@argolis.org on Tue, Feb 13, 2001 at 12:32:40PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --xXmbgvnjoT4axfJE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Feb 13, 2001 at 12:32:40PM -0500, Matt Piechota wrote: > I've had named crash on me twice in the last day or two. I saw this alot > when I was running 8.2.2 before the BIND bug was released. After I > upgraded, it stopped, only to start again Monday. Anyone hear any rumors > of a new BIND bug, or have an explaination of this? Please show me the output of the following, run on the machine in question. 
dig @localhost version.bind chaos txt Kris --xXmbgvnjoT4axfJE Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6iYoDWry0BWjoQKURAsyNAJwOct/VqYG54h3lgpIp1PwrIIaVrACfTDck 5s1K8/eCo0wgeVAUA+C8lBY= =6KH2 -----END PGP SIGNATURE----- --xXmbgvnjoT4axfJE-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 12: 8:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C939337B491 for ; Tue, 13 Feb 2001 12:08:14 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA22075; Tue, 13 Feb 2001 12:08:05 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda22071; Tue Feb 13 12:07:54 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f1DK7ja94215; Tue, 13 Feb 2001 12:07:45 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdr94201; Tue Feb 13 12:07:42 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f1DK7fZ15502; Tue, 13 Feb 2001 12:07:41 -0800 (PST) Message-Id: <200102132007.f1DK7fZ15502@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdt15492; Tue Feb 13 12:07:22 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: turbo23 Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG Subject: Re: Secure Servers (SMTP, POP3, FTP) In-reply-to: Your message of "Tue, 13 Feb 2001 18:02:42 +0100." 
<5.0.2.1.2.20010213174457.009f70b0@mail.gmx.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 13 Feb 2001 12:07:22 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <5.0.2.1.2.20010213174457.009f70b0@mail.gmx.net>, turbo23 writes: > > > > >I'm not aware of any security issues in FreeBSD's inetd that involve it > > > >running an external (ie, exec) service. Care for pointers? > > > > > > > >19 June 2000, xinetd had the following bug: > > > > > > > > Certain versions of xinetd have a bug in the access control > > > > mechanism. If you use a hostname to control access to a service > > > > (localhost instead of 127.0.0.1 ), xinetd will allow any connection > > > > from hosts that fail a reverse look-up. > > > > > > > >Perhaps you mean inetd's on other systems (like those that don't have > > > >connection limits, and those that turn services off for 10 minutes > > > >without configurability on the amount of time turned off)? > > > > > > You're right. But we had troubles with some inetd and Linux machines. I > > > thought this could be a problem with FreeBSD too. But I was wrong. Anyway > > > we are using tcpserver at the moment. > > > >You can't make the assumption that just because Linux has a bug that > >FreeBSD would as well. In my experience, the quality of code coming > >out of the FreeBSD project is much better than any Linux distribution > >I've had to work with. Take for example the latest Vixie cron bug. > >Both Linux and FreeBSD use Vixie cron. FreeBSD's version of Vixie cron > >has been substantially modified and fixed, while Linux continues to use > >the original Vixie cron with most of its bugs. > > > >Another good example is the various man command security bugs in Linux > >which are not in FreeBSD. > > > >Few bugs discovered on Linux affect FreeBSD. > > > Ok that's right. But of course there are examples for the opposite as well. > I didn't know the xinetd bug.
But I still think that xinetd is a good > alternative for inetd. It has some good features but it isn't necessarily > for the FreeBSD inetd. Not as many examples however. Comparing xinetd to Linux and vendor inetd, I agree, however the enhancements made to FreeBSD inetd bring our inetd into the same league as xinetd. I do think that xinetd's configuration file format is more cumbersome than inetd's. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 12:19:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-67.dsl.lsan03.pacbell.net [63.207.60.67]) by hub.freebsd.org (Postfix) with ESMTP id 9938937B503 for ; Tue, 13 Feb 2001 12:19:16 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id EA89866B26; Tue, 13 Feb 2001 12:19:15 -0800 (PST) Date: Tue, 13 Feb 2001 12:19:15 -0800 From: Kris Kennaway To: Fernando Schapachnik Cc: Matt Dillon , Mason Harding , security@FreeBSD.ORG Subject: Re: How to rebuild ssh w/ latest sources (was Re: SSH Vulnerability) Message-ID: <20010213121915.A57236@mollari.cthul.hu> References: <200102091841.f19IfNQ84385@earth.backplane.com> <200102131822.PAA80175@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200102131822.PAA80175@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Tue, Feb 13, 2001 at 03:22:59PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding:
quoted-printable On Tue, Feb 13, 2001 at 03:22:59PM -0300, Fernando Schapachnik wrote: > In an earlier message, Matt Dillon wrote: > > Yes. If your sources are reasonably up to date (since Jan 23), > > just rebuild it: > > > > cd /usr/src/secure/lib/libssh > > make clean obj all > > This is driving me crazy. A 4.1.1-RELEASE. Cvsuped src-secure and > src-crypto. Updated /usr/share/mk, /etc/defaults/make.conf, and > still: Add a 'make depend' in there, or just make buildworld and follow the usual upgrade procedure. Kris --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6iZbDWry0BWjoQKURAkJhAJ9KPYhxlR4Qw3XpYABnmxigLiNbIwCg8KPx B6hRnLcE+kih4jzx6cQ1VWg= =eNrr -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 12:20:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from mile.nevermind.kiev.ua (ppp-244.nav.kiev.ua [213.169.65.244]) by hub.freebsd.org (Postfix) with ESMTP id 3D64937B503 for ; Tue, 13 Feb 2001 12:19:59 -0800 (PST) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.1/8.11.1) id f1DJqPF17389; Tue, 13 Feb 2001 21:52:26 +0200 (EET) (envelope-from never) Date: Tue, 13 Feb 2001 21:51:05 +0200 From: Nevermind To: Matt Piechota Cc: freebsd-security@FreeBSD.ORG Subject: Re: cithaeron security check output (fwd) Message-ID: <20010213215105.A17120@nevermind.kiev.ua> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from piechota@argolis.org on Tue, Feb 13, 2001 at 12:32:40PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, Matt Piechota!
On Tue, Feb 13, 2001 at 12:32:40PM -0500, you wrote: > I've had named crash on me twice in the last day or two. I saw this a lot > when I was running 8.2.2 before the BIND bug was released. After I > upgraded, it stopped, only to start again Monday. Anyone hear any rumors > of a new BIND bug, or have an explanation of this? > > From the daily run: > cithaeron kernel log messages: > > pid 70181 (named), uid 0: exited on signal 6 (core dumped) > > uname -a: > FreeBSD cithaeron 4.2-STABLE FreeBSD 4.2-STABLE #0: Tue Jan 30 > 12:39:57 EST 2001 > root@cithaeron:/usr/obj/usr/src/sys/CITHAERON i386 > > and ndc status: > named 8.2.3-REL Tue Jan 30 02:54:49 EST 2001 > root@cithaeron:/usr/obj/usr/src/usr.sbin/named Could you, please, give us a backtrace of this core dump? -- NEVE-RIPE The instructions said to install Windows 98 or better, so I installed FreeBSD. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 13:47: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id CCE1137B4EC for ; Tue, 13 Feb 2001 13:46:57 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id WAA97434; Tue, 13 Feb 2001 22:46:54 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Tomas Svensson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Re[2]: Secure Servers (SMTP, POP3, FTP) References: <20010213093240.A40761@rapier.smartspace.co.za> <18823889671.20010213214108@gbdev.net> From: Dag-Erling Smorgrav Date: 13 Feb 2001 22:46:54 +0100 In-Reply-To: Tomas Svensson's message of "Tue, 13 Feb 2001 21:41:08 +0100" Message-ID: Lines: 15 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Tomas Svensson writes: > Yes, around 23000 separate messages in the queue [...] You won't even get close to that figure, because not all queue directories are split. The moment one of them hits more than a few hundred messages, your server slows to a crawl. > but seeing you jump on anyone suggesting something written by DJB > makes me wonder if your qmail problems are strictly technical. You're free to believe what you want. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 13:50:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34]) by hub.freebsd.org (Postfix) with SMTP id 90EA137B4EC for ; Tue, 13 Feb 2001 13:50:14 -0800 (PST) Received: (qmail 91101 invoked by uid 1001); 13 Feb 2001 21:49:46 -0000 Date: Tue, 13 Feb 2001 23:49:46 +0200 From: Neil Blakey-Milner To: Wes Peters Cc: "Edward W. M." 
, dominic_marks@hotmail.com, freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) Message-ID: <20010213234946.A91066@rapier.smartspace.co.za> References: <20010213093240.A40761@rapier.smartspace.co.za> <3A88F07D.535984D2@softweyr.com> <20010213103056.A45128@rapier.smartspace.co.za> <3A896D6E.6A4DB03@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A896D6E.6A4DB03@softweyr.com>; from wes@softweyr.com on Tue, Feb 13, 2001 at 10:22:54AM -0700 Organization: Building Intelligence X-Operating-System: FreeBSD 4.2-RELEASE i386 X-URL: http://rucus.ru.ac.za/~nbm/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue 2001-02-13 (10:22), Wes Peters wrote: > Neil Blakey-Milner wrote: > > > > On Tue 2001-02-13 (01:29), Wes Peters wrote: > > > > On Mon 2001-02-12 (15:51), Edward W. M. wrote: > > > > > > > > > ports/mail/courier-imap looks promising, but at this stage it's just > > > > > something for people who want to tinker with it, IMHO. It's fairly > > > > > new, so it has no proven security record and it currently supports > > > > > the Maildir format ONLY. > > > > > > > > It also does POP3. > > > > > > And IMAP-SSL, and POP3-SSL. It's far beyond the tinkering stage, > > > though feeding it with qmail is a mistake in my opinion. Ick. > > > > And there's always courier. I haven't used it in a production > > environment, but I'm confident in Sam's ability to write a > > standards-compliant SMTP server that doesn't suck technically. The > > question is whether Outlook will support it. ;) > > That's what we were talking about. It seems to work entirely adequately > with the 4 or 5 versions of Lookout! and Lookout! Distress we've tested > with. It also works with Netscrape 4.x and 6.x, TkRat/Ratatosk, and > Mulberry. I haven't tried Eudora yet, but the wrecking^Wtesting crew > will get to that sometime soon. 
I meant using Courier as the MTA, if that confused the issue.

Neil
-- 
Neil Blakey-Milner nbm@mithrandr.moria.org

From owner-freebsd-security Tue Feb 13 13:55:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from core.atomicbluebear.org (core.atomicbluebear.org [64.4.83.19]) by hub.freebsd.org (Postfix) with ESMTP id 4C0F437B491 for ; Tue, 13 Feb 2001 13:55:29 -0800 (PST)
Received: (qmail 72593 invoked by uid 1001); 13 Feb 2001 21:55:17 -0000
Date: Tue, 13 Feb 2001 15:55:17 -0600
From: Michael Lea
To: "H. Wade Minter"
Cc: Nick Rogness , freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
Message-ID: <20010213155515.C71046@core.atomicbluebear.org>
Mail-Followup-To: "H. Wade Minter" , Nick Rogness , freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="F8dlzb82+Fcn6AgP"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from minter@lunenburg.org on Tue, Feb 13, 2001 at 12:39:17PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--F8dlzb82+Fcn6AgP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, 13 Feb 2001, H. Wade Minter wrote:
> Does snort work well with ipfw? Maybe I'm thinking of it wrong, but
> wouldn't I have to let the traffic into the firewall so snort could deal
> with it?

Snort runs in promiscuous mode. That means that, if you're running it on the
same box as ipfw, snort will see the packets regardless of whether ipfw
passes them through to the rest of the IP stack or not.
- Mike --F8dlzb82+Fcn6AgP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjqJrT8ACgkQc9EFi4qQZExn8QCgjLriNx2m4CSZkvAPadFzG6mv f2EAoIHeT4UZUDeI55gU9ZSe9cocW+oq =9aA0 -----END PGP SIGNATURE----- --F8dlzb82+Fcn6AgP-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 15: 4: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (mail.dobox.com [208.187.122.44]) by hub.freebsd.org (Postfix) with ESMTP id CEF0437B65D for ; Tue, 13 Feb 2001 15:04:01 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14Sjlk-0000BQ-00; Tue, 13 Feb 2001 11:01:40 -0700 Message-ID: <3A897683.FCB8E651@softweyr.com> Date: Tue, 13 Feb 2001 11:01:40 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Len Conrad Cc: freebsd-security@freebsd.org Subject: Re: Secure Servers (SMTP, POP3, FTP) References: <3A885F40.9C6AD285@acm.org> <5.0.0.25.0.20010213090218.04eaa7a0@mail.Go2France.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Len Conrad wrote: > > > > > 3. Postfix - Secure, quite light on system resources, growing support > > > >Completely opaque configuration, no useful documentation. I still > >wonder exactly how this program has such a great reputation, given what > >an obstinate bitch it is to make it do something useful. > > ??? 
> I chose postfix for my IMGate project (FreeBSD mail hub in front
> of Ipswitch Imail for NT) because it was so easy to configure (vs
> qmail and sendmail), and based on the success of bunches of NT GUI
> jockeys (basically zilch *nix backgnd) who have gotten postfix
> working with little or no help, I chose right and your opinion is
> 180° out from my experience.

With a bit of help from Chris Watson, I've found that the problem that
has been driving me crazy is the confluence of two conflicting
configuration settings and neither postfix itself nor postconf reporting
that they conflict. I haven't yet found anything in the documentation
that mentions specifically that they conflict either, perhaps I'm the
first person on the entire planet who actually tried both at the same
time. I'll submit a bug report at least, postconf really should report
them as a conflict.

And, for anyone else who wants to try this at home, comment out the
virtual_maps setting unless you actually have entries in the virtual
file, and specify either mail_spool_directory OR home_mailbox, lest ye
not be able to find your mail (with both hands).

As for my comments about the documentation:

bash-2.04# pwd
/usr/local/share/doc/postfix
bash-2.04# !gr
grep -i mail_spool_directory *
bash-2.04#

Yeah, I'll count that as "opaque".

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 16:10:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from tmd.df.ru (cr219023-a.rchrd1.on.wave.home.com [24.43.203.140]) by hub.freebsd.org (Postfix) with ESMTP id 410F437B491 for ; Tue, 13 Feb 2001 16:10:51 -0800 (PST) Received: by tmd.df.ru (Postfix, from userid 1001) id F221AF614; Tue, 13 Feb 2001 19:10:39 -0500 (EST) Date: Tue, 13 Feb 2001 19:10:39 -0500 From: Vlad To: Will Mitayai Keeso Rowe Cc: Matt Heckaman , Rob Simmons , security@FreeBSD.ORG Subject: Re: ftp Message-ID: <20010213191039.A23271@tmd.df.ru> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mit@mitayai.net on Fri, Feb 02, 2001 at 03:21:30PM -0500 X-Operating-System: FreeBSD 4.2-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 02, 2001 at 03:21:30PM -0500, Will Mitayai Keeso Rowe (mit@mitayai.net) wrote: > unfair. > all known bugs have been fixed. and unknown left to be fixed.. 
:) > > > :-----Original Message----- > :From: Matt Heckaman [mailto:matt@LUCIDA.CA] > :Sent: February 2, 2001 15:16 PM > :To: Will Mitayai Keeso Rowe > :Cc: Rob Simmons; security@FreeBSD.ORG > :Subject: RE: ftp > : > : > :-----BEGIN PGP SIGNED MESSAGE----- > :Hash: SHA1 > : > :On Fri, 2 Feb 2001, Will Mitayai Keeso Rowe wrote: > : > :: Another way is to use wu-ftpd, and "man ftpaccess" > : > :Otherwise known as root-exploits-R-us :) > : > :* Matt Heckaman - mailto:matt@lucida.ca http://www.lucida.ca/pgp * > :* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 * > : > :-----BEGIN PGP SIGNATURE----- > :Version: GnuPG v1.0.4 (FreeBSD) > :Comment: http://www.lucida.ca/pgp > : > :iD8DBQE6exWQMXHAk0rTE2QRAir2AJ4mrAh4q44nAA8mLymQwedSmXk00QCdFmj6 > :p9k23G5pxiXQK8CFWA5trzI= > :=i5Gr > :-----END PGP SIGNATURE----- > : > : > : > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- - -- tmd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 13 19: 5:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from lynx.aba.net.au (lynx.esec.com.au [203.21.84.1]) by hub.freebsd.org (Postfix) with SMTP id 8596C37B684 for ; Tue, 13 Feb 2001 19:05:39 -0800 (PST) Received: (qmail 19289 invoked from network); 14 Feb 2001 03:05:35 -0000 Received: from swun.esec.com.au (HELO yahoo.com) (203.21.85.207) by lynx.esec.com.au with SMTP; 14 Feb 2001 03:05:35 -0000 Message-ID: <3A89F75A.21FFEFA5@yahoo.com> Date: Wed, 14 Feb 2001 14:11:22 +1100 From: Sam Wun Organization: eSec Limited X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 Cc: freebsd-security@FreeBSD.ORG Subject: log message for ipsec/vpn connection? 
References: <20001219152230.C20951@peitho.fxp.org> <20001219211857.E13474@citusc.usc.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I would like to write a script utility to monitor the ipsec connection,
just like watching the msg generated by ipmon in the syslog.
How can this be done?

Thanks
Sam

From owner-freebsd-security Tue Feb 13 19:21: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id B273B37B491 for ; Tue, 13 Feb 2001 19:21:00 -0800 (PST)
Received: (from root@localhost) by giganda.komkon.org (8.9.3/8.9.3) id WAA59845 for security@freebsd.org; Tue, 13 Feb 2001 22:20:59 -0500 (EST) (envelope-from str)
Date: Tue, 13 Feb 2001 22:20:59 -0500 (EST)
From: Igor Roshchin
Message-Id: <200102140320.WAA59845@giganda.komkon.org>
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Date: Mon, 12 Feb 2001 16:38:34 -0800 (PST)
> From: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
>
>
> =============================================================================
> FreeBSD-SA-01:24 Security Advisory
> FreeBSD, Inc.
>
> Topic: SSH1 implementations may allow remote system, data compromise
>
> Category: core/ports
> Module: openssh, ssh
> Announced: 2001-02-12
> Credits: Michal Zalewski (Vulnerability 1)
> Core-SDI (http://www.core-sdi.com) (Vulnerability 2)
> Affects: FreeBSD 4.x, 4.2-STABLE prior to the correction date
> Ports collection prior to the correction date.
> <..>
>
> OpenSSH is installed if you chose to install the 'crypto' distribution
> at install-time or when compiling from source, and is installed and
> enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> protocol support is enabled.

Excuse me pointing to a similar point in the last few advisories,
but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
While the advisory includes those releases in the list
of vulnerable systems, the paragraph quoted above tells that
OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
However, I see that 4.0-RELEASE had OpenSSH-1.2.2
and it is, according to the quote below, vulnerable.

>
> Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions
> of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.
>
> V. Solution
>
> - --[OpenSSH - base system]-----
>
> One of the following:
> <..>
>
> 2) Download the patch and detached PGP signature from the following
> location:
>
> The following patch applies to FreeBSD 4.2-RELEASE.
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc
>

While this patch complained about the absence of sshconnect1.c,
if one provides it with the response to patch sshconnect.c instead,
it seems to apply the patches and compile just fine.
So, maybe that should be taken into account, and a separate patch
should be issued for OpenSSH-pre-2.x?
The advisory also might need to be corrected to address 4.0-R and 4.1-R releases.
Regards,

Igor

From owner-freebsd-security Tue Feb 13 19:33:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-67.dsl.lsan03.pacbell.net [63.207.60.67]) by hub.freebsd.org (Postfix) with ESMTP id 1BB5437B491 for ; Tue, 13 Feb 2001 19:33:49 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BEAE366B26; Tue, 13 Feb 2001 19:33:48 -0800 (PST)
Date: Tue, 13 Feb 2001 19:33:48 -0800
From: Kris Kennaway
To: Igor Roshchin
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Message-ID: <20010213193348.C61478@mollari.cthul.hu>
References: <200102140320.WAA59845@giganda.komkon.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="lMM8JwqTlfDpEaS6"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102140320.WAA59845@giganda.komkon.org>; from str@giganda.komkon.org on Tue, Feb 13, 2001 at 10:20:59PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--lMM8JwqTlfDpEaS6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 13, 2001 at 10:20:59PM -0500, Igor Roshchin wrote:
> > OpenSSH is installed if you chose to install the 'crypto' distribution
> > at install-time or when compiling from source, and is installed and
> > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > protocol support is enabled.
>
> Excuse me pointing to a similar point in the last few advisories,
> but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> While the advisory includes those releases in the list
> of vulnerable systems, the paragraph quoted above tells that
> OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> and it is, according to the quote below, vulnerable.

If you look at http://www.freebsd.org/security we only claim to provide
security support for the most recent version of FreeBSD (4.2-RELEASE) and
after. Historically this is all we've done, although recently we've been
doing some support for older versions as well (e.g. 4.1.1). However it is
very time-consuming to do this, and I just didn't have time to generate and
test patches for older releases this time around. If someone submits
patches for older releases we'll update the advisory.

Kris

--lMM8JwqTlfDpEaS6
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6ifycWry0BWjoQKURAliuAKDI6r+VAY3s5aItN+bYfMYFbs8o7ACfYqEB
bwUj3+mN81XmIhvyQVZgk/Y=
=99DF
-----END PGP SIGNATURE-----

--lMM8JwqTlfDpEaS6--

From owner-freebsd-security Tue Feb 13 22:16:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id B097437B491 for ; Tue, 13 Feb 2001 22:16:56 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 13 Feb 2001 22:14:58 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1E6GdO57792; Tue, 13 Feb 2001 22:16:39 -0800 (PST) (envelope-from cjc)
Date: Tue, 13 Feb 2001 22:16:28 -0800
From: "Crist J. Clark"
To: Michael Lea
Cc: "H. Wade Minter" , Nick Rogness , freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
Message-ID: <20010213221628.O62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <20010213155515.C71046@core.atomicbluebear.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010213155515.C71046@core.atomicbluebear.org>; from mlea@atomicbluebear.org on Tue, Feb 13, 2001 at 03:55:17PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 13, 2001 at 03:55:17PM -0600, Michael Lea wrote:
> On Tue, 13 Feb 2001, H. Wade Minter wrote:
>
> > Does snort work well with ipfw? Maybe I'm thinking of it wrong, but
> > wouldn't I have to let the traffic into the firewall so snort could deal
> > with it?
>
> Snort runs in promiscuous mode. That means that, if you're running it on the
> same box as ipfw, snort will see the packets regardless of whether ipfw
> passes them through to the rest of the IP stack or not.

It actually has nothing to do with promiscuous mode. The BPF device
lives very low in the IP stack, before ipfw(8). Anything that uses
bpf(4) to access the network is not subject to ipfw(8) rules.

But back to the original questions, I made some patches to do more
verbose logging of packets within ipfw(8). It deliberately does not go
down into the application data, but gives more information about IP ID,
fragments, TCP sequence/ack numbers, etc. You can do a search of the
mail archive or email me if you are interested and can't find them.
-- 
Crist J.
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 14 0:18:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by hub.freebsd.org (Postfix) with ESMTP id 08B7F37B401 for ; Wed, 14 Feb 2001 00:18:54 -0800 (PST) Received: from pantherdragon.org (unknown [206.29.168.147]) by spork.pantherdragon.org (Postfix) with ESMTP id 2BA41471C5; Tue, 13 Feb 2001 20:38:50 -0800 (PST) Message-ID: <3A8A0BDA.21504E26@pantherdragon.org> Date: Tue, 13 Feb 2001 20:38:50 -0800 From: dmp@pantherdragon.org Organization: pantherdragon.org X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Dag-Erling Smorgrav Cc: Adam Laurie , security@FreeBSD.ORG Subject: Re: syslogd -ss not part of extreme security option? References: <3A88EB70.CC8CB78E@pantherdragon.org> <3A89707C.A539BA9C@algroup.co.uk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dag-Erling Smorgrav wrote: > Adam Laurie writes: > > eh? no security bug is "known" until it's found & exploited. just > > because it hasn't been found doesn't mean it doesn't exist. switching > > off a network listener for syslog when you are not doing network logging > > is much more than a warm fuzzy feeling, it's closing a potential > > security hole. i do it on standard installs, let alone "extreme > > security". > > It's not a listener. If you specify -s, the socket is half-closed so > you can use it to send log messages to other hosts, but can't receive. > If you specify -ss, the socket isn't opened at all so you can neither > send nor receive. Why not add it, though? Anyone who's going to do remote syslogging will know to set the appropriate option. 
For everyone else, it's just
one more thing that doesn't need to be enabled by default.

From owner-freebsd-security Wed Feb 14 0:20:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shasta.wstein.com (rfx-64-6-196-149.users.reflexcom.com [64.6.196.149]) by hub.freebsd.org (Postfix) with ESMTP id 5DF6037B491 for ; Wed, 14 Feb 2001 00:20:26 -0800 (PST)
Received: from hood (hood.wstein.com [192.168.250.14]) by shasta.wstein.com (8.11.1/8.11.1) with ESMTP id f1E8KOj85528; Wed, 14 Feb 2001 00:20:25 -0800 (PST) (envelope-from joes@joescanner.com)
Date: Wed, 14 Feb 2001 00:20:20 -0800 (Pacific Standard Time)
From: Joseph Stein
To:
Subject: ipfw rules
Message-ID:
X-X-Sender: joes@shasta.wstein.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm looking for some peer review of a firewall ruleset I've written based
on the O'Reilly book "Building Internet Firewalls" and the "default"
rc.firewall script. Here it is. I would gladly accept any comments; this
is merely what "works" on my system; if it breaks some paradigm, I'd like
to hear about why (please mail me privately, and I'll summarize if there
is enough interest).

I do have one specific question.... The last 20 or so lines are there
specifically to allow ICQ to work properly (I couldn't get ICQ to work
successfully without them). Any ideas on how to eliminate some of that
mess?

Any other ideas?

Thanks in advance,

joe
joes@joescanner.com (regardless of what the email header says)

#!/bin/sh
#
# rc.firewall
#
# Created 12-Feb-2001 by joes
# Edited 13-Feb-2001 by joes
#   * Looked at the bulk log output provided by a removed rule:
#       ${fwcmd} add 65000 deny log all from any to any
#     and reduced some of the logging overhead. Added rules to
#     allow ICMP ECHO from this system and traceroute. Denied some
#     "bogus" ports/services that are floating around on the "public"
#     side of my IP configuration.
#

# Suck in configuration
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# Set quiet mode if requested
#case ${firewall_quiet} in
#[Yy][Ee][Ss])
#	fwcmd="/sbin/ipfw -q"
#	;;
#*)
	fwcmd="/sbin/ipfw"
#	;;
#esac

# Flush all rules so we don't corrupt something
${fwcmd} -f flush

# Prototype Setup

# Outside interface setup
oif="rl0"
onet="64.6.196.0"
omask="255.255.255.0"
oip="64.6.196.149"

# Inside interface setup
iif="dc0"
inet="192.168.250.0"
imask="255.255.255.0"
iip="192.168.250.1"

# natd_interface normally comes from rc.conf (sourced above); fall back
# to the outside interface so the divert rule below never ends up with
# an empty "via".
natd_interface="${natd_interface:-${oif}}"

# Only in rare cases do you want to change these rules:
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8

# Allow VPN packets
${fwcmd} add 300 pass tcp from any to ${oip} 5555
${fwcmd} add 300 pass udp from any to ${oip} 5555
${fwcmd} add 300 pass tcp from ${oip} 5555 to any
${fwcmd} add 300 pass udp from ${oip} 5555 to any
${fwcmd} add 300 pass all from any to any via tun0

# Allow LAN packets
${fwcmd} add 400 pass all from any to any via ${iif}

# Stop spoofing:
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 addresses on the outside interface
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}
${fwcmd} add deny udp from any 68 to any 67 via ${oif}

# Turn on NATD
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 addresses on the outside interface
${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Pass fragments
${fwcmd} add pass all from any to any frag

# Pass e-mail
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
${fwcmd} add pass udp from any 53 to ${oip}

# Allow access to WWW (http and https)
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 443 setup

# Allow access to sthelens www server
${fwcmd} add pass tcp from any to ${oip} 8080 setup
${fwcmd} add pass tcp from any to 192.168.250.12 8080 via ${oif}
${fwcmd} add pass tcp from any to 192.168.250.12 8070 via ${oif}

# Napster
${fwcmd} add pass tcp from any to ${oip} 6699
${fwcmd} add pass tcp from any to 192.168.250.14 6699 via ${oif}

# Allow SSH in from the outside
${fwcmd} add pass tcp from any to ${oip} 22
${fwcmd} add pass tcp from ${oip} to any 22

# Reject and log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Reject all SMB/NetBIOS connections from/to outside
${fwcmd} add deny udp from any to any 137 via ${oif}
${fwcmd} add deny udp from any to any 138 via ${oif}
${fwcmd} add deny udp from any to any 139 via ${oif}

# Deny all rwho/ruptime connections from/to outside
${fwcmd} add deny udp from any to any 513 via ${oif}

# Allow pinging out
${fwcmd} add allow icmp from ${oip} to any via ${oif} icmptypes 8
${fwcmd} add allow icmp from any to ${oip} via ${oif} icmptypes 0

# Allow traceroute
${fwcmd} add allow udp from ${oip} to any 32767-65535 via ${oif}
${fwcmd} add allow icmp from any to any via ${oif} icmptypes 11
${fwcmd} add allow icmp from any to any via ${oif} icmptypes 3

# Deny 'PING' requests (ICMP type 8)
${fwcmd} add deny icmp from any to any via ${oif} icmptypes 8

# Deny attempts to hit port 631 from the outside with UDP packets
${fwcmd} add deny udp from any to any 631 via ${oif}

# ipfw only accepts port numbers together with tcp or udp, so the
# port-based denies below list both protocols instead of "all".

# Deny attempts to hit port 525 from the outside (timed)
${fwcmd} add deny tcp from any to any 525 via ${oif}
${fwcmd} add deny udp from any to any 525 via ${oif}

# Deny attempts to hit port 1604 from the outside (unknown)
${fwcmd} add deny tcp from any to any 1604 via ${oif}
${fwcmd} add deny udp from any to any 1604 via ${oif}

# Deny attempts to hit port 1027 from the outside (unknown)
${fwcmd} add deny tcp from any to any 1027 via ${oif}
${fwcmd} add deny udp from any to any 1027 via ${oif}

# Deny Protocol 2 (IGMP)
${fwcmd} add deny 2 from any to any via ${oif}

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Allow NTP queries out into the world
${fwcmd} add pass udp from any 123 to any via ${oif}
${fwcmd} add pass udp from any to any 123 via ${oif}

# Allow access to ICQ network. The same four rules are added for every
# ICQ server address, in the order the addresses are listed.
icq_servers="205.188.153.111 205.188.153.98 205.188.153.100 \
	205.188.153.102 205.188.153.105 205.188.153.107 205.188.153.109 \
	205.188.3.160 205.188.3.176 64.12.162.57"
for icq in ${icq_servers}; do
	${fwcmd} add pass udp from ${oip} 1024-65535 to ${icq} 4000
	${fwcmd} add pass udp from ${icq} 4000 to ${oip} 1024-65535
	${fwcmd} add pass tcp from ${oip} 1024-65535 to ${icq} 1024-65535
	${fwcmd} add pass tcp from ${icq} 1024-65535 to ${oip} 1024-65535
done

# Anything not specifically listed above is denied by default
# (but not logged). Uncomment the following line to log all
# remaining denied packets.
#${fwcmd} add deny log all from any to any

From owner-freebsd-security Wed Feb 14 0:29:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xocah.holywar.net (xocah.holywar.net [211.232.152.22]) by hub.freebsd.org (Postfix) with SMTP id 3D0C237B401 for ; Wed, 14 Feb 2001 00:29:35 -0800 (PST)
Received: (qmail 76885 invoked by uid 101); 14 Feb 2001 08:29:29 -0000
Date: Wed, 14 Feb 2001 17:29:29 +0900
From: "ho-sang, yoon"
To: freebsd-security@freebsd.org
Subject: Racoon startup at boot problem
Message-ID: <20010214172929.A76809@xocah.holywar.net>
Reply-To: tsoi@xocah.dhs.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[ I have asked this on questions@, but got no answers, so here again ]

I have two servers that were secured by IPsec using racoon.
But the problem is, when one server is rebooted and re-initializes racoon,
they do not communicate at all, (in my opinion) because of a mismatch of
the SPI in each server's SAD entries.
In my thought, racoon allocates a random SPI when it is up.

Any recommendation?
--=20 no signature --sdtB3X0nJg68CQEu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6ikHpHLmv9nrxL/MRAnenAJ9a+sxlKGgRkNkq4vDGf86dc1woewCfSalF S+BXtUQYJYNTA3kxwqzB7hk= =J7W+ -----END PGP SIGNATURE----- --sdtB3X0nJg68CQEu-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 14 1:23:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 11EC837B503 for ; Wed, 14 Feb 2001 01:23:16 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 14 Feb 2001 01:20:19 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1E9M6l59068; Wed, 14 Feb 2001 01:22:06 -0800 (PST) (envelope-from cjc) Date: Wed, 14 Feb 2001 01:22:06 -0800 From: "Crist J. Clark" To: dmp@pantherdragon.org Cc: Dag-Erling Smorgrav , Adam Laurie , security@FreeBSD.ORG Subject: Re: syslogd -ss not part of extreme security option? Message-ID: <20010214012206.P62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <3A88EB70.CC8CB78E@pantherdragon.org> <3A89707C.A539BA9C@algroup.co.uk> <3A8A0BDA.21504E26@pantherdragon.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A8A0BDA.21504E26@pantherdragon.org>; from dmp@pantherdragon.org on Tue, Feb 13, 2001 at 08:38:50PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Feb 13, 2001 at 08:38:50PM -0800, dmp@pantherdragon.org wrote: > Dag-Erling Smorgrav wrote: > > Adam Laurie writes: > > > eh? 
> > > no security bug is "known" until it's found & exploited. just
> > > because it hasn't been found doesn't mean it doesn't exist. switching
> > > off a network listener for syslog when you are not doing network logging
> > > is much more than a warm fuzzy feeling, it's closing a potential
> > > security hole. i do it on standard installs, let alone "extreme
> > > security".
> >
> > It's not a listener. If you specify -s, the socket is half-closed so
> > you can use it to send log messages to other hosts, but can't receive.
> > If you specify -ss, the socket isn't opened at all so you can neither
> > send nor receive.
>
> Why not add it, though? Anyone who's going to do remote syslogging
> will know to set the appropriate option.

No they won't. Do you promise to answer all of the people who come to
-questions asking why they can't log to another machine? "I could
always do it before!" You can take over answering all the people
asking why they can't install a new kernel (whose idea was it to have
people set securelevel(8) in sysinstall(8), oops I remember...).

> For everyone else, it's just
> one more thing that doesn't need to be enabled by default.

The only purpose the second '-s' serves is to make the line from
syslogd(8) disappear from netstat(8) output. It has no real security
use.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Wed Feb 14 3:17:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from g04.syd.iprimus.net.au (g04.syd.iprimus.net.au [203.134.65.6]) by hub.freebsd.org (Postfix) with SMTP id 342E337B401 for ; Wed, 14 Feb 2001 03:17:10 -0800 (PST)
Received: (qmail 1281 invoked from network); 14 Feb 2001 11:17:37 -0000
Received: from unknown (HELO kdhbooks.com) (203.134.133.16) by g04.syd.iprimus.net.au with SMTP; 14 Feb 2001 11:17:37 -0000
From: "e-Publisher's Weekly"
To:
Subject: e-Publisher's Weekly #4
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Date: Wed, 14 Feb 2001 22:27:46 +1100
Content-Transfer-Encoding: 8bit
Message-Id: <20010214111710.342E337B401@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

e-publisher's Weekly : ISSUE # 4
===============================================================
kdhbooks - February 14, 2001
e-book publishing & marketing
http://www.kdhbooks.com
===============================================================
Top Sponsor Advertisement:
===============================================================
Get Published Instantly with EbookoMatic. Simple, affordable, secure.
Upload manuscript. Convert to ebook. Sell online within minutes.
Members receive $39.00 bonus! Act now. Collect royalties. Become famous
www.EbookoMatic.net. (Affiliates earn 20% on new memberships!).
=============================================================== =============================================================== In this Issue =============================================================== 1- From the Author 2- eZine advertising 3- ISBN number 4- Featured Ebooks 5- Merchant Accounts 6- Ebook Publishing 7- e-Interview 8- Microsoft Reader Format 9- Next Week =============================================================== 1- From the Author: =============================================================== If you have an 'e-book', 'website' or software you wish to have reviewed here or like to be 'Interviewed, then send us an email to: mailto:epw@kdhbooks.com . Interviews will be as well featured on our website for general public access. =============================================================== 2- eZine Advertising: =============================================================== Only three (3) more issues to go for our special rate. 4632 current subscribers to 'e-publisher's Weekly'. Advertising categories are: Solo Ads, Top sponsors, Bottom Ads, and Middle Ads. Check out our rates card: http://www.kdhbooks.com/ezinerates.htm For the next four issues we will give our subscribers a %50 discount on all rates. Go here for details. http://www.kdhbooks.com/specialrates.htm The "special rates URL" will only be displayed in our weekly 'e-publisher's weekly' newsletter. =============================================================== 3- How to obtain an ISBN number: =============================================================== Why would you need an ISBN number for your ebooks? In order to sell your publication on Amazon.com you will need one. But you need to publish your book in hard/soft shell first. Depending on the layout, Graphics and paper source you are going to use it can come costly. 
Then after you have publish it the conventional way you can go and apply for your ISBN number here online : http://www.bowker.com/standards/home/isbn/us/application.html or print out the form and post it. Ebooks will have either an ISBN or similar code to be identified in the future. Major Issues in the Implementation of the ISBN: PRINTING THE ISBN: When the number is either written or printed, it must be preceded by the letters "ISBN" and each part must be separated by a hyphen. read more about it here: http://www.bowker.com/standards/home/isbn/us/major.html =============================================================== 4 - Featured Ebooks: =============================================================== - LARKIN, by Debby Hunt - Larkin is the original story of a wealthy young girl named Shannon O'Larkin, and her relationship with an obsessive young man named Mike Sullivan. The relationship continues even after he has murdered someone and has been committed to a mental institution. Shannon thinks she is safe some years later, and she has happily married to someone else. But Mike escapes from the mental hospital. He comes after Shannon with a calculated purpose, and her life will never be the same again. download here: http://www.exebook.com/personal/debbyhunt/ =============================================================== - The Enterprising Writer, by Michael Meanwell - The Enterprising Writer’ shows you how to develop business and literary skills, and employ the right principles for running a successful enterprise. 
- How to set up and launch a sustainable home-based business - How to convert prospects into clients - How to turn clients into advocates (this is the secret to the most powerful and inexpensive form of promotion) - How to keep clients satisfied and happy to help build your business - How to handle slow-paying and no-paying clients - How to get organized and stay productive - How to promote yourself online and offline - How to achieve your writing dreams and enjoy working for yourself This book is well written and offers more advice and techniques than you will find anywhere for this price. A HOT product for beginners and professionals alike. go here to download it: http://www.meanwellstore.com/ =============================================================== - 'Writers on Writing'.by Michael Meanwell - Do you want to be inspired by the Masters of Writing? Then you should read 'Writers on Writing'. This unique book couples more than 360 poignant quotations from classic and contemporary writers with over 150 positive affirmations written by me specifically for you, today's writer. go here to download it: http://www.meanwellstore.com/product22.htm =============================================================== 5 - Merchant Accounts: =============================================================== By now almost all or at least the majority of online users have either heard or obtained a merchant account for processing on-line orders for various products. It is a rather convenient choice and in some instances " can cost more then you earn". To open an merchant account at your local bank is a tedious procedure and often you get turned down for reasons that might be out of reach (for the moment). That's where the on-line banks come into place, quick set-up, low cost maintenance, and a very attractive rate. But how much are you really earning? By a rate of, will say, 7% and a additional fee of $1.50 per sale you are not earning much if your product sales for around $10.00. 
The "real" earner is the BANK. So, do the math and shop around to get the best price. Download some ebooks about merchant accounts here: http://www.kdhbooks.com/ebooks/finance.htm and make sure that "YOU" are getting the most return. =============================================================== 6 - Ebook Publishing: =============================================================== Ebook publishing is a revolution on the Internet, the future of how we read books. If you can publish a website, you can publish an ebook. The advantage is that you have virtually no overhead cost, only your software and Internet connection. go here to download more info: http://www.kdhbooks.com/ebooks/publishing.htm If you are planning to publish an electronic magazine or/and ebooks than this ebook will help you out almost in every way possible. Click on the link below: - E-Zines - a complete guide to publishing - E-Zine publishing Handbook http://www.kdhbooks.com/ebooks/ezine.htm =============================================================== 7 - e-interview =============================================================== Michael Meanwell, interviewed by Kathryn Hardman you can read the article on our website at: http://www.kdhbooks.com/interview/michael_meanwell.htm ............................................................... Kathryn: After 20 years in the writers business, how do you feel about ePublishing? Michael: In a word, re-born. It has re-invigorated me and, funnily enough, taken me full circle to what I wanted to do -- and started doing -- as a teenager. Writing books. It's a little strange, however, being both the author and the publisher. Now there's no barrier at all to being published but, with that, goes a layer of responsibility to ensure content is at the highest level. Having started my career as a newspaper reporter and sub-editor, I am used to editing my own copy, so it hasn't been too difficult a transition. 
When dealing with the traditional publishing world, many writers invest a lot of time, submitting their work to publishers, then play the waiting-game. While the rules are different with epublishing, there is still a considerable investment needed to be successful. When I finished my first ebook, I joked to a colleague that writing it was the easy part -- and I right (the hard part was learning and developing a workable ebook format, building the Web site and launching an ongoing marketing campaign). And that's true, even for authors who are handled by a third-party epublisher. Often, they will be responsible for not only providing the ebook in a professional, published format, but also arranging reviews, publicity and online marketing. ePublishing is, however, an exciting, evolving industry. It's a wonderful experience to be in complete control of your e-destiny. - please follow the link to the complete interview. http://www.kdhbooks.com/interview/michael_meanwell.htm or download as ebook (340 kb) http://www.kdhbooks.com/interview/michael_meanwell.exe ............................................................... =============================================================== 8 - Microsoft Reader Format =============================================================== Publish in Microsoft Reader (LIT) format. If you can not or don't want to buy www.readerworks.com publisher ($69.00), then you can download for free the ebook publisher software direct from Microsoft. Only two catches: Must have Word2000 and you can not change the ebook cover. Other than that it works straight from within Word2000. If you consider to publish ebooks in 'LIT' in the future, then take it for a test drive. http://www.microsoft.com/reader/ and don't forget to download the layout files !!!! 
===============================================================
9 - Next Week:
===============================================================
- eBook Compilers under the hood
- Competition - get published
- affiliate programs
===============================================================
===============================================================
Get Published Instantly with EbookoMatic. Simple, affordable, secure.
Upload manuscript. Convert to ebook. Sell online within minutes.
Members receive $39.00 bonus! Act now. Collect royalties. Become famous.
http://www.EbookoMatic.net (Affiliates earn 20% on new memberships!).
===============================================================
we hope that you have enjoyed reading our newsletter.
if you wish to un-subscribe send to: remove@kdhbooks.com
best regards
Kathryn Hardman

From owner-freebsd-security Wed Feb 14 5: 1:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with SMTP id 8309937B401 for ; Wed, 14 Feb 2001 05:01:44 -0800 (PST)
Received: (qmail 18167 invoked by uid 501); 14 Feb 2001 13:01:40 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Feb 2001 13:01:40 -0000
Date: Wed, 14 Feb 2001 11:01:40 -0200 (EDT)
From: Paulo Fragoso
To: freebsd-security@freebsd.org
Subject: SSH2 host auth
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

We were using the ssh1 protocol with host-based authentication. We've
upgraded all sshd to use the ssh2 protocol (SSH-2.0-OpenSSH_2.2.0) but we
can't establish host-based authentication.
On the server side we have created some files:

/etc/ssh/ssh_known_hosts2
    we have put the public key from the client, using the same format
    found in ~/.ssh/known_hosts2

/etc/ssh/shosts.equiv
/etc/shosts.equiv
/etc/hosts.equiv
    we have put the hostname of the client

On the client machine we are trying to connect without a password, but it
always asks for it.

We're new to the SSH 2 protocol and we can't find a HOWTO on making the
configuration for host-based authentication. We have read the man pages
for sshd and we can't find any solution for this problem (guess).

Can anyone help us?

We can't find any information (guess) in the sshd debug output:

debug: sshd version OpenSSH_2.2.0
debug: read DSA private key done
debug: Bind to port 22 on ::.
Server listening on :: port 22.
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug: Server will not fork when running in debugging mode.
Connection from mirage.nlink.com.br port 3207
Connection from CCC.CCC.CCC.CCC port 3207
debug: Client protocol version 2.0; client software version OpenSSH_2.2.0
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.2.0
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: none
debug: got kexinit: none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 531/1024
debug: bits set: 519/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user paulo service ssh-connection method none
Failed none for paulo from CCC.CCC.CCC.CCC port 3207 ssh2
Connection closed by CCC.CCC.CCC.CCC
debug: Calling cleanup 0x805b8ec(0x0)

Paulo Fragoso.
--
    __O
  _-\<,_     Why drive when you can bike?
 (_)/ (_)

From owner-freebsd-security Wed Feb 14 7:53:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from magellan.palisadesys.com (magellan.palisadesys.com [192.188.162.211]) by hub.freebsd.org (Postfix) with ESMTP id 15F6737B491 for ; Wed, 14 Feb 2001 07:53:28 -0800 (PST)
Received: from localhost (ghelmer@localhost) by magellan.palisadesys.com (8.11.2/8.11.2) with ESMTP id f1EFr8R04600; Wed, 14 Feb 2001 09:53:08 -0600
Date: Wed, 14 Feb 2001 09:53:07 -0600 (CST)
From: Guy Helmer
To: cjclark@alum.mit.edu
Cc: dmp@pantherdragon.org, Dag-Erling Smorgrav , Adam Laurie , security@FreeBSD.ORG
Subject: Re: syslogd -ss not part of extreme security option?
In-Reply-To: <20010214012206.P62368@rfx-216-196-73-168.users.reflex>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 14 Feb 2001, Crist J. Clark wrote:

> On Tue, Feb 13, 2001 at 08:38:50PM -0800, dmp@pantherdragon.org wrote:
> > Dag-Erling Smorgrav wrote:
> > > Adam Laurie writes:
> > > > eh? no security bug is "known" until it's found & exploited. just
> > > > because it hasn't been found doesn't mean it doesn't exist. switching
> > > > off a network listener for syslog when you are not doing network logging
> > > > is much more than a warm fuzzy feeling, it's closing a potential
> > > > security hole. i do it on standard installs, let alone "extreme
> > > > security".
> > >
> > > It's not a listener.
> > > If you specify -s, the socket is half-closed so
> > > you can use it to send log messages to other hosts, but can't receive.
> > > If you specify -ss, the socket isn't opened at all so you can neither
> > > send nor receive.
> >
> > Why not add it, though? Anyone who's going to do remote syslogging
> > will know to set the appropriate option.
>
> No they won't. Do you promise to answer all of the people who come to
> -questions asking why they can't log to another machine? "I could
> always do it before!" You can take over answering all the people
> asking why they can't install a new kernel (who's idea was it to have
> people set securelevel(8) in sysinstall(8), oops I remember...).
>
> > For everyone else, it's just
> > one more thing that doesn't need to be enabled by default.
>
> The only purpose the second '-s' serves is to make the line from
> syslogd(8) disappear from netstat(8) output. It has no real security
> use.

There is perhaps another use. There is no way to specify the listening
address to syslogd, so for jails on a machine that could have listeners on
the syslog port for their jail IP address, I have to give syslogd two '-s'
options. It would be useful to modify syslogd to be able to bind an IP
address to its socket so I don't have to keep syslog from opening a socket.

I haven't actually traced through the kernel code to determine whether a
UDP packet would do the right thing when syslogd has an open UDP listener
but isn't receiving packets from the socket. To avoid ambiguity, I just
tell syslogd not to open the socket.

Guy
--
Guy Helmer, Ph.D.                              http://www.palisadesys.com/~ghelmer
Sr. Software Engineer, Palisade Systems                ghelmer@palisadesys.com
"In this place it takes all the running you can do, to keep in the same place."
  -- Lewis Carroll's "Through the Looking Glass"

From owner-freebsd-security Wed Feb 14 9: 0:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id 39E9837B4EC for ; Wed, 14 Feb 2001 09:00:46 -0800 (PST)
Received: from partner.uni-psych.gwdg.de ([134.76.136.114]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14T5II-0004Y4-00 for freebsd-security@freebsd.org; Wed, 14 Feb 2001 18:00:42 +0100
Mime-Version: 1.0
X-Sender: rbeer@popper.gwdg.de
Message-Id:
Date: Wed, 14 Feb 2001 18:00:33 +0100
To: freebsd-security@freebsd.org
From: Ragnar Beer
Subject: security settings documentation
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Howdy!

Is there a place where I can find _detailed_ information about what
_exactly_ gets changed when I choose a security level during
installation? I'd rather make an informed decision, and I'd also
like to learn about FreeBSD security concepts.
Ragnar

From owner-freebsd-security Wed Feb 14 9:10:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 47DF537B491 for ; Wed, 14 Feb 2001 09:10:41 -0800 (PST)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f1EHA4Q22234; Wed, 14 Feb 2001 12:10:04 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Wed, 14 Feb 2001 12:10:04 -0500 (EST)
From: Rob Simmons
To: Ragnar Beer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Read the man page for init(8)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Ragnar Beer wrote:

> Howdy!
>
> Is there a place where I can find _detailed_ information about what
> _exactly_ gets changed when I choose a security level during
> installation? I rather like to make an informed decision and I'd also
> like to learn about FreeBSD security concepts.
>
> Ragnar

From owner-freebsd-security Wed Feb 14 9:27: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 36AC737B4EC; Wed, 14 Feb 2001 09:26:39 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f1EHQdB35045; Wed, 14 Feb 2001 09:26:39 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 14 Feb 2001 09:26:39 -0800 (PST)
Message-Id: <200102141726.f1EHQdB35045@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:25.kerberosIV
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:25                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Local and remote vulnerabilities in Kerberos IV

Category:       core
Module:         libkrb, telnetd
Announced:      2001-02-14
Credits:        Jouko Pynnönen
Affects:        FreeBSD 4.2-STABLE and 3.5-STABLE prior to the correction
                dates.
Corrected:      2000-12-13 (FreeBSD 4.2-STABLE)
                2000-12-15 (FreeBSD 3.5-STABLE)
FreeBSD only:   NO

I.   Background

telnetd is the server for the telnet remote login protocol, which is
available with optional support for the Kerberos authentication protocol.
libkrb is the library used for Kerberised applications (including telnetd
and login).
FreeBSD includes the KTH Kerberos implementation, which is externally
maintained, contributed software, as an optional part of the base system.

II.  Problem Description

The advisory describes three vulnerabilities: first, an overflow in the
libkrb KerberosIV authentication library, second, improper filtering of
environmental variables by the KerberosIV-adapted telnet daemon, and
finally, a temporary file vulnerability in the KerberosIV ticket
management code.

A buffer overflow exists in the libkrb Kerberos authentication library,
which may be exploitable by malicious remote authentication servers. This
vulnerability exists in the kdc_reply_cipher() call. An attacker may be
able to overflow this buffer during an authentication exchange, allowing
the attacker to execute arbitrary code with the privileges of the caller
of kdc_reply_cipher().

The telnet protocol allows for UNIX environmental variables to be passed
from the client to the user login session on the server. The base system
telnet daemon, telnetd, goes to great lengths to limit the variables
passed so as to prevent them from improperly influencing the login and
authentication mechanisms. The telnet daemon used with KerberosIV relied
on an incomplete list of improper environment variables to remove from
the environment before executing the login program. This is a similar
vulnerability to that described in Security Advisory 00:69.

Two environment variables have been identified that place users of
Kerberos at risk. The first allows the remote user to change the Kerberos
server used for authentication requests, increasing the opportunity for
an attacker to exploit the buffer overflow. The second allows the
configuration directory for Kerberos to be modified, allowing an attacker
with the right to modify the local file system to cause Kerberos to
authenticate using an improper configuration (including Kerberos realm
and server configuration, as well as srvtab).
These vulnerabilities may be used to leverage root access.

A race condition exists in the handling of ticket files in /tmp; this
vulnerability may be exploited by a local user to gain ownership of
arbitrary files in the file system. This vulnerability can be leveraged
to gain root access.

These vulnerabilities only exist on systems which have installed the
optional Kerberos IV distribution (whether or not it is configured),
which is not installed by default.

III. Impact

If your system has the KerberosIV distribution installed, remote and
local users may be able to obtain root privileges on the local system.

IV.  Workaround

To prevent remote root compromise via the telnet service, disable the
telnet service, which is usually run out of inetd: comment out the
following lines in /etc/inetd.conf, if present.

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd

The local root compromise cannot be easily worked around.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.2-STABLE or 3.5-STABLE
after the respective correction dates.

2) Apply the relevant patch from below and recompile the affected files:

Download the relevant patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.

[FreeBSD 4.2]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch.asc

[FreeBSD 3.5.1]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch.asc

NOTE: This patch assumes you have already applied the patch in security
advisory SA-00:69.
Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/kerberosIV
# make depend && make all install
# cd /usr/src/libexec/telnetd
# make depend && make all install

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOopfGFUuHi5z0oilAQGIZwP+OTdYs+CQQ0oZegWsQRNkf6CJCCCu/ban
XWs5wIwEFESq8rCdtg4c6y2RKdF+oySU05nXRYG3gl2Il+71zjhTUnsXi2mM5WHi
on6m8GOB9EGurb2xszuqNBREa61wGoYZTptzm/NKW7meaDVDlCwe1Mq+orz7ai3m
WrEZuR94UFU=
=TyCm
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 14 9:29:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-67.dsl.lsan03.pacbell.net [63.207.60.67]) by hub.freebsd.org (Postfix) with ESMTP id AE61137B503 for ; Wed, 14 Feb 2001 09:29:09 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 69B0066B26; Wed, 14 Feb 2001 09:29:09 -0800 (PST)
Date: Wed, 14 Feb 2001 09:29:09 -0800
From: Kris Kennaway
To: Rob Simmons
Cc: Ragnar Beer , freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
Message-ID: <20010214092909.B72301@mollari.cthul.hu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="hQiwHBbRI9kgIhsi"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rsimmons@wlcg.com on Wed, Feb 14, 2001 at 12:10:04PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Feb 14, 2001 at 12:10:04PM -0500, Rob Simmons wrote:
> Read the man page for init(8)

No, that's not it - he's talking about the "low/medium/high" settings in
sysinstall.
I don't think a good documentation source really exists at the moment -
you should check the code in /usr/src/releases/sysinstall/config.c and
look at the rc.conf variables it sets. Then write up some documentation
for us and send it to doc@freebsd.org :-)

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6isBkWry0BWjoQKURAgkYAJ4+5Z1YIfrT0nse1yCvKf3y6Ex51gCg53Bx
qxgwq7S6khMY7lt4zFyohXA=
=Nqub
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 14 9:36:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eros.cs.brandeis.edu (eros.cs.brandeis.edu [129.64.3.177]) by hub.freebsd.org (Postfix) with ESMTP id D8D1C37B4EC for ; Wed, 14 Feb 2001 09:36:03 -0800 (PST)
Received: from localhost (meshko@localhost) by eros.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id MAA29590; Wed, 14 Feb 2001 12:35:51 -0500
Date: Wed, 14 Feb 2001 12:35:51 -0500 (EST)
From: Mikhail Kruk
To: Rob Simmons
Cc: Ragnar Beer ,
Subject: Re: security settings documentation
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think he is asking about sysinstall security settings, not about
security level. It's a good question, I'd love to hear a detailed answer
too..

> Read the man page for init(8)
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Wed, 14 Feb 2001, Ragnar Beer wrote:
>
> > Howdy!
> >
> > Is there a place where I can find _detailed_ information about what
> > _exactly_ gets changed when I choose a security level during
> > installation? I rather like to make an informed decision and I'd also
> > like to learn about FreeBSD security concepts.
> > > > Ragnar > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 14 10:24:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from core.atomicbluebear.org (core.atomicbluebear.org [64.4.83.19]) by hub.freebsd.org (Postfix) with ESMTP id 2970537B491 for ; Wed, 14 Feb 2001 10:24:47 -0800 (PST) Received: (qmail 77348 invoked by uid 1001); 14 Feb 2001 18:24:34 -0000 Date: Wed, 14 Feb 2001 12:24:33 -0600 From: Michael Lea To: Kris Kennaway Cc: Rob Simmons , Ragnar Beer , freebsd-security@FreeBSD.ORG Subject: Re: security settings documentation Message-ID: <20010214122432.A76375@core.atomicbluebear.org> Mail-Followup-To: Kris Kennaway , Rob Simmons , Ragnar Beer , freebsd-security@FreeBSD.ORG References: <20010214092909.B72301@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="nFreZHaLTZJo0R7j" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010214092909.B72301@mollari.cthul.hu>; from kris@obsecurity.org on Wed, Feb 14, 2001 at 09:29:09AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --nFreZHaLTZJo0R7j Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, 14 Feb 2001, Kris Kennaway wrote: > Then write up some documentation for us and send it to doc@freebsd.org Somewhat terse, but here's a little "feature" matrix: Fascist High Moderate Low inetd NO NO YES YES sendmail NO YES YES YES sshd NO YES YES YES portmap NO NO * YES nfs_server NO NO ** *** securelevel YES (2) YES (1) NO NO Any other configuration setting are, as near as I can tell, left 
unchanged. For details on securelevel, see the init(8) man page.

NOTES:
*   Portmap is enabled if the machine has been configured as either an NFS
    client or an NFS server earlier in the installation process.
**  If the machine has been configured as an NFS server, NFS will only run
    on a reserved port.
*** No changes are made to the NFS configuration.

- Mike

From owner-freebsd-security Wed Feb 14 10:40:18 2001
Date: Wed, 14 Feb 2001 13:39:30 -0500 (EST)
From: Rob Simmons
To: Kris Kennaway
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation

Default System Security Profile

Extreme
=========================================================
Adds the following settings to /etc/rc.conf

  inetd_enable="NO"
  portmap_enable="NO"
  sendmail_enable="NO"
  sshd_enable="NO"
  nfs_server_enable="NO"
  kern_securelevel_enable="YES"
  kern_securelevel="2"

At this level the following services are disabled:
  inetd
  portmap
  sendmail
  sshd
  NFS

The kernel securelevels are enabled and raised to level 2
---------------------------------------------------------

High
=========================================================
Adds the following settings to /etc/rc.conf

  inetd_enable="NO"
  sendmail_enable="YES"
  sshd_enable="YES"
  portmap_enable="NO"
  nfs_server_enable="NO"
  kern_securelevel_enable="YES"
  kern_securelevel="1"

At this level the following services are disabled:
  inetd
  portmap
  NFS

Kernel securelevel is enabled and raised to level 1
---------------------------------------------------------

Medium
=========================================================
Adds the following settings to /etc/rc.conf

  inetd_enable="YES"
  sendmail_enable="YES"
  sshd_enable="YES"

If the machine has been set up as an NFS client or server:
  portmap_enable="YES"

If the machine has not been set up as an NFS server:
  nfs_reserved_port_only="YES"

At this level the following services are enabled:
  inetd
  sendmail
  sshd

Depending on whether the machine is set up as an NFS client or server:
  Client: portmap
  Server: portmap, and NFS is only provided on a secure port

Kernel securelevel is not enabled
---------------------------------------------------------

Low
=========================================================
Adds the following settings to /etc/rc.conf

  inetd_enable="YES"
  sendmail_enable="YES"
  portmap_enable="YES"
  sshd_enable="YES"

At this level the following services are enabled:
  inetd
  sendmail
  portmap
  sshd

Kernel securelevel is not enabled
---------------------------------------------------------

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Kris Kennaway wrote:
> On Wed, Feb 14, 2001 at 12:10:04PM -0500, Rob Simmons wrote:
> > Read the man page for init(8)
>
> No, that's not it - he's talking about the "low/medium/high" settings
> in sysinstall.
> I don't think a good documentation source really exists at the moment -
> you should check the code in /usr/src/releases/sysinstall/config.c and
> look at the rc.conf variables it sets.
>
> Then write up some documentation for us and send it to doc@freebsd.org
> :-)
>
> Kris

From owner-freebsd-security Wed Feb 14 10:42:26 2001
Date: Wed, 14 Feb 2001 13:40:52 -0500 (EST)
From: Rob Simmons
To: Michael Lea
Cc: Kris Kennaway, Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation

That's much easier to read than mine :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Michael Lea wrote:
> On Wed, 14 Feb 2001, Kris Kennaway wrote:
>
> > Then write up some documentation for us and send it to doc@freebsd.org
>
> Somewhat terse, but here's a little "feature" matrix:
>
>                Fascist   High      Moderate  Low
>   inetd        NO        NO        YES       YES
>   sendmail     NO        YES       YES       YES
>   sshd         NO        YES       YES       YES
>   portmap      NO        NO        *         YES
>   nfs_server   NO        NO        **        ***
>   securelevel  YES (2)   YES (1)   NO        NO
>
> Any other configuration settings are, as near as I can tell, left unchanged.
> For details on securelevel, see the init(8) man page.
>
> NOTES:
> *   Portmap is enabled if the machine has been configured as either an NFS
>     client or an NFS server earlier in the installation process.
> **  If the machine has been configured as an NFS server, NFS will only run
>     on a reserved port.
> *** No changes are made to the NFS configuration.
>
> - Mike

From owner-freebsd-security Wed Feb 14 10:45:59 2001
Date: Wed, 14 Feb 2001 13:45:14 -0500 (EST)
From: Rob Simmons
To: Kris Kennaway
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation

Also, for the "High" security setting, shouldn't this be in there:

    variable_set2("sendmail_flags", "-q30m", 1);

That way sendmail doesn't open port 25.
Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Wed Feb 14 11:01:14 2001
Date: Wed, 14 Feb 2001 11:01:08 -0800
From: Kris Kennaway
To: Kris Kennaway, Rob Simmons, Ragnar Beer, freebsd-security@FreeBSD.ORG
Cc: doc@FreeBSD.org
Subject: Re: security settings documentation

On Wed, Feb 14, 2001 at 12:24:33PM -0600, Michael Lea wrote:
> On Wed, 14 Feb 2001, Kris Kennaway wrote:
>
> > Then write up some documentation for us and send it to doc@freebsd.org
>
> Somewhat terse, but here's a little "feature" matrix:
>
>                Fascist   High      Moderate  Low
>   inetd        NO        NO        YES       YES
>   sendmail     NO        YES       YES       YES
>   sshd         NO        YES       YES       YES
>   portmap      NO        NO        *         YES
>   nfs_server   NO        NO        **        ***
>   securelevel  YES (2)   YES (1)   NO        NO
>
> Any other configuration settings are, as near as I can tell, left unchanged.
> For details on securelevel, see the init(8) man page.
>
> NOTES:
> *   Portmap is enabled if the machine has been configured as either an NFS
>     client or an NFS server earlier in the installation process.
> **  If the machine has been configured as an NFS server, NFS will only run
>     on a reserved port.
> *** No changes are made to the NFS configuration.

Good stuff - thanks!

Doc-boyz and girlz, can we get this added somewhere?

Kris

From owner-freebsd-security Wed Feb 14 11:12:54 2001
Date: Wed, 14 Feb 2001 14:11:02 -0500 (EST)
From: Mikhail Kruk
To: Kris Kennaway
Cc: Rob Simmons, Ragnar Beer
Subject: Re: security settings documentation

Ah, I've written one too but managed to send it to the wrong address :)
Anyway, the table is much better, but I have a correction and a suggestion:

a) Fascist mode is called fascist only in code, the menu calls it "extreme",
   and it should be called this way in docs too.
b) indicate that Moderate is default, because it really is.
> > Somewhat terse, but here's a little "feature" matrix:
> >
> >                Fascist   High      Moderate  Low
> >   inetd        NO        NO        YES       YES
> >   sendmail     NO        YES       YES       YES
> >   sshd         NO        YES       YES       YES
> >   portmap      NO        NO        *         YES
> >   nfs_server   NO        NO        **        ***
> >   securelevel  YES (2)   YES (1)   NO        NO
> >
> > Any other configuration settings are, as near as I can tell, left unchanged.
> > For details on securelevel, see the init(8) man page.
> >
> > NOTES:
> > *   Portmap is enabled if the machine has been configured as either an NFS
> >     client or an NFS server earlier in the installation process.
> > **  If the machine has been configured as an NFS server, NFS will only run
> >     on a reserved port.
> > *** No changes are made to the NFS configuration.
>
> Good stuff - thanks!
>
> Doc-boyz and girlz, can we get this added somewhere?
>
> Kris

From owner-freebsd-security Wed Feb 14 11:52:39 2001
Date: Wed, 14 Feb 2001 12:52:01 -0700 (MST)
From: Nate Williams
To: Kris Kennaway
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Reply-To: nate@yogotech.com (Nate Williams)

> > > OpenSSH is installed if you chose to install the 'crypto' distribution
> > > at install-time or when compiling from source, and is installed and
> > > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > > protocol support is enabled.
> >
> > Excuse me pointing to a similar point in the last few advisories,
> > but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> > While the advisory includes those releases in the list
> > of vulnerable systems, the paragraph quoted above tells that
> > OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> > However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> > and it is, according to the quote below, vulnerable.
>
> If you look at http://www.freebsd.org/security we only claim to
> provide security support for the most recent version of FreeBSD
> (4.2-RELEASE) and after.

I agree that 'support' is one thing, but at least mentioning which
releases are affected by this bug would be good.

Most of the other vendors list all of their 'affected' releases as being
affected or not, and since most of the deployed FreeBSD systems are
*NOT* running 4.2R, this is of great benefit to the users.

The BIND/NAMED advisory was an example of explaining how to determine if
the system was vulnerable. The OpenSSH one was an example of an advisory
that was not as helpful.

Other information that would have been useful is a mention of whether the
'ssh1/ssh2' ports (www.ssh.org) in FreeBSD are vulnerable, etc...
Nate

From owner-freebsd-security Wed Feb 14 12:07:38 2001
Date: Wed, 14 Feb 2001 15:06:33 -0500
From: "Sean Roth"
Subject: ftpd permissions question

Hi all;

I'm setting up an anonymous ftp server for a business application and I am
having some difficulties getting the permissions to work out like I want.
freebsd-security seemed to be the best place, but if there is a better
choice, someone email me and I'll change tack.

I have a system configured with a user account (johndoe for the sake of
conversation) who is in the operator group. The server accepts anonymous
ftp connections to allow clients to upload files. Issue number one is I
would like that directory to be blind, ie: allow upload without allowing
the anonymous users to browse the directory. I'm not sure if that has to
be done as a permission or a config file.

Secondly, once a file has been uploaded by an anonymous ftp user, I need
johndoe to be able to move and delete those files. For now, the default
permission is 644 which doesn't allow the user to delete or rename the
files. They can be copied, but not deleted. Again, this could be due to
bad permissions or to config files.

I've read through the ftpd man pages and haven't found anything that
"feels" right.
Any and all help is greatly appreciated, and thank you in advance.

Sean;

From owner-freebsd-security Wed Feb 14 12:17:15 2001
Date: Wed, 14 Feb 2001 21:17:18 +0100
From: Stefan
To: freebsd-security@freebsd.org
Subject: Abnormal behaviour of "established" rule with ipfw?

Abnormal behaviour of "established" rule with ipfw?

Theoretically, I think, the following firewall rules for ipfw would never
allow any tcp connection simply because a connection cannot be set up:

  ipfw list:
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    30000 allow tcp from any to any established
    65535 deny ip from any to any

However, the opposite appears to be true:

  ipfw show:
    00100     0      0 allow ip from any to any via lo0
    00200     0      0 deny ip from any to 127.0.0.0/8
    30000   212  15669 allow tcp from any to any established
    65535     0      0 deny ip from any to any

Connections can be set up without a problem!

I'm using FreeBSD 4.1 Release with the security patches of January applied.
Verified this on my workstation (above example) after observing incoming
connections on my firewallbox (same version and patches).
As a workaround I moved a deny incoming rule before the allow established
rule, but according to the examples in the tutorial and handbook this should
not be necessary.

Is this a security vulnerability or do I understand things wrong?

Greets,

Stefan

From owner-freebsd-security Wed Feb 14 12:25:11 2001
Date: Wed, 14 Feb 2001 15:50:02 -0400 (AST)
From: The Hermit Hacker
To: Nate Williams
Cc: Kris Kennaway, Igor Roshchin
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh

On Wed, 14 Feb 2001, Nate Williams wrote:

> > > > OpenSSH is installed if you chose to install the 'crypto' distribution
> > > > at install-time or when compiling from source, and is installed and
> > > > enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
> > > > protocol support is enabled.
> > >
> > > Excuse me pointing to a similar point in the last few advisories,
> > > but, again, for some reason earlier releases 4.0 and 4.1 are forgotten.
> > > While the advisory includes those releases in the list
> > > of vulnerable systems, the paragraph quoted above tells that
> > > OpenSSH is installed as of FreeBSD 4.1.1-RELEASE.
> > > However, I see that 4.0-RELEASE had OpenSSH-1.2.2
> > > and it is, according to the quote below, vulnerable.
> >
> > If you look at http://www.freebsd.org/security we only claim to
> > provide security support for the most recent version of FreeBSD
> > (4.2-RELEASE) and after.
>
> I agree that 'support' is one thing, but at least mentioning which
> releases are affected by this bug would be good.
>
> Most of the other vendors list all of their 'affected' releases as being
> affected or not, and since most of the deployed FreeBSD systems are
> *NOT* running 4.2R, this is of great benefit to the users.

If nothing else, by listing anything before 4.2R as *being* vulnerable,
but unsupported, you give ppl one more incentive to dive into upgrading ...

From owner-freebsd-security Wed Feb 14 12:42:43 2001
Date: Wed, 14 Feb 2001 15:42:17 -0500 (EST)
From: Matt Piechota
To: Kris Kennaway
Subject: Re: cithaeron security check output (fwd)

On Tue, 13 Feb 2001, Kris Kennaway wrote:

> Please show me the output of the following, run on the machine in question.
>
> dig @localhost version.bind chaos txt

Here it is:

  ; <<>> DiG 8.3 <<>> @localhost version.bind chaos txt
  ; (1 server found)
  ;; res options: init recurs defnam dnsrch
  ;; got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUERY SECTION:
  ;;      version.bind, type = TXT, class = CHAOS

  ;; ANSWER SECTION:
  VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"

  ;; Total query time: 0 msec
  ;; FROM: cithaeron.argolis.org to SERVER: localhost  127.0.0.1
  ;; WHEN: Wed Feb 14 15:41:01 2001
  ;; MSG SIZE  sent: 30  rcvd: 64

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Wed Feb 14 12:50:15 2001
Date: Wed, 14 Feb 2001 12:50:00 -0800
From: Kris Kennaway
To: Matt Piechota
Cc: Kris Kennaway, freebsd-security@freebsd.org
Subject: Re: cithaeron security check output (fwd)

On Wed, Feb 14, 2001 at 03:42:17PM -0500, Matt Piechota
wrote:
> On Tue, 13 Feb 2001, Kris Kennaway wrote:
>
> > Please show me the output of the following, run on the machine in question.
> >
> > dig @localhost version.bind chaos txt
>
> Here it is:

Okay, thanks. You're running a version believed to be safe - but I
wanted to check because there's a lot of confusion over the fact that
the vulnerable betas are also called 8.2.3-*.

Some other people have reported their named 8.2.3-REL crashing. We
don't at this time believe it to be an exploitable bug, but hope to
learn more when someone can provide us with a core and/or traceback.

Kris

From owner-freebsd-security Wed Feb 14 13:00:33 2001
Date: Wed, 14 Feb 2001 14:00:23 -0700 (MST)
From: Nate Williams
To: Stefan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Abnormal behaviour of "established" rule with ipfw?
Reply-To: nate@yogotech.com (Nate Williams)

> Theoretically, I think, the following firewall rules for ipfw would never
> allow any tcp connection simply because a connection cannot be set up:
>
> ipfw list:
>   00100 allow ip from any to any via lo0
>   00200 deny ip from any to 127.0.0.0/8
>   30000 allow tcp from any to any established
>   65535 deny ip from any to any
>
> However, the opposite appears to be true:
> ipfw show:
>   00100     0      0 allow ip from any to any via lo0
>   00200     0      0 deny ip from any to 127.0.0.0/8
>   30000   212  15669 allow tcp from any to any established
>   65535     0      0 deny ip from any to any
>
> Connections can be set up without a problem!
> I'm using FreeBSD 4.1 Release with the security patches of January applied.
> Verified this on my workstation (above example) after observing incoming
> connections on my firewallbox (same version and patches).
>
> As a workaround I moved a deny incoming rule before the allow established
> rule, but according to the examples in the tutorial and handbook this should
> not be necessary.
>
> Is this a security vulnerability or do I understand things wrong?

Were these packets from connections set up before the firewall rule was
in place? If so, they are already established.
Nate

From owner-freebsd-security Wed Feb 14 13:12:57 2001
Date: Wed, 14 Feb 2001 22:13:02 +0100
From: Stefan
To: nate@yogotech.com (Nate Williams)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Abnormal behaviour of "established" rule with ipfw?

At 14:00 14-2-01 -0700, Nate Williams wrote:
> Were these packets from connections setup before the firewall rule was
> in place? If so, they are already established.

No, as far as I can see really setup packets can pass through. My firewall
was accepting incoming telnet when there was a "deny all from any to any in
via xl0 setup" line after the "allow established from any to any" line.
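The rule semantics Stefan expected, as an added example rather than code from either post: a small model of ipfw first-match evaluation using the ipfw(8) definitions of "established" (ACK or RST set) and "setup" (SYN set, ACK clear), run over his rule set and over his workaround rule. Only the keywords used in the thread are modelled, and the packet addresses are constructed.

```python
"""Model of ipfw first-match evaluation for the rule sets in this thread.

Added example, not code from the original posts.  Only the keywords that
appear in the thread are modelled: 'via <iface>', 'in', a destination
network, 'established' (TCP with ACK or RST set) and 'setup' (SYN set and
ACK clear), with the semantics documented in ipfw(8).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", ...
    src: str
    dst: str
    iface: str                      # interface the packet traverses
    direction: str                  # "in" or "out"
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}


@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny"
    proto: str                        # "ip" matches any protocol
    dst_net: Optional[str] = None     # None means "any"
    via: Optional[str] = None         # interface name, or None
    direction: Optional[str] = None   # "in", "out" or None (either)
    established: bool = False         # ipfw 'established': ACK or RST set
    setup: bool = False               # ipfw 'setup': SYN set, ACK clear

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_net is not None and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.via is not None and self.via != pkt.iface:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        if self.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        return True


def evaluate(rules, pkt):
    """Return (action, rule_number) of the first matching rule, as ipfw does."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    raise RuntimeError("no default rule")  # rule 65535 always matches in practice


# Stefan's rule set as posted (65535 is the kernel's default rule).
ORIGINAL = [
    Rule(100, "allow", "ip", via="lo0"),
    Rule(200, "deny", "ip", dst_net="127.0.0.0/8"),
    Rule(30000, "allow", "tcp", established=True),
    Rule(65535, "deny", "ip"),
]

# His workaround: an explicit deny of inbound connection attempts on xl0,
# placed before the 'established' rule.
WORKAROUND = [Rule(25000, "deny", "tcp", via="xl0", direction="in", setup=True)] + ORIGINAL

# Constructed packets: a fresh inbound telnet connection attempt, a segment of
# a connection that was already open (ACK set), as in Nate's question, and
# loopback traffic.
NEW_SYN = Packet("tcp", "203.0.113.5", "198.51.100.7", "xl0", "in", frozenset({"SYN"}))
EXISTING_ACK = Packet("tcp", "203.0.113.5", "198.51.100.7", "xl0", "in", frozenset({"ACK"}))
LOOPBACK = Packet("tcp", "127.0.0.1", "127.0.0.1", "lo0", "out", frozenset({"SYN"}))

if __name__ == "__main__":
    for name, pkt in (("new SYN", NEW_SYN), ("existing ACK", EXISTING_ACK), ("loopback", LOOPBACK)):
        print(f"{name:13} original: {evaluate(ORIGINAL, pkt)}  workaround: {evaluate(WORKAROUND, pkt)}")
```

Under these semantics a fresh SYN falls through to rule 65535 with or without the workaround, while a segment of an already-open connection passes at rule 30000, which is the distinction Nate's question draws.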
Stefan

From owner-freebsd-security Wed Feb 14 13:27:55 2001
Date: Wed, 14 Feb 2001 22:27:45 +0100
From: Ragnar Beer
To: freebsd-security@freebsd.org
Subject: Re: security settings documentation

Very good idea! It's the default setting in OpenBSD.

Ragnar

> Also, for the "High" security setting, shouldn't this be in there:
>
>     variable_set2("sendmail_flags", "-q30m", 1);
>
> That way sendmail doesn't open port 25.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/

From owner-freebsd-security Wed Feb 14 13:28:12 2001
Date: Wed, 14 Feb 2001 13:28:20 -0800 (PST)
From: Thomas Cannon
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cithaeron security check output (fwd)

> Some other people have reported their named 8.2.3-REL crashing. We
> don't at this time believe it to be an exploitable bug, but hope to
> learn more when someone can provide us with a core and/or traceback.

FWIW, I've got a 4.0-R machine running 8.2.3 compiled from source from
ISC that likes to fall over with a sig 6 leaving this in the logs:

  messages.5.gz:Feb 13 15:54:02 spoon named[96]: ns_main.c:537: INSIST(errno == EINTR): Invalid argument failed.
  messages.5.gz:Feb 13 15:54:02 spoon named[96]: ns_main.c:537: INSIST(errno == EINTR): Invalid argument failed.

I know this isn't a freebsd sanctioned setup, but I figure the input
wouldn't hurt.
-tcannon

From owner-freebsd-security Wed Feb 14 13:28:17 2001
From: Ragnar Beer
To: freebsd-security@freebsd.org
Date: Wed, 14 Feb 2001 22:27:54 +0100
Subject: Re: security settings documentation
In-Reply-To: <20010214122432.A76375@core.atomicbluebear.org>
References: <20010214092909.B72301@mollari.cthul.hu> <20010214122432.A76375@core.atomicbluebear.org>

Thanks a lot!

Ragnar

>*** PGP Signature Status: not verified (signing key missing)
>*** Signer: 0x8A90644C
>*** Signed: N/A at N/A
>*** Verified: 14.02.2001 at 21:53 Uhr
>
>On Wed, 14 Feb 2001, Kris Kennaway wrote:
>
>> Then write up some documentation for us and send it to doc@freebsd.org
>
>Somewhat terse, but here's a little "feature" matrix:
>
>               Fascist        High           Moderate       Low
>inetd          NO             NO             YES            YES
>sendmail       NO             YES            YES            YES
>sshd           NO             YES            YES            YES
>portmap        NO             NO             *              YES
>nfs_server     NO             NO             **             ***
>securelevel    YES (2)        YES (1)        NO             NO
>
>Any other configuration settings are, as near as I can tell, left unchanged.
>For details on securelevel, see the init(8) man page.
>
>NOTES:
>*   Portmap is enabled if the machine has been configured as either an NFS
>    client or an NFS server earlier in the installation process.
>**  If the machine has been configured as an NFS server, NFS will only run
>    on a reserved port.
>*** No changes are made to the NFS configuration.
>
>- Mike
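The matrix above boils down to a handful of rc.conf knobs, and the running argument in this thread is that the "High" profile should keep sendmail enabled but not hand it -bd. The script below is an added example written for this page; it is neither code from the thread nor sysinstall's own code. It audits an rc.conf against the matrix and flags the -bd case. Assumptions: the matrix rows correspond to the FreeBSD 4.x rc.conf knobs inetd_enable, sendmail_enable, sshd_enable, portmap_enable, nfs_server_enable, kern_securelevel_enable and kern_securelevel; the sample rc.conf is constructed for the demonstration; and the -bd rule is the proposal made in this thread, not shipped sysinstall behaviour.

```shell
#!/bin/sh
# Added example, not code from the thread or from sysinstall: audit an
# rc.conf against the security-profile matrix posted above.  Assumed
# mapping of matrix rows to FreeBSD 4.x rc.conf knobs: inetd_enable,
# sendmail_enable, sshd_enable, portmap_enable, nfs_server_enable and
# kern_securelevel_enable/kern_securelevel.  The -bd check at the end is
# the proposal made in this thread (High profile: sendmail enabled but
# not listening), not shipped sysinstall behaviour.

# expected_value PROFILE KNOB: prints the value the profile sets, "check"
# for rows marked *, **, *** (they depend on the NFS choices made earlier
# in the install), or nothing if the profile leaves the knob alone.
expected_value() {
    case "$1:$2" in
        fascist:inetd_enable|fascist:sendmail_enable|fascist:sshd_enable) echo NO ;;
        fascist:portmap_enable|fascist:nfs_server_enable)              echo NO ;;
        fascist:kern_securelevel_enable)                               echo YES ;;
        fascist:kern_securelevel)                                      echo 2 ;;
        high:inetd_enable|high:portmap_enable|high:nfs_server_enable)  echo NO ;;
        high:sendmail_enable|high:sshd_enable)                         echo YES ;;
        high:kern_securelevel_enable)                                  echo YES ;;
        high:kern_securelevel)                                         echo 1 ;;
        moderate:inetd_enable|moderate:sendmail_enable|moderate:sshd_enable) echo YES ;;
        moderate:portmap_enable|moderate:nfs_server_enable)            echo check ;;
        moderate:kern_securelevel_enable)                              echo NO ;;
        low:inetd_enable|low:sendmail_enable|low:sshd_enable|low:portmap_enable) echo YES ;;
        low:nfs_server_enable)                                         echo check ;;
        low:kern_securelevel_enable)                                   echo NO ;;
    esac
}

# rc_value FILE KNOB: value of the last assignment to KNOB, quotes and
# trailing comment removed (last one wins, as when sh sources rc.conf).
rc_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        index($0, k "=") == 1 {
            v = substr($0, length(k) + 2)      # text after "knob="
            sub(/[[:space:]]*#.*$/, "", v)     # drop a trailing comment
            gsub(/^"|"$/, "", v)               # drop surrounding quotes
            last = v
        }
        END { print last }' "$1"
}

# audit_rcconf PROFILE FILE: one line per finding on stdout; the exit
# status is the number of hard mismatches.  An unset knob is reported as
# such because /etc/defaults/rc.conf would then supply the value.
audit_rcconf() {
    profile=$1; file=$2; bad=0
    for knob in inetd_enable sendmail_enable sshd_enable portmap_enable \
                nfs_server_enable kern_securelevel_enable kern_securelevel; do
        want=$(expected_value "$profile" "$knob")
        [ -z "$want" ] && continue
        have=$(rc_value "$file" "$knob")
        case "$want" in
            check)   echo "$knob: depends on NFS client/server choice (found '${have:-unset}')" ;;
            "$have") ;;
            *)       echo "$knob: profile $profile expects $want, rc.conf has '${have:-unset}'"
                     bad=$((bad + 1)) ;;
        esac
    done
    # Thread proposal: with High, sendmail stays enabled but -bd (listen on
    # TCP/25) is dropped, leaving only the periodic queue run.
    if [ "$profile" = high ] && [ "$(rc_value "$file" sendmail_enable)" = YES ]; then
        case " $(rc_value "$file" sendmail_flags) " in
            *" -bd "*) echo "sendmail_flags: -bd present, sendmail will listen on TCP/25 (thread proposes \"-q30m\")"
                       bad=$((bad + 1)) ;;
        esac
    fi
    return $bad
}

# Constructed sample rc.conf for the demonstration (not a real host's file).
sample_rcconf() {
    cat <<'EOF'
inetd_enable="NO"
sendmail_enable="YES"
sendmail_flags="-bd -q30m"   # -bd makes sendmail listen on port 25
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
EOF
}

tmp=$(mktemp)
sample_rcconf > "$tmp"
audit_rcconf high "$tmp" || echo "$? finding(s) against the High profile"
rm -f "$tmp"
```

Run it with sh against /etc/rc.conf on the host. A knob the file does not set is reported as unset rather than guessed, because the value then comes from /etc/defaults/rc.conf. Whatever the flags say, the final check belongs on the live box: after restarting sendmail, netstat -an should show nothing in LISTEN state on *.25.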
From owner-freebsd-security Wed Feb 14 13:32:00 2001
From: Mikhail Kruk
To: Ragnar Beer
Date: Wed, 14 Feb 2001 16:31:49 -0500 (EST)
Subject: Re: security settings documentation

I have
sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
and it seems that it has been default at least since 2.2.8, may be
before.

> Very good idea! It's the default setting in OpenBSD.
>
> Ragnar
>
> >Also, for the "High" security setting, shouldn't this be in there:
> >
> >     variable_set2("sendmail_flags", "-q30m", 1);
> >
> >That way sendmail doesn't open port 25.
> >
> >Robert Simmons
> >Systems Administrator
> >http://www.wlcg.com/

From owner-freebsd-security Wed Feb 14 13:33:50 2001
From: Mikhail Kruk
Date: Wed, 14 Feb 2001 16:33:40 -0500 (EST)
Subject: Re: security settings documentation

nevermind, misread your post sorry :/

> I have
> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
> and it seems that it has been default at least since 2.2.8, may be
> before.
>
> > Very good idea! It's the default setting in OpenBSD.
> >
> > Ragnar

From owner-freebsd-security Wed Feb 14 13:45:10 2001
From: Rob Simmons
To: Mikhail Kruk
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Date: Wed, 14 Feb 2001 16:43:58 -0500 (EST)
Subject: Re: security settings documentation

I would disagree with -bd being mandatory.  Sure it is needed if the
server is a mailserver or needs to receive mail for some reason.  I agree
that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
"High" security profile should have only -q30m.  In fact I think the
Fascist level should have this setting instead of disabling sendmail
altogether.

If you disable sendmail altogether, doesn't that keep the daily/weekly
root mails from being sent?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Mikhail Kruk wrote:

> I have
> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
> and it seems that it has been default at least since 2.2.8, may be
> before.
>
> > Very good idea! It's the default setting in OpenBSD.
> >
> > Ragnar
> >
> > >Also, for the "High" security setting, shouldn't this be in there:
> > >
> > >     variable_set2("sendmail_flags", "-q30m", 1);
> > >
> > >That way sendmail doesn't open port 25.
> > >
> > >Robert Simmons
> > >Systems Administrator
> > >http://www.wlcg.com/

From owner-freebsd-security Wed Feb 14 13:48:05 2001
From: Jason DiCioccio
To: 'Rob Simmons', Mikhail Kruk
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Date: Wed, 14 Feb 2001 13:47:42 -0800
Subject: RE: security settings documentation
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D640@goofy.epylon.lan>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not as far as I can remember.. I've used boxes with no mailserver and
still gotten the security outputs etc. I think it just uses
mail.local directly.

Cheers,
- -JD-

- -------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761          Direct & Fax
415-593-2900          Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft

- -----Original Message-----
From: Rob Simmons [mailto:rsimmons@wlcg.com]
Sent: Wednesday, February 14, 2001 1:44 PM
To: Mikhail Kruk
Cc: Ragnar Beer; freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation

I would disagree with -bd being mandatory.  Sure it is needed if the
server is a mailserver or needs to receive mail for some reason.  I
agree that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think
the "High" security profile should have only -q30m.  In fact I think the
Fascist level should have this setting instead of disabling sendmail
altogether.

If you disable sendmail altogether, doesn't that keep the daily/weekly
root mails from being sent?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Mikhail Kruk wrote:

> I have
> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
> and it seems that it has been default at least since 2.2.8, may be
> before.
>
> > Very good idea! It's the default setting in OpenBSD.
> >
> > Ragnar
> >
> > >Also, for the "High" security setting, shouldn't this be in
> > >there:
> > >
> > >     variable_set2("sendmail_flags", "-q30m", 1);
> > >
> > >That way sendmail doesn't open port 25.
> > >
> > >Robert Simmons
> > >Systems Administrator
> > >http://www.wlcg.com/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOor9YVCmU62pemyaEQI0/wCfVdXjFaYV1LsdxVjN/f1lFiv3FNYAoNdY
37kezwCPvsTqfh6V2B7jdAxv
=p9BS
-----END PGP SIGNATURE-----
From owner-freebsd-security Wed Feb 14 13:56:34 2001
From: David Wolfskill
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 14 Feb 2001 13:56:07 -0800 (PST)
Subject: Re: security settings documentation
Message-Id: <200102142156.f1ELu7P63294@pau-amma.whistle.com>

>Date: Wed, 14 Feb 2001 16:43:58 -0500 (EST)
>From: Rob Simmons

>I would disagree with -bd being mandatory.  Sure it is needed if the
>server is a mailserver or needs to receive mail for some reason.  I agree
>that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
>"High" security profile should have only -q30m.  In fact I think the
>Fascist level should have this setting instead of disabling sendmail
>altogether.

>If you disable sendmail altogether, doesn't that keep the daily/weekly
>root mails from being sent?

-bd says to start sendmail as a daemon, listening on TCP/25 (SMTP).

-q30m says to automatically "run the queue" (check the queue for
undelivered mail and try to deliver it) every 30 minutes.

It is not necessary to run a sendmail daemon at all in order to merely
send locally-generated mail, and it is only necessary to run the queue
if mail gets stuck there.  (An alternative to having the daemon run the
queue periodically is to fire up "sendmail -q" via cron.)

(My news server does not have anything listening on TCP/25, nor is
sendmail configured to run the queue; it sends the daily, weekly, &
monthly reports to me just fine.)

Cheers,
david
--
David Wolfskill		dhw@whistle.com		UNIX System Administrator
Desk: 650/577-7158	TIE: 8/499-7158		Cell: 650/759-0823

From owner-freebsd-security Wed Feb 14 14:11:21 2001
From: Trond Endrestøl
To: Rob Simmons
Cc: Mikhail Kruk, Ragnar Beer
Date: Wed, 14 Feb 2001 23:11:07 +0100 (CET)
Subject: Re: security settings documentation

On Wed, 14 Feb 2001, Rob Simmons wrote:

> If you disable sendmail altogether, doesn't that keep the daily/weekly
> root mails from being sent?

No. Take a look at /etc/crontab:

# do daily/weekly/monthly maintenance
59	1	*	*	*	root	periodic daily 2>&1 | sendmail root
30	3	*	*	6	root	periodic weekly 2>&1 | sendmail root
30	5	1	*	*	root	periodic monthly 2>&1 | sendmail root

As you can see, sendmail is run explicitly for the daily, weekly, and
monthly runs. The security output is normally part of the daily run
job.

--
----------------------------------------------------------------------
Trond Endrestøl                          | trond@ramstind.gtf.ol.no
Patron of The Art of Computer Programming| FreeBSD 3.5-S & Pine 4.31

From owner-freebsd-security Wed Feb 14 14:19:01 2001
From: steve@megahack.com
To: Stefan
Cc: freebsd-security@freebsd.org
Date: Wed, 14 Feb 2001 16:18:44 -0600 (CST)
Subject: Abnormal behaviour of "established" rule with ipfw?
Message-ID: <14987.1092.683632.479952@hercules.geoenergycorp.com>
In-Reply-To: <97157568@toto.iv>

>>>>> "Stefan" == Stefan writes:

Stefan> Abnormal behaviour of "established" rule with ipfw?

Stefan> Theoretically, I think, the following firewall rules for
Stefan> ipfw would never allow any tcp connection simply because a
Stefan> connection can not be setup:

If you cvsup'ed between Feb 1 and Feb 2, your ipfw is badly broken:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=5604+0+archive/2001/freebsd-security-notifications/20010211.freebsd-security-notifications

Steve

From owner-freebsd-security Wed Feb 14 14:19:26 2001
From: Rob Simmons
To: Trond Endrestøl
Cc: Mikhail Kruk, Ragnar Beer, freebsd-security@FreeBSD.ORG
Date: Wed, 14 Feb 2001 17:17:38 -0500 (EST)
Subject: Re: security settings documentation

Ok.  Then having sendmail disabled in Fascist profile would be ok.  But the
High profile should still have sendmail_flags="-q30m" as I said in my
earlier mail.
release/sysinstall/config.c
515a516
> variable_set2("sendmail_flags", "-q30m", 1);

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Trond Endrestøl wrote:

> On Wed, 14 Feb 2001, Rob Simmons wrote:
>
> > If you disable sendmail altogether, doesn't that keep the daily/weekly
> > root mails from being sent?
>
> No. Take a look at /etc/crontab:
>
> # do daily/weekly/monthly maintenance
> 59	1	*	*	*	root	periodic daily 2>&1 | sendmail root
> 30	3	*	*	6	root	periodic weekly 2>&1 | sendmail root
> 30	5	1	*	*	root	periodic monthly 2>&1 | sendmail root
>
> As you can see, sendmail is run explicitly for the daily, weekly, and
> monthly runs. The security output is normally part of the daily run
> job.
>
> --
> ----------------------------------------------------------------------
> Trond Endrestøl                          | trond@ramstind.gtf.ol.no
> Patron of The Art of Computer Programming| FreeBSD 3.5-S & Pine 4.31

From owner-freebsd-security Wed Feb 14 14:21:23 2001
From: "Dan Langille"
Organization: novice in training
To: Trond Endrestøl
Cc: Mikhail Kruk, Ragnar Beer
Date: Thu, 15 Feb 2001 11:20:36 +1300
Subject: Re: security settings documentation
Reply-To: dan@langille.org
Message-Id: <200102142220.f1EMKoo15140@ns1.unixathome.org>
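Review bot: the 515a516 hunk against release/sysinstall/config.c in Rob Simmons' message above carries no surrounding lines, so it does not show which profile branch the added variable_set2("sendmail_flags", "-q30m", 1) call lands in; the matrix earlier in the thread has sendmail YES for High and NO for Fascist, and the accompanying text says the setting is meant for High only, so the change should be resent as a context or unified diff (diff -u) with the enclosing profile code visible. Dropping -bd is the stated intent (no SMTP listener on TCP/25 while the queue still runs every 30 minutes), but since the thread notes that /etc/defaults/rc.conf carries "-bd -q30m", the profile should also write a comment beside the overridden sendmail_flags line in rc.conf, or the doc@ write-up should say so, so that an admin who later turns the box into a mail server knows why port 25 is closed.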
On 14 Feb 2001, at 23:11, Trond Endrestøl wrote:

> On Wed, 14 Feb 2001, Rob Simmons wrote:
>
> > If you disable sendmail altogether, doesn't that keep the daily/weekly
> > root mails from being sent?
>
> No. Take a look at /etc/crontab:
>
> # do daily/weekly/monthly maintenance
> 59 1 * * * root periodic daily 2>&1 | sendmail root
> 30 3 * * 6 root periodic weekly 2>&1 | sendmail root
> 30 5 1 * * root periodic monthly 2>&1 | sendmail root
>
> As you can see, sendmail is run explicitly for the daily, weekly, and
> monthly runs. The security output is normally part of the daily run
> job.

That's not the latest /etc/crontab:

# do daily/weekly/monthly maintenance
1	3	*	*	*	root	periodic daily
15	4	*	*	6	root	periodic weekly
30	5	1	*	*	root	periodic monthly

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work?  I'm looking for some.

From owner-freebsd-security Wed Feb 14 14:41:55 2001
From: Ragnar Beer
To: Rob Simmons
Date: Wed, 14 Feb 2001 23:41:41 +0100
Subject: Re: security settings documentation

I'd also disagree.
Taking sendmail's security record and difficult configuration into
account I'd say that running sendmail in daemon mode out of the box is
"moderate" security at most and only "-q30m" or "NO" go with higher
security levels.

But that actually doesn't touch the issue whether sendmail is mandatory
or not. I'd say ssh is absolutely mandatory but it's ok that the daemon
doesn't get started when "extreme" security was chosen.

I wonder if there could be something intermediate, e.g. with a well
configured postfix daemon. According to what I _heard_ about it it's
very secure.

Ragnar

>I would disagree with -bd being mandatory.  Sure it is needed if the
>server is a mailserver or needs to receive mail for some reason.  I agree
>that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
>"High" security profile should have only -q30m.  In fact I think the
>Fascist level should have this setting instead of disabling sendmail
>altogether.
>
>If you disable sendmail altogether, doesn't that keep the daily/weekly
>root mails from being sent?
>
>Robert Simmons
>Systems Administrator
>http://www.wlcg.com/
>
>On Wed, 14 Feb 2001, Mikhail Kruk wrote:
>
>> I have
>> sendmail_flags="-bd -q30m" # -bd is pretty mandatory.
>> and it seems that it has been default at least since 2.2.8, may be
>> before.
>>
>> > Very good idea! It's the default setting in OpenBSD.
>> >
>> > Ragnar
>> >
>> > >Also, for the "High" security setting, shouldn't this be in there:
>> > >
>> > >     variable_set2("sendmail_flags", "-q30m", 1);
>> > >
>> > >That way sendmail doesn't open port 25.
>> > >
>> > >Robert Simmons
>> > >Systems Administrator
>> > >http://www.wlcg.com/

From owner-freebsd-security Wed Feb 14 15:41:26 2001
From: Mark Hartley
To: freebsd-security@freebsd.org
Date: Wed, 14 Feb 2001 15:43:43 -0800
Subject: Syslogd stops working
Message-ID: <20010214154342.A48740@router.drapple.com>

I have several different FreeBSD servers which I've upgraded recently
through cvsup and rebuilding world due to the bind, ipfw, and ssh holes.

However, I have one machine which I cvsupped and rebuilt on Jan 29th
which has stopped logging to syslog.  I've checked my syslog.conf file
and everything seems fine.  I had just been noticing a lack of people
"banging" on my firewall.  I got to looking, and syslog has not been
functioning since that point.  This is a very serious issue for me
as I've potentially missed several important syslog notices.  I checked,
and syslogd is in fact running.

Any ideas why this is happening and what I can do to remedy it?

Mark.
From owner-freebsd-security Wed Feb 14 15:44:38 2001
From: Brian Reichert
To: Mark Hartley
Cc: freebsd-security@freebsd.org
Subject: Re: Syslogd stops working
Date: Wed, 14 Feb 2001 18:44:28 -0500
Message-ID: <20010214184428.U91352@numachi.com>
In-Reply-To: <20010214154342.A48740@router.drapple.com>

On Wed, Feb 14, 2001 at 03:43:43PM -0800, Mark Hartley wrote:
> I have several different FreeBSD servers which I've upgraded recently
> through cvsup and rebuilding world due to the bind, ipfw, and ssh holes.
>
> However, I have one machine which I cvsupped and rebuilt on Jan 29th
> which has stopped logging to syslog. I've checked my syslog.conf file
> and everything seems fine. I had just been noticing a lack of people
> "banging" on my firewall. I got to looking, and syslog has not been
> functioning since that point. This is a very serious issue for me
> as I've potentially missed several important syslog notices. I checked,
> and syslogd is in fact running.
>
> Any ideas why this is happening and what I can do to remedy it?

I've had issues with syslog logging to a serial console. Is that what you are doing?

> Mark.

--
Brian 'you Bastard' Reichert          37 Crystal Ave. #303
Daytime number: (603) 434-6842        Derry NH 03038-1713 USA
Intel architecture: the left-hand path

From owner-freebsd-security Wed Feb 14 15:54:38 2001
From: Thomas Cannon
To: Mark Hartley
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Syslogd stops working
Date: Wed, 14 Feb 2001 15:54:18 -0800 (PST)
In-Reply-To: <20010214154342.A48740@router.drapple.com>

Are you 100% positively certain that there are no spaces in your syslogd.conf file, and that everything in there is tab delimited?

-tcannon

> However, I have one machine which I cvsupped and rebuilt on Jan 29th
> which has stopped logging to syslog. I've checked my syslog.conf file
> and everything seems fine. I had just been noticing a lack of people
> "banging" on my firewall. I got to looking, and syslog has not been
> functioning since that point. This is a very serious issue for me
> as I've potentially missed several important syslog notices. I checked,
> and syslogd is in fact running.
>
> Any ideas why this is happening and what I can do to remedy it?
>
> Mark.

From owner-freebsd-security Wed Feb 14 15:55:50 2001
From: Mark Hartley
To: freebsd-security@freebsd.org
Subject: Re: Syslogd stops working
Date: Wed, 14 Feb 2001 15:58:04 -0800
Message-ID: <20010214155804.B48740@router.drapple.com>
In-Reply-To: <20010214184428.U91352@numachi.com>

On Wed, Feb 14, 2001 at 06:44:28PM -0500, Brian Reichert wrote:
> On Wed, Feb 14, 2001 at 03:43:43PM -0800, Mark Hartley wrote:
> > I have several different FreeBSD servers which I've upgraded recently
> > through cvsup and rebuilding world due to the bind, ipfw, and ssh holes.
> >
> > However, I have one machine which I cvsupped and rebuilt on Jan 29th
> > which has stopped logging to syslog. I've checked my syslog.conf file
> > and everything seems fine. I had just been noticing a lack of people
> > "banging" on my firewall. I got to looking, and syslog has not been
> > functioning since that point. This is a very serious issue for me
> > as I've potentially missed several important syslog notices. I checked,
> > and syslogd is in fact running.
> >
> > Any ideas why this is happening and what I can do to remedy it?
>
> I've had issues with syslog logging to a serial console. Is that what you are
> doing?

No, I'm logging to a couple of files. Here is the relevant snippet from my /etc/syslog.conf file:

    !ftpd
    *.*             /var/log/ftpd.log
    !sshd
    *.*             /var/log/sshd.log
    !su
    *.*             /var/log/su.log
    !ipfw
    *.*             /var/log/ipfw.log

I have it log all of those events to those log files, which do exist and which have not had their permissions modified since I created them (root:wheel) with mode 640.

By the way, I am tracking 4.2-STABLE. I've checked the -STABLE mailing list archives and I saw some work being done with syslog, but nothing like what I'm experiencing was mentioned.

Mark.

From owner-freebsd-security Wed Feb 14 19:05:57 2001
From: Kris Kennaway
To: Nate Williams
Cc: Kris Kennaway, Igor Roshchin, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:24.ssh
Date: Wed, 14 Feb 2001 19:05:53 -0800
Message-ID: <20010214190552.C78224@mollari.cthul.hu>
In-Reply-To: <14986.57825.251227.67134@nomad.yogotech.com>
On Wed, Feb 14, 2001 at 12:52:01PM -0700, Nate Williams wrote:
> I agree that 'support' is one thing, but at least mentioning which
> releases are affected by this bug would be good.
>
> Most of the other vendors list all of their 'affected' releases as being
> affected or not, and since most of the deployed FreeBSD systems are
> *NOT* running 4.2R, this is of great benefit to the users.
> Other information that would have been useful is a mention of whether
> the 'ssh1/ssh2' ports (www.ssh.org) in FreeBSD are vulnerable, etc...

I appreciate the feedback, but as far as I can tell all this information was actually present in the advisory:

    Affects:        FreeBSD 4.x, 4.2-STABLE prior to the correction date
                    Ports collection prior to the correction date.
    Corrected:      OpenSSH [FreeBSD 4.x base system]:
                      2000-12-05 (Vulnerability 1)
                      2001-02-11 (Vulnerability 2)
                    OpenSSH [ports]:
                      2001-02-09 (Vulnerability 1)
                      2001-02-11 (Vulnerability 2)
                    ssh [ports]:
                      2001-02-09 (Vulnerability 1)
                      2001-02-09 (Vulnerability 2)
    ...
    OpenSSH is installed if you chose to install the 'crypto' distribution
    at install-time or when compiling from source, and is installed and
    enabled by default as of FreeBSD 4.1.1-RELEASE. By default SSH1
    protocol support is enabled.
    ...
    An SSH1 client/server (ssh) from ssh.com is included in the ports
    collection. This software is not available free of charge for all
    uses, and the FreeBSD Security Officer does not recommend its use.
    ...
    If SSH1 protocol support has been disabled in OpenSSH, it is not
    vulnerable to these attacks. They do not affect implementations of the
    SSH2 protocol, such as OpenSSH run in SSH2-only mode.

    Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions of
    the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.

Kris

From owner-freebsd-security Wed Feb 14 20:16:12 2001
From: Igor Roshchin
To: freebsd@drapple.com, root@noops.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Syslogd stops working
Date: Wed, 14 Feb 2001 23:16:03 -0500 (EST)
Message-Id: <200102150416.XAA86821@giganda.komkon.org>

That's irrelevant. Although it used to be an issue, since early stages of 4.x and 3.x syslog.conf in FreeBSD can work with spaces as well. (A comment in /etc/syslog.conf is not quite correct. It's a leftover that was inserted in there while the fix for syslogd was in progress.) Read the man page syslog.conf(5) for the correct information.

Igor

> Date: Wed, 14 Feb 2001 15:54:18 -0800 (PST)
> From: Thomas Cannon
> To: Mark Hartley
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Syslogd stops working
>
> Are you 100% positively certain that there are no spaces in your
> syslogd.conf file, and that everything in there is tab delimited?
>
> -tcannon
>
> > However, I have one machine which I cvsupped and rebuilt on Jan 29th
> > which has stopped logging to syslog. I've checked my syslog.conf file
> > and everything seems fine. I had just been noticing a lack of people
> > "banging" on my firewall. I got to looking, and syslog has not been
> > functioning since that point. This is a very serious issue for me
> > as I've potentially missed several important syslog notices. I checked,
> > and syslogd is in fact running.
> >
> > Any ideas why this is happening and what I can do to remedy it?
> >
> > Mark.

From owner-freebsd-security Wed Feb 14 20:52:29 2001
From: "Shoichi 'Ne' Sakane"
To: samwun@yahoo.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log message for ipsec/vpn connection?
Date: Thu, 15 Feb 2001 13:54:47 +0900
Message-Id: <20010215135447C.sakane@ydc.co.jp>
In-Reply-To: <3A89F75A.21FFEFA5@yahoo.com>

> I would like to write a script utility to monitor the ipsec connection, just like
> watching the msg generated by ipmon in the syslog. How this can be done?

Could you explain to me what the ipsec connection is in detail?

If you use the key exchange daemon, racoon(8), you can find logs in the log file of racoon. If you use static keying, setkey(8), you can see the messages between the kernel and setkey by using setkey with the -x option.

    # setkey -x

From owner-freebsd-security Wed Feb 14 22:27:31 2001
From: Jordan Hubbard
To: Michael Lea
Cc: Kris Kennaway, Rob Simmons, Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
Date: Wed, 14 Feb 2001 22:26:59 -0800
Message-ID: <90504.982218419@winston.osd.bsdi.com>
In-Reply-To: <20010214122432.A76375@core.atomicbluebear.org>

This looks like a really good start for at least a one-pager inside of sysinstall which comes up when the user hits F1 at the appropriate menu. I'll see what I can turn it into.
- Jordan

> On Wed, 14 Feb 2001, Kris Kennaway wrote:
>
> > Then write up some documentation for us and send it to doc@freebsd.org
>
> Somewhat terse, but here's a little "feature" matrix:
>
>               Fascist   High      Moderate  Low
> inetd         NO        NO        YES       YES
> sendmail      NO        YES       YES       YES
> sshd          NO        YES       YES       YES
> portmap       NO        NO        *         YES
> nfs_server    NO        NO        **        ***
> securelevel   YES (2)   YES (1)   NO        NO
>
> Any other configuration settings are, as near as I can tell, left unchanged.
> For details on securelevel, see the init(8) man page.
>
> NOTES:
> *   Portmap is enabled if the machine has been configured as either an NFS
>     client or an NFS server earlier in the installation process.
> **  If the machine has been configured as an NFS server, NFS will only run
>     on a reserved port.
> *** No changes are made to the NFS configuration.
>
> - Mike

From owner-freebsd-security Wed Feb 14 22:59:56 2001
From: "Crist J. Clark"
To: Mark Hartley
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Syslogd stops working
Date: Wed, 14 Feb 2001 22:59:45 -0800
Message-ID: <20010214225944.R62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <20010214154342.A48740@router.drapple.com>

On Wed, Feb 14, 2001 at 03:43:43PM -0800, Mark Hartley wrote:
> I have several different FreeBSD servers which I've upgraded recently
> through cvsup and rebuilding world due to the bind, ipfw, and ssh holes.
>
> However, I have one machine which I cvsupped and rebuilt on Jan 29th
> which has stopped logging to syslog. I've checked my syslog.conf file
> and everything seems fine. I had just been noticing a lack of people
> "banging" on my firewall. I got to looking, and syslog has not been
> functioning since that point. This is a very serious issue for me
> as I've potentially missed several important syslog notices. I checked,
> and syslogd is in fact running.
>
> Any ideas why this is happening and what I can do to remedy it?

Run it in debug mode, -d, and if you can't figure it out from there, post the output to the list (this actually may be more of a -questions issue if it turns out to be a configuration problem). Preferably, use logger(1) to send some messages to get logged if none pop up on their own while it is running.

--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Wed Feb 14 23:21:52 2001
From: "Crist J. Clark"
To: Michael Lea
Cc: Kris Kennaway, Rob Simmons, Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
Date: Wed, 14 Feb 2001 23:21:28 -0800
Message-ID: <20010214232128.S62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <20010214122432.A76375@core.atomicbluebear.org>

On Wed, Feb 14, 2001 at 12:24:33PM -0600, Michael Lea wrote:
> On Wed, 14 Feb 2001, Kris Kennaway wrote:
>
> > Then write up some documentation for us and send it to doc@freebsd.org
>
> Somewhat terse, but here's a little "feature" matrix:
>
>               Fascist   High      Moderate  Low
> inetd         NO        NO        YES       YES
> sendmail      NO        YES       YES       YES
> sshd          NO        YES       YES       YES
> portmap       NO        NO        *         YES
> nfs_server    NO        NO        **        ***
> securelevel   YES (2)   YES (1)   NO        NO
  ^^^^^^^^^^^   ^^^       ^^^

Noooooooooooooooo! Setting securelevel is silly.
We're just going to get a _lot_ of people wondering why they can't install a new kernel, load kernel modules, set ipfw rules, sending messages to -questions, etc. But their boxes really aren't that much more secure. Without setting quite a few files schg, it does not really add much security. Effectively implementing securelevel(8) is non-trivial. Anyone who can do it is more than capable of figuring out how to turn it on.

As for the other stuff, kewl.

--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Thu Feb 15 00:31:23 2001
From: Sheldon Hearn
To: "Sean Roth"
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd permissions question
Date: Thu, 15 Feb 2001 10:30:08 +0200
Message-ID: <11572.982225808@axl.fw.uunet.co.za>

On Wed, 14 Feb 2001 15:06:33 EST, "Sean Roth" wrote:

> I have a system configured with a user account (johndoe for the sake of
> conversation) who is in the operator group.

This is not a good idea, as group operator is allowed to do things like shut the system down. Accounts used to access the system via insecure protocols should not be given high privileges. Use guest or a unique group name.

The rest of your questions are better asked of the freebsd-questions mailing list.

Good luck!

Ciao,
Sheldon.

From owner-freebsd-security Thu Feb 15 01:13:20 2001
From: "The Pea!"
To: freebsd-security@freebsd.org
Date: Thu, 15 Feb 2001 09:13:17 -0000
From owner-freebsd-security Thu Feb 15 02:19:55 2001
From: Ragnar Beer
To: freebsd-security@freebsd.org
Subject: More security settings documentation
Date: Thu, 15 Feb 2001 11:19:44 +0100

Howdy again!

Another thought: wouldn't it be nice to extend the idea of the choice of security levels? E.g. I think I'd like to be asked whether I want log-file rotation disabled and the sappnd flag set for logfiles.

Why don't we collect a list of what could/should be done to protect 4.2, then collect information about the whys and how-tos, which would also be quite a good educational thing, and maybe finally turn it into a shell script that asks a couple of questions and then does a couple of actions based on the answers? Or maybe extend the install script. Or is there already something like that?

Ragnar

From owner-freebsd-security Thu Feb 15 03:07:46 2001
From: Gregory Sutter
To: Wes Peters
Cc: Len Conrad, freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Thu, 15 Feb 2001 03:07:42 -0800
Message-ID: <20010215030742.P656@klapaucius.zer0.org>
In-Reply-To: <3A897683.FCB8E651@softweyr.com>

On 2001-02-13 11:01 -0700, Wes Peters wrote:
>
> As for my comments about the documentation:
>
> bash-2.04# pwd
> /usr/local/share/doc/postfix
> bash-2.04# !gr
> grep -i mail_spool_directory *
> bash-2.04#
>
> Yeah, I'll count that as "opaque".

    apropos postfix
    man 8 local

We'll convert you yet.

Greg
--
Gregory S. Sutter                     "I think not," said Descartes...
mailto:gsutter@zer0.org                 and promptly disappeared.
http://www.zer0.org/~gsutter/
hkp://wwwkeys.pgp.net/0x845DFEDD

From owner-freebsd-security Thu Feb 15 03:30:29 2001
From: Jan Conrad
Cc: Ralph Schreyer
Subject: Why does openssh protocol default to 2?
Date: Thu, 15 Feb 2001 12:30:20 +0100 (CET)

Hello,

for quite a long time now I cannot understand why people encourage others to use ssh2 by default, and I wanted to ask the readers of this list for their opinion.

Even though I believe people saying that ssh2 is much more secure for root accounts and servers etc., I don't see why this should be true in general.

Especially on bigger, say university networks as ours, where you often find BNC segments or the switches are more or less accessible to everyone (who really wants to...), in my opinion ssh2 is much more insecure than ssh1.

My problem simply is that the id_dsa file is stored in user home dirs, which typically are mounted via NFS. So ssh2, in contrast to ssh1 with RSAAuthentication disabled, allows sniffers to access your system even without *actively* attacking your system, all you need is the id_dsa file....

Even if that file is protected by a passphrase, you don't gain much...

In conclusion, I would like to have the ssh protocol defaulted to 1 with RSAAuthentication disabled; of course, people who install servers and security specific stuff should know not to use that for their uses, but most other people simply install the default.

best regards
Jan

--
Physikalisches Institut der Universitaet Bonn
Nussallee 12
D-53115 Bonn
GERMANY

From owner-freebsd-security Thu Feb 15 03:32:00 2001
From: Adam Laurie
To: Joseph Stein
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw rules
Date: Thu, 15 Feb 2001 11:30:12 +0000
Message-ID: <3A8BBDC4.D9CE6E4D@algroup.co.uk>

Joseph Stein wrote:
>
> I'm looking for some peer-review to a firewall ruleset I've written based
> on the O'Reilly book "Building Internet Firewalls" and the "default"
> rc.firewall script
>
> Here it is. I would gladly accept any comments; this is merely what
> "works" on my system; if it breaks some paradigm, I'd like to hear about
> why (please mail me privately, and I'll summarize if there is enough
> interest).
>
> I do have one specific question....
>
> The last 20 or so lines are there specifically to allow ICQ to work
> properly (I couldn't get ICQ to work successfully without them). Any
> ideas on how to eliminate some of that mess?
>
> Any other ideas?

don't have time to read this thoroughly, but here's an old favourite...

>
> # Allow access to DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
> ${fwcmd} add pass udp from any 53 to ${oip}
                                 ^^^^^^

by setting my source port to 53, I can connect from anywhere to any udp service on your ${oip}, e.g. NFS, syslog, whatever. this would be bad - you should never filter based on source port.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Thu Feb 15 03:34:14 2001
From: Kris Kennaway
To: Jan Conrad
Cc: freebsd-security@freebsd.org, Ralph Schreyer
Subject: Re: Why does openssh protocol default to 2?
Date: Thu, 15 Feb 2001 03:34:10 -0800
Message-ID: <20010215033410.A86524@mollari.cthul.hu>
In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 12:30:20PM +0100

On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> Hello,
>
> for quite a long time now I cannot understand why people encourage others
> for using ssh2 by default and I wanted to ask the readers of this list for
> their opinion.

SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of.

> Even though I believe people saying that ssh2 is much more secure for root
> accounts and servers etc. I don't see why this should be true in general.
>
> Especially on bigger, say university networks as ours, where you often
> find BNC segments or the switches are more or less accessible to everyone
> (who really wants to...) in my opinion ssh2 is much more insecure than ssh1.
>
> My problem simply is that the id_dsa file is stored in user home dirs,
> which typically are mounted via NFS. So ssh2, in contrast to ssh1 with
> RSAAuthentication disabled, allows sniffers to access your system even
> without *actively* attacking your system, all you need is the id_dsa
> file....
>
> Even if that file is protected by a passphrase, you don't gain much...

I don't understand your complaint. If you don't want to use SSH2 with
RSA/DSA keys, don't do that.
Use the UNIX password or some other PAM authentication module (OPIE, etc)

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6i76yWry0BWjoQKURAv5JAKC0kj0vrQlqcZxyip7DpbCrnvsFFwCeKqJZ
woGtt4htbjFc0igIyCRABKw=
=5/tV
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Feb 15 03:54:24 2001
Date: 15 Feb 2001 12:54:11 +0100
From: Dag-Erling Smorgrav
To: "Thomas T. Veldhouse"
Cc: "lifo" ,
Subject: Re: ipfilter 3.4.16 + freebsd 4.2 crash !
References: <015301c095da$790f0310$1405a8c0@goliath> <002101c095e5$29dbbd50$3028680a@tgt.com>
In-Reply-To: "Thomas T. Veldhouse"'s message of "Tue, 13 Feb 2001 11:48:24 -0600"

"Thomas T. Veldhouse" writes:
> Uhm -- FreeBSD 4.2-STABLE has IPFilter 3.4.8, not 3.4.16? Is this a custom
> hack that you have done yourself?

No. Darren Reed, the author of IPFilter, maintains FreeBSD's version
of IPFilter himself.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Feb 15 04:19:01 2001
Date: Thu, 15 Feb 2001 13:18:45 +0100 (CET)
From: Jan Conrad
To: Kris Kennaway
Cc: , Ralph Schreyer
Subject: Re: Why does openssh protocol default to 2?
In-Reply-To: <20010215033410.A86524@mollari.cthul.hu>

On Thu, 15 Feb 2001, Kris Kennaway wrote:
> On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> > Hello,
> >
> > for quite a long time now I cannot understand why people encourage others
> > for using ssh2 by default and I wanted to ask the readers of this list for
> > their opinion.
>
> SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of.

I knew that statement... Could you give me a good reference for a
detailed discussion on that?

>
> > Even though I believe people saying that ssh2 is much more secure for root
> > accounts and servers etc. I don't see why this should be true in general.
> >
> > Especially on bigger, say university networks as ours, where you often
> > find BNC segments or the switches are more or less accessible to everyone
> > (who really wants to...)
> > in my opinion ssh2 is much more insecure than ssh1.
> >
> > My problem simply is that the id_dsa file is stored in user home dirs,
> > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with
> > RSAAuthentication disabled, allows sniffers to access your system even
> > without *actively* attacking your system, all you need is the id_dsa
> > file....
> >
> > Even if that file is protected by a passphrase, you don't gain much...
>
> I don't understand your complaint. If you don't want to use SSH2 with
> RSA/DSA keys, don't do that. Use the UNIX password or some other PAM
> authentication module (OPIE, etc)

Sorry - I did not want to complain... (really :-)

What would you suggest for NFS mounted home dirs as a reasonable solution?
(To store keys I mean..)

>
> Kris
>

Jan

From owner-freebsd-security Thu Feb 15 04:28:26 2001
Date: Thu, 15 Feb 2001 14:26:24 +0200
From: Peter Pentchev
To: Dag-Erling Smorgrav
Cc: "Thomas T. Veldhouse" , lifo , freebsd-security@FreeBSD.ORG
Subject: Re: ipfilter 3.4.16 + freebsd 4.2 crash !
Message-ID: <20010215142624.F382@ringworld.oblivion.bg>
Mail-Followup-To: Dag-Erling Smorgrav , "Thomas T.
 Veldhouse" , lifo , freebsd-security@FreeBSD.ORG
References: <015301c095da$790f0310$1405a8c0@goliath> <002101c095e5$29dbbd50$3028680a@tgt.com>
In-Reply-To: ; from des@ofug.org on Thu, Feb 15, 2001 at 12:54:11PM +0100

On Thu, Feb 15, 2001 at 12:54:11PM +0100, Dag-Erling Smorgrav wrote:
> "Thomas T. Veldhouse" writes:
> > Uhm -- FreeBSD 4.2-STABLE has IPFilter 3.4.8, not 3.4.16? Is this a custom
> > hack that you have done yourself?
>
> No. Darren Reed, the author of IPFilter, maintains FreeBSD's version
> of IPFilter himself.

I'd think that the 'custom hack' question referred to the original
poster's using IPFilter 3.4.16 on -stable.

G'luck,
Peter

--
If wishes were fishes, the antecedent of this conditional would be true.

From owner-freebsd-security Thu Feb 15 06:24:27 2001
Message-Id:
 <200102151422.f1FEM1J70621@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Rob Simmons
Cc: Mikhail Kruk , Ragnar Beer , freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
In-reply-to: Your message of "Wed, 14 Feb 2001 16:43:58 EST."
Date: Thu, 15 Feb 2001 06:21:23 -0800

In message , Rob Simmons writes:
> I would disagree with -bd being mandatory. Sure it is needed if the
> server is a mailserver or needs to receive mail for some reason. I agree
> that it should be "-bd -q30m" in /etc/defaults/rc.conf, but I think the
> "High" security profile should have only -q30m. In fact I think the
> Fascist level should have this setting instead of disabling sendmail
> altogether.
>
> If you disable sendmail altogether, doesn't that keep the daily/weekly
> root mails from being sent?

Rather than have the sendmail daemon taking memory for 30 minutes doing
nothing, why not run it out of cron with -q.

Agreed, -bd is not mandatory. One could run Sendmail out of inetd using
-bs or hide it behind Obtuse Systems Smtpd (smtpd) port, which implements
a Qmail-like or postfix-like approach using Sendmail.
Regards,                          Phone: (250)387-8437
Cy Schubert                       Fax:   (250)387-5766
Team Leader, Sun/Alpha Team       Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Feb 15 09:38:02 2001
Date: Thu, 15 Feb 2001 09:37:51 -0800
From: Alfred Perlstein
To: Jan Conrad
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG, Ralph Schreyer
Subject: Re: Why does openssh protocol default to 2?
Message-ID: <20010215093751.E3274@fw.wintelcom.net>
References: <20010215033410.A86524@mollari.cthul.hu>
In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 01:18:45PM +0100

* Jan Conrad [010215 04:19] wrote:
> On Thu, 15 Feb 2001, Kris Kennaway wrote:
>
> > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> > > Hello,
> > >
> > > for quite a long time now I cannot understand why people encourage others
> > > for using ssh2 by default and I wanted to ask the readers of this list for
> > > their opinion.
> >
> > SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of.
>
> I knew that statement... Could you give me a good reference for a
> detailed discussion on that?
>
> >
> > > Even though I believe people saying that ssh2 is much more secure for root
> > > accounts and servers etc. I don't see why this should be true in general.
> > >
> > > Especially on bigger, say university networks as ours, where you often
> > > find BNC segments or the switches are more or less accessible to everyone
> > > (who really wants to...) in my opinion ssh2 is much more insecure than ssh1.
> > >
> > > My problem simply is that the id_dsa file is stored in user home dirs,
> > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with
> > > RSAAuthentication disabled, allows sniffers to access your system even
> > > without *actively* attacking your system, all you need is the id_dsa
> > > file....
> > >
> > > Even if that file is protected by a passphrase, you don't gain much...
> >
> > I don't understand your complaint. If you don't want to use SSH2 with
> > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM
> > authentication module (OPIE, etc)
>
> Sorry - I did not want to complain... (really :-)
>
> What would you suggest for NFS mounted home dirs as a reasonable solution?
> (To store keys I mean..)

Don't store the public key on an NFS shared disk, especially if it's not
encrypted. What you do is keep a copy of .ssh/authorized_keys2 only on
the NFS shares, you then fire up an agent remotely on a trusted machine
(your laptop) and hop from machine to machine, taking into account that
if you choose to forward authentication, root can hijack your
authentication on any box between your trusted host and the final
destination.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
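A check for the layout recommended above (only .ssh/authorized_keys2 on the NFS share, keys kept off it), as an added example that is not code from this thread: it walks a home tree, reports every OpenSSH private key file found under a user's .ssh, and says whether a PEM-format key carries the passphrase ("Proc-Type: 4,ENCRYPTED") header. The home tree and key files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not code from the thread: audit NFS-exported home directories
# for OpenSSH private keys.  Only public material (authorized_keys2) belongs on
# the share; any private key file found there is reported, together with
# whether it is passphrase-protected.  Names are the OpenSSH defaults (the
# era's identity/id_dsa/id_rsa plus the newer id_ecdsa/id_ed25519); the
# sample tree below is a constructed fixture with placeholder contents.

PRIVATE_KEY_NAMES="identity id_dsa id_rsa id_ecdsa id_ed25519"

# key_encryption_state FILE -> prints encrypted | cleartext | unknown
# PEM-format keys carry "Proc-Type: 4,ENCRYPTED" when passphrase-protected.
# The newer OPENSSH container keeps its cipher name inside the base64 body,
# so grep cannot tell; report unknown and let the operator probe it.
key_encryption_state() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        echo unknown
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo cleartext
    fi
}

# audit_ssh_dir DIR -> one line per private key found: "<path> <state> <mode>"
audit_ssh_dir() {
    for name in $PRIVATE_KEY_NAMES; do
        f="$1/$name"
        [ -f "$f" ] || continue
        state=$(key_encryption_state "$f")
        mode=$(ls -l "$f" | cut -c1-10)   # portable across BSD and GNU stat
        echo "$f $state $mode"
    done
}

# audit_home_tree ROOT -> audit every ROOT/<user>/.ssh
audit_home_tree() {
    for d in "$1"/*/.ssh; do
        if [ -d "$d" ]; then
            audit_ssh_dir "$d"
        fi
    done
}

# count_cleartext_keys ROOT -> number of private keys with no passphrase at all
count_cleartext_keys() {
    audit_home_tree "$1" | grep -c ' cleartext ' || true
}

# make_sample_home ROOT -> constructed fixture: three users, three layouts
make_sample_home() {
    mkdir -p "$1/alice/.ssh" "$1/bob/.ssh" "$1/carol/.ssh"
    # alice: only public material on the share (the recommended layout)
    echo "ssh-dss AAAAB3PLACEHOLDER alice@laptop" > "$1/alice/.ssh/authorized_keys2"
    # bob: passphrase-protected PEM key, mode 0600
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
        'PLACEHOLDER' '-----END DSA PRIVATE KEY-----' > "$1/bob/.ssh/id_dsa"
    chmod 600 "$1/bob/.ssh/id_dsa"
    # carol: unencrypted key left world-readable, the worst case on an export
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/carol/.ssh/id_rsa"
    chmod 644 "$1/carol/.ssh/id_rsa"
}

ROOT=$(mktemp -d)
make_sample_home "$ROOT"
audit_home_tree "$ROOT"
echo "cleartext private keys on share: $(count_cleartext_keys "$ROOT")"
rm -rf "$ROOT"
```

Run it against the real export root instead of the fixture (e.g. `audit_home_tree /home`); an "unknown" result on an OPENSSH-format key means the file must be probed with ssh-keygen rather than grep.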
From owner-freebsd-security Thu Feb 15 11:32:25 2001
Message-ID: <3A8C2CC0.1DDC4857@redshells.net>
Date: Thu, 15 Feb 2001 13:23:44 -0600
From: Chris
To: freebsd-security@FreeBSD.org
Subject: zmodem protocol?

Has anybody heard anything about possible security flaws in "lrzsz"?
Here's a short description from the website: "lrzsz is a unix
communication package providing the XMODEM, YMODEM ZMODEM file transfer
protocols." And the website: http://www.ohse.de/uwe/software/lrzsz.html

Thanks
Chris

From owner-freebsd-security Thu Feb 15 11:57:12 2001
Date: Thu, 15 Feb 2001 14:57:02 -0500 (EST)
From: Trevor Johnson
To: Chris
Subject: Re: zmodem protocol?
In-Reply-To: <3A8C2CC0.1DDC4857@redshells.net>
Message-ID: <20010215144346.M27297-100000@blues.jpj.net>

> Has anybody heard anything about possible security flaws in "lrzsz"?
> Here's a short description from the website: "lrzsz is a unix
> communication package providing the XMODEM, YMODEM ZMODEM file transfer
> protocols." And the website: http://www.ohse.de/uwe/software/lrzsz.html

Could you be thinking of the Omen Technology programs that do the same
thing?

    @Remove rzsz, I've tolerated this for far too long but when it starts
    mailing stuff out automatically, it is just too much. Please use lrzsz,
    zmtx-zmrx or any other free alternative. If nothing else works, you can
    always compile rzsz from the original source.
    --(the former) ports/comms/rzsz/Attic/Makefile,v

As I recall, the Omen programs sent e-mail back to Omen if the user
hadn't registered the software properly.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Thu Feb 15 12:23:48 2001
Date: Thu, 15 Feb 2001 14:23:25 -0600 (CST)
From: James Wyatt
To: Chris
Cc: freebsd-security@FreeBSD.org
Subject: Re: zmodem protocol?
In-Reply-To: <3A8C2CC0.1DDC4857@redshells.net>

On Thu, 15 Feb 2001, Chris wrote:
> Has anybody heard anything about possible security flaws in "lrzsz"?
> Here's a short description from the website: "lrzsz is a unix
> communication package providing the XMODEM, YMODEM ZMODEM file transfer
> protocols." And the website: http://www.ohse.de/uwe/software/lrzsz.html

I still have to support X/Y/Z-modem for EDI dialin customers and several
other misc uses. The thing that comes to mind immediately is that Z-modem
allows running of a remote program unless you neuter the source code. The
code was not even expert friendly, IIRC, and was hell to pipe-fit to code
that did processing I needed performed on the files and managed the modem
ports. While I do not know of any specific buffer overflow bugs, given the
quality of what I saw, I think it would be pretty "chewy" to audit it.

The code runs non-suid, so you would only be risky if the user running
the {r,s}{x,b,z} commands wasn't who was on the other end of the
communications flow - not a problem with shell accounts using them on the
command line. I had to worry about it because my EDI users had no shell
accounts.

FWIW, there isn't much in the X-modem stuff to break, but Z-modem allowed
pushing of the filename, the aforementioned remote command, and some
other stuff that would be ripe for buffer bugs. It was definitely quicker
than building X/Y/Z-modem support from scratch and from the various
conflicting specs and I really appreciated that the code *worked*, it was
just hard to turn into an API and maintain.
- Jy@

From owner-freebsd-security Thu Feb 15 13:42:41 2001
Message-Id: <4.1.20010215223737.00948470@pop.iae.nl>
Date: Thu, 15 Feb 2001 22:42:47 +0100
To: Sheldon Hearn
From: Stefan
Subject: Re: Abnormal behaviour of "established" rule with ipfw?
Cc: security@freebsd.org
In-Reply-To: <11651.982225965@axl.fw.uunet.co.za>

At 10:32 15-2-01 +0200, you wrote:
>
>
> Do you use any bridging between lo0 and another interface?

No, I'm using an almost 'default' configuration according to the book.
Using natd makes no difference (tested with and without).

I think it has something to do with the combination of 4.1-Release and
the patch. The patch I think has been created and tested with
4.2-Release. Just having some friends verifying this..

I'm going to upgrade to 4.2-release with patches, so I can see if the
problem then still exists.

Thanks for answering,

Stefan

>
> Ciao,
> Sheldon.
From owner-freebsd-security Thu Feb 15 13:58:10 2001
Date: Thu, 15 Feb 2001 13:30:00 -0800
From: Kris Kennaway
To: Jan Conrad
Cc: Kris Kennaway , freebsd-security@freebsd.org, Ralph Schreyer
Subject: Re: Why does openssh protocol default to 2?
Message-ID: <20010215133000.A12807@mollari.cthul.hu>
References: <20010215033410.A86524@mollari.cthul.hu>
In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 01:18:45PM +0100

On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote:
> On Thu, 15 Feb 2001, Kris Kennaway wrote:
>
> > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote:
> > > Hello,
> > >
> > > for quite a long time now I cannot understand why people encourage others
> > > for using ssh2 by default and I wanted to ask the readers of this list for
> > > their opinion.
> >
> > SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of.
>
> I knew that statement... Could you give me a good reference for a
> detailed discussion on that?

www.core-sdi.com probably has some information - there are recently
discovered flaws and a number of older ones.
> > I don't understand your complaint. If you don't want to use SSH2 with
> > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM
> > authentication module (OPIE, etc)
>
> Sorry - I did not want to complain... (really :-)
>
> What would you suggest for NFS mounted home dirs as a reasonable solution?
> (To store keys I mean..)

If you have people sniffing your NFS traffic then you're in trouble
anyway since they can probably spoof things very easily. Consider what's
really your threat model here. If you really don't want people to use DSA
authentication (it's not a security risk unless they use a weak
passphrase) then disable it with the appropriate configuration directive
in /etc/ssh/sshd_config.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6jEpYWry0BWjoQKURAjZNAJ9V7ZplA2uRJuJ8MiVrwW2vni4kogCgzTBd
RuXFUjziVxqKWsgDLAjODrE=
=lVKz
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Feb 15 16:57:07 2001
Date: Fri, 16 Feb 2001 00:56:06 GMT
From: Youthful21@costa.de
Message-Id: <200102160056.AAA15561@torgut.com>
To: Youthful21@costa.de
Subject: REVERSE the AGING PROCESS 10 - 20 Years!

HAVE YOU HEARD OF HUMAN GROWTH HORMONE (HGH)???
The FDA has not evaluated these statements.

From owner-freebsd-security Thu Feb 15 17:58:48 2001
From: "Frank W. Miller"
Message-Id: <200102160050.TAA21074@macalpine.cornfed.com>
Subject: ftpd question
To: freebsd-security@freebsd.org
Date: Thu, 15 Feb 2001 19:50:50 -0500 (EST)
Cc: fwmiller@macalpine.cornfed.com (Frank W. Miller)

This is probably a simple question but I'm a newbie at sys admin so...

I've had some people logging into my ftp server and dumping files lately.
Is there a way to prevent anonymous users from uploading files while
still allowing regular users to upload?

Please respond via email to fwmiller@cornfed.com.

Thanks,
FM

--
Frank W.
Miller
Cornfed Systems Inc
www.cornfed.com

From owner-freebsd-security Thu Feb 15 18:07:08 2001
From: "Edward W. M."
To: des@ofug.org
Cc: nbm@mithrandr.moria.org, dominic_marks@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Thu, 15 Feb 2001 18:07:04 -0800

Dag-Erling Smorgrav writes:
>Neil Blakey-Milner writes:
> > On Mon 2001-02-12 (15:51), Edward W. M. wrote:
> > > > Mail Options:
> > > > 1. Qmail - Secure, written for FreeBSD (Qwest?), Fast,
> > > > Configurable
> > > I would advise against qmail, as I've had reliability issues
> > > with
> > > it.
> > Like?
>I can't speak for Edward, but here are some of the reliability
>problems I've run into with QMail:
>
>Stock QMail (without the large-queue patches) will not handle even
>moderate loads gracefully. For some inexplicable reason (read:
>gratuitous design flaw), directories which ought to be split into
>buckets aren't, so you end up with flat directories holding one file
>per queue entry. Also, the default number of buckets (23) is
>ridiculously small, unless you're just setting up qmail on your DSL
>box to handle mail for yourself, your four months old kitten, and
>her pet rock.
Right after installing the out-of-the-box stock version of qmail, I ran a stress test and let me just say that you are exaggerating. There is no way it could handle so much mail, four month old kittens are much more advanced nowadays and I hear that pet rocks are quite avid mailing list readers as well. :-)) >Once hell has broken loose, repairing broken QMail queues is fairly >non-trivial. Even moving a broken queue aside and later merging it >into the running queue is nearly impossible without some heavy >scripting; the documented way of doing this is to compile and >install a separate QMail installation configured to run from a >separate directory and process the secondary queue. I gave up on qmail during the testing stage when I was faced with repairing broken queues. IMHO, many people are very happy with their patched versions of qmail because they never ran into serious problems like that in a production environment. Those who continue to run qmail after experiencing such problems either become developers (err, patch contributors) or have no other choice because somebody else has the say over which MTA is to be used (I feel your pain people). The license also makes qmail a far worse piece of software than it could be. Before you can get the desired functionality, you have to apply half a dozen patches and hope that they apply cleanly. Often they do not and you have to dig into the source code to fix things manually, if you can stomach the poor coding style, that is. So what's wrong with that, you may ask, if you want a race car, you have to spend some time tuning it and it is not what the engine looks like on the inside, but how well it performs that counts. I agree, but there is a difference between tuning a car and assembling it from scratch using a builders kit and parts that look odd. Not to mention that I am a bit dismayed when the brakes on such a car give out. This is just my opinion based on personal experience, YMMV. Edward W. M. 
P.S.: Eventhough it seems that way, I am not a car mechanic. :-) _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 15 19:37:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id BAC0A37B491 for ; Thu, 15 Feb 2001 19:37:21 -0800 (PST) Received: from Laptop (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.2/8.11.2) with SMTP id f1G3b6u72295; Thu, 15 Feb 2001 22:37:16 -0500 (EST) (envelope-from services@freemail.dreaming.org) From: "The Dreaming Network Freemail Service" To: "Frank W. Miller" , Subject: RE: ftpd question Date: Thu, 15 Feb 2001 22:35:34 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <200102160050.TAA21074@macalpine.cornfed.com> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I may be mistaken, but i think that if you remove the ftp entry in /etc/master.passwd (vi vipw of course) that anonymous logins will no longer work, but regular users can still get in. Source: ftpd man page... "6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp'')." 
of course, in case i'm wrong, save a copy of that entry in master.passwd somewhere ;-) grep ftp: /etc/master.passwd > /root/backup.ftpentry Cheers, Mit :-----Original Message----- :From: owner-freebsd-security@FreeBSD.ORG :[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Frank W. Miller :Sent: February 15, 2001 19:51 PM :To: freebsd-security@FreeBSD.ORG :Cc: Frank W. Miller :Subject: ftpd question : : : : :This is probably a simple question but I'm a newbie at sys admin so... :I've had some people logging into my ftp server and dumping files :lately. Is there a way to prevent anonymous users from uploading :files while still allowing regular users to upload? Please respond :via email to fwmiller@cornfed.com. : :Thanks, :FM : :-- :Frank W. Miller :Cornfed Systems Inc :www.cornfed.com : : :To Unsubscribe: send mail to majordomo@FreeBSD.org :with "unsubscribe freebsd-security" in the body of the message : To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 15 20:37:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id A5B4A37B4EC for ; Thu, 15 Feb 2001 20:37:40 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 15 Feb 2001 20:35:47 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1G4bUg74255; Thu, 15 Feb 2001 20:37:30 -0800 (PST) (envelope-from cjc) Date: Thu, 15 Feb 2001 20:37:24 -0800 From: "Crist J. Clark" To: Jan Conrad Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG, Ralph Schreyer Subject: Re: Why does openssh protocol default to 2? 
Message-ID: <20010215203724.X62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <20010215033410.A86524@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Thu, Feb 15, 2001 at 01:18:45PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote: > On Thu, 15 Feb 2001, Kris Kennaway wrote: > > > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: [snip] > > > My problem simply is that the id_dsa file is stored in user home dirs, > > > which typically are mounted via NFS. So ssh2, in contrast to ssh1 with > > > RSAAuthentication disabled, allows sniffers to access your system even > > > without *actively* attacking your system, all you need is the id_dsa > > > file.... > > > > > > Even if that file is protected by a passphrase, you don't gain much... > > > > I don't understand your complaint. If you don't want to use SSH2 with > > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM > > authentication module (OPIE, etc) > > Sorry - I did not want to complain... (really :-) > > What would you suggest for NFS mounted home dirs as a reasonable solution? > (To store keys I mean..) I am still trying to understand why you believe that SSH1 is somehow more secure than SSH2. You can disable DSA-key authentication in the same way you can disable RSA-keys. You can read the RSA stuff a user has in .ssh just as easily as the DSA stuff when the home directory is an NFS volume. -- Crist J. 
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 15 20:40:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-49.dsl.lsan03.pacbell.net [64.165.226.49]) by hub.freebsd.org (Postfix) with ESMTP id 40A7E37B491 for ; Thu, 15 Feb 2001 20:40:53 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BA9AD66E6A; Thu, 15 Feb 2001 20:40:52 -0800 (PST) Date: Thu, 15 Feb 2001 20:40:52 -0800 From: Kris Kennaway To: cjclark@alum.mit.edu Cc: Jan Conrad , Kris Kennaway , freebsd-security@FreeBSD.ORG, Ralph Schreyer Subject: Re: Why does openssh protocol default to 2? Message-ID: <20010215204052.A28966@mollari.cthul.hu> References: <20010215033410.A86524@mollari.cthul.hu> <20010215203724.X62368@rfx-216-196-73-168.users.reflex> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="zhXaljGHf11kAtnf" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010215203724.X62368@rfx-216-196-73-168.users.reflex>; from cjclark@reflexnet.net on Thu, Feb 15, 2001 at 08:37:24PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --zhXaljGHf11kAtnf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 15, 2001 at 08:37:24PM -0800, Crist J. Clark wrote: > On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote: > > On Thu, 15 Feb 2001, Kris Kennaway wrote: > >=20 > > > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: >=20 > [snip] >=20 > > > > My problem simply is that the id_dsa file is stored in user home di= rs, > > > > which typically are mounted via NFS. 
So ssh2, in contrast to ssh1 w= ith > > > > RSAAuthentication disabled, allows sniffers to access your system e= ven > > > > without *actively* attacking your system, all you need is the id_dsa > > > > file.... > > > > > > > > Even if that file is protected by a passphrase, you don't gain much= ... > > > > > > I don't understand your complaint. If you don't want to use SSH2 with > > > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM > > > authentication module (OPIE, etc) > >=20 > > Sorry - I did not want to complain... (really :-) > >=20 > > What would you suggest for NFS mounted home dirs as a reasonable soluti= on? > > (To store keys I mean..) >=20 > I am still trying to understand why you believe that SSH1 is somehow > more secure than SSH2. You can disable DSA-key authentication in the > same way you can disable RSA-keys. You can read the RSA stuff a user > has in .ssh just as easily as the DSA stuff when the home directory is > an NFS volume. An alternative is to use IPSEC with ESP to protect the NFS traffic, which defends against the more general problem of people sniffing NFS traffic, if you're worried about that. 
Kris --zhXaljGHf11kAtnf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6jK9UWry0BWjoQKURAiGwAKDGgnnFtbz2snO5c+GP49W4M470+gCePj0c 4pak7adOFE2j9egG2gUSkq4= =PXLn -----END PGP SIGNATURE----- --zhXaljGHf11kAtnf-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 1:27:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from virginia.yamato.ibm.co.jp (virginia.yamato.ibm.co.jp [203.141.89.165]) by hub.freebsd.org (Postfix) with ESMTP id 60EBD37B4EC; Fri, 16 Feb 2001 01:27:11 -0800 (PST) Received: from ns.trl.ibm.com (ns.trl.ibm.com [9.116.48.18]) by virginia.yamato.ibm.co.jp (8.9.3/3.7W/GW3.3) with ESMTP id SAA11170; Fri, 16 Feb 2001 18:26:26 +0900 Received: from localhost by ns.trl.ibm.com (8.9.3/TRL4.5SRV) id SAA15404; Fri, 16 Feb 2001 18:26:25 +0900 To: security@FreeBSD.ORG Cc: kris@FreeBSD.ORG, ash@lab.poc.net, kjm@rins.ryukoku.ac.jp, iwamura@muraoka.info.waseda.ac.jp Subject: Base system with gcc stack-smashing protector In-Reply-To: <20001117154551.A77867@citusc17.usc.edu> X-Mailer: Mew version 1.94b48 on Emacs 20.5 / Mule 4.0 (HANANOEN) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20010216182625I.etoh@trl.ibm.com> Date: Fri, 16 Feb 2001 18:26:25 +0900 From: Hiroaki Etoh X-Dispatcher: imput version 990813(IM119) Lines: 31 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 17 Nov, Kris Kennaway wrote: > This was trivial to get working on FreeBSD, but here is a patch > against the system gcc in 4.x which will compile a ProPolice-enabled > version, so FreeBSD users can start easily making use of this. The > patch is the same for 5.x users except you will need to replace > "contrib/gcc" with "contrib/gcc.295" in the diff. 
> > http://www.freebsd.org/~kris/protector.patch Iwamura-san and Etoh have finished to build the stack protected version of FreeBSD base system! Iwamura-san fixed several linkage errors generated from the above patch. We confirmed the protected system blocked the bind TSIG exploit which is announced from CERT, 31 Jan, 2001. Here is a patch against the system 4.2-RELEASE. http://www.trl.ibm.co.jp/projects/security/ssp/protector.patch See http://www.trl.ibm.co.jp/projects/security/ssp/buildfreebsd.html for details. We are still working on building the protected version of kernel. Hiroaki Etoh, Tokyo Research Laboratory, IBM Japan Makoto Iwamura, Muraoka Lab., Waseda University To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 2:56:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.marketnews.com (mail.economeister.com [205.183.200.2]) by hub.freebsd.org (Postfix) with ESMTP id 4F8AC37B65D for ; Fri, 16 Feb 2001 02:56:21 -0800 (PST) Received: from mharding ([213.219.53.82]) by mail.marketnews.com (8.11.0/8.9.3) with SMTP id f1GAtmd45168; Fri, 16 Feb 2001 05:55:49 -0500 (EST) From: "Mason Harding" To: "Mark Hartley" , Subject: RE: Syslogd stops working Date: Fri, 16 Feb 2001 12:33:20 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20010214154342.A48740@router.drapple.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have this problem as well, but have never looked into it too much. I have a FreeBSD 4.2 stable syslog server, logging from about 5 machines. About once a week syslogd stops working. 
The daemon continues to run, and a killall -HUP doesn't fix it. Only when I kill and restart it does it work again...for another week or two. I think this is defiantly a security issue. If someone can knock out the remote syslog server before they hack a box and clean out the local logs, then they are home free. Mason -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mark Hartley Sent: Thursday, February 15, 2001 12:44 AM To: freebsd-security@FreeBSD.ORG Subject: Syslogd stops working I have several different FreeBSD servers which I've upgraded recently through cvsup and rebuilding world due to the bind, ipfw, and ssh holes. However, I have one machine which I cvsupped and rebuilt on Jan 29th which has stopped logging to syslog. I've checked my syslog.conf file and everything seems fine. I had just been noticing a lack of people "banging" on my firewall. I got to looking, and syslog has not been functioning since that point. This is a very serious issue for me as I've potentially missed several important syslog notices. I checked, and syslogd is in fact running. Any ideas why this is happening and what I can do to remedy it? Mark. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 5:15:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id 1385437B503 for ; Fri, 16 Feb 2001 05:15:38 -0800 (PST) Received: from partner.uni-psych.gwdg.de ([134.76.136.114]) by gwdu42.gwdg.de with esmtp (Exim 3.14 #18) id 14TkjY-00049H-00 for freebsd-security@freebsd.org; Fri, 16 Feb 2001 14:15:36 +0100 Mime-Version: 1.0 X-Sender: rbeer@popper.gwdg.de Message-Id: Date: Fri, 16 Feb 2001 14:15:31 +0100 To: freebsd-security@freebsd.org From: Ragnar Beer Subject: File flags Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Howdy! I'm wondering which files I should protect with file flags. So far I only protected a couple of flags in /var/log but last week I read that someone suggested making files in the /bin /sbin /etc directories immutable. How much sense does that make? Ragnar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 5:34:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from macalpine.cornfed.com (sdsl-216-36-86-82.dsl.iad.megapath.net [216.36.86.82]) by hub.freebsd.org (Postfix) with ESMTP id 862C637B65D for ; Fri, 16 Feb 2001 05:34:15 -0800 (PST) Received: (from fwmiller@localhost) by macalpine.cornfed.com (8.9.2/8.9.2) id HAA22233; Fri, 16 Feb 2001 07:26:16 -0500 (EST) (envelope-from fwmiller) From: "Frank W. 
Miller" Message-Id: <200102161226.HAA22233@macalpine.cornfed.com> Subject: ftpd To: freebsd-security@freebsd.org Date: Fri, 16 Feb 2001 07:26:16 -0500 (EST) Cc: fwmiller@macalpine.cornfed.com (Frank W. Miller) X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for all the replies! The replies I got can be summarized as: 1) Disallow access for anonymous users by either removing the ftp user from the password file or adding ftp to /etc/ftpusers 2) Change the write permissions on pub (which is the directory I want to protect) to disallow writes. The first solution does not solve my problem. I want to allow anonymous users to download from my machine but I dont want them to be able to upload files or create directories. The second solution doesnt work might work. I had my permission set as 755 on the pub directory and have changed them to 555. That seems to disallow creating directories and I can still copy files to the directory as root. Thanks again for the help! FM -- Frank W. 
Miller Cornfed Systems Inc www.cornfed.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 6:17: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from osiris.ipform.ru (osiris.ipform.ru [212.158.165.98]) by hub.freebsd.org (Postfix) with ESMTP id 6B03137B65D; Fri, 16 Feb 2001 06:16:51 -0800 (PST) Received: from wp2 (localhost.ipform.ru [127.0.0.1]) by osiris.ipform.ru (8.11.2/8.11.2) with SMTP id f1GEGn257844; Fri, 16 Feb 2001 17:16:49 +0300 (MSK) (envelope-from matrix@ipform.ru) Message-ID: <004201c09823$1a423dc0$0c00a8c0@ipform.ru> From: "Artem Koutchine" To: Cc: Subject: rpc.statd attack Date: Fri, 16 Feb 2001 17:16:47 +0300 Organization: IP Form MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! I am regulary getting this: Feb 16 15:01:39 osiris rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y ÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n %192x%nM-^ PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM -^PM-^PM-^ PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM -^PM-^PM-^ PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM -^PM-^PM-^ PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- What port should i close or log to detect the connection? I am sure this is a script kiddie, so no IP spoffing or anything tricky is envolved. I'd like log it with ipfw and kick that junkie butt. So, what port is it or as always with RPC it is a tricky business? 
Regards, Artem To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 6:26:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 6611E37B65D for ; Fri, 16 Feb 2001 06:26:17 -0800 (PST) Received: (qmail 12802 invoked by uid 1000); 16 Feb 2001 14:24:07 -0000 Date: Fri, 16 Feb 2001 16:24:07 +0200 From: Peter Pentchev To: Artem Koutchine Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: rpc.statd attack Message-ID: <20010216162407.D474@ringworld.oblivion.bg> Mail-Followup-To: Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG References: <004201c09823$1a423dc0$0c00a8c0@ipform.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <004201c09823$1a423dc0$0c00a8c0@ipform.ru>; from matrix@ipform.ru on Fri, Feb 16, 2001 at 05:16:47PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote: > Hi! > > I am regulary getting this: > [snip (unsuccessful, useless against fbsd) attack log] > > What port should i close or log to detect the connection? I am sure > this is a script > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log > it with ipfw and > kick that junkie butt. So, what port is it or as always with RPC it is > a tricky business? If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' to be a tricky business, then yes, it is a tricky business ;) G'luck, Peter -- When you are not looking at it, this sentence is in Spanish. 
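As an added example, not code from the thread, here is a small sh helper that answers the "what port" question the way the replies do: it takes the UDP port of the status (rpc.statd) service from rpcinfo -p output by field position rather than by a line regex, and builds an ipfw rule that counts and logs datagrams to that port so probes like the one above show up in the firewall log. It reads the rpcinfo output from stdin so it can be run against a constructed sample; the rule number and the sample service table are assumptions, and the rule is printed, not installed.

```shell
#!/bin/sh
# Added example: locate the port rpc.statd (program "status") is registered
# on from 'rpcinfo -p' output, and emit an ipfw count+log rule for it.
#
# rpcinfo -p columns are: program vers proto port name

# Print the port registered for a protocol/service pair, reading rpcinfo -p
# output from stdin. Prints nothing when the service is not registered.
rpc_port() {
    proto="$1"
    service="$2"
    awk -v p="$proto" -v s="$service" '$3 == p && $5 == s { print $4; exit }'
}

# The line-regex form from the thread, kept for comparison: it counts every
# line containing "udp" somewhere followed by "status" at the end of the line.
regex_match_count() {
    grep -c -e 'udp.*status$'
}

# Build (but do not install) an ipfw rule that counts and logs UDP datagrams
# sent to the given port on this host. Rule number 1000 is an assumed value.
statd_log_rule() {
    port="$1"
    [ -n "$port" ] || return 1
    printf 'ipfw add 1000 count log udp from any to me %s\n' "$port"
}

# Constructed sample of 'rpcinfo -p' output; not captured from a real host.
# The last line is made up to show how a line regex can match the wrong
# service: it contains "udp" and ends in "status" but is a TCP registration.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1023  status
    100024    1   tcp   1022  status
    100021    1   udp   1021  nlockmgr
    300000    1   tcp   4000  udpstatus'

# Convenience wrapper used by the self-test: the statd UDP port in the sample.
statd_port_from_sample() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_port udp status
}

# On a FreeBSD host the live form would be:
#   port=$(rpcinfo -p | rpc_port udp status) && statd_log_rule "$port"
```

Because rpc.statd picks its port at start-up, the rule has to be regenerated whenever the daemon restarts.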
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 6:45:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 936B437B401 for ; Fri, 16 Feb 2001 06:45:17 -0800 (PST) Received: (qmail 13012 invoked by uid 1000); 16 Feb 2001 14:43:19 -0000 Date: Fri, 16 Feb 2001 16:43:18 +0200 From: Peter Pentchev To: Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: rpc.statd attack Message-ID: <20010216164318.F474@ringworld.oblivion.bg> Mail-Followup-To: Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG References: <004201c09823$1a423dc0$0c00a8c0@ipform.ru> <20010216162407.D474@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010216162407.D474@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Feb 16, 2001 at 04:24:07PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote: > On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote: > > Hi! > > > > I am regulary getting this: > > > [snip (unsuccessful, useless against fbsd) attack log] > > > > What port should i close or log to detect the connection? I am sure > > this is a script > > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log > > it with ipfw and > > kick that junkie butt. So, what port is it or as always with RPC it is > > a tricky business? 
> > If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' > to be a tricky business, then yes, it is a tricky business ;) Well, as people pointed out, I'm not awake yet :) rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' ..works just as well, or even better, with less false alarms and more efficiency :) G'luck, Peter -- I had to translate this sentence into English because I could not read the original Sanskrit. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 6:46:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from kobayashi.uits.iupui.edu (kobayashi.uits.iupui.edu [134.68.5.17]) by hub.freebsd.org (Postfix) with ESMTP id E6B2B37B698 for ; Fri, 16 Feb 2001 06:46:24 -0800 (PST) Received: from localhost (ajk@localhost) by kobayashi.uits.iupui.edu (8.11.1/8.11.1) with ESMTP id f1GEk3057784; Fri, 16 Feb 2001 09:46:03 -0500 (EST) (envelope-from ajk@iu.edu) Date: Fri, 16 Feb 2001 09:46:03 -0500 (EST) From: "Andrew J. Korty" X-X-Sender: To: Mason Harding Cc: Mark Hartley , Subject: RE: Syslogd stops working Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I had the same problem when I specified multiple domains from which to accept log messages using the -a option to syslogd with wildcards. When I stopped using -a, the problem went away. -- Andrew J. 
Korty, Principal Security Engineer Office of the Vice President for Information Technology Indiana University To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 6:49:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from dirac.th.physik.uni-bonn.de (dirac.th.physik.uni-bonn.de [131.220.161.119]) by hub.freebsd.org (Postfix) with SMTP id 621BC37B503 for ; Fri, 16 Feb 2001 06:49:07 -0800 (PST) Received: (qmail 50078 invoked from network); 16 Feb 2001 14:49:05 -0000 Received: from merlin.th.physik.uni-bonn.de (131.220.161.121) by dirac.th.physik.uni-bonn.de with SMTP; 16 Feb 2001 14:49:05 -0000 Received: (qmail 52593 invoked by uid 145); 16 Feb 2001 14:49:04 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Feb 2001 14:49:04 -0000 Date: Fri, 16 Feb 2001 15:49:04 +0100 (CET) From: Jan Conrad To: Kris Kennaway Cc: , Ralph Schreyer Subject: Re: Why does openssh protocol default to 2? In-Reply-To: <20010215133000.A12807@mollari.cthul.hu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 15 Feb 2001, Kris Kennaway wrote: > On Thu, Feb 15, 2001 at 01:18:45PM +0100, Jan Conrad wrote: > > On Thu, 15 Feb 2001, Kris Kennaway wrote: > > > > > On Thu, Feb 15, 2001 at 12:30:20PM +0100, Jan Conrad wrote: > > > > Hello, > > > > > > > > for quite a long time now I cannot understand why people encourage others > > > > for using ssh2 by default and I wanted to ask the readers of this list for > > > > their opinion. > > > > > > SSH1 has fundamental protocol flaws. SSH2 doesn't, that we know of. > > > > I knew that statement... Could you give me a good reference for a > > detailed discussion on that? > > www.core-sdi.com probably has some information - there are recently > discovered flaws and a number of older ones. 
> > > > I don't understand your complaint. If you don't want to use SSH2 with > > > RSA/DSA keys, don't do that. Use the UNIX password or some other PAM > > > authentication module (OPIE, etc) > > > > Sorry - I did not want to complain... (really :-) > > > > What would you suggest for NFS mounted home dirs as a reasonable solution? > > (To store keys I mean..) > > If you have people sniffing your NFS traffic then you're in trouble > anyway since they can probably spoof things very easily. Consider > what's really your threat model here. OK - that's the point here, precisely! Don't you think in such an environment using SSH1 with RhostsRSAAuthentication would be reasonable (of course only if you *need* to provide users with an rsh like automatic login). Sure - you can be spoofed etc., the SSH connection could be attacked and whatnot but I would consider that to be harmless compared to the possibility to collect keys just by sniffing the net (and most people usually have keys without passphrases..). I mean I just checked some University systems running ssh2 and ssh1 and I found really *lots* of keys in NFS mounted users homes... (sometimes 10% of the users had keys in their homes....) Maybe the conclusion is to put a warning into the manpages or into the default sshd_config saying something like 'be sure to switch xxxAuthentication of if you have NFS mounted homes'... What I would find reasonable is something like an .shosts mechanism for ssh2 or, better, but more complicated, having the keys themselves encrypted by some private key of the machine. Why should a user have access to a plain key? > > If you really don't want people to use DSA authentication (it's not a > security risk unless they use a weak passphrase) then disable it with > the appropriate configuration directive in /etc/ssh/sshd_config. 
sure > > Kris > Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 7: 3:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from post.mail.nl.demon.net (post-10.mail.nl.demon.net [194.159.73.20]) by hub.freebsd.org (Postfix) with ESMTP id D667137B401; Fri, 16 Feb 2001 07:03:46 -0800 (PST) Received: from [195.11.243.26] (helo=Debug) by post.mail.nl.demon.net with smtp (Exim 3.14 #2) id 14TmQC-0006Ip-00; Fri, 16 Feb 2001 15:03:44 +0000 To: Peter Pentchev , Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG From: Cliff Sarginson Subject: Efficiency [Was: Re: rpc.statd attack] Date: Fri, 16 Feb 2001 15:03:44 GMT X-Mailer: www.webmail.nl.demon.net X-Sender: postmaster@btvs.demon.nl X-Originating-IP: 192.250.25.251 Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote: > > On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote: > > > Hi! > > > > > > I am regulary getting this: > > > > > [snip (unsuccessful, useless against fbsd) attack log] > > > > > > What port should i close or log to detect the connection? I am sure > > > this is a script > > > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log > > > it with ipfw and > > > kick that junkie butt. So, what port is it or as always with RPC it is > > > a tricky business? > > > > If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' > > to be a tricky business, then yes, it is a tricky business ;) > > Well, as people pointed out, I'm not awake yet :) > > rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' > > ...works just as well, or even better, with less false alarms and more > efficiency :) > As you can see makes all the difference :) But this is under Solaris ... 
$ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' 32790 real 0m0.12s user 0m0.04s sys 0m0.07s $ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' 32790 real 0m0.11s user 0m0.05s sys 0m0.04s Cliff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 16 7:14:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id AE8C237B4EC for ; Fri, 16 Feb 2001 07:13:58 -0800 (PST) Received: (qmail 13282 invoked by uid 1000); 16 Feb 2001 15:12:03 -0000 Date: Fri, 16 Feb 2001 17:12:03 +0200 From: Peter Pentchev To: Cliff Sarginson Cc: Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Efficiency [Was: Re: rpc.statd attack] Message-ID: <20010216171203.G474@ringworld.oblivion.bg> Mail-Followup-To: Cliff Sarginson , Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from cliff@raggedclown.net on Fri, Feb 16, 2001 at 03:03:44PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 16, 2001 at 03:03:44PM +0000, Cliff Sarginson wrote: > > On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote: > > > On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote: > > > > Hi! > > > > > > > > I am regulary getting this: > > > > > > > [snip (unsuccessful, useless against fbsd) attack log] > > > > > > > > What port should i close or log to detect the connection? I am sure > > > > this is a script > > > > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log > > > > it with ipfw and > > > > kick that junkie butt. So, what port is it or as always with RPC it is > > > > a tricky business? 
> > >
> > > If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
> > > to be a tricky business, then yes, it is a tricky business ;)
> >
> > Well, as people pointed out, I'm not awake yet :)
> >
> > rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
> >
> > ...works just as well, or even better, with less false alarms and more
> > efficiency :)
>
> As you can see, it makes all the difference :)
> But this is under Solaris ...
>
> $ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
> 32790
>
> real 0m0.12s
> user 0m0.04s
> sys 0m0.07s
>
> $ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
> 32790
>
> real 0m0.11s
> user 0m0.05s
> sys 0m0.04s

Well, I still think it might be more efficient, at least in terms of memory
usage and forking. But even without the efficiency argument, it *is* cleaner :)

G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From: Kris Kennaway
To: Ragnar Beer
Cc: freebsd-security@freebsd.org
Subject: Re: File flags
Date: Fri, 16 Feb 2001 09:27:02 -0800
On Fri, Feb 16, 2001 at 02:15:31PM +0100, Ragnar Beer wrote:
> Howdy!
>
> I'm wondering which files I should protect with file flags. So far I only
> protected a couple of flags in /var/log but last week I read that someone
> suggested making files in the /bin /sbin /etc directories immutable. How much
> sense does that make?

This only makes a real difference to security if:

a) You raise the system securelevel, so that flags cannot be removed, and:

b) You make just about everything in /boot, /modules, /etc, /bin, /sbin,
/usr/bin, /usr/sbin immutable - any file touched during the boot process
before securelevel is raised should be protected, so that attackers who break
root don't have the ability to reset the securelevel by modifying a
non-protected file (e.g. /sbin/ifconfig, to pick one at random) to do their
dirty work (e.g. removing flags from everything) when the system reboots. A
full list of files is not known, and it is probably enough to make upgrading
the system a total PITA.

In other words, there are some pretty fatal flaws with the concept.
It does however confuse the heck out of script kiddies :-D

Kris

From: Scott Johnson
To: "Frank W. Miller"
Cc: freebsd-security@FreeBSD.org
Subject: Re: ftpd
Date: Fri, 16 Feb 2001 11:32:35 -0600

Quoth Frank W. Miller [fwmiller@macalpine.cornfed.com] on Fri, Feb 16, 2001 at 07:26:16AM -0500:
> The replies I got can be summarized as:
>
> 1) Disallow access for anonymous users by either removing the ftp user
> from the password file or adding ftp to /etc/ftpusers
>
> 2) Change the write permissions on pub (which is the directory I want to
> protect) to disallow writes.
>
> The first solution does not solve my problem.
> I want to allow anonymous
> users to download from my machine but I don't want them to be able to
> upload files or create directories. The second solution doesn't work
> might work. I had my permission set as 755 on the pub directory and have
> changed them to 555. That seems to disallow creating directories and
> I can still copy files to the directory as root.

Anonymous users have the rights of user account ftp, while local users have
the rights of that user. Your directory needs to be writable by local users,
not anyone else. Create a group for the local users, and put the users in it.
chown(8) the directory to root:ftpwriters, and give permissions 775. User ftp
shouldn't be able to write to the directory.

Scott Johnson

From: Rasputin
To: security@freebsd.org
Subject: Re: File flags
Date: Fri, 16 Feb 2001 13:33:31 +0000

* Ragnar Beer [010216 13:17]:
> Howdy!
>
> I'm wondering which files I should protect with file flags. So far I only
> protected a couple of flags in /var/log but last week I read that someone

Is that a good idea? What happens if they need to be rotated?

> suggested making files in the /bin /sbin /etc directories immutable. How much
> sense does that make?

Depends what securelevel you're in.

Also there is a case for saying that this makes intrusions harder
to detect, although that sounds to me like saying:
"If the cupboards in your house are locked up, how are you
supposed to tell when you've been burgled?"

--
Rasputin
Jack of All Trades :: Master of Nuns

From: Rob Simmons
To: Rasputin
Cc: security@FreeBSD.ORG
Subject: Re: File flags
Date: Fri, 16 Feb 2001 12:42:49 -0500 (EST)

Turn off log rotation and set the append only flag

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 16 Feb 2001, Rasputin wrote:
> * Ragnar Beer [010216 13:17]:
> > Howdy!
> >
> > I'm wondering which files I should protect with file flags. So far I only
> > protected a couple of flags in /var/log but last week I read that someone
>
> Is that a good idea? What happens if they need to be rotated?
>
> > suggested making files in the /bin /sbin /etc directories immutable. How much
> > sense does that make?
>
> Depends what securelevel you're in.
>
> Also there is a case for saying that this makes intrusions harder
> to detect, although that sounds to me like saying:
> "If the cupboards in your house are locked up, how are you
> supposed to tell when you've been burgled?"
>
> --
> Rasputin
> Jack of All Trades :: Master of Nuns

From: "Peter C. Lai"
To: "Rasputin"
Subject: Re: File flags
Date: Fri, 16 Feb 2001 15:04:34 -0500

Your metaphor/analogy is flawed. It should read "if my cupboards are locked,
how can I tell if my house has been bugged?" since in most cases backdoored
binaries are installed and logs are modified, and aren't deleted.
----- Original Message -----
From: "Rasputin"
Sent: Friday, February 16, 2001 8:33 AM
Subject: Re: File flags

> * Ragnar Beer [010216 13:17]:
> > Howdy!
> >
> > I'm wondering which files I should protect with file flags. So far I only
> > protected a couple of flags in /var/log but last week I read that someone
>
> Is that a good idea? What happens if they need to be rotated?
>
> > suggested making files in the /bin /sbin /etc directories immutable. How much
> > sense does that make?
>
> Depends what securelevel you're in.
>
> Also there is a case for saying that this makes intrusions harder
> to detect, although that sounds to me like saying:
> "If the cupboards in your house are locked up, how are you
> supposed to tell when you've been burgled?"
>
> --
> Rasputin
> Jack of All Trades :: Master of Nuns
From: Wes Peters
Organization: Softweyr LLC
To: Gregory Sutter
Cc: Len Conrad, freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Date: Fri, 16 Feb 2001 10:42:59 -0700

Gregory Sutter wrote:
>
> On 2001-02-13 11:01 -0700, Wes Peters wrote:
> >
> > As for my comments about the documentation:
> >
> > bash-2.04# pwd
> > /usr/local/share/doc/postfix
> > bash-2.04# !gr
> > grep -i mail_spool_directory *
> > bash-2.04#
> >
> > Yeah, I'll count that as "opaque".
>
> apropos postfix
> man 8 local
>
> We'll convert you yet.

Oh, I've got it running now, but I still think the documentation is weak.
mail_spool_directory is a configuration file setting that is not mentioned
anywhere in any of the Postfix documentation, and yet the comments in the
sample/default configuration file make it seem quite important.

I've sent that to Wietse as a documentation bug. Maybe an article about
it in DN would encourage someone to update the docs? ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

From: Cy Schubert - ITSD Open Systems Group
To: Hiroaki Etoh, kris@freebsd.org
Cc: security@freebsd.org, ash@lab.poc.net, kjm@rins.ryukoku.ac.jp, iwamura@muraoka.info.waseda.ac.jp
Subject: Re: Base system with gcc stack-smashing protector
In-reply-to: Your message of "Fri, 16 Feb 2001 18:26:25 +0900." <20010216182625I.etoh@trl.ibm.com>
Date: Fri, 16 Feb 2001 13:44:28 -0800

Any idea when this might be merged into the base tree?
Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <20010216182625I.etoh@trl.ibm.com>, Hiroaki Etoh writes:
> On 17 Nov, Kris Kennaway wrote:
> > This was trivial to get working on FreeBSD, but here is a patch
> > against the system gcc in 4.x which will compile a ProPolice-enabled
> > version, so FreeBSD users can start easily making use of this. The
> > patch is the same for 5.x users except you will need to replace
> > "contrib/gcc" with "contrib/gcc.295" in the diff.
> >
> > http://www.freebsd.org/~kris/protector.patch
>
> Iwamura-san and Etoh have finished building the stack-protected version
> of the FreeBSD base system! Iwamura-san fixed several linkage errors
> generated from the above patch.
>
> We confirmed the protected system blocked the bind TSIG exploit which was
> announced by CERT on 31 Jan, 2001.
>
> Here is a patch against the system 4.2-RELEASE.
> http://www.trl.ibm.co.jp/projects/security/ssp/protector.patch
>
> See http://www.trl.ibm.co.jp/projects/security/ssp/buildfreebsd.html for
> details.
>
> We are still working on building the protected version of the kernel.
>
> Hiroaki Etoh,
> Tokyo Research Laboratory, IBM Japan
>
> Makoto Iwamura,
> Muraoka Lab., Waseda University

From: Gregory Sutter
To: Wes Peters
Cc: freebsd-security@freebsd.org
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Organization: Zer0
Date: Fri, 16 Feb 2001 13:56:24 -0800

On 2001-02-16 10:42 -0700, Wes Peters wrote:
> Gregory Sutter wrote:
> >
> > On 2001-02-13 11:01 -0700, Wes Peters wrote:
> > >
> > > As for my comments about the documentation:
> > >
> > > bash-2.04# pwd
> > > /usr/local/share/doc/postfix
> > > bash-2.04# !gr
> > > grep -i mail_spool_directory *
> > > bash-2.04#
> > >
> > > Yeah, I'll count that as "opaque".
> >
> > apropos postfix
> > man 8 local
> >
> > We'll convert you yet.
>
> Oh, I've got it running now, but I still think the documentation is weak.
That's definitely true. It could really use a complete manual. I know
someone who's writing one, to be published by a major house, though.
So the docs are on the way.

> mail_spool_directory is a configuration file setting that is not mentioned
> anywhere in any of the Postfix documentation, and yet the comments in the
> sample/default configuration file make it seem quite important.

That's untrue! I pointed you to the local(8) man page because the
mail_spool_directory parameter is documented there.

> I've sent that to Wietse as a documentation bug. Maybe an article about
> it in DN would encourage someone to update the docs? ;^)

Can you have it ready for April? :)

Greg

--
Gregory S. Sutter                      Computing is a terminal addiction.
mailto:gsutter@zer0.org
http://www.zer0.org/~gsutter/
hkp://wwwkeys.pgp.net/0x845DFEDD

From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: Hiroaki Etoh, kris@freebsd.org, security@freebsd.org, ash@lab.poc.net, kjm@rins.ryukoku.ac.jp, iwamura@muraoka.info.waseda.ac.jp
Subject: Re: Base system with gcc stack-smashing protector
Date: Fri, 16 Feb 2001 15:20:41 -0800
On Fri, Feb 16, 2001 at 01:44:28PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> Any idea when this might be merged into the base tree?

I'll be taking a look at it this weekend. We might not integrate it into the
base system because of the difficulty in merging it with new gcc releases,
but I'd like to provide some kind of support for it.

Kris

From: Brett Glass
To: "Frank W. Miller", freebsd-security@FreeBSD.ORG
Cc: fwmiller@macalpine.cornfed.com (Frank W. Miller)
Subject: Re: ftpd question
Date: Fri, 16 Feb 2001 17:39:35 -0700
Interesting.... A fellow running a Win2K server here in town
reported that his Internet connection had slowed to a crawl.
Upon investigation, it was discovered that someone had dumped
about 1 GB of files into a writable public directory via
anonymous FTP.

Someone's obviously scanning for writable anonymous FTP
servers and pulling this schoolyard prank. I wonder what they
hope to accomplish, other than tying up bandwidth and disk
space until someone notices?

--Brett

At 05:50 PM 2/15/2001, Frank W. Miller wrote:
>This is probably a simple question but I'm a newbie at sys admin so...
>I've had some people logging into my ftp server and dumping files
>lately. Is there a way to prevent anonymous users from uploading
>files while still allowing regular users to upload? Please respond
>via email to fwmiller@cornfed.com.
>
>Thanks,
>FM
>
>--
>Frank W. Miller
>Cornfed Systems Inc
>www.cornfed.com

From: Mikhail Kruk
To: Brett Glass
Cc: "Frank W. Miller"
Subject: Re: ftpd question
Date: Fri, 16 Feb 2001 19:44:51 -0500 (EST)

> Someone's obviously scanning for writable anonymous FTP
> servers and pulling this schoolyard prank. I wonder what they
> hope to accomplish, other than tying up bandwidth and disk
> space until someone notices?

um... warez kids exchanging stolen movies and software?

From: "Will Mitayai Keeso Rowe"
To: "Brett Glass", "Frank W. Miller"
Cc: "Frank W. Miller"
Subject: RE: ftpd question
Date: Fri, 16 Feb 2001 20:05:48 -0500

This is nothing new. They even publish open FTP sites on warez web pages.
:-----Original Message-----
:From: owner-freebsd-security@FreeBSD.ORG
:[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brett Glass
:Sent: February 16, 2001 19:40 PM
:To: Frank W. Miller; freebsd-security@FreeBSD.ORG
:Cc: Frank W. Miller
:Subject: Re: ftpd question
:
:
:Interesting.... A fellow running a Win2K server here in town
:reported that his Internet connection had slowed to a crawl.
:Upon investigation, it was discovered that someone had dumped
:about 1 GB of files into a writable public directory via
:anonymous FTP.
:
:Someone's obviously scanning for writable anonymous FTP
:servers and pulling this schoolyard prank. I wonder what they
:hope to accomplish, other than tying up bandwidth and disk
:space until someone notices?
:
:--Brett
:
:At 05:50 PM 2/15/2001, Frank W. Miller wrote:
:
:>This is probably a simple question but I'm a newbie at sys admin so...
:>I've had some people logging into my ftp server and dumping files
:>lately. Is there a way to prevent anonymous users from uploading
:>files while still allowing regular users to upload? Please respond
:>via email to fwmiller@cornfed.com.
:>
:>Thanks,
:>FM
:>
:>--
:>Frank W. Miller
:>Cornfed Systems Inc
:>www.cornfed.com

From: Brett Glass
To: Mikhail Kruk
Cc: "Frank W. Miller"
Subject: Re: ftpd question
Date: Fri, 16 Feb 2001 18:41:30 -0700

At 05:44 PM 2/16/2001, Mikhail Kruk wrote:
>um... warez kids exchanging stolen movies and software?

Aha! Yep, I can see this. They'd better keep moving fast, though; it's
pretty obvious that your bandwidth is being used when everything just
about stops.
--Brett

From: Craig Cowen
To: "freebsd-security@FreeBSD.ORG"
Subject: IPF and a modem
Date: Sat, 17 Feb 2001 00:27:33 -0800

I have IPFilter running on my cable modem.
I would like to add a dialup modem to the mix.
I would like to dial up to work and have addresses for work routed out the dialup.
When I dial up, my phone modem gets the cable modem's IP.
How can I stop this from happening?
TIA
Craig

From: Michael Chavez
To: freebsd-security@freebsd.org
Subject: subscribe
Date: Sat, 17 Feb 2001 00:40:20 -0600

subscribe

From: Ragnar Beer
To: freebsd-security@freebsd.org
Subject: Tripwire 2.3 Linux
Date: Sat, 17 Feb 2001 23:01:17 +0100

Howdy!

Is it possible to compile and run the open source version of Tripwire 2.3 Linux on FreeBSD?
What are the advantages over ASR 1.31? I haven't seen a comparison and also haven't found one at tripwire.com. Ragnar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 15:45:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from alchemistry.net (alchemistry.net [160.79.102.254]) by hub.freebsd.org (Postfix) with ESMTP id 6469437B491 for ; Sat, 17 Feb 2001 15:45:28 -0800 (PST) Received: from [192.168.0.1] (helo=ilya) by alchemistry.net with asmtp (TLSv1:RC4-MD5:128) (Exim 3.21 #6) id 14UH2d-000CaG-00 for freebsd-security@freebsd.org; Sat, 17 Feb 2001 18:45:27 -0500 Message-ID: <005801c0993b$b4feede0$0100a8c0@ilya> From: "Ilya" To: References: Subject: cracklib and passwd Date: Sat, 17 Feb 2001 18:45:27 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org does anyone has a patch for incorporating cracklib with passwd? 
thx To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 16:42:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id D172837B401 for ; Sat, 17 Feb 2001 16:42:27 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 17 Feb 2001 16:40:28 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1I0gDi33711; Sat, 17 Feb 2001 16:42:13 -0800 (PST) (envelope-from cjc) Date: Sat, 17 Feb 2001 16:42:12 -0800 From: "Crist J. Clark" To: "Frank W. Miller" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ftpd Message-ID: <20010217164212.B62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <200102161226.HAA22233@macalpine.cornfed.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200102161226.HAA22233@macalpine.cornfed.com>; from fwmiller@macalpine.cornfed.com on Fri, Feb 16, 2001 at 07:26:16AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 16, 2001 at 07:26:16AM -0500, Frank W. Miller wrote: [snip] > The second solution doesnt work > might work. I had my permission set as 755 on the pub directory and have > changed them to 555. That seems to disallow creating directories and > I can still copy files to the directory as root. root can always write to a file or directory regardless of the permissons. But your anonymous ftp user will not be able to. -- Crist J. 
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 16:51:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 221D437B401; Sat, 17 Feb 2001 16:51:30 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 17 Feb 2001 16:49:34 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1I0pOr34264; Sat, 17 Feb 2001 16:51:24 -0800 (PST) (envelope-from cjc) Date: Sat, 17 Feb 2001 16:51:24 -0800 From: "Crist J. Clark" To: Cliff Sarginson Cc: Peter Pentchev , Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Efficiency [Was: Re: rpc.statd attack] Message-ID: <20010217165124.C62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from cliff@raggedclown.net on Fri, Feb 16, 2001 at 03:03:44PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 16, 2001 at 03:03:44PM +0000, Cliff Sarginson wrote: [snip] > As you can see makes all the difference :) > But this is under Solaris ... > > $ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' > 32790 > > real 0m0.12s > user 0m0.04s > sys 0m0.07s > > $ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' > 32790 > > real 0m0.11s > user 0m0.05s > sys 0m0.04s Shocking. rpcinfo takes the same amount of time to run in both examples. You are not incuding the awk's and grep's in your measurements. 
ITYM, $ rpcinfo -p | time egrep -e 'udp.*status$' | time awk '{print $4}' 996 0.05 real 0.00 user 0.00 sys 0.04 real 0.00 user 0.00 sys $ rpcinfo -p | time awk '($3 == "udp") && ($5 == "status") {print $4 }' 996 0.03 real 0.00 user 0.00 sys -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 17: 9:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from apotheosis.org.za (apotheosis.org.za [137.158.128.27]) by hub.freebsd.org (Postfix) with ESMTP id 100A037B67D for ; Sat, 17 Feb 2001 17:09:10 -0800 (PST) Date: Sun, 18 Feb 2001 03:08:43 +0200 From: Matthew West To: Ilya Cc: freebsd-security@freebsd.org Subject: Re: cracklib and passwd Message-ID: <20010218030843.A67709@apotheosis.org.za> References: <005801c0993b$b4feede0$0100a8c0@ilya> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <005801c0993b$b4feede0$0100a8c0@ilya>; from "Ilya" on Sat, Feb 17, 2001 at 06:45:27PM Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Feb 17, 2001 at 06:45:27PM -0500, Ilya wrote: > does anyone has a patch for incorporating cracklib with passwd? 
some rudimentary work's available at: http://lucifer.ru.ac.za/stuffplayingwith.html -- mwest@uct.ac.za To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 17:18:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 49B6C37B503; Sat, 17 Feb 2001 17:18:31 -0800 (PST) Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id SAA67112; Sat, 17 Feb 2001 18:18:09 -0700 (MST) (envelope-from cfaber@fpsn.net) Message-ID: <3A8F22D4.E05E1BAE@fpsn.net> Date: Sat, 17 Feb 2001 18:18:12 -0700 From: Colin Faber Reply-To: cfaber@fpsn.net Organization: fpsn.net, Inc. X-Mailer: Mozilla 4.75 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: Cliff Sarginson , Peter Pentchev , Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Efficiency [Was: Re: rpc.statd attack] References: <20010217165124.C62368@rfx-216-196-73-168.users.reflex> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What is the point of this thread, I fail to see how its critical to freebsd security, If someone wants to waste cpu cycles its not hard. "Crist J. Clark" wrote: > On Fri, Feb 16, 2001 at 03:03:44PM +0000, Cliff Sarginson wrote: > > [snip] > > > As you can see makes all the difference :) > > But this is under Solaris ... > > > > $ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' > > 32790 > > > > real 0m0.12s > > user 0m0.04s > > sys 0m0.07s > > > > $ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' > > 32790 > > > > real 0m0.11s > > user 0m0.05s > > sys 0m0.04s > > Shocking. rpcinfo takes the same amount of time to run in both > examples. 
You are not incuding the awk's and grep's in your > measurements. > > ITYM, > > $ rpcinfo -p | time egrep -e 'udp.*status$' | time awk '{print $4}' > 996 > 0.05 real 0.00 user 0.00 sys > 0.04 real 0.00 user 0.00 sys > > $ rpcinfo -p | time awk '($3 == "udp") && ($5 == "status") {print $4 }' > 996 > 0.03 real 0.00 user 0.00 sys > > -- > Crist J. Clark cjclark@alum.mit.edu > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 19:29:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204]) by hub.freebsd.org (Postfix) with ESMTP id 4265D37B4EC for ; Sat, 17 Feb 2001 19:29:13 -0800 (PST) Received: from localhost (root@localhost) by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f1I3Wdg04615 for ; Sat, 17 Feb 2001 19:32:39 -0800 (PST) (envelope-from root@R181204.resnet.ucsb.edu) Date: Sat, 17 Feb 2001 19:32:39 -0800 (PST) From: System Admin To: Subject: hi Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org how do I subscribe to this thing? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 21: 3: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from flute.daconcepts.dyndns.org (wks-166-131-83.kscable.com [24.166.131.83]) by hub.freebsd.org (Postfix) with ESMTP id B5D1F37B401 for ; Sat, 17 Feb 2001 21:02:54 -0800 (PST) Received: from localhost (natedac@localhost) by flute.daconcepts.dyndns.org (8.11.1/8.11.1) with ESMTP id f1I52qY62453; Sat, 17 Feb 2001 23:02:52 -0600 (CST) (envelope-from natedac@kscable.com) X-Authentication-Warning: flute.daconcepts.dyndns.org: natedac owned process doing -bs Date: Sat, 17 Feb 2001 23:02:50 -0600 (CST) From: Nate Dannenberg X-Sender: natedac@flute.daconcepts.dyndns.org To: System Admin Cc: freebsd-security@FreeBSD.ORG Subject: Re: hi In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 17 Feb 2001, System Admin wrote: > how do I subscribe to this thing? Start by not doing sending email anymore as root (the address I am replying to is the address that shows as your "From" address, to all members of the list, including would-be crackers. Doing anything Internet related as root isn't a very good idea. Create yourself a user account (man adduser) and use this from now on for all of your daily activities. Don't use root for anything but system administration and testing. Anyways, try sending email (as a user, not root!) to: majordomo@FreeBSD.org ...with: subscribe freebsd-security ...in the body of the message. It will send back a confirmation notice with some security codes that you much Email back to majordomo with. Just follow the directions. See you on the list. 
> To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Just fyi - All posts that go through the lists get a footer like this attached, so at least you know your message went to everyone in the list. -- ___________________________________ _____ _____ | _///@@@| | | natedac@kscable.com /'//ZZ@@|____ | | |'''/ |'/@7 | | http://home.kscable.com/natedac |`'| `~~' | | | `| .--. | | C64/C128 - What's *YOUR* hobby? | `\____|___\ | | \_ | | |___________________________________ \_____| _____| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 17 23:47:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 7616937B401 for ; Sat, 17 Feb 2001 23:47:47 -0800 (PST) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 17 Feb 2001 23:45:22 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1I7lBU49901; Sat, 17 Feb 2001 23:47:11 -0800 (PST) (envelope-from cjc) Date: Sat, 17 Feb 2001 23:47:10 -0800 From: "Crist J. Clark" To: Jan Conrad Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG, Ralph Schreyer Subject: Re: Why does openssh protocol default to 2? 
Message-ID: <20010217234710.D62368@rfx-216-196-73-168.users.reflex> Reply-To: cjclark@alum.mit.edu References: <20010215133000.A12807@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Fri, Feb 16, 2001 at 03:49:04PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Feb 16, 2001 at 03:49:04PM +0100, Jan Conrad wrote: [snip] > Don't you think in such an environment using SSH1 with > RhostsRSAAuthentication would be reasonable (of course only if you *need* > to provide users with an rsh like automatic login). Sure - you can be > spoofed etc., the SSH connection could be attacked and whatnot but I would > consider that to be harmless compared to the possibility to collect keys > just by sniffing the net (and most people usually have keys without > passphrases..). Users can find a way to defeat most any system by choosing bad passwords, sharing passwords, etc. > I mean I just checked some University systems running ssh2 and ssh1 and I > found really *lots* of keys in NFS mounted users homes... (sometimes 10% > of the users had keys in their homes....) > > Maybe the conclusion is to put a warning into the manpages or into the > default sshd_config saying something like 'be sure to switch > xxxAuthentication of if you have NFS mounted homes'... > > > What I would find reasonable is something like an .shosts mechanism for > ssh2 or, better, but more complicated, having the keys themselves > encrypted by some private key of the machine. Why should a user have > access to a plain key? OK, I am still not understanding why you believe SSH1 has advantages over SSH2 when a user has NFS mounted home directories. The real vulnerability to SSHx with NFS home directories is the threat that an attacker may write to .ssh/authorized_keys*. If you can write to that file, you can write to .shosts or .rhosts. 
What attack is SSH2 vulnerable to which SSH1 is not? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
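Two threads above come down to the same Unix permission question: in the ftpd thread, whether the anonymous account can write into ~ftp/pub (root always can, whatever the mode bits say), and in the openssh thread, whether someone other than the owner can write .ssh/authorized_keys*, .shosts or .rhosts on an NFS-mounted home, plus the separate worry that private keys stored there have no passphrase. The script below is an added example written for this page, not code from the list or from OpenSSH. It implements the classic owner/group/other check once and uses it for both audits, and it decides whether a private key file is passphrase-protected by looking at three on-disk formats: the SSH1 identity file (magic string "SSH PRIVATE KEY FILE FORMAT 1.1\n\0" followed by a cipher-type byte, 0 meaning none, as I recall the layout from OpenSSH's authfile.c), the legacy PEM wrapper (a "Proc-Type: 4,ENCRYPTED" header marks encryption) and the openssh-key-v1 container, which postdates this thread and names its cipher as the first string after the magic. The ~ftp tree and home directory it builds under a temp dir are constructed for the demo; the openssh-key-v1 blobs it writes carry only the header and no key material.

```python
import base64, os, shutil, stat, struct, tempfile
from pathlib import Path

SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"   # SSH1 identity file (assumed layout)
OPENSSH_MAGIC = b"openssh-key-v1\x00"                      # modern OpenSSH container


def account_can_write(mode, st_uid, st_gid, uid, gids):
    """Unix DAC for one directory: exactly one class applies (owner, else group,
    else other) and root (uid 0) ignores the mode bits, as the ftpd reply says."""
    if uid == 0:
        return True
    if st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need          # creating an entry needs write AND search


def writable_dirs(root, uid, gids):
    """Directories under root (relative paths) the account could create entries in."""
    hits = []
    for d, _, _ in os.walk(root):
        st = os.stat(d)
        if account_can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            hits.append(os.path.relpath(d, root))
    return sorted(hits)


def key_is_encrypted(data):
    """True if a private key is passphrase-protected, False if stored in the
    clear, None if the format is not one this script knows."""
    if data.startswith(SSH1_MAGIC):
        return data[len(SSH1_MAGIC)] != 0            # cipher-type byte follows the magic, 0 = none
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            return None
        o = len(OPENSSH_MAGIC)
        n = struct.unpack(">I", raw[o:o + 4])[0]     # first string field is the cipher name
        return raw[o + 4:o + 4 + n] != b"none"
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data:
        return True                                   # PKCS#8, encrypted by definition
    if b"-----BEGIN " in data and b" PRIVATE KEY-----" in data:
        return b"Proc-Type: 4,ENCRYPTED" in data      # legacy PEM: header marks encryption
    return None


def audit_home(home, owner_uid):
    """NFS-home findings: trust files (and the dirs holding them) that someone
    other than the owner could write, and private keys without a passphrase."""
    home = Path(home)
    findings = []
    for p in (home, home / ".shosts", home / ".rhosts", home / ".ssh",
              home / ".ssh/authorized_keys", home / ".ssh/authorized_keys2"):
        if p.exists():
            st = p.stat()
            if st.st_uid != owner_uid:
                findings.append((p.name, "not owned by user"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((p.name, "writable by group/other"))
    for f in (home / ".ssh").glob("id*"):            # identity, id_rsa, id_ed25519, ...
        if not f.name.endswith(".pub") and key_is_encrypted(f.read_bytes()) is False:
            findings.append((f.name, "private key has no passphrase"))
    return sorted(findings)


def constructed_openssh_key(cipher):
    """CONSTRUCTED openssh-key-v1 header with the given cipher name; it carries
    no key material and would not load in ssh.  Demo input only."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(b"none" if cipher == b"none" else b"bcrypt") + s(b"") + struct.pack(">I", 1)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


def demo():
    """Constructed ~ftp tree and home directory, audited as in the two threads.
    Returns (ftp_writable_dirs, home_findings) and cleans up after itself."""
    base = Path(tempfile.mkdtemp())
    try:
        ftp, home = base / "ftp", base / "home"
        for d, mode in ((ftp / "pub/archive", 0o555), (ftp / "incoming", 0o1733), (home / ".ssh", 0o700)):
            d.mkdir(parents=True)
            d.chmod(mode)                                   # incoming: world-writable drop box, sticky
        for d in (ftp, ftp / "pub", home):
            d.chmod(0o755)                                  # the 755 from the ftpd thread
        ssh = home / ".ssh"
        (ssh / "identity").write_bytes(SSH1_MAGIC + bytes(5))              # SSH1, cipher type 0 = none
        (ssh / "id_ed25519").write_bytes(constructed_openssh_key(b"none"))  # cleartext
        (ssh / "id_ecdsa").write_bytes(constructed_openssh_key(b"aes256-ctr"))
        (ssh / "id_rsa").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                     b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
        (ssh / "authorized_keys").write_bytes(b"ssh-ed25519 AAAA user@host\n")
        (ssh / "authorized_keys").chmod(0o666)              # anyone on the export can append a key
        anon_uid = os.getuid() + 1                          # anonymous ftp account: not the tree's owner
        return writable_dirs(ftp, anon_uid, set()), audit_home(home, os.getuid())
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Run as root on the NFS server (so every home is readable), `audit_home` on each exported home finds the loose modes and cleartext keys Jan describes; `writable_dirs(ftp_root, ftp_uid, ftp_gids)` with the uid and groups of the ftp account shows which directories anonymous users can actually create files in, which is the question the 755-versus-555 exchange was really about. The check models mode bits only: it knows nothing about ACLs or NFS uid mapping, and it cannot see the attack Crist names, a client that presents the user's uid over NFS and writes authorized_keys with the owner's own permissions. Tightening modes closes the group/other path; the uid-spoofing path is an export-policy problem, not a permission one.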