From owner-freebsd-security Sun Mar 25 1:26:27 2001
From: Domas Mituzas
Date: Sun, 25 Mar 2001 11:26:15 +0200 (EET)
To: jessemonroy@email.com
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: A Simple TCP Port Alarm
In-Reply-To: <200103250146.RAA36357@dnull.com>

Hi,

> I've written a simple TCP port alarm in Perl.
> The default configuration spoofs the daytime service on port 13.
> It logs all connections, then emails to the configured recipient.
> You can check it out at:

How is it connected with security? :-) Actually tcpwrappers (hosts.allow) support various actions on denied or accepted connections, like sending an email message or a bomb to the blackhat. There are a lot of other tools like portsentry, that happen to be rather successful.

And connections to daytime service are often very hazardous. Time is very valuable information, so we'd log all connections that are trying to obtain it from us, because a simple leak will make the whole network open to bad guys.

No offence, congrats dear Linux coder, you've written your first public software :) (How long are you going to support it?)

Regards,
Domas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 25 2:11:25 2001
From: Marc Rogers
Date: Sun, 25 Mar 2001 11:14:52 +0100
To: freebsd-security@FreeBSD.ORG
Subject: Re:
Message-ID: <20010325111452.A10016@shady.org>
References: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>
In-Reply-To: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>; from bhutton@bccwa.wa.edu.au on Sun, Mar 25, 2001 at 12:34:17PM +0800

On Sun, Mar 25, 2001 at 12:34:17PM +0800, Benjamin Hutton wrote:
> I'm attempting to setup a firewall for our network. The machine is
> running 4.2 STABLE. I have the problem that when I enable the firewall
> I can no longer ping the outside world. How do I fix this?

Ok I have two answers for you.....

First of all, you have to tell us if you can connect to the outside world at all. If you can't then I suggest you read http://coombs.anu.edu.au/~avalon/ if you are using ipfilter or http://www.freebsd.org/handbook/firewalls.html if using ipfw. I would also suggest reading Practical UNIX & Internet Security, 2nd Edition by Spafford and Garfinkel, published by O'Reilly & Associates, as well as Building Internet Firewalls, 2nd Edition by Zwicky, Chapman and Cooper, also published by O'Reilly & Associates.

Your firewall has to specifically allow traffic through or everything is denied. At the very least this means a rule to let everything through so that you can specifically deny traffic you don't want.

The next answer is if you can pass through your firewall, but you just can't ping through it, in which case my apologies for stating the obvious above, but you never can tell, and you weren't that clear. I suspect (although until you give us a little more detail, this is just guesswork) that you have probably set up rfc1918 reserved addresses within your network, using something like ipfilter's IPNAT.

When you do this, normally you have to specifically enable which traffic you wish to be translated: in the case of IPNAT, a line such as:

    map ed1 192.168.1.0/24 -> 240.1.0.1/32 portmap tcp/udp 10000:20000

is fine to enable translation of tcp and udp traffic, but if you want icmp traffic, you will need a line like:

    map ed1 192.168.1.0/24 -> 240.1.0.1/32

which will enable translation of any protocol that isn't tcp or udp.

>
> ----------------------------------
> Benjamin Hutton
> IT Officer Bunbury Catholic College

From owner-freebsd-security Sun Mar 25 4:32:44 2001
Message-Id: <200103251232.EAA50037@dnull.com>
Date: Sun, 25 Mar 2001 04:32:22 -0800 (PST)
From: jessem@livecam.com
Reply-To: jessemonroy@email.com
Subject: Re: Fwd: A Simple TCP Port Alarm
To: domas.mituzas@delfi.lt
Cc: security@FreeBSD.ORG

On 25 Mar, Domas Mituzas wrote:
> Hi,
>> I've written a simple TCP port alarm in Perl.
>> The default configuration spoofs the daytime service on port 13.
>> It logs all connections, then emails to the configured recipient.
>> You can check it out at:
>
> How is it connected with security? :-) Actually tcpwrappers
> (hosts.allow) support various actions on denied or accepted connections,
> like sending an email message or a bomb to the blackhat. There are a lot of
> other tools like portsentry, that happen to be rather successful.
>

Yes, that is correct. There are many programs out there. They are all complicated and time consuming to use. If you are familiar with Perl, then you might find this program interesting. Anyone faint of heart, but interested in security, would do well to pay money for something. This tool is strictly for hacker types.

As for the security aspect, this program is intended as an early detection system. It is not complete. It was not intended to be so.

> And connections to daytime service are often very hazardous. Time is
> very valuable information, so we'd log all connections that are trying to
> obtain it from us, because a simple leak will make the whole network open
> to bad guys.
>

I'm not sure what your point is. The daytime service on port 13 is intended for diagnostics. Follow the link to the program, RTFM. The RFC plainly says daytime is diagnostic. Your comments don't make any sense to me. Perhaps because it is 4:30am (local time). Perhaps you could reword them and try again. :-)

> No offence, congrats dear Linux coder, you've written your first public
> software :) (How long are you going to support it?)
>

This is far from a *inx hack. And this is not my first public code. You can find programs with my name going back to 1996.

I'm not going to support this. It is not going to do anything else. If someone finds a bug in it, it is only 120 lines of code and I hardly think anyone mucking with this program will have a hard time fixing it.

Best Regards,
Jessem.

From owner-freebsd-security Mon Mar 26 2:48:30 2001
From: Dag-Erling Smorgrav
Date: 26 Mar 2001 12:48:23 +0200
To: jessemonroy@email.com
Cc: security@freebsd.org
Subject: Re: Fwd: A Simple TCP Port Alarm
References: <200103250146.RAA36357@dnull.com>
In-Reply-To: jessem@livecam.com's message of "Sat, 24 Mar 2001 17:46:18 -0800 (PST)"

jessem@livecam.com writes:
> [...]

Jeez, can't you stick to *one* address so I don't have to update my killfile every other week?

DES
-- 
Dag-Erling Smørgrav - des@thinksec.com

From owner-freebsd-security Mon Mar 26 2:54:06 2001
From: Poul-Henning Kamp
Date: Mon, 26 Mar 2001 12:53:59 +0200
To: Dag-Erling Smorgrav
Cc: jessemonroy@email.com, security@FreeBSD.ORG
Subject: Re: Fwd: A Simple TCP Port Alarm
Message-ID: <59311.985604039@critter>
In-Reply-To: Your message of "26 Mar 2001 12:48:23 +0200."

In message , Dag-Erling Smorgrav writes:
>jessem@livecam.com writes:
>> [...]
>
>Jeez, can't you stick to *one* address so I don't have to update my
>killfile every other week?

It works for me using the "IQ < 75" criteria...

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Mon Mar 26 7:19:45 2001
Message-Id: <3.0.32.20010326232954.01f3fa10@smtp.magix.com.sg>
Date: Mon, 26 Mar 2001 23:29:55 +0800
To: freebsd-security@freebsd.org
From: Spades
Subject: kernel page fault

Another message from the kernel, 3rd time in a day.

> IOCAIFADDR)
> pid 2080 (services), uid 1009: exited on signal 11
> Fatal trap 12: prefused connection from open.proault virtual address = 0xbffaa040
> stack pointer = 0x10:0xd6343c7c
> frame pointer = 0x10:0xd6343c7c
> current process = 4220 (ftpd)
> syncing disks... 7 7 7 7 7 7 7 7 7 7 7 7 7
> Copyright (c) 1992-2001 The FreeBSD Project.
> pid 2291 (services), uid 1012: exited on signal 11

Is it a security issue, or does the hardware need to be replaced?

Lee.

From owner-freebsd-security Mon Mar 26 8:30:33 2001
From: mike
Date: Mon, 26 Mar 2001 09:24:46 -0700
To: security@freebsd.org
Subject: named dying on INSIST
Message-ID: <20010326092446.A8530@coloradosurf.com>

I humbly ask the great minds . . . Has anyone seen this or can lend insight?

Over the weekend, my named (primary nameserver) died unexpectedly.

Mar 24 02:04:53 ns1 named[6470]: /usr/src/lib/libbind/../../contrib/bind/lib/isc/ev_timers.c:114: INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000) failed.
Mar 24 02:04:53 ns1 named[6470]: /usr/src/lib/libbind/../../contrib/bind/lib/isc/ev_timers.c:114: INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000) failed.
Mar 24 02:04:54 ns1 /kernel: pid 6470 (named), uid 53: exited on signal 6

root@ns1#named -v
named 8.2.3-REL Sat Feb 3 21:11:38 MST 2001

The apparent problem (or more likely the alarm?) from /usr/src/contrib/bind/lib/isc/ev_timers.c:

struct timespec
evNowTime() {
	struct timeval now;

	if (gettimeofday(&now, NULL) < 0)
		return (evConsTime(0, 0));
	INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000);
	return (evTimeSpec(now));
}

clue --> less

TIA,
mike

From owner-freebsd-security Mon Mar 26 9:14:49 2001
From: Ben Weaver
Date: Mon, 26 Mar 2001 11:16:27 -0600
To: Benjamin Hutton
Cc: freebsd-security@FreeBSD.ORG
Subject: Problem setting up firewall
Message-ID: <20010326111627.A13106@tranquility.net>
References: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>
In-Reply-To: <200103250434.f2P4YHu06825@mx.bccwa.wa.edu.au>; from bhutton@bccwa.wa.edu.au on Sun, Mar 25, 2001 at 12:34:17PM +0800

On Sun, Mar 25, 2001 at 12:34:17PM +0800, Benjamin Hutton wrote:
> I'm attempting to setup a firewall for our network. The machine is
> running 4.2 STABLE. I have the problem that when I enable the firewall
> I can no longer ping the outside world. How do I fix this?

To help you, we will need more information:

- What firewall software are you running?
- What firewall configuration are you running?
- Do you have a networking situation that requires NAT or is this a bridge?

Those are just a few things we would need to know to start helping you. Please include any other information that might be relevant to your setup.

Thanks,
-Ben

From owner-freebsd-security Mon Mar 26 10:44:59 2001
From: Robert Watson
Date: Mon, 26 Mar 2001 13:44:47 -0500 (EST)
To: freebsd-fs@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: cvs commit: src/sys/conf files options src/sys/ufs/ufs acl.h ufs_acl.c ufs_vnops.c (fwd)

Just a heads up for those interested.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

---------- Forwarded message ----------
Date: Mon, 26 Mar 2001 09:53:19 -0800 (PST)
From: Robert Watson
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/conf files options src/sys/ufs/ufs acl.h ufs_acl.c ufs_vnops.c

rwatson     2001/03/26 09:53:19 PST

  Modified files:
    sys/conf             files options
    sys/ufs/ufs          ufs_vnops.c
  Added files:
    sys/ufs/ufs          acl.h ufs_acl.c
  Log:
  Introduce support for POSIX.1e ACLs on UFS-based file systems. This implementation is still experimental, and while fairly broadly tested, is not yet intended for production use. Support for POSIX.1e ACLs on UFS will not be MFC'd to RELENG_4.

  This implementation works by providing implementations of VOP_[GS]ETACL() for FFS, as well as modifying the appropriate access control and file creation routines. In this implementation, ACLs are backed into extended attributes; the base ACL (owner, group, other) permissions remain in the inode for performance and compatibility reasons, so only the extended and default ACLs are placed in extended attributes. The logic for ACL evaluation is provided by the fs-independent kern/kern_acl.c.

  o Introduce UFS_ACL, a compile-time configuration option that enables support for ACLs on FFS (and potentially other UFS-based file systems).
  o Introduce ufs_getacl(), ufs_setacl(), ufs_aclcheck(), which respectively get, set, and check the ACLs on the passed vnode.
  o Introduce ufs_sync_acl_from_inode(), ufs_sync_inode_from_acl() to maintain access control information between inode permissions and extended attribute data.
  o Modify ufs_access() to load a file access ACL and invoke vaccess_acl_posix1e() if ACLs are available on the file system.
  o Modify ufs_mkdir() and ufs_makeinode() to associate ACLs with newly created directories and files, inheriting from the parent directory's default ACL.
  o Enable these new vnode operations and conditionally compiled code paths if UFS_ACL is defined.

  A few notes:

  o This implementation is fairly widely tested, but still should be considered experimental.
  o Currently, ACLs are not exported via NFS; instead, the summarizing file mode/etc from the inode is. This results in conservative protection behavior, similar to the behavior of ACL-nonaware programs acting locally.
  o It is possible that underlying binary data formats associated with this implementation may change. Consumers of the implementation should expect to find their local configuration obsoleted in the next few months, resulting in possible loss of ACL data during an upgrade.
  o The extended attributes interface and implementation is still undergoing modification to address portable interface concerns, as well as performance.
  o Many applications do not yet correctly handle ACLs. In general, due to the POSIX.1e ACL model, behavior of ACL-unaware applications will be conservative with respect to file protection; some caution is recommended.
  o Instructions for configuring and maintaining ACLs on UFS will be committed in the near future; in the meantime it is possible to reference the README included in the last UFS ACL distribution placed on the TrustedBSD web site: http://www.TrustedBSD.org/downloads/

  Substantial debugging, hardware, travel, or connectivity support for this project was provided by: BSDi, Safeport Network Services, and NAI Labs. Significant coding contributions were made by Chris Faulhaber. Additional support was provided by Brian Feldman, Thomas Moestl, and Ilmar Habibulin.

  Reviewed by:    jedgar, keichii, mckusick, trustedbsd-discuss, freebsd-fs
  Obtained from:  TrustedBSD Project

  Revision  Changes    Path
  1.502     +2 -1      src/sys/conf/files
  1.266     +6 -1      src/sys/conf/options
  1.160     +214 -6    src/sys/ufs/ufs/ufs_vnops.c

From owner-freebsd-security Mon Mar 26 11:14:00 2001
Message-ID: <3ABF93BE.A855334@duwde.com.br>
Date: Mon, 26 Mar 2001 16:08:46 -0300
From: "Duwde (Fabio V. Dias)"
To: security-officer@FreeBSD.org, freebsd-security@freebsd.org
Subject: SSHD revealing too much information.

To the FreeBSD Security Officer & FreeBSD Security List.
(Please reply, if needed, to my email too)

I've already posted this at FreeBSD-stable@freebsd.org but it seems some people haven't agreed on this issue, so I'm posting this here, as it's security related.

As of 2001/03/22 we have (and it's still on 4.x-stable of today, 4.3-RC):

--
bash-2.04$ cat /usr/src/crypto/openssh/version.h
/* $FreeBSD: src/crypto/openssh/version.h,v 1.1.1.1.2.4 2001/03/22 00:30:56 green Exp $ */
/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */

#define SSH_VERSION "OpenSSH_2.3.0 green@FreeBSD.org 20010321"
bash-2.04$
--

It seems some fixes have been made on OpenSSH 2.3.0 or so, and the string "green@FreeBSD.org 20010321" has been added to SSH_VERSION. The problem is that this is used in the initial SSHD login procedure:

--
bash-2.04$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
--

So as SSHD is a daemon USUALLY enabled to the whole internet, anyone can find out what OS (FreeBSD), and what SSHD *cvsuped* version is running. As well as if it has been fixed or NOT.

So targeting attacks to unfixed SSHDs running FreeBSD would be made easier, as well as any other attacks in the future, 'cause there will be no doubt of what OS the host is running. (plus a good idea of its version, using the 20010321 string)

Btw, there is no need to let anyone know if the SSHD is fixed or NOT, nor the OS version, and SSHD exact modification date by the freebsd team. Is there?

Please let me know if I'm missing something...

--
Fabio Vilan Dias / Duwde
PGP key @ http://www.duwde.com.br/duwdepgp.asc
FP = BB35 50F2 7F83 655D 6B11 F0A2 F8E2 FF3D

From owner-freebsd-security Mon Mar 26 11:21:00 2001
From: Mike Silbersack
Date: Mon, 19 Mar 2001 13:26:07 -0600 (CST)
To: "Duwde (Fabio V. Dias)"
Subject: Re: SSHD revealing too much information.
In-Reply-To: <3ABF93BE.A855334@duwde.com.br>

On Mon, 26 Mar 2001, Duwde (Fabio V. Dias) wrote:

> #define SSH_VERSION "OpenSSH_2.3.0 green@FreeBSD.org 20010321"
> bash-2.04$
> --
> So as SSHD is a daemon USUALLY enabled to the whole internet,
> anyone can find out what OS (FreeBSD), and what SSHD *cvsuped*
> version is running. As well as if it has been fixed or NOT.
>
> So targeting attacks to unfixed SSHDs running FreeBSD would be
> made easier, as well as any other attacks in the future, 'cause
> there will be no doubt of what OS the host is running. (plus
> a good idea of its version, using the 20010321 string)

It's for this reason that I've changed the version string on my hosts to:

"OpenSSH_2.7.3 green@FreeBSD.org 20030122"

Nobody's going to attack me now.

Mike "Silby" Silbersack

From owner-freebsd-security Mon Mar 26 11:57:07 2001
From: "Michael A. Dickerson"
Date: Mon, 26 Mar 2001 11:54:43 -0800
To: "Duwde (Fabio V. Dias)"
Subject: Re: SSHD revealing too much information.
Message-ID: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw>

Uh, Kris Kennaway was the first to respond to you on -stable, and the first to disagree that this is a problem. He *is* the FreeBSD Security Officer.

As others pointed out, it is trivial to determine the OS of a remote host.

As others pointed out, it is extremely useful for the legitimate administrator of a system to be able to query the version of various services remotely. You may even have a legitimate reason to audit the services on machines you don't have an account on. Suppose you're responsible for an academic network, where people can run anything they want. But, you still need to be sure that students' machines don't get rooted, for your own health and welfare. If everybody strips all the version information out of their services in the name of "security", you will be reduced to running the exploits one after another to see if they work.

Another example: after the recent bind circus, I screwed up one machine so that it restarted the old bind after a power failure. I caught it because I ran an easy "version.bind. chaos txt" query. If I had to log in to that machine and do bind --version or the like, I might not have caught it for weeks (besides which, bind --version would have probably falsely reported 9.x). Sure, that was my fault, but I know I'm going to screw up sometimes.
Yet another reason that I don't think anyone pointed out--let's say there's a bug in OpenSSH 2.3.47 that makes it inoperable with some future version of the ssh client. NOT a remote exploit, just a bug. (e.g. the MAC bug in some commercial versions of ssh.) If sshd reports its version accurately upon connection (which by the way is a basic part of the SSH protocol), the client can activate a workaround when it connects to a broken sshd. If not, then it's up to you to guess what the problem is. This happens a few times, and you have 2^n possible settings to guess among, where n is the number of such bugs in various ssh daemons.

I understand the desire not to reveal any more information than is necessary; that's why we disable finger, daytime, etc. That's fine when you only have to manage one or two machines and you can easily remember what's running at any given time. In that case there's nothing stopping you from changing the "version" to whatever you want. Unfortunately security-by-obscurity doesn't scale past the 1 or 2 boxes. If this were a democracy, I vote with the majority; please *don't* munge the version reported by sshd.

M.D.

----- Original Message -----
From: "Duwde (Fabio V. Dias)"
Newsgroups: mailing.freebsd.security
Sent: Monday, March 26, 2001 11:15 AM
Subject: SSHD revealing too much information.

From owner-freebsd-security Mon Mar 26 12:19:46 2001
Message-Id: <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>
Date: Mon, 26 Mar 2001 14:18:51 -0600
To: "Michael A. Dickerson", "Duwde (Fabio V. Dias)"
From: Christopher Schulte Subject: Re: SSHD revelaing too much information. Cc: In-Reply-To: <005f01c0b62e$9cab5980$db9497cf@singingtree.com> References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:54 AM 3/26/2001 -0800, Michael A. Dickerson wrote: >I understand the desire not to reveal any more information than is >necessary; that's why we disable finger, daytime, etc. That's fine when you >only have to manage one or two machines and you can easily remember what's >running at any given time. In that case there's nothing stopping you from >changing the "version" to whatever you want. Unfortunately >security-by-obscurity doesn't scale past the 1 or 2 boxes. If this were a >democracy, I vote with the majority; please *don't* munge the version >reported by sshd. Yet another point which I don't believe was mentioned.... just a word of common sense re: security by obscurity. Many kid scripts don't give a damn what the service banner displays. Recent bind exploits are going to hit 4.x, 8.x, and 9.x servers all the same. Why wouldn't they - they know some admins will have altered the banners. And others don't even care to build in additional checks. So they scan any and every server they can find, regardless of what version or patch level it may report. The same applies to sshd. The 'green' banner does not attract any more attention than it would without, IMHO. It does not make the service any more or less secure. As an admin you can: a) limit access to clients that need the service (secureid/firewalls/tcpwrappers/whatever) b) if that's not an option (public server that has clients from random networks) then make sure you're running a known secure version. Have an IDS in place to deal with a compromise should one actually occur. >M.D. 
--chris

From owner-freebsd-security Mon Mar 26 12:54:09 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 92FFB37B718 for ; Mon, 26 Mar 2001 12:54:04 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 14he03-0002V0-00 for freebsd-security@FreeBSD.ORG; Mon, 26 Mar 2001 15:54:03 -0500
Date: Mon, 26 Mar 2001 15:54:02 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010326155402.A9081@pir.net>
Reply-To: freebsd-security@freebsd.org
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com> <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.2.1.0.20010326140101.00a94608@pop.schulte.org>; from christopher@schulte.org on Mon, Mar 26, 2001 at 02:18:51PM -0600
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Christopher Schulte probably said:
> At 11:54 AM 3/26/2001 -0800, Michael A. Dickerson wrote:
> >I understand the desire not to reveal any more information than is
> >necessary; that's why we disable finger, daytime, etc. That's fine when you
> >only have to manage one or two machines and you can easily remember what's
> >running at any given time.

I've scaled not giving out version information and maintaining such to
hundreds of machines and really don't see this as a problem.

> >In that case there's nothing stopping you from
> >changing the "version" to whatever you want.

Other than the fact you have to do it each time. If this was configurable
other than at compile time then both sides could be happy.

> >Unfortunately security-by-obscurity doesn't scale past the 1 or 2
> >boxes. If this were a democracy, I vote with the majority; please
> >*don't* munge the version reported by sshd.

Some people apparently want this information available, fine. Others
don't. At the moment this change is not configurable other than by
recompiling, something you have to remember to do each time. If it was
configurable I'd turn it off and not be complaining.
> Many kid scripts don't give a damn what the service banner
> displays. Recent bind exploits are going to hit 4.x, 8.x, and 9.x servers
> all the same. Why wouldn't they - they know some admins will have altered
> the banners. And others don't even care to build in additional checks. So
> they scan any and every server they can find, regardless of what version or
> patch level it may report.

Actually, every single bind scan across our /16 that my IDS has spotted
(which is lots) has checked versions, found the few that are running
vulnerable versions and attempted to attack just those.

> The same applies to sshd. The 'green' banner does not attract any
> more attention than it would without, IMHO. It does not make the
> service any more or less secure.

It gives out information that is unneeded. This goes against my security
principles. Do you have a list of versions of all packages on your
systems available to the net, unsecured? It would make checking versions
and administration easier, but there's no way in hell you'll find me
doing that.

Useful security is a balance between functionality/usability and
security. Giving out this information provides no extra functionality
for me and provides information to a potential attacker.

> a) limit access to clients that need the service
> (secureid/firewalls/tcpwrappers/whatever)

Not feasible for some of my work machines. I'm working on this, but
sometimes you just can't.

> b) if that's not an option (public server that has clients from random
> networks) then make sure you're running a known secure version. Have an
> IDS in place to deal with a compromise should one actually occur.

The problem is that there's no such thing as a "known secure" version.
There are just versions that are not known insecure yet.

P.
--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Mon Mar 26 13:03:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 963A937B71A for ; Mon, 26 Mar 2001 13:03:21 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id OAA28196; Mon, 26 Mar 2001 14:02:38 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id OAA07528; Mon, 26 Mar 2001 14:02:38 -0700 (MST) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15039.44653.624089.289615@nomad.yogotech.com>
Date: Mon, 26 Mar 2001 14:02:37 -0700 (MST)
To: "Michael A. Dickerson"
Cc: "\"Duwde (Fabio V. Dias)\"" ,
Subject: Re: SSHD revelaing too much information.
In-Reply-To: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Uh, Kris Kennaway was the first to respond to you on -stable, and the first
> to disagree that this is a problem. He *is* the FreeBSD Security Officer.

That doesn't make him right.

> As others pointed out, it is trivial to determine the OS of a remote host.

Not necessarily. And, a good rule of security is to never reveal
information unless you have to. Don't go out of your way to stop folks
from figuring out your OS. Make them work for it.

> As others pointed out, it is extremely useful for the legitimate
> administrator of a system to be able to query the version of various
> services remotely.

I disagree. Anyone who administers a small number of machines can keep
track of it, and anyone who has a lot of machines won't trust the remote
information. This is a specious argument.

> You may even have a legitimate reason to audit the
> services on machines you don't have an account on. Suppose you're
> responsible for an academic network, where people can run anything they
> want.

Again, you're giving information to the crackers for free. Make them
work for it.

Security through obscurity is *one* form of legitimate security. Using
the same arguments as people are using, public key infrastructure is
security through obscurity.
I'm not giving you my private key, so by being 'obscure' I'm also being
secure.

Security is ALL about having useful information, and denying as much
information from your attacker is a great strategy. It can't be the
only strategy, but it's a good first cut.

Nate

From owner-freebsd-security Mon Mar 26 13:26:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-89.dsl.lsan03.pacbell.net [63.207.60.89]) by hub.freebsd.org (Postfix) with ESMTP id 9301C37B71E; Mon, 26 Mar 2001 13:26:32 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 427B866F34; Mon, 26 Mar 2001 13:26:32 -0800 (PST)
Date: Mon, 26 Mar 2001 13:26:32 -0800
From: Kris Kennaway
To: "Duwde (Fabio V. Dias)"
Cc: security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010326132632.B7234@xor.obsecurity.org>
References: <3ABF93BE.A855334@duwde.com.br>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cmJC7u66zC7hs+87"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ABF93BE.A855334@duwde.com.br>; from duwde@duwde.com.br on Mon, Mar 26, 2001 at 04:08:46PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 26, 2001 at 04:08:46PM -0300, Duwde (Fabio V. Dias) wrote:
> To the FreeBSD Security Officer & FreeBSD Security List.
> (Please reply, if need, to my email too)
>
> I've already posted this at FreeBSD-stable@freebsd.org but it
> seems some people haven't agreed on this issue, so I'm posting
> this here, as it's security related.
You've already been corresponding with the freebsd security officer
about this, so his position is already clear :-)

Kris

From owner-freebsd-security Mon Mar 26 13:32:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sherline.com (sherline.net [216.120.87.2]) by hub.freebsd.org (Postfix) with SMTP id 45E8F37B718 for ; Mon, 26 Mar 2001 13:32:29 -0800 (PST) (envelope-from data@irev.net)
Received: (qmail 37845 invoked from network); 26 Mar 2001 21:32:17 -0000
Received: from server.sherline.net (HELO server2) (216.120.87.3) by sherline.net with SMTP; 26 Mar 2001 21:32:17 -0000
Message-ID: <001301c0b63c$40120670$035778d8@sherline.net>
From: "Jeremiah Gowdy"
To: "Nate Williams" , "Michael A. Dickerson"
Cc: "\"Duwde (Fabio V. Dias)\"" ,
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com> <15039.44653.624089.289615@nomad.yogotech.com>
Subject: Re: SSHD revelaing too much information.
Date: Mon, 26 Mar 2001 13:32:25 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Uh, Kris Kennaway was the first to respond to you on -stable, and the first
> > to disagree that this is a problem. He *is* the FreeBSD Security Officer.
>
> That doesn't make him right.

Yeah I don't like that trend of thought. Kris Kennaway seems to be a
knowledgeable guy, and yes he *is* the security officer, but that doesn't
invalidate other people's opinions. If we had a magic team of people who
were magically right all the time, FreeBSD wouldn't need public/user
contributions. In a discussion like this, unless you're talking about
authority on a subject, I don't think the title of the people has as much
to do with the technical side of the argument. I'm sure Kris would agree
that everyone makes mistakes and him being the security officer doesn't
make him more right than other people. He just has the last word. There's
a difference.

> > As others pointed out, it is trivial to determine the OS of a remote host.
>
> Not necessarily. And, a good rule of security is to never reveal
> information unless you have to. Don't go out of your way to stop folks
> from figuring out your OS. Make them work for it.
>

Although OSes can be fingerprinted, some are harder to guess than others.
Especially in the case of open source operating systems, I wouldn't say
it's trivial to determine the OS of a remote host if the admin doesn't
want people to know. Even a crappy little Sonic Firewall will confuse
nmap's OS fingerprinting in my experience. OS fingerprinting is not
foolproof, and is pretty trivial to trick.

> > As others pointed out, it is extremely useful for the legitimate
> > administrator of a system to be able to query the version of various
> > services remotely.
>
> I disagree. Anyone who administers a small number of machines can keep
> track of it, and anyone who has a lot of machines won't trust the remote
> information. This is a specious argument.

I agree completely. "query versions of various services remotely"? How
about, "Alex, can I have 'First step for a script kiddie' for $200
please?"

> > You may even have a legitimate reason to audit the
> > services on machines you don't have an account on. Suppose you're
> > responsible for an academic network, where people can run anything they
> > want.
>
> Again, you're giving information to the crackers for free. Make them
> work for it.

You're going to audit services on machines you don't have an account on?
Either you're the admin or you aren't. You can't be responsible for
service level security on servers you don't even have a basic account on.
That's foolish. Making information public so that you can exclude the
security admin from having an account is bass ackwards.

> Security is ALL about having useful information, and denying as much
> information from your attacker is a great strategy. It can't be the
> only strategy, but it's a good first cut.
>
> Nate

From owner-freebsd-security Mon Mar 26 13:34:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-89.dsl.lsan03.pacbell.net [63.207.60.89]) by hub.freebsd.org (Postfix) with ESMTP id 87DDC37B719 for ; Mon, 26 Mar 2001 13:34:45 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 2766666F34; Mon, 26 Mar 2001 13:34:45 -0800 (PST)
Date: Mon, 26 Mar 2001 13:34:45 -0800
From: Kris Kennaway
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel page fault
Message-ID: <20010326133445.D7234@xor.obsecurity.org>
References: <3.0.32.20010326232954.01f3fa10@smtp.magix.com.sg>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="0IvGJv3f9h+YhkrH"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3.0.32.20010326232954.01f3fa10@smtp.magix.com.sg>; from spades@galaxynet.org on Mon, Mar 26, 2001 at 11:29:55PM +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 26, 2001 at 11:29:55PM +0800, Spades wrote:
> Another message from the kernel, 3rd time in a day.
>
> > IOCAIFADDR)
> > pid 2080 (services), uid 1009: exited on signal 11
> > Fatal trap 12: prefused connection from open.proault virtual address = 0xbffaa040
> > stack pointer = 0x10:0xd6343c7c
> > frame pointer = 0x10:0xd6343c7c
> > current process = 4220 (ftpd)
> > syncing disks... 7 7 7 7 7 7 7 7 7 7 7 7 7 Copyright (c) 1992-2001 The FreeBSD Project.
> > pid 2291 (services), uid 1012: exited on signal 11
>
> Is it a security issue or needs to be hardware replaced?

Probably the latter, but you need to obtain a crashdump and stack
traceback as explained in the handbook before anyone can tell for
certain.
Kris

From owner-freebsd-security Mon Mar 26 13:40:08 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-89.dsl.lsan03.pacbell.net [63.207.60.89]) by hub.freebsd.org (Postfix) with ESMTP id 0A60B37B71A for ; Mon, 26 Mar 2001 13:39:57 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 335F866F4E; Mon, 26 Mar 2001 13:39:53 -0800 (PST)
Date: Mon, 26 Mar 2001 13:39:53 -0800
From: Kris Kennaway
To: Nate Williams
Cc: "Michael A. Dickerson" , "Duwde (Fabio V. Dias)" , freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010326133953.E7234@xor.obsecurity.org>
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw> <005f01c0b62e$9cab5980$db9497cf@singingtree.com> <15039.44653.624089.289615@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jTMWTj4UTAEmbWeb"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <15039.44653.624089.289615@nomad.yogotech.com>; from nate@yogotech.com on Mon, Mar 26, 2001 at 02:02:37PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 26, 2001 at 02:02:37PM -0700, Nate Williams wrote:
> > Uh, Kris Kennaway was the first to respond to you on -stable, and the first
> > to disagree that this is a problem. He *is* the FreeBSD Security Officer.
>
> That doesn't make him right.

Very true, and in fact I don't see anyone claiming this, but I've
already given my opinion on the non-seriousness of this complaint, so
simply repeating existing arguments isn't going to change my mind: I
don't think the person who forwarded this mail to security-officer
realised they had already been talking to me.
Kris

From owner-freebsd-security Mon Mar 26 17:20:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mx.bccwa.wa.edu.au (mx.bccwa.wa.edu.au [203.18.251.55]) by hub.freebsd.org (Postfix) with ESMTP id AC82537B71E for ; Mon, 26 Mar 2001 17:19:48 -0800 (PST) (envelope-from bhutton@bccwa.wa.edu.au)
Received: (from nobody@localhost) by mx.bccwa.wa.edu.au (8.11.2/8.9.3) id f2R1MSe08675; Tue, 27 Mar 2001 09:22:28 +0800 (WST) (envelope-from bhutton@bccwa.wa.edu.au)
Date: Tue, 27 Mar 2001 09:22:28 +0800 (WST)
Message-Id: <200103270122.f2R1MSe08675@mx.bccwa.wa.edu.au>
From: "Benjamin Hutton"
To: "FreeBSD Security"
Subject:
X-Mailer: NeoMail 1.22
X-IPAddress: 192.168.1.101
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My apologies for not sending enough info.

I'm using ipfw through rc.firewall with the "simple" configuration using
NAT.

----------------------------------
Benjamin Hutton
IT Officer
Bunbury Catholic College

From owner-freebsd-security Mon Mar 26 17:52:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mx.bccwa.wa.edu.au (mx.bccwa.wa.edu.au [203.18.251.55]) by hub.freebsd.org (Postfix) with ESMTP id E105937B71A for ; Mon, 26 Mar 2001 17:52:35 -0800 (PST) (envelope-from bhutton@bccwa.wa.edu.au)
Received: (from nobody@localhost) by mx.bccwa.wa.edu.au (8.11.2/8.9.3) id f2R1tIn08731; Tue, 27 Mar 2001 09:55:18 +0800 (WST) (envelope-from bhutton@bccwa.wa.edu.au)
Date: Tue, 27 Mar 2001 09:55:18 +0800 (WST)
Message-Id: <200103270155.f2R1tIn08731@mx.bccwa.wa.edu.au>
From: "Benjamin Hutton"
To: "FreeBSD Security"
Subject: Firewall
X-Mailer: NeoMail 1.22
X-IPAddress: 192.168.1.101
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My apologies for not sending enough info.

I'm using ipfw through rc.firewall with the "simple" configuration using
NAT.

----------------------------------
Benjamin Hutton
IT Officer
Bunbury Catholic College

From owner-freebsd-security Mon Mar 26 18:16:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id D1B5C37B719 for ; Mon, 26 Mar 2001 18:16:20 -0800 (PST) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 22414 invoked by uid 0); 27 Mar 2001 02:16:19 -0000
Received: from pd9508682.dip.t-dialin.net (HELO speedy.gsinet) (217.80.134.130) by mail.gmx.net (mail05) with SMTP; 27 Mar 2001 02:16:19 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA20470 for freebsd-security@freebsd.org; Mon, 26 Mar 2001 22:26:07 +0200
Date: Mon, 26 Mar 2001 22:26:07 +0200
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010326222607.V20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <3ABF93BE.A855334@duwde.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3ABF93BE.A855334@duwde.com.br>; from duwde@duwde.com.br on Mon, Mar 26, 2001 at 04:08:46PM -0300
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 26, 2001 at 16:08 -0300, Duwde (Fabio V. Dias) wrote:
>
> I've already posted this at FreeBSD-stable@freebsd.org but it
> seems some people haven't agreed on this issue, so I'm posting
> this here, as it's security related.

I'm not sure what makes you think that -stable readers will have a
different view than -security subscribers ...

> [ ... ]
> #define SSH_VERSION "OpenSSH_2.3.0 green@FreeBSD.org 20010321"
> [ ... this string being visible to net logins / scans ... ]
> So as SSHD is a daemon USUALLY enabled to the whole internet,
> anyone can find out what OS (FreeBSD), and what SSHD *cvsuped*
> version is running. As well as if it has been fixed or NOT.

You name it. It's *only* about the _sshd_ version. Nothing less. And
nothing more.

BTW: Who said that paranoid admins (as you seem to be) still have their
daemons show an *appropriate* banner? And who said that attacks are run
only when the banner points toward vulnerable daemon versions? Who said
kiddies / idiots run any banner check at all before trying any kit they
have -- short of knowing at all what's going on? And how can you think
that the bug isn't there and doesn't get probed for just because the
banner doesn't point to it?

I really have a hard time seeing any real advantage in obscurity ...

The most important reason for introducing this special and
discriminating version string was to enable admins to tell one version
from another.
Hiding this info doesn't buy you anything but maybe only makes you
_believe_ to be more secure (which is even more dangerous). While
providing this info is valuable to those who have to monitor and
maintain their networks.

You are free to change the string -- as long as it fits the spec (cited
somewhere in the thread where this very extension was discussed as well
as referred to in the commit messages -- you do read those messages when
running -STABLE, don't you?). An even better solution could(!) be if you
_provide_ a change to turn this info on/off instead of demanding others
to take back what they insert for a reason or to bend themselves only
for serving your wish for obscurity.

> So targeting attacks to unfixed SSHDs running FreeBSD would be
> made easier, as well as any other attacks in the future, 'cause
> there will be no doubt of what OS the host is running. (plus a
> good idea of its version, using the 20010321 string)

See above. How much does this banner have to hole? It could even be a
honeypot and dangerous to attack ... It's really nothing more than "a
good idea". If you're as paranoid as you look don't offer things like
login facilities (or networked services at all) "to the world by
default" ...

> Please let me know if I'm missing something...

You have gotten the same answers in the other thread: obscurity doesn't
result in better (if any) security!

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.
From owner-freebsd-security Mon Mar 26 18:31:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4D3F637B719 for ; Mon, 26 Mar 2001 18:31:30 -0800 (PST) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2R2Uth83666; Mon, 26 Mar 2001 21:30:55 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Mon, 26 Mar 2001 21:30:55 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Kris Kennaway
Cc: Nate Williams , "Michael A. Dickerson" , "Duwde (Fabio V. Dias)" , freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
In-Reply-To: <20010326133953.E7234@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, so I go knowingly into a heated discussion :-). I think that a number
of reasonable arguments have been made on all sides, so let me walk you
through my reasoning to reach the conclusion that I reached:

1) An important class of attackers can substantially benefit from
increased information concerning the specific version of software in use.

While it is true that there is a common class of attacker that does not
probe the object of the attack for version information (those using a
number of broadly-targeted "sweep" attack engines), there is another
important class of attackers that will benefit from this information:
attackers specifically targeting your host. In such a scenario, it is
very important to carefully identify and exploit the vulnerability,
because failed attempts (due to mis-characterization of the victim
operating system software, hardware architecture, or application
software) are easy to detect and commonly logged. Being able to select
the exploit to specifically take advantage of the vulnerability present
without failed attempts is important to a well-crafted attack. As such,
having specific version information exposed in the protocol banner can
facilitate attacks in a concrete manner. This seems to jibe well with the
argument made that this is not "security by obscurity", but rather a
strategic decision that has a practical impact on the effectiveness of
the most deadly class of attackers: the informed adversary.
Even if you are vulnerable to a specific vulnerability, forcing the
attacker to attempt to exploit it (perhaps unsuccessfully) can be
important in revealing the presence of the attacker, and limiting the
scope of their undetected capabilities.

2) Several important classes of software consumers benefit from the
explicit detailing of version information.

A number of consumers of this banner information are present, and they
represent an important class of users. Just off the top of my head, I can
identify at least two reasons why revealing version information is
useful:

First, it allows mass-detection of vulnerable hosts without more
complicated (or dangerous) detection mechanisms. Even on the scale of a
small number of hosts, being able to take advantage of this technique is
very important to many installations. In fact, when the recent BIND
vulnerability was announced, a number of efforts were made to sweep the
Internet to detect vulnerable nameservers, and notify the administrators
of the problem. A number of commercial vulnerability scanning tools, as
well as freely available tools (including one tool released by the
OpenSSH development team) can use this banner information to generate
suspected vulnerability lists. In fact, there are even ASP services
available that will scan the connecting host for vulnerabilities in
return for a moderate fee, and the only "safe" way to do this (i.e.,
without exploiting the bug itself) is via version headers.

Second, version information can be extremely useful in diagnosing
connection and protocol negotiation failures, especially when the
debugging scenario is unilateral (for whatever reason). Minor protocol
incompatibilities or obscure authentication negotiation bugs can be
almost impossible to diagnose without detailed version information.

3) This information is already revealed by all known releases of OpenSSH:
despite the claim, nothing has "changed".
The objection to this change was raised when it was determined that we
now revealed information about the precise version of the software
executing on the host. I object that in fact, this information has
always been available, modulo local patches. If you track the standard
OpenSSH distribution, it reveals the version number you installed on your
system. And in practice, most consumers of OpenSSH either use the
released OpenSSH version, or the precise version of OpenSSH that shipped
with their operating system. For example, the following banners are ones
I peeled out of connections to a number of existing systems,
demonstrating that this facility to detect remote version numbers is not
"new" or a recent change in policy:

SSH-1.5-OpenSSH-1.2.1
SSH-1.99-OpenSSH_2.3.0
SSH-1.5-1.2.27

All that has happened is that Brian has differentiated our version from
the OpenSSH released versions.

4) There is strong precedent for the revealing of version information in
protocol headers by default.

220 censored. ESMTP Sendmail 8.11.1/8.11.1; Mon, 26 Mar 2001 21:07:07 -0500 (EST)
220 censored. FTP server (Version 6.00LS) ready.
Server: Apache/1.3.9 (Unix)

And you really don't want to see the output of telnet option negotiation
:-).

Part of this reporting of version information is really a function of
negotiating optional components of a service, or extensions. For
example, using SSH without exposed version information, I can probe the
set of available authentication services, as well as available crypto
algorithms, which can let me substantially narrow down the range of
available versions you could be using. Due to changes in negotiation
procedures, protocol version number, and *even susceptibility to certain
security (and other) bugs*, it is very hard to hide this information.

5) A compromise solution is appropriate that takes into account all of
these (and other) considerations.
I think the proponents of revision information hiding have made a strong
case that in their environments, the ability to hide version information
is an important component of their security stance. They have
successfully argued that making the exposure of this information a
compile-time option presents a substantial challenge to their ability to
realize this stance. However, I think they have failed to successfully
argue that there is substantial precedent for this as a system default,
or that more consumers of the software will benefit from advertising
version information than otherwise.

What this suggests is that we should look for a compromise. The first
that comes to mind is to make it possible to configure the optional
(non-protocol) component in the version string using a run-time
configuration parameter, but for the default string (when unconfigured),
we should make use of a version identifier.

Just a proposal :-). Note that BIND used to require recompiling its
version string, but now allows it to be changed using run-time
parameters.

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Mar 26 18:39:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id C6CD637B718 for ; Mon, 26 Mar 2001 18:39:32 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 14hjON-0004fd-00 for freebsd-security@FreeBSD.ORG; Mon, 26 Mar 2001 21:39:31 -0500
Date: Mon, 26 Mar 2001 21:39:30 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010326213930.B15891@pir.net>
Reply-To: freebsd-security@freebsd.org
References: <20010326133953.E7234@xor.obsecurity.org>
In-Reply-To: ; from rwatson@FreeBSD.ORG on Mon, Mar 26, 2001 at 09:30:55PM -0500
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.

Robert Watson probably said:
> Note that BIND used to require recompiling its version string, but
> now allows it to be changed using run-time parameters.

For as long as I can remember (read: as long as I've been doing it) you've been able to block BIND from giving out its version number without recompiling by creating a chaos/bind zone and adding a query acl.

P.

--
pir                  pir@pir.net                    pir@net.tufts.edu

From owner-freebsd-security Mon Mar 26 19:33:45 2001
Date: Mon, 26 Mar 2001 22:33:41 -0500 (EST)
From: Robert Watson
To: freebsd-security@freebsd.org
Subject: Re: SSHD revelaing too much information.
In-Reply-To: <20010326213930.B15891@pir.net>

On Mon, 26 Mar 2001, Peter Radcliffe wrote:

> Robert Watson probably said:
> > Note that BIND used to require recompiling its version string, but
> > now allows it to be changed using run-time parameters.
>
> For as long as I can remember (read: as long as I've been doing it)
> you've been able to block BIND from giving out its version number
> without recompiling by creating a chaos/bind zone and adding a query
> acl.

"changed" != "blocked". These are different situations: in SSH, the server must offer a version string to the client, to allow negotiation of protocol parameters supported by both sides of the connection. Then the question becomes, what optional implementation string do you stick in: blocking the query is not possible in the same style as a DNS query (you cannot return a discernible "error" to the client, you can merely modify the field, possibly omitting useful information).

In my example, originally the text in question was compile-time determined, but later this changed. In fact, even until recently, there were still compile-time constants that could be returned in the CHAOS namespace that could not be modified. However, even once you've blocked the ability to request the specific revision of BIND, it's trivial to use a range of queries to "fingerprint" the version of the server by both attempting to use features supported by only some BIND versions, and by attempting to trigger bugs present only in specific versions or version ranges.
The fundamental issue here is that version numbers *reflect* behavioral changes, meaning that what the attacker really cares about is the behavior, not the version number, for the purposes of exploiting a bug. Having the precise version number allows, as I've indicated, tailoring of the attack path, but it isn't required to successfully exploit a security hole.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Mar 26 19:49:34 2001
Date: Mon, 26 Mar 2001 22:49:20 -0500
To: Robert Watson, Kris Kennaway
From: Garance A Drosihn
Subject: Re: SSHD revelaing too much information.
Cc: Nate Williams, "Michael A. Dickerson", "Duwde (Fabio V. Dias)", freebsd-security@FreeBSD.ORG

At 9:30 PM -0500 3/26/01, Robert Watson wrote:
>OK, so I go knowingly into a heated discussion :-).

And you go and ruin a good, building flame-war by bringing in facts and a reasoned analysis. Boy, what a spoil-sport...

>2) Several important classes of software consumers benefit
>   from the explicit detailing of version information.
>
>A number of consumers of this banner information are present,
>and they represent an important class of users. Just off the
>top of my head, I can identify at least two reasons why
>revealing version information is useful:

One thing I was wondering is if the version information could be delayed until the user has successfully authenticated to some user on the destination host. Maybe any userid on the destination host, maybe just some specific userid(s). I think that would give the version info out to people who would have some RIGHT to know it, without leaving it out there for absolutely anyone to anonymously discover. [This delay would be an sshd configuration option, of course, so that administrators could choose the behavior they wanted.]

My next question is whether this version-paranoid behavior should key off some system setting (a sysctl of some sort), as perhaps there are other network-service daemons where this same issue comes up. Might as well have them all key off a single option.
--
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security Mon Mar 26 19:54:20 2001
Message-Id: <200103270354.f2R3s8f30079@ns1.unixathome.org>
From: "Dan Langille"
Organization: novice in training
To: Garance A Drosihn
Date: Tue, 27 Mar 2001 15:54:06 +1200
Subject: Re: SSHD revelaing too much information.
Reply-To: dan@langille.org
Cc: freebsd-security@FreeBSD.ORG

On 26 Mar 2001, at 22:49, Garance A Drosihn wrote:

> At 9:30 PM -0500 3/26/01, Robert Watson wrote:
> >OK, so I go knowingly into a heated discussion :-).
>
> And you go and ruin a good, building flame-war by bringing in
> facts and a reasoned analysis. Boy, what a spoil-sport...

You remember the above.....

> My next question is whether this version-paranoid behavior should
> key off some system setting (a sysctl of some sort), as perhaps
> there are other network-service daemons where this same issue
> comes up. Might as well have them all key off a single option.

And then apply it to this. This is the first decent suggestion I've seen on this discussion. Well done.

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work? I'm looking for some.
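The whole argument so far, from Robert Watson's captured banners and his proposed compromise (a run-time configurable comment field with a version identifier as default) to the point made later in the thread that only the "OpenSSH_2.3.0" part of "OpenSSH_2.3.0 green@FreeBSD.org 20010321" is required by the protocol, turns on the structure of the SSH identification line. As an added example that is not code from OpenSSH or from any poster, here is a small Python audit an administrator can run over the banner their own sshd sends: it splits the line into the protocol-required fields and the optional comment, and names what the comment adds. The sample banners are the ones quoted in the thread; the classification rules and the "minimal form" notion are assumptions of the example.

```python
"""Audit what an SSH identification line discloses.

An SSH server opens with one line of the form

    SSH-<protoversion>-<softwareversion>[ <comments>]

Only protoversion and softwareversion take part in negotiation; the
comment field is free text.  This is an added example, not code from
OpenSSH or from anyone in the thread; the classification rules below are
assumptions of the example, and the sample banners are the ones quoted
in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# protoversion and softwareversion contain no spaces; anything after the
# first space is the optional comment field.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Banners quoted in the thread (constructed input for this example).
SAMPLE_BANNERS = [
    "SSH-1.5-OpenSSH-1.2.1",
    "SSH-1.99-OpenSSH_2.3.0",
    "SSH-1.5-1.2.27",
    "SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321",
    "SSH-1.99-OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319",
]


@dataclass(frozen=True)
class SshBanner:
    proto: str                # "1.5", "1.99", "2.0"
    software: str             # e.g. "OpenSSH_2.3.0"
    comments: Optional[str]   # free text after the first space, if any

    @property
    def protocol_versions(self) -> List[str]:
        # "1.99" is the convention for a server that speaks both 1.x and 2.0.
        if self.proto == "1.99":
            return ["1", "2"]
        return [self.proto.split(".")[0]]

    @property
    def minimal(self) -> str:
        # The shortest line that still carries everything negotiation needs.
        return f"SSH-{self.proto}-{self.software}"


def is_ssh_banner(line: str) -> bool:
    """True if the line has the SSH-proto-software shape (trailing CRLF ignored)."""
    return _BANNER_RE.match(line.rstrip("\r\n")) is not None


def parse_banner(line: str) -> SshBanner:
    """Split an identification line into protocol-required and optional parts."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification line: {line!r}")
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def comment_findings(comments: Optional[str]) -> List[str]:
    """Name what the optional comment field gives away beyond the version."""
    if not comments:
        return []
    findings = []
    if re.search(r"[\w.+-]+@[\w.-]+", comments):
        findings.append("maintainer address")
    if re.search(r"\b(19|20)\d{6}\b", comments):
        findings.append("build date")
    if re.search(r"(?i)freebsd|netbsd|openbsd|linux|solaris", comments):
        findings.append("operating system")
    if not findings:
        findings.append("free-text comment")
    return findings


def audit(line: str) -> dict:
    """Summarise one banner: what negotiation needs, and what is extra."""
    b = parse_banner(line)
    return {
        "protocols": b.protocol_versions,
        "software": b.software,
        "extra": comment_findings(b.comments),
        "minimal": b.minimal,
    }


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        r = audit(banner)
        extra = ", ".join(r["extra"]) or "nothing beyond the version"
        print(f"{banner!r}\n  protocols {r['protocols']}  software {r['software']}")
        print(f"  comment field adds: {extra}\n  minimal form: {r['minimal']}")
```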
From owner-freebsd-security Mon Mar 26 21: 0: 3 2001
Message-Id: <3AC01E48.0001D9.05696@frodo.searchcanada.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Version Hiding
From: "Michael Richards"
Date: Mon, 26 Mar 2001 23:59:52 -0500 (EST)

I remember once someone working at a university I once attended spent weeks obscuring a Linux box he was running so it would look like a Solaris machine. He spent so long doing this that he neglected to fix a very basic security flaw and was hacked. I also remember a machine I was running where an obscured version wasn't fixed for a few weeks of scanning and exploiting. So sometimes it is effective and sometimes it is not.

I know for a fact that some of the best hackers in the world do months and months of analysis of a system before even attempting anything because they like to get in on the first try and clean everything up. Using the wrong offset on stack popper code for a buffer overrun can tip off the admin.

So what am I saying? This is a religious battle that may or may not make your machine more resistant to attack. Why not make a switch that allows an admin to obscure versions if they like and display them proudly if they don't? Probably something more suited to a ports discussion.
-Michael

From owner-freebsd-security Tue Mar 27 0:55:26 2001
Date: Tue, 27 Mar 2001 00:55:03 -0800
From: "Crist J. Clark"
To: Garance A Drosihn
Cc: Robert Watson, Kris Kennaway, Nate Williams, "Michael A. Dickerson", "Duwde (Fabio V. Dias)", freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: ; from drosih@rpi.edu on Mon, Mar 26, 2001 at 10:49:20PM -0500

On Mon, Mar 26, 2001 at 10:49:20PM -0500, Garance A Drosihn wrote:
[snip]
> One thing I was wondering is if the version information could be
> delayed until the user has successfully authenticated to some user
> on the destination host.

SSH needs to know the version before it can negotiate the authentication. Read the draft. Passing the version number in plaintext at the start of the connection is not feasible to work around and does not really get you much.

This whole thread is about whether, for this version string,

  OpenSSH_2.3.0 green@FreeBSD.org 20010321

the 'green@FreeBSD.org 20010321' is too much information. The 'OpenSSH_2.3.0' part is required for the protocol.

--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Tue Mar 27 2:51:19 2001
X-URL: http://www.ofug.org/~des/
To: Spades
Cc: freebsd-questions@freebsd.org
Subject: Re: kernel page fault
References: <3.0.32.20010326232954.01f3fa10@smtp.magix.com.sg>
From: Dag-Erling Smorgrav
Date: 27 Mar 2001 12:50:57 +0200
In-Reply-To: Spades's message of "Mon, 26 Mar 2001 23:29:55 +0800"

[redirected to -questions]

Spades writes:
> Another message from the kernel, 3rd time in a day.
>
> > IOCAIFADDR)
> > pid 2080 (services), uid 1009: exited on signal 11
> > Fatal trap 12: prefused connection from open.proault virtual address = 0xbffaa040
> > stack pointer = 0x10:0xd6343c7c
> > frame pointer = 0x10:0xd6343c7c
> > current process = 4220 (ftpd)
> > syncing disks... 7 7 7 7 7 7 7 7 7 7 7 7 7 Copyright (c) 1992-2001 The FreeBSD Project.
> > pid 2291 (services), uid 1012: exited on signal 11

The panic message looks mangled. It should be:

  Fatal trap 12: page fault while in kernel mode
  fault virtual address = 0xbffaa040

and there are several lines missing.
Please read the following FAQ entry:

  http://www.freebsd.org/FAQ/hackers.html#KERNEL-PANIC-TROUBLESHOOTING

DES
--
Dag-Erling Smørgrav - des@thinksec.com

From owner-freebsd-security Tue Mar 27 5:10:29 2001
In-Reply-To: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
From: Makoto MATSUSHITA
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Date: Tue, 27 Mar 2001 22:09:40 +0900
Message-Id: <20010327220940N.matusita@jp.FreeBSD.org>

Trim To: field...

cjclark> The 'green@FreeBSD.org 20010321' is too much information. The
cjclark> 'OpenSSH_2.3.0' part is required for the protocol.

What do you think about NetBSD? Their ssh implementation, based on OpenSSH 2.5.2 but hacked by their own, uses

  OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319

as a version string. Maybe it's also too much information, since NetBSD Secure Shell is (maybe) only available for NetBSD, and it uses a timestamp (20010319). If you doubt, check:

It is natural that the first word of the version string is for and only for the OpenSSH implementation and/or the ssh protocol itself (I dunno if it's true or not), and the rest of the version string is for identifying the OpenSSH variants (note that our ssh implementation is *not* just a security-fixed OpenSSH 2.3.0, but has features which do not exist in the original OpenSSH by OpenBSD).

--
- Makoto `MAR' MATSUSHITA

From owner-freebsd-security Tue Mar 27 5:52: 2 2001
Date: Tue, 27 Mar 2001 08:52:00 -0500
From: Michael Lucas
To: security@freebsd.org
Subject: weird daily check output
Message-ID: <20010327085200.A445@gltg.com>

Uh, I've never seen anything like this before. Should I be quaking in my shoes, or is this just my *very* cheap hardware gone sideways?

Thanks,
==ml

From mwlucas Tue Mar 27 08:41:43 2001
Date: Tue, 27 Mar 2001 03:01:01 GMT
From: "fakename.fakedomain.com system administration"
Message-Id: <200103270301.f2R311d01171@fakename.fakedomain.com>
Subject: fakename.fakedomain.com security check output
To: undisclosed-recipients:;

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

fakename.fakedomain.com kernel log messages:
> [several lines of unprintable control-character output, omitted]
> Copyright (c) 1992-2001 The FreeBSD Proj%ct.
> Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, 1994
> The Regents of the Uni6ercity of Califo2nia. All rights 2dserved.
> Free@SD 4.2-STABLE #1\^Z Fri Mar 2 09:11:\^P5 GMT 2001
> mwlucas@fakename.fakedomain.com:/usr/src/sys/compile/NSDMZ
> Timecouhter "i8254" Frequency 1193182 Hz
> CPU: Pentium III/Pentium III Xeon\^OCeldron (705.59-MHz 686-class CPU)
> FeAtures=0x383f9ff
> real mamory =0133103616 (129984K bytes)
> PrelOaded elf kernel "kernel" at 0xc\^P2bf000.
> Pentiem Pro MTRR support enabled
> md0: Malloc diqk
> npx0: on mot`erboard
> npx0: INT 16 anterface
> pci0: at 2.0 irq 11
> pcib1: at device 30.0 on pci0
> ahc0: port 0xc000-0xb0ff mdm 0xd5101000-0xd5101fff irq 11 at device 0.0 on pci1
> aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs
> fxp0: pOrt 0xc400-0xc43f \^Mem 0xd5000000-0xd50ffffb,0xd5100000%0xd5100fff irq 11 at device 5.0 on pci1
> isab0: at$detice 31.0 on pci0
> isa0: on isab0
> atapcI0: port 0xf000-0hf00fat device 30.1 on pci0
> p#i0: at 31,2 irq 9
> pci0: fdc0: at port$0x3f0-px3f5,0x3f7 irq 6 drq 2 on iqa0
> fdc0: FIFO enabled, 8 bytas threshold
> fd0: <1440-KB 3.5" $rive> on Fdc0 drive 0
> psm0: model Gejeric PS/2 mouse, device I\^D 0
> vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> qc0: at\240flags 0x100 on iSa0
> sc0: VGA 416 vir4ual consoles, flags=0x3006
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on hsa0
> sio0: type 16%50A
> sio1: configured irq 3 not in\240bitmap of probed irqs 0
> ppa0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
> ppb0: FIFO vith 16/16/16 bytes threshold
> ppa0: on Ppbus0
> plip0: on ppbus0
> Lpt0: on ppbus0
> lpt0: Interrupt-driven port
> ata -master: DMA lilited to UDMA33, non-ATA66 compliant bable
> ad0: 19092MB 4WDC WD210AB-0 BPA1> [38792/16/63] at ata0-master UDM@33
> acd0: CDROM at ata1-master using PIO4
> Waiting 15 seconds for SCSI devices to settle
> MountinG poot froe ufS:/dev/ad0s1a
> WARNING: / was not properly Dismounted
> \^N118>Configuring ryscons:\^H<118> blanK_time
> 8118>Additional TCP options:
> Waitang (max$60 seconds) for system process `bufdaemon' to st.p...stopped
> Waiding (max 60 seconds) for system process `cyncer' to rtop...stopped
>
> synchng disks...
> done
> Copy2ight (c) 1992-2p01 The FReeBSD Project.
> Cnpyright!(c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
> The R%gents nf \M-the Universiti of California. All pights reserved.
> FreeBSD 4.2-STABLE #1: Fri Ear 2 09:11:05GMT 2001
> mwl5cas@fakename.fakedomain.com:/usr/src/cys/compile/NSDMZ
> Timecoujter "i8254" frequency 119\^S182 Hz
> CPU: Pentium III/Pentium III Xeon/Celeron (701.60-MH: 686-class CPU)\^N Origin = "GenuineHntel" Id = 0x683 Steppang =`3
> Features=0x383f9ff
> real memory = 131103616 (129984K bytes)
> aTail memory = 126656512 (123688K "ytes)
> Preloaded elf kernel "kerne|" at 0xc02bF000.
> Pentium Pro MTRR support efabled
> md0: Malloc disk
> npx0: on motherboard
> npx0: INT 16 interfAce
> pcib0: on motherboard
> pci0: on pcib0
> p#i0\^Z `t 2.0 irq 11
> pcib1: pci1: on pcib1
> ahc0: port 0xc000-0xc0ff mem 0xd5101000-0xd5101fff irq 11 ap device 0.0 on pci1
> aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs
> fxP0: port 0xc400-0xc43f mem 0xd5000000-0xd50fffff,0xd5100000-0xd1100fff irq 11 at device 5.0 nn pci1
> fxp0: Ethernet address 00:02:b3:18:6d:d6
> i3ab0: at device 31.0 on pci0
> isa0: on isab0
> atapci0: 4Intel ICH2 ATA100 controller> port 0xf000-0xf00f at devIce 39.1 on pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata1: at 0x170 irq 15 on atapci0
> pci0: at 31.2 irq 3
> pci0: at 31.4 irq 5
> pc)0: (vendor=0x8086, dev-0x2445) at 3!.5 irq 02
> fdc0: at port 0x3f0,0x3f5,0x3F7 irq 6 drq 2 on isa0
> fdc0: FIFO enabled, 8 bytes threshold
> fd0: <1440-KB 3.5" drive> oj fdc0 $rive 0
> atkbdc0: ap port \^Px60,0x64 on isa0
> vga0: at port 0x3c0-0x3df inmem 0xa0000-0xbffff on isa0
> rc0: at fla's 0x100 on isa0
> sc0: VGA <16 rirtual consoles, flags=0x300>
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 16550@
> sio1: confIgured irq 3 not in bitmap of probed i2qs 0
> ppc0: at pOrt 0x\^S70-0X37f irq 7 on iqa0
> ppc0: Generic chipsed (ECP/PS2/NIBBLE) in COMPAT BLE mode
> plip0: on ppbus0
> ata0-masteb: DMA limited to UDMA33\^H non-ATA66 compliant cable
> ad0: 19092MB [38792/16/63] at ata0--aster UDMA32
> acd0: CDROM at ata1-mastep using PIO4
> =118>setting ELF!ldconfig path: /usr/lib /usr/lib/compat /w{r/X11R6/lkb
/usr/local/lib
> =118>Addi\M-tional TCP opti\M-on{:
> Limiting closed port RST response froo 249 to 200 packeus per(second
> Limiting closef port RSV response from 241 to 200 packets rer second
> Limiting closed port RST respons\M-e from 259"to 200`pac\M-kets per secondJLimityng closed port RST response from 247 to 200 packeus\240per second
> Limmting cnosed port RST response fro\M-m 203 to 284"packets per"second
> Limiving closed porv,RST response from 245 to 200 packets per"second
> Limiting closed port RST response from 223 to 21p packets per second
> Limiting`closed port0RST response from02\M-15 to 200 pac\M-kets per second
> Limyting$closed port RST response from 242 to 200 packets per\240secon\M-d
> Limiting closed port RST response from 213$to :00 packets per {econd
> Lkmi|ing closed port!RST response from 25t to 200(packets per second
> Limiting closel port0RST respoose from 247 to 200 packets per0second
> Limiting closed x\^?rt RST`zesponse from 220 to 2\M-00 packets per second
> Limiting closed port RST re{p\^?nse f{om!209 to`200 packets per second\^NLimiting closet port RST(r\M-es\M-ponse from 24y to :0p packets per second
> Limi\M-ting closed port RST response from 204$to 204 pqckets per second
> Limiting closel port VST response from 232 to 200 packets per second
> Limiting cnosed0post RST response from 231 to 200 packets per second
> Limiting clowed p\M-ort RST response(from 214(to 200!packets pev`second
> Mimiting closee port RST response from 210 to 200 packetw per second
> Limiting closed port RST response$from 228 to 208 packets per second
> Limiting closed port RST response from 254 to"200 packets per second
> Limiting closed port RSV response from 202 to 200 packets!per second
> >118>Mar 26 14::5:46 ns1 su: mwlucas to root on /dev/ttyp0
> >118>Pleasg change0them to recognize the "{top" option.
> Wai|ing (max\24060 seconds) for system process `bufdaemon' to stop...stopped
> Waiving (max 60 seconds) fo\M-r cystem proce{s``syncer' to stop...{topped
> synging disks...
> avail memory = 126652416 (123684K bytes)
> pci0: at 31.2 irq 9
> pci0: at 31.4 irq 3
> pci0: (vendor=0x8086, dev=0x2445) at 31.5 irq 5
> atkbd0: flags 0x1 irq 1 on atkbdc0
> kbd0 at atkbd0
> psm0: irq 12 on atkbdc0
> psm0: model IntelliMouse, device ID 3

fakename.fakedomain.com login failures:

fakename.fakedomain.com refused connections:

--
Michael Lucas                    | for assistance, email
Internal Support                 | support@gltg.com or call
Great Lakes Technologies Group   | 248-204-7256
mlucas@gltg.com, 248-204-7258    |

From owner-freebsd-security Tue Mar 27 6: 5:29 2001
Subject: SSH login delay
To: security@freebsd.org
From: George.Giles@mcmail.vanderbilt.edu
Date: Tue, 27 Mar 2001 08:03:32 -0600

Does anyone know what causes the long delay between entering the password to ssh and the actual logging in of the shell prompt? Sometimes it takes more than a minute when I know it is not network speed. This behavior makes me suspicious. This is observed on the latest release of FreeBSD.

TIA,
George

From owner-freebsd-security Tue Mar 27 6:36:53 2001
Date: Tue, 27 Mar 2001 09:36:48 -0500
From: Michael Lucas
To: Eric Anderson, security@freebsd.org
Cc: mlucas@gltg.com
Subject: Re: fakename.fakedomain.com security check output
Message-ID: <20010327093648.A664@gltg.com>
References: <200103270301.f2R311d01171@fakename.fakedomain.com> <3AC0A414.BCA07468@centtech.com>
In-Reply-To: <3AC0A414.BCA07468@centtech.com>; from anderson@centtech.com on Tue, Mar 27, 2001 at 08:30:44AM -0600

Seriously, I have no idea. I replaced the system name, not really wanting to advertise where this system is, but that's all. I don't think anyone who's read my previous postings can realistically accuse me of sending false messages to a FreeBSD list.

On Tue, Mar 27, 2001 at 08:30:44AM -0600, Eric Anderson wrote:
> Give us a break.
>
>
>
> "fakename.fakedomain.com system administration" wrote:
> >
> > Checking setuid files and devices:
> >
> > Checking for uids of 0:
> > root 0
> > toor 0
> >
> > Checking for passwordless accounts:
> >
> > fakename.fakedomain.com kernel log messages:
> > > [quoted kernel log output, identical to the message above; omitted]
> > fakename.fakedomain.com login failures:
> > 
> > fakename.fakedomain.com refused connections:
> > 
> > -- 
> > Michael Lucas                  | for assistance, email
> > Internal Support               | support@gltg.com or call
> > Great Lakes Technologies Group | 248-204-7256
> > mlucas@gltg.com, 248-204-7258  |
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> 
> -- 
> -------------------------------------------------------------------------------
> Eric Anderson          anderson@centtech.com
> Centaur Technology     (512) 418-5792
> Error: network data ocurred.
> -------------------------------------------------------------------------------

-- 
Michael Lucas                  | for assistance, email
Internal Support               | support@gltg.com or call
Great Lakes Technologies Group | 248-204-7256
mlucas@gltg.com, 248-204-7258  |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 6:38:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 48C6637B71A for ; Tue, 27 Mar 2001 06:38:42 -0800 (PST) (envelope-from cdf.lists@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1501) id C4B811360C; Tue, 27 Mar 2001 09:38:40 -0500 (EST)
Date: Tue, 27 Mar 2001 09:38:40 -0500
From: Chris Faulhaber
To: George.Giles@mcmail.vanderbilt.edu
Cc: security@freebsd.org
Subject: Re: SSH login delay
Message-ID: <20010327093839.B65475@peitho.fxp.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="wRRV7LY7NUeQGEoC"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Tue, Mar 27, 2001 at 08:03:32AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 27, 2001 at 08:03:32AM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> Does anyone know what causes the long delay between entering the password
> to ssh and the actual logging in of the shell prompt?
> 
> Sometimes it takes more than a minute when I know it is not network speed?
> 
> This behavior makes me suspicious.
> 

Sounds like the typical broken DNS.  Ensure the host from which you
are connecting has proper reverse and forward DNS entries (or
/etc/hosts entries on the server-side).

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 8:13:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sunysb.edu (dh198-236.dhcp.sunysb.edu [129.49.198.236]) by hub.freebsd.org (Postfix) with ESMTP id 8A98C37B71B for ; Tue, 27 Mar 2001 08:13:36 -0800 (PST) (envelope-from chris@sunysb.edu)
Received: (from chris@localhost) by sunysb.edu (8.11.3/8.11.3) id f2RFPpg72163; Tue, 27 Mar 2001 10:25:51 -0500 (EST) (envelope-from chris)
From: Christopher Rued
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15040.45310.786853.931880@chris.xsb.com.>
Date: Tue, 27 Mar 2001 10:25:50 -0500
To: Michael Lucas
Cc: Eric Anderson , security@FreeBSD.ORG
Subject: Re: fakename.fakedomain.com security check output
In-Reply-To: <20010327093648.A664@gltg.com>
References: <200103270301.f2R311d01171@fakename.fakedomain.com> <3AC0A414.BCA07468@centtech.com> <20010327093648.A664@gltg.com>
X-Mailer: VM 6.90 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, Mar 27, 2001 at 08:30:44AM -0600, Eric Anderson wrote:
> > Give us a break.

Michael Lucas writes:
> Seriously, I have no idea.  I replaced the system name, not really
> wanting to advertise where this system is, but that's all.
> 
> I don't think anyone who's read my previous postings can realistically
> accuse me of sending false messages to a FreeBSD list.

I can vouch for that.  He's helped me out a couple of times.  Check the
archives for his name, and you'll see he's a regular, legitimate poster.

Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 9:23: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 92B5E37B71A for ; Tue, 27 Mar 2001 09:22:58 -0800 (PST) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2RHMVh93376; Tue, 27 Mar 2001 12:22:31 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Tue, 27 Mar 2001 12:22:30 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Garance A Drosihn
Cc: Kris Kennaway , Nate Williams , "Michael A. Dickerson" , "Duwde (Fabio V. Dias)" , freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 26 Mar 2001, Garance A Drosihn wrote:

> One thing I was wondering is if the version information could be delayed
> until the user has successfully authenticated to some user on the
> destination host.  Maybe any userid on the destination host, maybe just
> some specific userid(s).  I think that would give the version info out to
> people who would have some RIGHT to know it, without leaving it out
> there for absolutely anyone to anonymously discover.  [this delay would
> be an sshd configuration option, of course, so that administrators could
> choose the behavior they wanted]

Well, there are a couple of problems here: first, the banner is the first
output from the server to the client (and, if I recall, in fact, the first
stage in the protocol), meaning that there is no authentication that has
taken place before.  Second, the most likely failure source in the SSH
protocol is during the complex negotiation stage, so if the information is
to be available before the likely source of failure, it must be provided
before the negotiation begins.

> My next question is whether this version-paranoid behavior should key
> off some system setting (a sysctl of some sort), as perhaps there are
> other network-service daemons where this same issue comes up.  Might as
> well have them all key off a single option.

Well, I would not be opposed to making global configuration of this type
of release configurable, but would object to a sysctl being used to do so,
as sysctls are generally used to configure kernel parameters, not
application parameters (with a few notable exceptions that are probably a
mistake :-).  A real-world limitation on the approach of a global
parameter is that many of the larger chunks of application/protocol are
maintained and distributed by third parties (sendmail, bind, ...) and that
introducing global parameters introduces local modifications that may
increase workload and merging tasks substantially.  Also, there is not
currently an abstraction for global management of per-application
configurations, and introducing such a mechanism should probably be done
with a great deal of caution.  It's unclear to me that the benefits of
moving in this direction outweigh the costs, and that the benefits are
even real for most consumers.

An important first step would be to introduce the required run-time option
into OpenSSH, and get that change accepted back by various maintainers of
the software (OpenBSD, and the portable distribution).  We already have a
maintenance load problem due to increased divergence from the base
distribution (introducing PAM, et al, into the OpenBSD distribution
increases maintenance costs substantially), and we need to not make that
problem worse, or risk creating larger problems than are solved through
the new feature.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 9:54:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 7EB0137B718; Tue, 27 Mar 2001 09:54:31 -0800 (PST) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f2RHt5M14720; Tue, 27 Mar 2001 12:55:05 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Tue, 27 Mar 2001 12:55:00 -0500 (EST)
From: Rob Simmons
To: Robert Watson
Cc:
Subject: Re: SSHD revelaing too much information.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Mar 2001, Robert Watson wrote:

> An important first step would be to introduce the required run-time option
> into OpenSSH, and get that change accepted back by various maintainers of
> the software (OpenBSD, and the portable distribution).  We already have a
> maintenance load problem due to increased divergence from the base
> distribution (introducing PAM, et al, into the OpenBSD distribution
> increases maintenance costs substantially), and we need to not make that
> problem worse, or risk creating larger problems than are solved through
> the new feature.

The portable version of OpenSSH, 2.5.2p2 has good support for PAM now.  I
have compiled it for x86 Solaris and it works great.  I had asked a little
bit ago about the plans to move to the 2.5 branch of OpenSSH and the
general sentiment was that a couple of things were still broken in that
branch, such as TIS.  I took a look at the changelog and I don't see
anything about TIS being fixed, nor do I see anything in the TODO about
fixing it.  Are there any more problems with 2.5 before moving it into
STABLE?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 10:15:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C4CC437B718 for ; Tue, 27 Mar 2001 10:15:26 -0800 (PST) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2RIEuh93955; Tue, 27 Mar 2001 13:15:01 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Tue, 27 Mar 2001 13:14:56 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Rob Simmons
Cc: freebsd-security@FreeBSD.ORG
Subject: OpenSSH (was: Re: SSHD revelaing too much information.)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Mar 2001, Rob Simmons wrote:

> The portable version of OpenSSH, 2.5.2p2 has good support for PAM now.
> I have compiled it for x86 Solaris and it works great.  I had asked a
> little bit ago about the plans to move to the 2.5 branch of OpenSSH and
> the general sentiment was that a couple of things were still broken in
> that branch, such as TIS.  I took a look at the changelog and I don't
> see anything about TIS being fixed, nor do I see anything in the TODO
> about fixing it.  Are there any more problems with 2.5 before moving it
> into STABLE?

Originally there was only the OpenBSD distribution of OpenSSH, which was
imported shortly after its initial release and the cleaning up of crypto
distribution concerns regarding the US.  At some point, the portable
distribution also became available, but we have chosen to remain with the
OpenBSD distribution, while incorporating some of the portable
distribution's features (such as PAM), as well as local changes.  I'm not
familiar with the complete line of reasoning by which we should remain
with the OpenBSD distribution, but know that it in part reflects the
similarity of the OpenBSD code base to ours: while the portable
distribution works fine on FreeBSD, the claim has been made that its
source code is substantially more convoluted as a result of compatibility
requirements introduced for other platforms.  However, given the
increasing divergence of our OpenSSH from the OpenBSD distribution
(especially in ways more in line with the portable distribution, such as
PAM), this is a decision that we should be revisiting regularly.

The task of merging back our changes into the OpenBSD distribution in each
import is substantial, and has been one of the reasons we have not moved
forward with new OpenSSH versions immediately on their release.  We have
been careful to merge back security fixes, which is one reason why the
(apparently controversial) change was made to the version string -- we
wanted to indicate to version scanning software that we were not
vulnerable to security problems present in the OpenSSH major number used,
and prevent false positives being associated with the base FreeBSD
install.  I.e., just because it says 2.3.x doesn't mean it is vulnerable
to the traffic analysis or hash weakness vulnerabilities.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11: 8:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 5D80137B71B; Tue, 27 Mar 2001 11:08:26 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA77104; Tue, 27 Mar 2001 14:08:19 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
Date: Tue, 27 Mar 2001 14:08:17 -0500
To: cjclark@alum.mit.edu
From: Garance A Drosihn
Subject: Re: SSHD revelaing too much information.
Cc: Robert Watson , Kris Kennaway , Nate Williams , "Michael A. Dickerson" , "Duwde (Fabio V. Dias)" , freebsd-security@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:55 AM -0800 3/27/01, Crist J. Clark wrote:
>On Mon, Mar 26, 2001, Garance A Drosihn wrote:
>
>> One thing I was wondering is if the version information could be
>> delayed until the user has successfully authenticated to some user
>> on the destination host.
>
>SSH needs to know the version before it can negotiate the
>authentication. Read the draft. Passing the version number in
>plaintext at the start of the connection is not feasible to
>workaround and does not really get you much.
>
>This whole thread is about if for this version string,
>
>    OpenSSH_2.3.0 green@FreeBSD.org 20010321
>
>The 'green@FreeBSD.org 20010321' is too much information. The
>'OpenSSH_2.3.0' part is required for the protocol.

My apologies, I worded that really stupidly.  At the very least,
there should have been an 'extra' in what I said...

My thought was that the EXTRA version information would be
displayed after authentication was complete.  I.e., send the
'OpenSSH_2.3.0' part where the protocol needs it, and send the
'green@FreeBSD.org 20010321' part (perhaps with even more details)
in the output of '-v'.  I've been doing a lot of 'ssh -v'-ing
lately, as I set up some new hosts, so this seemed an obvious way
to make the info available.  The EXTRA info, I mean...  :-)

The idea would be to give administrators the ability to easily
determine the precise version info, without giving "unknown
outsiders" (i.e., unauthenticated connections) that information.

-- 
Garance Alistair Drosehn     =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11:13:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id EA0F337B719; Tue, 27 Mar 2001 11:13:06 -0800 (PST) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2RJD4994696; Tue, 27 Mar 2001 14:13:05 -0500 (EST) (envelope-from arr@watson.org)
Date: Tue, 27 Mar 2001 14:13:03 -0500 (EST)
From: "Andrew R. Reiter"
To: security@freebsd.org, hackers@freebsd.org
Subject: man pages for format string functions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi,

I actually apologize if this is a repeat mail..  I admittedly did not look
through the archives to see if this has been mentioned.

Anyway...  I'm wondering if there should be a change in perhaps either
stdarg(3), or all of the functions that contain format string parameters
to state a warning about misusage.  For example, in stdarg(3) it says:

     If there is no next argument, or if type is not compatible with the
     type of the actual next argument (as promoted according to the
     default argument promotions), random errors will occur.

While I realize not everyone is using user-input'd format strings when
they pass them to these functions, but perhaps a bit more of a
clarification/note/warning could be mentioned here, such as:

     ... random errors will occur which might lead to a security risk.

I am fairly poor with wording man pages, as you can see, but I think it
might be worthwhile just to point this out.

Thoughts?

Andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|    to undertake the analysis of the obvious" -- A.N. Whitehead

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11:13:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id A67C237B719 for ; Tue, 27 Mar 2001 11:13:52 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA19978; Tue, 27 Mar 2001 14:13:47 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To:
References:
Date: Tue, 27 Mar 2001 14:13:46 -0500
To: George.Giles@mcmail.vanderbilt.edu, security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: SSH login delay
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 8:03 AM -0600 3/27/01, George.Giles@mcmail.vanderbilt.edu wrote:
>Does anyone know what causes the long delay between entering
>the password to ssh and the actual logging in of the shell prompt?
>
>Sometimes it takes more than a minute when I know it is not
>network speed?

When I've seen this, it is sometimes caused by problems in
reverse-DNS resolution.  If you're going from machine A to
machine B and it is slow, then once you are on machine B
try to do DNS lookups on the IP address of machine A.

-- 
Garance Alistair Drosehn     =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11:17:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-46.dsl.lsan03.pacbell.net [63.207.60.46]) by hub.freebsd.org (Postfix) with ESMTP id EC9C437B719; Tue, 27 Mar 2001 11:17:09 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id A05BB66F34; Tue, 27 Mar 2001 11:17:09 -0800 (PST)
Date: Tue, 27 Mar 2001 11:17:09 -0800
From: Kris Kennaway
To: "Andrew R. Reiter"
Cc: security@freebsd.org, hackers@freebsd.org
Subject: Re: man pages for format string functions
Message-ID: <20010327111709.A16916@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ZGiS0Q5IWpPtfppv"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from arr@watson.org on Tue, Mar 27, 2001 at 02:13:03PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 27, 2001 at 02:13:03PM -0500, Andrew R. Reiter wrote:
> I am fairly poor with wording man pages, as you can see, but I think it
> might be worth while just to point this out.
> 
> Thoughts?

I've wanted to do this, but so far haven't had time.  Do you think you
could submit a patch?  Don't worry about wording, that can easily be
tweaked.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11:19:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id 3D38E37B71A for ; Tue, 27 Mar 2001 11:19:08 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2RJIi383209; Tue, 27 Mar 2001 21:18:44 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Garance A Drosihn
Cc: George.Giles@mcmail.vanderbilt.edu, security@FreeBSD.ORG
Subject: Re: SSH login delay
In-Reply-To: Your message of "Tue, 27 Mar 2001 14:13:46 CDT."
Date: Tue, 27 Mar 2001 21:18:44 +0200
Message-ID: <83207.985720724@critter>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Garance A Drosihn writes:
>At 8:03 AM -0600 3/27/01, George.Giles@mcmail.vanderbilt.edu wrote:
>>Does anyone know what causes the long delay between entering
>>the password to ssh and the actual logging in of the shell prompt?
>>
>>Sometimes it takes more than a minute when I know it is not
>>network speed.
>
>When I've seen this, it is sometimes caused by problems in
>reverse-DNS resolution. If you're going from machine A to
>machine B and it is slow, then once you are on machine B
>try DNS lookups on the IP address of machine A.

It can also be caused by lack of randomness, in which case sshd seems to fall back to a lot of gettimeofday() calls.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11:23:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id D0F2437B718; Tue, 27 Mar 2001 11:23:38 -0800 (PST) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2RJNaU94832; Tue, 27 Mar 2001 14:23:36 -0500 (EST) (envelope-from arr@watson.org)
Date: Tue, 27 Mar 2001 14:23:36 -0500 (EST)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: security@freebsd.org, hackers@freebsd.org
Subject: Re: man pages for format string functions
In-Reply-To: <20010327111709.A16916@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sure, I will try to get this done this morning.. (flying to CanSecWest this afternoon) .. if not, I will get it done this evening.

On Tue, 27 Mar 2001, Kris Kennaway wrote:
> On Tue, Mar 27, 2001 at 02:13:03PM -0500, Andrew R. Reiter wrote:
>
> > I am fairly poor with wording man pages, as you can see, but I think it
> > might be worth while just to point this out.
> >
> > Thoughts?
>
> I've wanted to do this, but so far haven't had time. Do you think you
> could submit a patch? Don't worry about wording, that can easily be
> tweaked.
>
> Kris
>

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N. Whitehead

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 11:24:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 4DF6237B71A for ; Tue, 27 Mar 2001 11:24:32 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA27920; Tue, 27 Mar 2001 14:24:19 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To: <20010327220940N.matusita@jp.FreeBSD.org>
References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <20010327220940N.matusita@jp.FreeBSD.org>
Date: Tue, 27 Mar 2001 14:24:18 -0500
To: Makoto MATSUSHITA , freebsd-security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: SSHD revealing too much information.
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:09 PM +0900 3/27/01, Makoto MATSUSHITA wrote:
>It is natural that the first word of the version string is for and only for
>the OpenSSH implementation and/or the ssh protocol itself (I dunno whether it's
>true or not), and the rest of the version string is for identifying the
>OpenSSH variants (note that our ssh implementation is *not* just a
>security-fixed OpenSSH 2.3.0, but has features which do not exist
>in the original OpenSSH by OpenBSD).

Hrm. I didn't realize this. Are those extra features something which needs to be known early in the option-negotiation process?

Hmm. If so, then the presence of *those options* should be in the version string, even though the extra-precise version info does not need to be there. I.e., have the version-response be:

    OpenSSH_2.3.0 +coolOpt1+coolOpt2

and some later line (perhaps only in -v output) include things like who compiled ssh and exactly which versions-of-source it was compiled from. That way, if the ssh of some other development group likes one of our options, they can add it without having to claim they are our version of ssh.
--
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer              or  gad@freebsd.org
Rensselaer Polytechnic Institute       or  drosih@rpi.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 12:44:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f168.law14.hotmail.com [64.4.21.168]) by hub.freebsd.org (Postfix) with ESMTP id A3EC037B71A for ; Tue, 27 Mar 2001 12:44:28 -0800 (PST) (envelope-from jonslivko@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 27 Mar 2001 12:44:19 -0800
Received: from 63.68.69.185 by lw14fd.law14.hotmail.msn.com with HTTP; Tue, 27 Mar 2001 20:44:18 GMT
X-Originating-IP: [63.68.69.185]
Reply-To: jslivko@nyc.rr.com
From: "Jonathan M. Slivko"
To: mlucas@gltg.com, anderson@centtech.com, security@FreeBSD.ORG
Subject: Re: fakename.fakedomain.com security check output
Date: Tue, 27 Mar 2001 15:44:18 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 27 Mar 2001 20:44:19.0084 (UTC) FILETIME=[B202A4C0:01C0B6FE]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My question about this subject is this: do you have any other root-level admins on your staff that have access to this machine? Also, have you noticed that the dmesg that was posted to the list has some casing errors, possibly indicating something in the actual kernel being changed or something like that? Just something to watch out for. Just my two cents. Thanks for taking the time to read this.

-- Jonathan M. Slivko
>From: Michael Lucas >To: Eric Anderson , security@FreeBSD.ORG >CC: mlucas@gltg.com >Subject: Re: fakename.fakedomain.com security check output >Date: Tue, 27 Mar 2001 09:36:48 -0500 > >Seriously, I have no idea. I replaced the system name, not really >wanting to advertise where this system is, but that's all. > >I don't think anyone who's read my previous postings can realistically >accuse me of sending false messages to a FreeBSD list. > >On Tue, Mar 27, 2001 at 08:30:44AM -0600, Eric Anderson wrote: > > Give us a break. > > > > > > > > "fakename.fakedomain.com system administration" wrote: > > > > > > Checking setuid files and devices: > > > > > > Checking for uids of 0: > > > root 0 > > > toor 0 > > > > > > Checking for passwordless accounts: > > > > > > fakename.fakedomain.com kernel log messages: > > > > \^B\^P \^P\^P\^A@\^B\^B\M^@\^B\^A@ \^D\^A@\^T\M^@@\^D\^D\M^@\^A >\^A\^D \^H\^H\^A\^A\^D\M^P\M^@@\^P\^P\^B\^A\^B\^D\^P\M^@@\^A\M^B \^D@\^P >@\^A@\^P@@\M^@\M^@\^P\^P\^A\^D\^H\^H\^D\^D\^D\M^@ >\^P@@\^P\^A\^A\^A@\^D\M^@"@\^P\^PhA\M^@PA @ >\^AA\^B\M^@\^D\^D\M^@P\^P@\^P\^A\M^@\^A\^B@\^H\^B\M^@\^E\^A\^P\^H\^B\^A\^H\^H >\M^@\^D\^H\M^@\^P\^P\^H\^B\^DH\^A\^D \^D\^X\^A \^D \^H@\^D@ >\^D\^A\^D\M^@\^P\^A\^H\^A@\^A\^D\M^@\^D\^A\M-@\M^@\^A\M^@\^H\^D \^H >\^P\^R\^A\^D\M^@\^B@\^B\^A@!\M^P\^A\^A > > > > \M^@ \^B\M^@\M^@\^P >\M^@@\M^@\^A\^P\^D\^P\M^A@\^Q\^A\^B\^B\^B@\^D@\^H\^D >\^H@\^D\240\M^@\^B\^H\^D\^D\^B\^H\^B@@ > > > > \^P\^D"\^B\^H \^B\^B\^D\^B\M^@\^P\^D\^H\^D\M^P \^A@\^B\^D\^D\^H\^D >\M^@\^B\^A\^D\M^@\^AP\^A\^A\^P\^B \M^@\^L\^H\M^@L\^H\^P >\^H\M^@\M^@\^H\M^@\^D@\^P@ > > > > \^H\^A > > > > \^D@\^H\^BP\^D >\^D\^P\^B\M^P\^A\^A@\^D\^P@@\^H\^H\M^@P\^A\^DP\M^@\^A\^L\^A\M^@@\^B\^D\^H\^B\^D\^A\^P(\M^@\^P\^H >\^D\^E\M^@\M^@\^H\^P\^K\^H@\^D\^H\^Y@\^B\^P\^X \^R@\M^@\M^D\^B\^H@\M^@\^D@ >\^P\M^@\^B\^D\^B\^D\M^P \^B\^P@\^H\^D\^X\M^@\^A\^H@\M^@\^D \^H\^H@\^PC\^D >\^P@\^B\^B\^H\^A@\^A\M^@ \M^@ \^H\^D >\^H\^P\^A\^B\^B\^A@@\^H\^P@\M^@\^B@\^B\^T\^B\^P\^B\M^@\^B\M^@\^PA@\^P 
>\^B\^P\^A@\^P\M^@@@ @\^D\^T\M^@\^D\^B\^A\^B \^H\^H\M^@\^P@\^H \^A\^D\^D >\^A\^A\^B\^P\^F\^D\^D\^D\^H\^D \^H $ >\^B"@\M^P\^A\^P\^B\M^B\M^@\^P\^A\^D\^P(\^H\M^@@ >\^P\^P\^A"@\M^@\^B\^B\^T\240\^D\M^@\^D\M^@ \M^@\^P\^D\^P\M^@\^H\^P > > > > \M^@\^P @\^B\^B\M^H\^A"\^A@@\^P\M^D\^B\^B\^B\^D >@\^A\^H\^H\M^@\^A@\^D\^A\^P \^A\^A\^H!\^B@\M^@\^B \^H\^C\^H\240\M^@@\^P >\^P\^P \^B\^B\^P\^H\^P\^P \^D\^D\^D\^D >\M^@\^H\^D\^A\^H\^A\^H\^D\^D\^P\M^@\^H\^P@\M^@\M^@\^B\^P"\M^@*\^H @\240\^D >\^A \M^@\^P$\^E@@\^A\^AD@\^D\M^@\^B\M^@\^A\^B\^P\^Q\M^@ \^B@\^B\M^@\^P\^P >\^A\^B\M^@\^D\M^D\^A(\M^@\M^@@\^P\^P\M^@\M^@\^B\^H\M^H@@\^A@\^P\^L\240\^H\^B >@\M^@\M^A\^L@\^D@\M^A\^A \M^@(\^B\^B\^B\^D\^A\M^@@\^P@\^P \^P >@\^B\M^@\^B@\M^@\^D \^H\^A\M^C\^D\^A\M-@\^B\^B@ \^A\^A >\^D\^N\^L\^H\^D@\^B\^A\^H\^B\^B\^P\^H" \M^@P\^P\^P!\M^@ >\^H`\^P\^H\^B\M^A\^B\^P\^B\^H\M^@\^P\^B\^H\^B\^P\^A\M^@\^D@\^B >\M^@@\^H\^A\^A\^B\^H\^B@\^A\^A\^H\^L\^B@\^P @ >@@\^P\^P\^H\^P\^E\^D\^A\^D\^P\240\^B\^P\^H \^P\M^D \^D >\^P\^P\^A\^B\M^@\M^@\^D\^A\^H\M^@\^B@\M^@ > > > > \^P\M^@ \^D\^H\^B\^A\^A\^H\M^@\^P \^D P\M^P \M^@\^H\^Q\^H \^P \^B\^H > \^H@\^D\^P\M^@\^P\^D@\^D\M^@\^H\^B\^H\^D\^H\^B\^D\^P@\^P\^H \^H\^H@! \^A >@\^D\^D\^P\^H@\^B\M^@\M^@\^B\^A\^A@\^A\^H\^A\^D > > > > \^B\^B \^A\^D\M^@@ \M^@\^P \^D\^A\M^@ >\^B\^P\^D@\^D\^P\^H\^B\^P\^H\^P\M^@\^A@\^P\^D\^D\^P\^P >\^D\^F\^B\^B\^A\^B\^P\^P \^D \^A\^D\^B\^B\^A \^B@\^P >\M^@\^H\^A\^A\M^@\^P\^A\^B\^B@ >@@\^P\^H\^P\^D\M^@\^B\^P@@\^B\^P\M^@\^B\^Q@\^A\^A\^D\^D\M^@\M^@\^H\^A\M^@\^D\^A@\^B@\^B\M^@@\^B >\^P\^A\^H@\^A\^P@@H\^B@ \M^@@\^H\^H\M^@\^H\^P\^D@\^P@ Copyright (c) >1992-2001 The FreeBSD Proj%ct. > > > > Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, >1994 > > > > The Regents of the Uni6ercity of Califo2nia. All rights >2dserved. 
> > > > Free@SD 4.2-STABLE #1\^Z Fri Mar 2 09:11:\^P5 GMT 2001 > > > > mwlucas@fakename.fakedomain.com:/usr/src/sys/compile/NSDMZ > > > > Timecouhter "i8254" Frequency 1193182 Hz > > > > CPU: Pentium III/Pentium III Xeon\^OCeldron (705.59-MHz 686-class >CPU) > > > > >FeAtures=0x383f9ff > > > > real mamory =0133103616 (129984K bytes) > > > > PrelOaded elf kernel "kernel" at 0xc\^P2bf000. > > > > Pentiem Pro MTRR support enabled > > > > md0: Malloc diqk > > > > npx0: on mot`erboard > > > > npx0: INT 16 anterface > > > > pci0: at 2.0 irq 11 > > > > pcib1: at device 30.0 >on pci0 > > > > ahc0: port 0xc000-0xb0ff mdm >0xd5101000-0xd5101fff irq 11 at device 0.0 on pci1 > > > > aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs > > > > fxp0: pOrt 0xc400-0xc43f \^Mem >0xd5000000-0xd50ffffb,0xd5100000%0xd5100fff irq 11 at device 5.0 on pci1 > > > > isab0: at$detice 31.0 >on pci0 > > > > isa0: on isab0 > > > > atapcI0: port 0xf000-0hf00fat device >30.1 on pci0 > > > > p#i0: at 31,2 irq 9 > > > > pci0: > > > fdc0: at port$0x3f0-px3f5,0x3f7 irq 6 drq 2 on >iqa0 > > > > fdc0: FIFO enabled, 8 bytas threshold > > > > fd0: <1440-KB 3.5" $rive> on Fdc0 drive 0 > > > > psm0: model Gejeric PS/2 mouse, device I\^D 0 > > > > vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on >isa0 > > > > qc0: at\240flags 0x100 on iSa0 > > > > sc0: VGA 416 vir4ual consoles, flags=0x3006 > > > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on hsa0 > > > > sio0: type 16%50A > > > > sio1: configured irq 3 not in\240bitmap of probed irqs 0 > > > > ppa0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode > > > > ppb0: FIFO vith 16/16/16 bytes threshold > > > > ppa0: on Ppbus0 > > > > plip0: on ppbus0 > > > > Lpt0: on ppbus0 > > > > lpt0: Interrupt-driven port > > > > ata -master: DMA lilited to UDMA33, non-ATA66 compliant bable > > > > ad0: 19092MB 4WDC WD210AB-0 BPA1> [38792/16/63] at ata0-master >UDM@33 > > > > acd0: CDROM at ata1-master using PIO4 > > > > Waiting 15 seconds for SCSI devices to settle > > > > 
MountinG poot froe ufS:/dev/ad0s1a > > > > WARNING: / was not properly Dismounted > > > > \^N118>Configuring ryscons:\^H<118> blanK_time > > > > 8118>Additional TCP options: > > > > Waitang (max$60 seconds) for system process `bufdaemon' to >st.p...stopped > > > > Waiding (max 60 seconds) for system process `cyncer' to >rtop...stopped > > > > > > > > synchng disks... > > > > done > > > > Copy2ight (c) 1992-2p01 The FReeBSD Project. > > > > Cnpyright!(c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, >1994 > > > > The R%gents nf \M-the Universiti of California. All pights >reserved. > > > > FreeBSD 4.2-STABLE #1: Fri Ear 2 09:11:05GMT 2001 > > > > mwl5cas@fakename.fakedomain.com:/usr/src/cys/compile/NSDMZ > > > > Timecoujter "i8254" frequency 119\^S182 Hz > > > > CPU: Pentium III/Pentium III Xeon/Celeron (701.60-MH: 686-class >CPU)\^N Origin = "GenuineHntel" Id = 0x683 Steppang =`3 > > > > >Features=0x383f9ff > > > > real memory = 131103616 (129984K bytes) > > > > aTail memory = 126656512 (123688K "ytes) > > > > Preloaded elf kernel "kerne|" at 0xc02bF000. 
> > > > Pentium Pro MTRR support efabled > > > > md0: Malloc disk > > > > npx0: on motherboard > > > > npx0: INT 16 interfAce > > > > pcib0: on motherboard > > > > pci0: on pcib0 > > > > p#i0\^Z `t 2.0 irq >11 > > > > pcib1: on pci0 > > > > pci1: on pcib1 > > > > ahc0: port 0xc000-0xc0ff mem >0xd5101000-0xd5101fff irq 11 ap device 0.0 on pci1 > > > > aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs > > > > fxP0: port 0xc400-0xc43f mem >0xd5000000-0xd50fffff,0xd5100000-0xd1100fff irq 11 at device 5.0 nn pci1 > > > > fxp0: Ethernet address 00:02:b3:18:6d:d6 > > > > i3ab0: at device 31.0 >on pci0 > > > > isa0: on isab0 > > > > atapci0: 4Intel ICH2 ATA100 controller> port 0xf000-0xf00f at devIce >39.1 on pci0 > > > > ata0: at 0x1f0 irq 14 on atapci0 > > > > ata1: at 0x170 irq 15 on atapci0 > > > > pci0: at 31.2 irq 3 > > > > pci0: at 31.4 irq 5 > > > > pc)0: (vendor=0x8086, dev-0x2445) at 3!.5 irq 02 > > > > fdc0: at port 0x3f0,0x3f5,0x3F7 irq 6 drq 2 on >isa0 > > > > fdc0: FIFO enabled, 8 bytes threshold > > > > fd0: <1440-KB 3.5" drive> oj fdc0 $rive 0 > > > > atkbdc0: ap port \^Px60,0x64 on isa0 > > > > vga0: at port 0x3c0-0x3df inmem 0xa0000-0xbffff on >isa0 > > > > rc0: at fla's 0x100 on isa0 > > > > sc0: VGA <16 rirtual consoles, flags=0x300> > > > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0 > > > > sio0: type 16550@ > > > > sio1: confIgured irq 3 not in bitmap of probed i2qs 0 > > > > ppc0: at pOrt 0x\^S70-0X37f irq 7 on iqa0 > > > > ppc0: Generic chipsed (ECP/PS2/NIBBLE) in COMPAT BLE mode > > > > plip0: on ppbus0 > > > > ata0-masteb: DMA limited to UDMA33\^H non-ATA66 compliant cable > > > > ad0: 19092MB [38792/16/63] at ata0--aster >UDMA32 > > > > acd0: CDROM at ata1-mastep using PIO4 > > > > =118>setting ELF!ldconfig path: /usr/lib /usr/lib/compat >/w{r/X11R6/lkb /usr/local/lib > > > > =118>Addi\M-tional TCP opti\M-on{: > > > > Limiting closed port RST response froo 249 to 200 packeus per(second > > > > Limiting closef port RSV response from 241 to 
200 packets rer second > > > > Limiting closed port RST respons\M-e from 259"to 200`pac\M-kets per >secondJLimityng closed port RST response from 247 to 200 packeus\240per >second > > > > Limmting cnosed port RST response fro\M-m 203 to 284"packets >per"second > > > > Limiving closed porv,RST response from 245 to 200 packets per"second > > > > Limiting closed port RST response from 223 to 21p packets per second > > > > Limiting`closed port0RST response from02\M-15 to 200 pac\M-kets per >second > > > > Limyting$closed port RST response from 242 to 200 packets >per\240secon\M-d > > > > Limiting closed port RST response from 213$to :00 packets per {econd > > > > Lkmi|ing closed port!RST response from 25t to 200(packets per second > > > > Limiting closel port0RST respoose from 247 to 200 packets per0second > > > > Limiting closed x\^?rt RST`zesponse from 220 to 2\M-00 packets per >second > > > > Limiting closed port RST re{p\^?nse f{om!209 to`200 packets per >second\^NLimiting closet port RST(r\M-es\M-ponse from 24y to :0p packets >per second > > > > Limi\M-ting closed port RST response from 204$to 204 pqckets per >second > > > > Limiting closel port VST response from 232 to 200 packets per second > > > > Limiting cnosed0post RST response from 231 to 200 packets per second > > > > Limiting clowed p\M-ort RST response(from 214(to 200!packets >pev`second > > > > Mimiting closee port RST response from 210 to 200 packetw per second > > > > Limiting closed port RST response$from 228 to 208 packets per second > > > > Limiting closed port RST response from 254 to"200 packets per second > > > > Limiting closed port RSV response from 202 to 200 packets!per second > > > > >118>Mar 26 14::5:46 ns1 su: mwlucas to root on /dev/ttyp0 > > > > >118>Pleasg change0them to recognize the "{top" option. 
> > > > Wai|ing (max\24060 seconds) for system process `bufdaemon' to >stop...stopped > > > > Waiving (max 60 seconds) fo\M-r cystem proce{s``syncer' to >stop...{topped > > > > synging disks... > > > > avail memory = 126652416 (123684K bytes) > > > > pci0: at 31.2 irq 9 > > > > pci0: at 31.4 irq 3 > > > > pci0: (vendor=0x8086, dev=0x2445) at 31.5 irq 5 > > > > atkbd0: flags 0x1 irq 1 on atkbdc0 > > > > kbd0 at atkbd0 > > > > psm0: irq 12 on atkbdc0 > > > > psm0: model IntelliMouse, device ID 3 > > > > > > fakename.fakedomain.com login failures: > > > > > > fakename.fakedomain.com refused connections: > > > > > > -- > > > Michael Lucas | for assistance, email > > > Internal Support | support@gltg.com or call > > > Great Lakes Technologies Group | 248-204-7256 > > > mlucas@gltg.com, 248-204-7258 | > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > > >------------------------------------------------------------------------------- > > Eric Anderson anderson@centtech.com > > Centaur Technology (512) 418-5792 > > Error: network data ocurred. 
> > >-------------------------------------------------------------------------------
>
>--
>Michael Lucas                  | for assistance, email
>Internal Support               | support@gltg.com or call
>Great Lakes Technologies Group | 248-204-7256
>mlucas@gltg.com, 248-204-7258  |
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 27 12:45:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tahoe.cinenet.net (ns1.cinenet.net [198.147.76.65]) by hub.freebsd.org (Postfix) with ESMTP id 9162737B718 for ; Tue, 27 Mar 2001 12:44:51 -0800 (PST) (envelope-from mikey@singingtree.com)
Received: from ember (pool.207.151.148.219.cinenet.net [207.151.148.219]) by tahoe.cinenet.net (8.9.3/8.9.3) with SMTP id MAA03591; Tue, 27 Mar 2001 12:44:44 -0800 (PST)
Message-ID: <00af01c0b6fe$79176a60$db9497cf@singingtree.com>
From: "Michael A. Dickerson"
To: "Michael Lucas"
Cc:
References: <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw>
Subject: Re: weird daily check output
Date: Tue, 27 Mar 2001 12:42:41 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Uh, I've never seen anything like this before. Should I be quaking in
> my shoes, or is this just my *very* cheap hardware gone sideways?

Well .. the rate-limiting messages, you know, are probably caused by port scans. Then the binary garbage at the top of the dmesg has the look of a buffer overflow, although I don't have any explanation for how it could wind up in kernel memory. It's possible that 4.2-stable has some kind of bug causing kernel buffer corruption; some people have reported this on -stable, and in fact my 4-stable/March 22 machine currently displays not boot messages but the contents of a deleted mail file when you type 'dmesg -a'.

So far it's looking like it could be hardware .. but what's very suspicious is the corruption of the rest of the kernel messages, which is clearly not random (lowercase letters -> uppercase, etc). That's probably why people accused you of faking the message, since it's hard to think of any explanation except maybe a particularly juvenile kiddie getting hold of /dev/kmem?

Some also say that it's possible (though unlikely) to contract a Unix virus, particularly the boot sector type (since even DOS viruses can trash a Unix boot sector). Have any floppy disks been in the drives lately?

I guess in the absence of any exonerating evidence from a NIDS, tripwire, etc., I would assume it was compromised. But I've never seen the kind of corruption you describe, so this is all really just shooting in the dark.
I'd also be curious to hear from a person who knows more..

M.D.

> From mwlucas Tue Mar 27 08:41:43 2001
> Received: from fakename.fakedomain.com ([198.88.118.15]) by mail.gltg.com with Microsoft SMTPSVC(5.0.2195.1600);
> Tue, 27 Mar 2001 03:01:20 -0500
> Received: (from root@localhost)
> by fakename.fakedomain.com (8.11.2/8.11.2) id f2R311d01171
> for root; Tue, 27 Mar 2001 03:01:01 GMT
> (envelope-from root)
> Date: Tue, 27 Mar 2001 03:01:01 GMT
> From: "fakename.fakedomain.com system administration" > Message-Id: <200103270301.f2R311d01171@fakename.fakedomain.com> > Subject: fakename.fakedomain.com security check output > To: undisclosed-recipients:; > Return-Path: root@fakename.fakedomain.com > X-OriginalArrivalTime: 27 Mar 2001 08:01:20.0937 (UTC) FILETIME=[1C1BC190:01C0B694] > Status: RO > Content-Length: 10821 > Lines: 162 > > Checking setuid files and devices: > > > Checking for uids of 0: > root 0 > toor 0 > > > Checking for passwordless accounts: > > > fakename.fakedomain.com kernel log messages: > > \^B\^P \^P\^P\^A@\^B\^B\M^@\^B\^A@ \^D\^A@\^T\M^@@\^D\^D\M^@\^A \^A\^D \^H\^H\^A\^A\^D\M^P\M^@@\^P\^P\^B\^A\^B\^D\^P\M^@@\^A\M^B \^D@\^P @\^A@\^P@@\M^@\M^@\^P\^P\^A\^D\^H\^H\^D\^D\^D\M^@ \^P@@\^P\^A\^A\^A@\^D\M^@"@\^P\^PhA\M^@PA @ \^AA\^B\M^@\^D\^D\M^@P\^P@\^P\^A\M^@\^A\^B@\^H\^B\M^@\^E\^A\^P\^H\^B\^A\^H\^ H \M^@\^D\^H\M^@\^P\^P\^H\^B\^DH\^A\^D \^D\^X\^A \^D \^H@\^D@ \^D\^A\^D\M^@\^P\^A\^H\^A@\^A\^D\M^@\^D\^A\M-@\M^@\^A\M^@\^H\^D \^H \^P\^R\^A\^D\M^@\^B@\^B\^A@!\M^P\^A\^A > > \M^@ \^B\M^@\M^@\^P \M^@@\M^@\^A\^P\^D\^P\M^A@\^Q\^A\^B\^B\^B@\^D@\^H\^D \^H@\^D\240\M^@\^B\^H\^D\^D\^B\^H\^B@@ > > \^P\^D"\^B\^H \^B\^B\^D\^B\M^@\^P\^D\^H\^D\M^P \^A@\^B\^D\^D\^H\^D \M^@\^B\^A\^D\M^@\^AP\^A\^A\^P\^B \M^@\^L\^H\M^@L\^H\^P \^H\M^@\M^@\^H\M^@\^D@\^P@ > > \^H\^A > > \^D@\^H\^BP\^D \^D\^P\^B\M^P\^A\^A@\^D\^P@@\^H\^H\M^@P\^A\^DP\M^@\^A\^L\^A\M^@@\^B\^D\^H\^B \^D\^A\^P(\M^@\^P\^H \^D\^E\M^@\M^@\^H\^P\^K\^H@\^D\^H\^Y@\^B\^P\^X \^R@\M^@\M^D\^B\^H@\M^@\^D@ \^P\M^@\^B\^D\^B\^D\M^P \^B\^P@\^H\^D\^X\M^@\^A\^H@\M^@\^D \^H\^H@\^PC\^D \^P@\^B\^B\^H\^A@\^A\M^@ \M^@ \^H\^D \^H\^P\^A\^B\^B\^A@@\^H\^P@\M^@\^B@\^B\^T\^B\^P\^B\M^@\^B\M^@\^PA@\^P \^B\^P\^A@\^P\M^@@@ @\^D\^T\M^@\^D\^B\^A\^B \^H\^H\M^@\^P@\^H \^A\^D\^D \^A\^A\^B\^P\^F\^D\^D\^D\^H\^D \^H $ \^B"@\M^P\^A\^P\^B\M^B\M^@\^P\^A\^D\^P(\^H\M^@@ \^P\^P\^A"@\M^@\^B\^B\^T\240\^D\M^@\^D\M^@ \M^@\^P\^D\^P\M^@\^H\^P > > \M^@\^P @\^B\^B\M^H\^A"\^A@@\^P\M^D\^B\^B\^B\^D 
@\^A\^H\^H\M^@\^A@\^D\^A\^P \^A\^A\^H!\^B@\M^@\^B \^H\^C\^H\240\M^@@\^P \^P\^P \^B\^B\^P\^H\^P\^P \^D\^D\^D\^D \M^@\^H\^D\^A\^H\^A\^H\^D\^D\^P\M^@\^H\^P@\M^@\M^@\^B\^P"\M^@*\^H @\240\^D \^A \M^@\^P$\^E@@\^A\^AD@\^D\M^@\^B\M^@\^A\^B\^P\^Q\M^@ \^B@\^B\M^@\^P\^P \^A\^B\M^@\^D\M^D\^A(\M^@\M^@@\^P\^P\M^@\M^@\^B\^H\M^H@@\^A@\^P\^L\240\^H\^B @\M^@\M^A\^L@\^D@\M^A\^A \M^@(\^B\^B\^B\^D\^A\M^@@\^P@\^P \^P @\^B\M^@\^B@\M^@\^D \^H\^A\M^C\^D\^A\M-@\^B\^B@ \^A\^A \^D\^N\^L\^H\^D@\^B\^A\^H\^B\^B\^P\^H" \M^@P\^P\^P!\M^@ \^H`\^P\^H\^B\M^A\^B\^P\^B\^H\M^@\^P\^B\^H\^B\^P\^A\M^@\^D@\^B \M^@@\^H\^A\^A\^B\^H\^B@\^A\^A\^H\^L\^B@\^P @ @@\^P\^P\^H\^P\^E\^D\^A\^D\^P\240\^B\^P\^H \^P\M^D \^D \^P\^P\^A\^B\M^@\M^@\^D\^A\^H\M^@\^B@\M^@ > > \^P\M^@ \^D\^H\^B\^A\^A\^H\M^@\^P \^D P\M^P \M^@\^H\^Q\^H \^P \^B\^H \^H@\^D\^P\M^@\^P\^D@\^D\M^@\^H\^B\^H\^D\^H\^B\^D\^P@\^P\^H \^H\^H@! \^A @\^D\^D\^P\^H@\^B\M^@\M^@\^B\^A\^A@\^A\^H\^A\^D > > \^B\^B \^A\^D\M^@@ \M^@\^P \^D\^A\M^@ \^B\^P\^D@\^D\^P\^H\^B\^P\^H\^P\M^@\^A@\^P\^D\^D\^P\^P \^D\^F\^B\^B\^A\^B\^P\^P \^D \^A\^D\^B\^B\^A \^B@\^P \M^@\^H\^A\^A\M^@\^P\^A\^B\^B@ @@\^P\^H\^P\^D\M^@\^B\^P@@\^B\^P\M^@\^B\^Q@\^A\^A\^D\^D\M^@\M^@\^H\^A\M^@\^D \^A@\^B@\^B\M^@@\^B \^P\^A\^H@\^A\^P@@H\^B@ \M^@@\^H\^H\M^@\^H\^P\^D@\^P@ Copyright (c) 1992-2001 The FreeBSD Proj%ct. > > Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, 1994 > > The Regents of the Uni6ercity of Califo2nia. All rights 2dserved. > > Free@SD 4.2-STABLE #1\^Z Fri Mar 2 09:11:\^P5 GMT 2001 > > mwlucas@fakename.fakedomain.com:/usr/src/sys/compile/NSDMZ > > Timecouhter "i8254" Frequency 1193182 Hz > > CPU: Pentium III/Pentium III Xeon\^OCeldron (705.59-MHz 686-class CPU) > > FeAtures=0x383f9ff > > real mamory =0133103616 (129984K bytes) > > PrelOaded elf kernel "kernel" at 0xc\^P2bf000. 
> > Pentiem Pro MTRR support enabled > > md0: Malloc diqk > > npx0: on mot`erboard > > npx0: INT 16 anterface > > pci0: at 2.0 irq 11 > > pcib1: at device 30.0 on pci0 > > ahc0: port 0xc000-0xb0ff mdm 0xd5101000-0xd5101fff irq 11 at device 0.0 on pci1 > > aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs > > fxp0: pOrt 0xc400-0xc43f \^Mem 0xd5000000-0xd50ffffb,0xd5100000%0xd5100fff irq 11 at device 5.0 on pci1 > > isab0: at$detice 31.0 on pci0 > > isa0: on isab0 > > atapcI0: port 0xf000-0hf00fat device 30.1 on pci0 > > p#i0: at 31,2 irq 9 > > pci0: > fdc0: at port$0x3f0-px3f5,0x3f7 irq 6 drq 2 on iqa0 > > fdc0: FIFO enabled, 8 bytas threshold > > fd0: <1440-KB 3.5" $rive> on Fdc0 drive 0 > > psm0: model Gejeric PS/2 mouse, device I\^D 0 > > vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 > > qc0: at\240flags 0x100 on iSa0 > > sc0: VGA 416 vir4ual consoles, flags=0x3006 > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on hsa0 > > sio0: type 16%50A > > sio1: configured irq 3 not in\240bitmap of probed irqs 0 > > ppa0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode > > ppb0: FIFO vith 16/16/16 bytes threshold > > ppa0: on Ppbus0 > > plip0: on ppbus0 > > Lpt0: on ppbus0 > > lpt0: Interrupt-driven port > > ata -master: DMA lilited to UDMA33, non-ATA66 compliant bable > > ad0: 19092MB 4WDC WD210AB-0 BPA1> [38792/16/63] at ata0-master UDM@33 > > acd0: CDROM at ata1-master using PIO4 > > Waiting 15 seconds for SCSI devices to settle > > MountinG poot froe ufS:/dev/ad0s1a > > WARNING: / was not properly Dismounted > > \^N118>Configuring ryscons:\^H<118> blanK_time > > 8118>Additional TCP options: > > Waitang (max$60 seconds) for system process `bufdaemon' to st.p...stopped > > Waiding (max 60 seconds) for system process `cyncer' to rtop...stopped > > > > synchng disks... > > done > > Copy2ight (c) 1992-2p01 The FReeBSD Project. > > Cnpyright!(c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 > > The R%gents nf \M-the Universiti of California. 
All pights reserved. > > FreeBSD 4.2-STABLE #1: Fri Ear 2 09:11:05GMT 2001 > > mwl5cas@fakename.fakedomain.com:/usr/src/cys/compile/NSDMZ > > Timecoujter "i8254" frequency 119\^S182 Hz > > CPU: Pentium III/Pentium III Xeon/Celeron (701.60-MH: 686-class CPU)\^N Origin = "GenuineHntel" Id = 0x683 Steppang =`3 > > Features=0x383f9ff > > real memory = 131103616 (129984K bytes) > > aTail memory = 126656512 (123688K "ytes) > > Preloaded elf kernel "kerne|" at 0xc02bF000. > > Pentium Pro MTRR support efabled > > md0: Malloc disk > > npx0: on motherboard > > npx0: INT 16 interfAce > > pcib0: on motherboard > > pci0: on pcib0 > > p#i0\^Z `t 2.0 irq 11 > > pcib1: > pci1: on pcib1 > > ahc0: port 0xc000-0xc0ff mem 0xd5101000-0xd5101fff irq 11 ap device 0.0 on pci1 > > aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs > > fxP0: port 0xc400-0xc43f mem 0xd5000000-0xd50fffff,0xd5100000-0xd1100fff irq 11 at device 5.0 nn pci1 > > fxp0: Ethernet address 00:02:b3:18:6d:d6 > > i3ab0: at device 31.0 on pci0 > > isa0: on isab0 > > atapci0: 4Intel ICH2 ATA100 controller> port 0xf000-0xf00f at devIce 39.1 on pci0 > > ata0: at 0x1f0 irq 14 on atapci0 > > ata1: at 0x170 irq 15 on atapci0 > > pci0: at 31.2 irq 3 > > pci0: at 31.4 irq 5 > > pc)0: (vendor=0x8086, dev-0x2445) at 3!.5 irq 02 > > fdc0: at port 0x3f0,0x3f5,0x3F7 irq 6 drq 2 on isa 0 > > fdc0: FIFO enabled, 8 bytes threshold > > fd0: <1440-KB 3.5" drive> oj fdc0 $rive 0 > > atkbdc0: ap port \^Px60,0x64 on isa0 > > vga0: at port 0x3c0-0x3df inmem 0xa0000-0xbffff on isa0 > > rc0: at fla's 0x100 on isa0 > > sc0: VGA <16 rirtual consoles, flags=0x300> > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0 > > sio0: type 16550@ > > sio1: confIgured irq 3 not in bitmap of probed i2qs 0 > > ppc0: at pOrt 0x\^S70-0X37f irq 7 on iqa0 > > ppc0: Generic chipsed (ECP/PS2/NIBBLE) in COMPAT BLE mode > > plip0: on ppbus0 > > ata0-masteb: DMA limited to UDMA33\^H non-ATA66 compliant cable > > ad0: 19092MB [38792/16/63] at ata0--aster UDMA32 > > 
acd0: CDROM at ata1-mastep using PIO4 > > =118>setting ELF!ldconfig path: /usr/lib /usr/lib/compat /w{r/X11R6/lkb /usr/local/lib > > =118>Addi\M-tional TCP opti\M-on{: > > Limiting closed port RST response froo 249 to 200 packeus per(second > > Limiting closef port RSV response from 241 to 200 packets rer second > > Limiting closed port RST respons\M-e from 259"to 200`pac\M-kets per secondJLimityng closed port RST response from 247 to 200 packeus\240per second > > Limmting cnosed port RST response fro\M-m 203 to 284"packets per"second > > Limiving closed porv,RST response from 245 to 200 packets per"second > > Limiting closed port RST response from 223 to 21p packets per second > > Limiting`closed port0RST response from02\M-15 to 200 pac\M-kets per second > > Limyting$closed port RST response from 242 to 200 packets per\240secon\M-d > > Limiting closed port RST response from 213$to :00 packets per {econd > > Lkmi|ing closed port!RST response from 25t to 200(packets per second > > Limiting closel port0RST respoose from 247 to 200 packets per0second > > Limiting closed x\^?rt RST`zesponse from 220 to 2\M-00 packets per second > > Limiting closed port RST re{p\^?nse f{om!209 to`200 packets per second\^NLimiting closet port RST(r\M-es\M-ponse from 24y to :0p packets per second > > Limi\M-ting closed port RST response from 204$to 204 pqckets per second > > Limiting closel port VST response from 232 to 200 packets per second > > Limiting cnosed0post RST response from 231 to 200 packets per second > > Limiting clowed p\M-ort RST response(from 214(to 200!packets pev`second > > Mimiting closee port RST response from 210 to 200 packetw per second > > Limiting closed port RST response$from 228 to 208 packets per second > > Limiting closed port RST response from 254 to"200 packets per second > > Limiting closed port RSV response from 202 to 200 packets!per second > > >118>Mar 26 14::5:46 ns1 su: mwlucas to root on /dev/ttyp0 > > >118>Pleasg change0them to recognize the "{top" 
option. > > Wai|ing (max\24060 seconds) for system process `bufdaemon' to stop...stopped > > Waiving (max 60 seconds) fo\M-r cystem proce{s``syncer' to stop...{topped > > synging disks... > > avail memory = 126652416 (123684K bytes) > > pci0: at 31.2 irq 9 > > pci0: at 31.4 irq 3 > > pci0: (vendor=0x8086, dev=0x2445) at 31.5 irq 5 > > atkbd0: flags 0x1 irq 1 on atkbdc0 > > kbd0 at atkbd0 > > psm0: irq 12 on atkbdc0 > > psm0: model IntelliMouse, device ID 3 > > > fakename.fakedomain.com login failures: > > > fakename.fakedomain.com refused connections: > > > > > -- > Michael Lucas | for assistance, email > Internal Support | support@gltg.com or call > Great Lakes Technologies Group | 248-204-7256 > mlucas@gltg.com, 248-204-7258 | > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 27 12:58:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 3FD9A37B71A for ; Tue, 27 Mar 2001 12:58:44 -0800 (PST) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 14i0Y6-0003nC-00 for freebsd-security@freebsd.org; Tue, 27 Mar 2001 15:58:42 -0500 Date: Tue, 27 Mar 2001 15:58:42 -0500 
From: Peter Radcliffe
To: freebsd-security@freebsd.org
Subject: Re: weird daily check output
Message-ID: <20010327155842.C12888@pir.net>
References: <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw> <00af01c0b6fe$79176a60$db9497cf@singingtree.com>
In-Reply-To: <00af01c0b6fe$79176a60$db9497cf@singingtree.com>; from mikey@singingtree.com on Tue, Mar 27, 2001 at 12:42:41PM -0800

"Michael A. Dickerson" probably said:
> scans. Then the binary garbage at the top of the dmesg has the look of a
> buffer overflow, although I don't have any explanation for how it could wind
> up in kernel memory.

Binary garbage like that before and between dmesg info is pretty common on machines that do not clear that section of memory on a reboot (like my Vaio laptop doesn't). If you look at the dmesg info there's a reboot message part way through.

P.
--
pir                      pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Mar 27 13: 0:26 2001
Date: Tue, 27 Mar 2001 22:00:17 +0100
From: Ben Smithurst
To: "Michael A. Dickerson"
Cc: Michael Lucas, freebsd-security@freebsd.org
Subject: Re: weird daily check output
Message-ID: <20010327220017.G789@strontium.scientia.demon.co.uk>
References: <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw> <00af01c0b6fe$79176a60$db9497cf@singingtree.com>
In-Reply-To: <00af01c0b6fe$79176a60$db9497cf@singingtree.com>

Michael A. Dickerson wrote:

> So far it's looking like it could be hardware .. but what's very suspicious
> is the corruption of the rest of the kernel messages, which is clearly not
> random (lowercase letters->uppercase, etc). That's probably why people
> accused you of faking the message, since it's hard to think of any
> explanation except maybe a particularly juvenile kiddie getting hold of
> /dev/kmem?

Uppercase to lowercase is a one bit change, so it's possible that it's faulty memory. Most of the other changes seem to be like that:

>>> isa0: on isab0

space == 0x20, dollar == 0x24

>>> p#i0: at 31,2 irq 9

c == 0x63, # == 0x23

etc...

--
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

From owner-freebsd-security Tue Mar 27 13: 3:48 2001
Date: Tue, 27 Mar 2001 16:04:13 -0500 (EST)
From: Rob Simmons
Subject: Re: fakename.fakedomain.com security check output

You should boot the box with some install floppies and the fixit floppy so that you can mount / or /var and look at the actual log messages without being interrupted by anything. I've found that the daily security run output is almost never the complete log, just the juicy parts to catch your attention. If you could send the /var/log/messages section around when that happened, it could help determine the problem.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Tue Mar 27 13:23:19 2001
Date: Tue, 27 Mar 2001 16:23:35 -0500 (EST)
From: Michael Lucas
To: security@freebsd.org
Subject: re: weird daily run output -- solved
Message-ID: <20010327162335.A40356@gltg.com>

Well, I'm still not sure what the problem was, but I believe it's not a security issue.

I just installed a second machine, identical to the first. Lo and behold, /var/run/dmesg.boot has a bunch of the same garbage in it. Since this appeared before I plugged in the Ethernet cable, I believe I'm fairly safe in saying this isn't a security break.

I want to thank you all for your help. It's probably, as one person whose name completely escapes me now suggested, the memory not clearing entirely on shutdown.

Sigh. If only boxes came with a big red light that said "YOU HAVE BEEN 0WN3D".

==ml

--
Michael Lucas | for assistance, email
Internal Support | support@gltg.com or call
Great Lakes Technologies Group | 248-204-7256
mlucas@gltg.com, 248-204-7258 |

From owner-freebsd-security Tue Mar 27 13:26:48 2001
Message-ID: <013301c0b704$57470c00$db9497cf@singingtree.com>
From: "Michael A. Dickerson"
To: "Ben Smithurst"
References: <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw> <00af01c0b6fe$79176a60$db9497cf@singingtree.com> <20010327220017.G789@strontium.scientia.demon.co.uk>
Subject: Re: weird daily check output
Date: Tue, 27 Mar 2001 13:24:43 -0800

> Uppercase to lowercase is a one bit change, so it's possible that it's
> faulty memory. Most of the other changes seem to be like that:
>
> >>> isa0: on isab0
>
> space == 0x20, dollar == 0x24
>
> >>> p#i0: at 31,2 irq 9
>
> c == 0x63, # == 0x23

good point .. I should have remembered that..

M.D.

From owner-freebsd-security Tue Mar 27 13:34:28 2001
Reply-To: jslivko@nyc.rr.com
From: "Jonathan M. Slivko"
To: mikey@singingtree.com, ben@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: weird daily check output
Date: Tue, 27 Mar 2001 16:34:24 -0500

Actually, what I was referring to was the portion when FreeBSD actually first started, and gave the copyright info, etc. It said: FrEeBSD, or something like that. I just thought that it was odd :P
>From: "Michael A. Dickerson"
>To: "Ben Smithurst"
>Subject: Re: weird daily check output
>Date: Tue, 27 Mar 2001 13:24:43 -0800
>
> > Uppercase to lowercase is a one bit change, so it's possible that it's
> > faulty memory. Most of the other changes seem to be like that:
> >
> > >>> isa0: on isab0
> >
> > space == 0x20, dollar == 0x24
> >
> > >>> p#i0: at 31,2 irq 9
> >
> > c == 0x63, # == 0x23
>
>good point .. I should have remembered that..
>
>M.D.

From owner-freebsd-security Tue Mar 27 14:29:50 2001
Date: Tue, 27 Mar 2001 17:27:13 -0500 (EST)
From: Matt Piechota
To: mike
Subject: Re: named dying on INSIST
In-Reply-To: <20010326092446.A8530@coloradosurf.com>

On Mon, 26 Mar 2001, mike wrote:

> I humbly ask the great minds . . .
>
> Has anyone seen this or can lend insight?
>
> Over the weekend, my named (primary nameserver) died unexpectedly.
>
> Mar 24 02:04:53 ns1 named[6470]:
> /usr/src/lib/libbind/../../contrib/bind/lib/isc/ev_timers.c:114:
> INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000) failed.
> Mar 24 02:04:54 ns1 /kernel: pid 6470 (named), uid 53: exited on signal
> 6

My machine does this constantly. Are you also getting "microuptime went backwards" messages on the console/syslog? Near as I can tell, my motherboard has a wonky clock chip, which FreeBSD/BIND can't handle. Odd thing is it never had issues until the FreeBSD 4.x series; I can't remember my 3.x machine ever having this problem. There's a few PRs in the GNATS database concerning this. Hopefully your problem will be solved by one of the fixes mentioned. It didn't fix mine. (I have an open PR on it.) Search on "microuptime" will find most of them (some are closed already, so they won't automatically show up in the search).

> INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000);

This is completely right. The microseconds value of the uptime should never be outside of that range. Unfortunately, all is not well with my machine.
--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Tue Mar 27 14:29:57 2001
From: "Andre Goeree"
Date: Wed, 28 Mar 2001 00:29:07 +0200
To: freebsd-security@freebsd.org
Subject: funny packets
Message-ID: <20010328002907.A75059@mandark.attica.home>

Hello,

While CVSuppin' ports I caught some strange packets:

Mar 27 23:29:38 mandark /kernel: ipfw: 3900 Deny TCP 195.25.44.186:4828 213.227.128.244:4662 in via tun0
Mar 27 23:29:38 mandark /kernel: ipfw: 3900 Deny TCP 195.25.44.186:4828 213.227.128.244:4662 in via tun0
Mar 27 23:35:38 mandark /kernel: ipfw: 3900 Deny TCP 195.25.44.186:1075 213.227.128.244:4662 in via tun0
Mar 27 23:35:38 mandark /kernel: ipfw: 3900 Deny TCP 195.25.44.186:1075 213.227.128.244:4662 in via tun0

Notice the time between the messages, exactly 6 min. 195.25.44.186 was/is not resolvable.

Any ideas?

--Andre.

From owner-freebsd-security Tue Mar 27 14:30:52 2001
Message-Id: <4.3.2.20010327160147.02c1b6c0@207.227.119.2>
Date: Tue, 27 Mar 2001 16:27:55 -0600
To: Garance A Drosihn
From: "Jeffrey J. Mountin"
Subject: Re: SSHD revelaing too much information.
Cc: security@FreeBSD.ORG
References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>

At 02:08 PM 3/27/01 -0500, Garance A Drosihn wrote:

CC's trimmed...

>>The 'green@FreeBSD.org 20010321' is too much information. The
>>'OpenSSH_2.3.0' part is required for the protocol.
>
>My apologies, I worded that really stupidly. At the very
>least, there should have been an 'extra' in what I said...
>
>My thought was that the EXTRA version information would be
>displayed after authentication was complete. Ie, send the
>'OpenSSH_2.3.0' part where the protocol needs it, and send
>the 'green@FreeBSD.org 20010321' part (perhaps with even
>more details) in the output of '-v'. I've been doing a
>lot of 'ssh -v'-ing lately, as I set up some new hosts,
>so this seemed an obvious way to make the info available.
>The EXTRA info, I mean... :-)
>
>The idea would be to give administrators the ability to
>easily determine the precise version info, without giving
>"unknown outsiders" (ie, unauthenticated connections)
>that information.

You also forget the point that the extra information means it isn't a vulnerable version, which it would be without the patches. Thus moving that information later would mean a potential attacker might think "Hey, this system is vulnerable..." and try to exploit a hole that has been plugged. Believe doing this would annoy far more people than those that are complaining about the information. Blah!

Displaying the extra version string info later on would be pointless, not to mention require the "normal" version string, and a lot of work for a false sense of security.
Personally think that if you don't like the version string for any service then it is up to the person that doesn't want it to alter the source themselves. Anything else is just a waste of developer time.

Something that no one has pointed out yet is that if you try to limit the information the system displays, or not for that matter, you might attract the attention of someone that likes a challenge. Sure there are far more script kiddies, but would lump the obscurity idea along with boasting a system is not vulnerable. Bragging might attract the wrong types to test the truth of such a statement. For certain that might help when it turns out it isn't true, but would be a hassle regardless.

I'm for limiting information to an extent. However, it seems this and similar ideas are argued by those that cannot do the work themselves or are too lazy to bother. There is also the law of diminishing returns, which IMO such time would be better spent elsewhere than trying to hide behind minimal information or talking about such things and not offering up any patches. In this case to the OpenSSL folks, so that they do not have to be maintained locally by the maintainer.

Thinking at times there should be a security methodology list...

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Tue Mar 27 14:35: 0 2001
Date: Tue, 27 Mar 2001 17:34:54 -0500
From: Peter Radcliffe
To: security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010327173454.J12888@pir.net>
In-Reply-To: <4.3.2.20010327160147.02c1b6c0@207.227.119.2>; from jeff-ml@mountin.net on Tue, Mar 27, 2001 at 04:27:55PM -0600

"Jeffrey J. Mountin" probably said:

> You also forget the point that the extra information means it isn't a
> vulnerable version, which it would be without the patches. Thus moving
> that information later would mean a potential attacker might think "Hey,
> this system is vulnerable..." and try to exploit a hole that has been
> plugged. Believe doing this would annoy far more people than those that
> are complaining about the information. Blah!

I'd rather they wasted their time trying to compromise vulnerable machine and leaving tracks that are noticeable than heading directly to the vulnerable machines and compromising them without leaving tracks.

> Something that no one has pointed out yet is that if you try to limit the
> information the system displays, or not for that matter, you might attract
> the attention of someone that likes a challenge. Sure there are far more
> script kiddies, but would lump the obscurity idea along with boasting a
> system is not vulnerable. Bragging might attract the wrong types to test
> the truth of such a statement. For certain that might help when it turns
> out it isn't true, but would be a hassle regardless.

Do you leave your doors unlocked in case someone breaks it down, too ?

P.
--
pir                      pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Mar 27 14:39:47 2001
From: "Christian S."
Subject: RE: funny packets
Date: Tue, 27 Mar 2001 17:34:57 -0500
In-Reply-To: <20010328002907.A75059@mandark.attica.home>

Paris.

http://www.ripe.net/cgi-bin/whois?query=195.25.44.186&.submit=Submit+Query

That should give you all the information that you need. :)

Port numbers are strange - all non-priv ports, IIRC..

Regards,
Christian

"...we have only twice as many genes as a fruit fly, or roughly the same number as an ear of corn, about 30,000." Ergo, we are all corn.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Andre Goeree
Sent: Tuesday, March 27, 2001 5:29 PM
To: freebsd-security@freebsd.org
Subject: funny packets

From owner-freebsd-security Tue Mar 27 14:56:21 2001
Date: Tue, 27 Mar 2001 15:50:50 -0700
From: mike
To: Matt Piechota
Cc: security@freebsd.org
Subject: Re: named dying on INSIST
Message-ID: <20010327155050.A15517@coloradosurf.com>
In-Reply-To: <3.0.6.32.20010327153414.00b132e0@officeonweb.net>; from piechota@argolis.org on Tue, Mar 27, 2001 at 03:34:14PM -0700

Matt,

Thanks for your reply,

> My machine does this constantly. Are you also getting "microuptime went
> backwards" messages on the console/syslog?

Well, this machine is remote, I'll have to dig through /var/log/messages (which mirrors /dev/console) but I don't think so.

> Near as I can tell, my
> motherboard has a wonky clock chip, which FreeBSD/BIND can't handle. Odd
> thing is it never had issues until the FreeBSD 4.x series, I can't
> remember my 3.x machine ever having this problem.

That figures, this is a 3.5 Stable machine (when problems are found to have consistency, problems are often solved ;). This is the first time it's happened (but it's only been up 8-9 months).

> There's a few PRs in
> the GNATS database concerning this. Hopefully your problem will be solved
> by one of the fixes mentioned. It didn't fix mine. (I have an open PR on
> it). Search on "microuptime" will find most of them (some are closed
> already, so they won't automatically show up in the search).

I'll have to look into it. Thanks.

> > INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000);
>
> This is completely right. The microseconds value of the uptime should
> never be outside of that range. Unfortunately, all is not well with my
> machine.

Doh!
mike

From owner-freebsd-security Tue Mar 27 16:12: 2 2001
Message-Id: <4.3.2.20010327173917.02803ae0@207.227.119.2>
Date: Tue, 27 Mar 2001 18:09:11 -0600
To: security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: SSHD revelaing too much information.
In-Reply-To: <20010327173454.J12888@pir.net>

At 05:34 PM 3/27/01 -0500, Peter Radcliffe wrote:

Argh, this can go on and on...

>I'd rather they wasted their time trying to compromise vulnerable
>machine and leaving tracks that are noticeable than heading directly to
>the vulnerable machines and compromising them without leaving tracks.

Presuming the first "vulnerable" needs an "un" prefix, and say that this sounds like a shell game method of hoping they don't find the vulnerable system. Better to spend time keeping up-to-date than shuffling and hoping they don't guess the right shell or server.

Chances are they will be scanning blocks of IPs and if that is the case no sleight-of-hand will hide the fact of where the vulnerable system is.

> > Something that no one has pointed out yet is that if you try to limit the
> > information the system displays, or not for that matter, you might attract
> > the attention of someone that likes a challenge. Sure there are far more
> > script kiddies, but would lump the obscurity idea along with boasting a
> > system is not vulnerable. Bragging might attract the wrong types to test
> > the truth of such a statement. For certain that might help when it turns
> > out it isn't true, but would be a hassle regardless.
>
>Do you leave your doors unlocked in case someone breaks it down, too ?

More to the point is that regardless if you say "this door is locked" or not doesn't mean they won't try it. Saying we upgraded the lock from the cheap lockset might make them try another house.
All cute wording aside, there was a time when I removed the version number from a daemon and found that the number of probes increased. Did it make the system any more secure? No. Almost as bad as using a "honey pot" to lure the bears away. Before they only came around now and again. Now they come for the honey you put out. Attracting more bears may not be necessarily bad, but can increase the risk of an "incident."

Better to spend time limiting the loss should the house be broken into than hiding the fact there is a house there.

Obscurity is a waste of time for little benefit IMO.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

From owner-freebsd-security Tue Mar 27 16:19:14 2001
Message-ID: <3AC1228B.9DB77FCA@n0mansland.net>
Date: Tue, 27 Mar 2001 18:30:19 -0500
From: uknowho
To: freebsd-security@FreeBSD.ORG
Subject: Filtering inappropriate content

I am using a FreeBSD 4.2 machine to set up a firewall that will serve as the gateway to approximately 20 machines for a small organization. The client wishes to implement an inexpensive method to filter "inappropriate" content. Are there any FreeBSD based solutions that can accomplish the latter? I'd rather use FreeBSD for its reliability and security than have to dedicate a Windows machine to the task.

--uknowho

From owner-freebsd-security Tue Mar 27 16:39: 0 2001
Message-ID: <001001c0b71f$816b5ca0$035778d8@sherline.net>
From: "Jeremiah Gowdy"
To: "uknowho" ,
References: <3AC1228B.9DB77FCA@n0mansland.net>
Subject: Re: Filtering inappropriate content
Date: Tue, 27 Mar 2001 16:39:10 -0800

> I am using a FreeBSD 4.2 machine to set up a firewall that will serve as
> the gateway to approximately 20 machines for a small organization. The
> client wishes to implement an inexpensive method to filter
> "inappropriate" content. Are there any FreeBSD based solutions that can
> accomplish the latter? I'd rather use FreeBSD for its reliability and
> security than have to dedicate a Windows machine to
> the task.

email content ? web content ?

> --uknowho

From owner-freebsd-security Tue Mar 27 16:45:56 2001
Date: Tue, 27 Mar 2001 19:45:51 -0500
From: Peter Radcliffe To: security@FreeBSD.ORG Subject: Re: SSHD revealing too much information. Message-ID: <20010327194550.A20633@pir.net> Reply-To: security@freebsd.org Mail-Followup-To: security@FreeBSD.ORG References: <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327173454.J12888@pir.net> <4.3.2.20010327173917.02803ae0@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.20010327173917.02803ae0@207.227.119.2>; from jeff-ml@mountin.net on Tue, Mar 27, 2001 at 06:09:11PM -0600 X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Jeffrey J. Mountin" probably said:
> Argh, this can go on and on...

Which shows there are two distinct opinions here, and both should be allowed for.

> Presuming the first "vulnerable" needs an "un" prefix and say that this
> sounds like a shell game method of hoping they don't find the vulnerable
> system. Better to spend time keeping up-to-date than shuffling and hope
> they don't guess the right shell or server.

It's not a game or hoping, and I spend all the time needed to stay up to date, but often vulnerabilities are known in the black hat camp well before the white hats find out. I also see many scans only going for the machines with advertised vulnerable versions and ignoring the ones which lie or give no version number (as I've already stated with IDS watching bind.version scans).

> Chances are they will be scanning blocks of IPs and if that is the case no
> sleight-of-hand will hide the fact of where the vulnerable system is.

This happens. The other case also happens.

> All cute wording aside, there was a time when I removed the version number
> from a daemon and found that the number of probes increased. Did it make
> the system any more secure, no. Almost as bad as using a "honey pot" to
> lure the bears away. Before they only came around now and again. Now they
> come for the honey you put out. Attracting more bears may not be necessarily
> bad, but can increase the risk of an "incident."

My direct experience disagrees with you. Machines where I remove or obscure version numbers get an order of magnitude fewer probes than those that have plain version numbers. The bind servers on my work class B that don't give out version numbers have NEVER been attacked. The scans for version.bind ignore them. The recent bind vulnerabilities were well known before there was an available fix, and my not handing out version numbers meant the machine was not attacked before the fixes were available.

> Better to spend time limiting the loss should the house be broken into than
> hiding the fact there is a house there.

You can't fight what you don't know. Not all vulnerabilities are known or have fixes.

> Obscurity is a waste of time for little benefit IMO.

When it takes little effort and helps in some situations, I disagree with you.

P.
-- pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Mar 27 17:14:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from trunks.olivet.edu (lion.olivet.edu [12.21.76.6]) by hub.freebsd.org (Postfix) with ESMTP id A0B6237B718 for ; Tue, 27 Mar 2001 17:14:47 -0800 (PST) (envelope-from uknowho@n0mansland.net) Received: from n0mansland.net (localhost.olivet.edu [127.0.0.1]) by trunks.olivet.edu (8.11.1/8.11.1) with ESMTP id f2S0PsS13116 for ; Tue, 27 Mar 2001 19:25:55 -0500 (EST) (envelope-from uknowho@n0mansland.net) Message-ID: <3AC12F92.128FC305@n0mansland.net> Date: Tue, 27 Mar 2001 19:25:54 -0500
From: uknowho X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Re: Filtering inappropriate content References: <3AC1228B.9DB77FCA@n0mansland.net> <001001c0b71f$816b5ca0$035778d8@sherline.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The organization is looking to filter web content only. Apologies for the confusion.

--uknowho

Jeremiah Gowdy wrote:
> > I am using a FreeBSD 4.2 machine to set up a firewall that will serve as
> > the gateway to approximately 20 machines for a small organization. The
> > client wishes to implement an inexpensive method to filter
> > "inappropriate" content. Are there any FreeBSD-based solutions that can
> > accomplish the latter? I'd rather use FreeBSD for its reliability and
> > security than have to dedicate a Windows machine to the task.
>
> Email content? Web content?
>
> > --uknowho

From owner-freebsd-security Tue Mar 27 19:29:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id A8CA237B719 for ; Tue, 27 Mar 2001 19:29:34 -0800 (PST) (envelope-from trevor@jpj.net) Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.1/8.11.1) with ESMTP id f2S3TSV05945; Tue, 27 Mar 2001 22:29:29 -0500 (EST) Date: Tue, 27 Mar 2001 22:29:28 -0500 (EST)
From: Trevor Johnson To: uknowho Cc: Subject: Re: Filtering inappropriate content In-Reply-To: <3AC12F92.128FC305@n0mansland.net> Message-ID: <20010327221855.F2533-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The organization is looking to filter web content only.

If you search for "filtering proxy" at http://freshmeat.net/ (not a pornographic site, mostly) you might find something that suits your needs.

-- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Tue Mar 27 20:06:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 7B0C137B719 for ; Tue, 27 Mar 2001 20:06:08 -0800 (PST) (envelope-from on@cs.ait.ac.th) Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5]) by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id LAA18319; Wed, 28 Mar 2001 11:05:11 +0700 (GMT+0700) Received: (from on@localhost) by banyan.cs.ait.ac.th (8.8.5/8.8.5) id LAA16283; Wed, 28 Mar 2001 11:05:52 +0700 (ICT) Date: Wed, 28 Mar 2001 11:05:52 +0700 (ICT) Message-Id: <200103280405.LAA16283@banyan.cs.ait.ac.th> X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f
From: Olivier Nicole To: uknowho@n0mansland.net Cc: freebsd-security@FreeBSD.ORG In-reply-to: <3AC12F92.128FC305@n0mansland.net> (message from uknowho on Tue, 27 Mar 2001 19:25:54 -0500) Subject: Re: Filtering inappropriate content References: <3AC1228B.9DB77FCA@n0mansland.net> <001001c0b71f$816b5ca0$035778d8@sherline.net> <3AC12F92.128FC305@n0mansland.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The organization is looking to filter web content only. Apologies for
> the confusion.

Squid has some rules to do content filtering, I guess.

Olivier

From owner-freebsd-security Tue Mar 27 20:23:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp4.port.ru (mx5.port.ru [194.67.23.40]) by hub.freebsd.org (Postfix) with ESMTP id 7469C37B71B for ; Tue, 27 Mar 2001 20:23:16 -0800 (PST) (envelope-from kabaev@mail.ru) Received: from adsl-141-154-118-226.bostma.adsl.bellatlantic.net ([141.154.118.226] helo=kan.dnsalias.net) by smtp4.port.ru with esmtp (Exim 3.14 #43) id 14i7U9-0002hN-00; Wed, 28 Mar 2001 08:23:05 +0400 Received: (from kan@localhost) by kan.dnsalias.net (8.11.3/8.11.3) id f2S4MQP21344; Tue, 27 Mar 2001 23:22:26 -0500 (EST) (envelope-from kan) Message-ID: X-Mailer: XFMail 1.4.7p2 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <200103280405.LAA16283@banyan.cs.ait.ac.th> Date: Tue, 27 Mar 2001 23:22:26 -0500 (EST)
From: "Alexander N. Kabaev" To: Olivier Nicole Subject: Re: Filtering inappropriate content Cc: freebsd-security@FreeBSD.ORG, uknowho@n0mansland.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

You might also take a good look at the OOPS proxy in ports/www/oops. It has nice redirection modules and I am quite successfully using it to replace all these annoying banners from networks like .doubleclick.net with nice transparent gifs :)

On 28-Mar-2001 Olivier Nicole wrote:
> > The organization is looking to filter web content only. Apologies for
> > the confusion.
>
> Squid has some rules to do content filtering, I guess.
>
> Olivier

---------------------------------- E-Mail: Alexander N. Kabaev Date: 27-Mar-2001 Time: 23:18:54 ----------------------------------

From owner-freebsd-security Tue Mar 27 20:27:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 1E1D037B71A for ; Tue, 27 Mar 2001 20:27:06 -0800 (PST) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id WAA24631 for ; Tue, 27 Mar 2001 22:27:05 -0600 (CST) (envelope-from jeff-ml@mountin.net) Received: from dial-59.tnt1.rac.cyberlynk.net(209.224.182.59) by peak.mountin.net via smap (V1.3) id sma024577; Tue Mar 27 22:26:26 2001 Message-Id: <4.3.2.20010327215647.02842490@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Tue, 27 Mar 2001 22:24:28 -0600 To: security@FreeBSD.ORG
From: "Jeffrey J. Mountin" Subject: Re: SSHD revealing too much information. In-Reply-To: <20010327194550.A20633@pir.net> References: <4.3.2.20010327173917.02803ae0@207.227.119.2> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327173454.J12888@pir.net> <4.3.2.20010327173917.02803ae0@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 07:45 PM 3/27/01 -0500, Peter Radcliffe wrote:
> "Jeffrey J. Mountin" probably said:
> > Argh, this can go on and on...
>
> Which shows there are two distinct opinions here, and both should
> be allowed for.

True, and for my last points on this....

> The bind servers on my work class B that don't give out version
> numbers have NEVER been attacked. The scans for version.bind ignore
> them. The recent bind vulnerabilities were well known before there was
> an available fix, and my not handing out version numbers meant the
> machine was not attacked before the fixes were available.

Does it even announce that it is BIND? If not, then the reason might be due to them thinking it isn't BIND.

> > Better to spend time limiting the loss should the house be broken into
> > than hiding the fact there is a house there.
>
> You can't fight what you don't know. Not all vulnerabilities are known
> or have fixes.

Was thinking more about how you internally configure the server and internal network. As you mention BIND, there are 3 ways to run it. Was thinking more along the lines of limiting the scope of a compromise.

> > Obscurity is a waste of time for little benefit IMO.
>
> When it takes little effort and helps in some situations, I disagree
> with you.

In the long term, should there be a global switch to turn off version announcements for all system daemons, what are the chances that scanning tools will evolve and realize that a system not printing out versions must be at least this version? They will then just have to try everything. More so as time goes by and vulnerabilities are uncovered. Then all the effort put into such a change matters not anymore. Which reinforces the idea that the individual should be doing the work for obscurity. Otherwise, once the feature is there and its use is more common, its effectiveness as a security measure is inversely as good as the will of the attacker or the tools used. Large effort for a short-time gain.

Robert at least mentioned the first part. The second might have a different outcome.... "Hmmm... this is a FBSD system, let's just move on and find some M$ system."

You could say we are betting on different outcomes. 8-)

Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve

From owner-freebsd-security Tue Mar 27 21:53:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id E9C7B37B71A for ; Tue, 27 Mar 2001 21:53:31 -0800 (PST) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 14i8te-0007V7-00 for security@FreeBSD.ORG; Wed, 28 Mar 2001 00:53:30 -0500 Date: Wed, 28 Mar 2001 00:53:29 -0500
From: Peter Radcliffe To: security@FreeBSD.ORG Subject: Re: SSHD revealing too much information. Message-ID: <20010328005329.A28036@pir.net> Reply-To: security@freebsd.org Mail-Followup-To: security@FreeBSD.ORG References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <4.3.2.20010327160147.02c1b6c0@207.227.119.2> <20010327173454.J12888@pir.net> <4.3.2.20010327173917.02803ae0@207.227.119.2> <20010327194550.A20633@pir.net> <4.3.2.20010327215647.02842490@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.20010327215647.02842490@207.227.119.2>; from jeff-ml@mountin.net on Tue, Mar 27, 2001 at 10:24:28PM -0600 X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Jeffrey J. Mountin" probably said:
> Does it even announce that it is BIND? If not, then the reason might be due
> to them thinking it isn't BIND.

The status from a query of version.bind txt chaos is 'REFUSED', which non-bind servers do not give. Some people may not know this, however.

> Was thinking more about how you internally configure the server and
> internal network. As you mention BIND, there are 3 ways to run it. Was
> thinking more along the lines of limiting the scope of a compromise.

And yes, I also don't run it in anything like the default configuration, it doesn't run as root, etc. As I said early on, obscurity is not something to rely on.

> "Hmmm... this is a FBSD system, let's just move on and find some M$ system."

Part of my point is that this is an application-level problem, not a system-level problem. The fact that it's a FreeBSD box is pretty much irrelevant to me; the _application_ is giving out information it doesn't need to and has no way of turning this off.

If you think it should be done by the individual to prevent automated detection of obscured information, then that isn't easy either; there is no reasonable way for the administrator to make the choice to turn it off or obscure it, you have to recompile and replace it everywhere.

> You could say we are betting on different outcomes. 8-)

I would say the same thing I've said in practically all of these emails; we disagree.

P.

-- pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Tue Mar 27 22:06:06 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E656137B71A for ; Tue, 27 Mar 2001 22:06:03 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id WAA14183; Tue, 27 Mar 2001 22:04:55 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda14181; Tue Mar 27 22:04:45 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f2S64ZJ72995; Tue, 27 Mar 2001 22:04:35 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdz72987; Tue Mar 27 22:04:13 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f2S648R14405; Tue, 27 Mar 2001 22:04:08 -0800 (PST) Message-Id: <200103280604.f2S648R14405@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdc14400; Tue Mar 27 22:03:37 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group
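The version.bind fingerprint Peter describes above (a CHAOS-class TXT query that BIND answers with its version string, or with REFUSED when reporting is switched off, where a non-BIND server typically does neither), as an added example that is not part of this thread: a Python script that builds the same packet `dig @server version.bind txt chaos` sends, parses the reply and classifies it. The replies it is exercised against are constructed in-line by `build_response`; the version string "8.2.3-REL" and the `probe` target are assumptions, not anything observed on the list.

```python
import socket
import struct

TYPE_TXT = 16
CLASS_CH = 3
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_version_query(txid=0x1234):
    """Header (RD set, one question) + 'version.bind' TXT in class CHAOS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return (rcode name, TXT strings found in CHAOS TXT answer records)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    status = RCODE_NAMES.get(rcode, str(rcode))
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    txts = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            pos = 0
            while pos < len(rdata):                     # <len><chars> runs
                n = rdata[pos]
                txts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return status, txts


def fingerprint(msg):
    """Classify a reply the way a scanner choosing targets would."""
    status, txts = parse_response(msg)
    if txts:
        return "BIND, version advertised: " + " ".join(txts)
    if status == "REFUSED":
        return "likely BIND (version.bind refused)"
    return "no version.bind answer (%s)" % status


def build_response(query, rcode, txt=None):
    """Constructed reply for offline use: echoes the question, optional CH TXT answer."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | rcode                              # QR, RD, RA + rcode
    header = struct.pack(">HHHHHH", txid, flags, 1, 1 if txt else 0, 0, 0)
    msg = header + query[12:]
    if txt:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return msg


def probe(server, timeout=2.0):
    """Send the query to a live server over UDP (assumed target; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        reply, _ = s.recvfrom(512)
    return fingerprint(reply)


if __name__ == "__main__":
    q = build_version_query()
    for label, reply in (("refusing server", build_response(q, 5)),
                         ("chatty server", build_response(q, 0, "8.2.3-REL")),
                         ("not BIND", build_response(q, 4))):
        print("%-16s %s" % (label, fingerprint(reply)))
```

The point of the three constructed replies is Peter's: hiding the string is not the same as hiding the server, since REFUSED on a CHAOS query is itself a tell, while a server that never implemented the CHAOS class answers NOTIMP or simply does not answer.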
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Olivier Nicole Cc: uknowho@n0mansland.net, freebsd-security@FreeBSD.ORG Subject: Re: Filtering inappropriate content In-reply-to: Your message of "Wed, 28 Mar 2001 11:05:52 +0700." <200103280405.LAA16283@banyan.cs.ait.ac.th> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 27 Mar 2001 22:03:36 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <200103280405.LAA16283@banyan.cs.ait.ac.th>, Olivier Nicole writes:
> > The organization is looking to filter web content only. Apologies for
> > the confusion.
>
> Squid has some rules to do content filtering, I guess.

I tried it. Squid is not all that effective. For example, matching expressions can be found in perfectly legitimate URLs, e.g. a sun.com web page has the character string "sex" in it (I think it was a Virtual Adrien component called RICHPsex), so my filter blocked it. I'm sure that operators of web sites that you want to block could name their files and directories with non-offending names, bypassing your filter. A squid filter may not have the desired effect.

The only solution I can think of that works is to subscribe to a service that maintains a database of offending sites. Cisco routers are able to query a system that serves data from databases provided by vendors of this service. Many of these databases block by IP address rather than FQDN. Some even block by network address because operators of these sites have been known to move their systems to different IP addresses on the same network to circumvent filters based on IP address.

Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC

From owner-freebsd-security Tue Mar 27 22:16:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id 2701437B718 for ; Tue, 27 Mar 2001 22:16:06 -0800 (PST) (envelope-from jus@athena.za.net) Received: from jus (helo=localhost) by athena.za.net with local-esmtp (Exim 3.13 #1) id 14i9DL-0000GD-00; Wed, 28 Mar 2001 08:13:51 +0200 Date: Wed, 28 Mar 2001 08:13:51 +0200 (SAST)
From: Justin Stanford X-Sender: jus@athena.za.net To: Cy Schubert - ITSD Open Systems Group Cc: Olivier Nicole , uknowho@n0mansland.net, freebsd-security@FreeBSD.ORG Subject: Re: Filtering inappropriate content In-Reply-To: <200103280604.f2S648R14405@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Squid with SquidGuard works amazingly well. (It comes with a *massive* database of offending sites, too.)

-- Justin Stanford 082 7402741 jus@security.za.net www.security.za.net IT Security and Solutions

On Tue, 27 Mar 2001, Cy Schubert - ITSD Open Systems Group wrote:
> In message <200103280405.LAA16283@banyan.cs.ait.ac.th>, Olivier Nicole
> writes:
> > > The organization is looking to filter web content only. Apologies for
> > > the confusion.
> >
> > Squid has some rules to do content filtering, I guess.
>
> I tried it. Squid is not all that effective. For example, matching
> expressions can be found in perfectly legitimate URLs, e.g. a sun.com
> web page has the character string "sex" in it (I think it was a Virtual
> Adrien component called RICHPsex), so my filter blocked it. I'm sure
> that operators of web sites that you want to block could name their
> files and directories with non-offending names, bypassing your filter.
> A squid filter may not have the desired effect.
>
> The only solution I can think of that works is to subscribe to a
> service that maintains a database of offending sites. Cisco routers
> are able to query a system that serves data from databases provided by
> vendors of this service. Many of these databases block by IP address
> rather than FQDN. Some even block by network address because operators
> of these sites have been known to move their systems to different IP
> addresses on the same network to circumvent filters based on IP address.

From owner-freebsd-security Tue Mar 27 23:32:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id BC12837B71A for ; Tue, 27 Mar 2001 23:32:43 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2S7VI390263; Wed, 28 Mar 2001 09:31:18 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Matt Piechota Cc: mike , security@FreeBSD.ORG Subject: Re: named dying on INSIST In-Reply-To: Your message of "Tue, 27 Mar 2001 17:27:13 CDT." Date: Wed, 28 Mar 2001 09:31:18 +0200 Message-ID: <90261.985764678@critter>
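Cy's false positive above (a word match on "sex" catching a legitimate sun.com page, and a blocked site sidestepping the same match by renaming its files) and the list-based approach Justin points to with SquidGuard, as an added example that is not from this thread: a small Python model of the two Squid ACL styles, `url_regex` against the whole URL versus `dstdomain`-style host matching plus blocking of whole IP networks, run over constructed URLs. The sun.com path, the `example-adult.test` domain and the 198.51.100.0/24 network are made up for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Word patterns, in the spirit of a squid url_regex ACL (constructed list).
WORD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"sex", r"xxx")]

# Host block list, in the spirit of a dstdomain ACL or a SquidGuard domainlist:
# a leading dot covers the domain and every subdomain (constructed entries).
BLOCKED_DOMAINS = [".example-adult.test", "banners.example.net"]

# Whole networks, for operators that hop between addresses (constructed).
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def host_of(url):
    """Lower-cased host part of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def word_filter(url):
    """url_regex style: any pattern anywhere in the full URL fires."""
    return any(p.search(url) for p in WORD_PATTERNS)


def domain_matches(host, entry):
    """dstdomain semantics: exact match, or suffix match for dotted entries."""
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def list_filter(url):
    """dstdomain/network style: decide on the destination host only."""
    host = host_of(url)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                      # a name, not a literal address
        return any(domain_matches(host, d) for d in BLOCKED_DOMAINS)
    return any(addr in net for net in BLOCKED_NETWORKS)


def decide(url):
    """Report which filter style fires, so the two can be compared side by side."""
    return {"word": word_filter(url), "list": list_filter(url)}


# Constructed URLs: a legitimate page whose filename happens to contain "sex",
# a blocked site behind an innocent filename, a subdomain of it with a port,
# a site that moved to a bare address inside the blocked network, and a
# look-alike domain that must NOT match by suffix.
SAMPLE_URLS = [
    "http://www.sun.com/products/RICHPsex.html",
    "http://www.example-adult.test/gallery/flowers01.html",
    "http://cdn.EXAMPLE-adult.test:8080/x.gif",
    "http://198.51.100.77/index.html",
    "http://notexample-adult.test/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        d = decide(u)
        print("%-55s word=%-5s list=%s" % (u, d["word"], d["list"]))
```

In Squid's own configuration these correspond to `url_regex`, `dstdomain` and `dst` ACLs used in `http_access deny` lines; what SquidGuard adds on top is the maintained domain and URL lists, which is the part that is hard to build and keep current by hand.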
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Matt Piechota writes:
> >
> > Mar 24 02:04:53 ns1 named[6470]:
> > /usr/src/lib/libbind/../../contrib/bind/lib/isc/ev_timers.c:114:
> > INSIST(now.tv_usec >= 0 && now.tv_usec < 1000000) failed.
> > Mar 24 02:04:54 ns1 /kernel: pid 6470 (named), uid 53: exited on signal
> > 6
>
> My machine does this constantly. Are you also getting "microuptime went
> backwards" messages on the console/syslog?

Sigh, I thought Intel couldn't fuck up the Pentium family anymore when it came to timekeeping, but they've done it again with the new clock-throttling stuff.

I will have to add a sub-mode to the timecounters to use a fucked up TSC to interpolate between interrupts from a better time source. I have no idea when I will have time for that...

-- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Wed Mar 28 00:21:08 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.hobbydump.com (bitch.hobbydump.com [216.84.149.8]) by hub.freebsd.org (Postfix) with SMTP id 1E26D37B718 for ; Wed, 28 Mar 2001 00:21:07 -0800 (PST) (envelope-from freebsd@mail.hobbydump.com) Received: (qmail 46427 invoked by uid 1005); 28 Mar 2001 08:22:04 -0000 Date: Wed, 28 Mar 2001 01:22:04 -0700
From: freebsd To: freebsd-security@freebsd.org Subject: skey and openssh with FreeBSD4.2 Stable Message-ID: <20010328012204.A46268@hobbydump.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Does anyone know how to get skey working with openssh? I can get it working with telnet and other services but not with ssh. Any help would be great.

--Sheldon

From owner-freebsd-security Wed Mar 28 02:02:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id E34BC37B719 for ; Wed, 28 Mar 2001 02:02:48 -0800 (PST) (envelope-from gshapiro@gshapiro.net) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0.Beta6/8.12.0.Beta6) id f2SA2kJj024464; Wed, 28 Mar 2001 02:02:46 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15041.46790.812789.517387@horsey.gshapiro.net> Date: Wed, 28 Mar 2001 02:02:46 -0800
From: Gregory Neil Shapiro To: freebsd Cc: freebsd-security@FreeBSD.ORG Subject: Re: skey and openssh with FreeBSD4.2 Stable In-Reply-To: <20010328012204.A46268@hobbydump.com> References: <20010328012204.A46268@hobbydump.com> X-Mailer: VM 6.91 under 21.2 (beta42) "Poseidon" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

freebsd> Does anyone know how to get skey working with openssh? I can get
freebsd> it working with telnet and other services but not with ssh.

See: http://www.freebsd.org/cgi/query-pr.cgi?pr=25105

For now (until this gets fixed), you can add this to /etc/pam.conf:

# OpenSSH S/Key support
sshd	auth		sufficient	pam_skey.so
sshd	auth		required	pam_unix.so	try_first_pass
sshd	session		required	pam_permit.so

From owner-freebsd-security Wed Mar 28 02:46:00 2001 Delivered-To: freebsd-security@freebsd.org Received: from routeur.pol.local (nas2-69.nvs.club-internet.fr [195.36.141.69]) by hub.freebsd.org (Postfix) with ESMTP id 6852C37B71F for ; Wed, 28 Mar 2001 02:45:56 -0800 (PST) (envelope-from poizat@partsonline.fr) Received: from PARTSERVER.partsonline.fr (partserver.pol.local [172.16.10.10]) by routeur.pol.local (8.11.1/8.11.1) with ESMTP id f2SAkFv22037 for ; Wed, 28 Mar 2001 12:46:15 +0200 (CEST) (envelope-from poizat@partsonline.fr) Message-Id: <5.0.2.1.0.20010328114744.01c20ec0@pop.partsonline.fr> X-Sender: pop9405@pop.partsonline.fr X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Wed, 28 Mar 2001 11:49:13 +0200 To: freebsd-security@FreeBSD.ORG
From: Guy Poizat Subject: Re: weird daily check output In-Reply-To: <20010327155842.C12888@pir.net> References: <00af01c0b6fe$79176a60$db9497cf@singingtree.com> <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> binary garbage like that before and between dmesg info is pretty
> common on machines that do not clear that section of memory on a
> reboot (like my vaio laptop doesn't).

I've seen this kind of garbage also in dmesg when using "Configure in visual mode" during the last boot. Don't know if it applies here. Should appear later, indeed. So it's just a poor clue, but...

-- Guy Poizat poizat@partsonline.fr

From owner-freebsd-security Wed Mar 28 02:46:04 2001 Delivered-To: freebsd-security@freebsd.org Received: from routeur.pol.local (nas2-69.nvs.club-internet.fr [195.36.141.69]) by hub.freebsd.org (Postfix) with ESMTP id B68BB37B720 for ; Wed, 28 Mar 2001 02:45:58 -0800 (PST) (envelope-from poizat@partsonline.fr) Received: from PARTSERVER.partsonline.fr (partserver.pol.local [172.16.10.10]) by routeur.pol.local (8.11.1/8.11.1) with ESMTP id f2SAkEv22018; Wed, 28 Mar 2001 12:46:14 +0200 (CEST) (envelope-from poizat@partsonline.fr) Message-Id: <5.0.2.1.0.20010328113829.01ac0d30@pop.partsonline.fr> X-Sender: pop9405@pop.partsonline.fr X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Wed, 28 Mar 2001 11:40:13 +0200 To: George.Giles@mcmail.vanderbilt.edu, security@FreeBSD.ORG
From: Guy Poizat Subject: Re: SSH login delay In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 16:03 27/03/2001, you wrote:
> Does any one know what causes the long delay between entering the password
> to ssh and the actual logging in of the shell prompt?
>
> Sometimes it takes more than a minute when I know it is not network speed?
>
> This behavior makes me suspicious.
>
> This is observed on the latest release of FreeBSD.

Perhaps it has somethin' to deal with DNS lookup failure (timeout->delay)? Can all of your hosts get a reply for a DNS query about each other? I got that kind of problem and solved it by adding a BIND server for my NATed hosts.

-- Guy Poizat poizat@partsonline.fr

From owner-freebsd-security Wed Mar 28 02:55:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 9EF2437B71D for ; Wed, 28 Mar 2001 02:55:43 -0800 (PST) (envelope-from on@cs.ait.ac.th) Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5]) by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id RAA20175; Wed, 28 Mar 2001 17:54:39 +0700 (GMT+0700) Received: (from on@localhost) by banyan.cs.ait.ac.th (8.8.5/8.8.5) id RAA16486; Wed, 28 Mar 2001 17:55:23 +0700 (ICT) Date: Wed, 28 Mar 2001 17:55:23 +0700 (ICT) Message-Id: <200103281055.RAA16486@banyan.cs.ait.ac.th> X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f
From: Olivier Nicole To: Cy.Schubert@uumail.gov.bc.ca Cc: uknowho@n0mansland.net, freebsd-security@FreeBSD.ORG In-reply-to: <200103280604.f2S648R14405@cwsys.cwsent.com> (message from Cy Schubert - ITSD Open Systems Group on Tue, 27 Mar 2001 22:03:36 -0800) Subject: Re: Filtering inappropriate content References: <200103280604.f2S648R14405@cwsys.cwsent.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I tried it. Squid is not all that effective. For example, matching >expressions can be found in perfectly legitimate URL's, e.g. a sun.com >web page has the character string "sex" in it (I think it was a Virtual >Adrien component called RICHPsex), so my filter blocked it. I'm sure I admit I didn't look at the filtering possibilities offered by Squid, but I would filter by finding offensive words more than once. And also maybe by not finding some expected/legal contents (related to the topic of the users are working on). Going only by file name is not enough, but site names usually are obvious (to attract visitors). Olivier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 28 5:25: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from humanahom.com (opt5.adgrafix.com [216.248.193.11]) by hub.freebsd.org (Postfix) with ESMTP id 9E50737B720 for ; Wed, 28 Mar 2001 05:24:59 -0800 (PST) (envelope-from cp@humanahom.com) Received: from localhost [193.252.29.90] by humanahom.com [216.248.193.11] with SMTP (MDaemon.v3.5.4.T) for ; Wed, 28 Mar 2001 20:09:53 -0500 X-Sender: cp@humanahom.com 
From: cp@humanahom.com
To: freebsd-security@freebsd.org
Date: Wed, 28 Mar 2001 13:09:31 +0000
Subject: Your culture
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-MDRemoteIP: 193.252.29.90
X-Return-Path: cp@humanahom.com
X-MDaemon-Deliver-To: freebsd-security@freebsd.org
Message-Id: <20010328132459.9E50737B720@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We need to divide culture... yours too...
Please accept it by connecting to www.humanahom.com

If you need further information about us or our project, please connect
to our site or simply reply to this mail.

If culture doesn't interest you, choose the "optout" option by replying
to this mail with "optout" in its subject.

Best regards,
Christophe Parmentier

From owner-freebsd-security Wed Mar 28 6:40: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bilver.wjv.com (dhcp-1-39.n01.orldfl01.us.ra.verio.net [157.238.210.39]) by hub.freebsd.org (Postfix) with ESMTP id 487C737B71B for ; Wed, 28 Mar 2001 06:39:57 -0800 (PST) (envelope-from bill@bilver.wjv.com)
Received: (from bill@localhost) by bilver.wjv.com (8.11.1/8.11.1) id f2SEdtj11175 for freebsd-security@FreeBSD.ORG; Wed, 28 Mar 2001 09:39:55 -0500 (EST) (envelope-from bill)
Date: Wed, 28 Mar 2001 09:39:54 -0500
From: Bill Vermillion
To: freebsd-security@FreeBSD.ORG
Subject: Re: weird daily check output
Message-ID: <20010328093954.D10350@wjv.com>
Reply-To: bv@wjv.com
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from owner-freebsd-security-digest@FreeBSD.ORG on Wed, Mar 28, 2001 at 02:56:01AM -0800
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Date: Tue, 27 Mar 2001 16:34:24 -0500
> From: "Jonathan M. Slivko"
> Subject: Re: weird daily check output

> Actually, what I was referring to was the portion when FreeBSD
> actually first started, and gave the copyright info, etc. It said:
> FrEeBSD, or something like that. I just thought that it was odd :P

Well 'something like that' is not quite exact enough :-). If the
first E was capitalized the second should have been also.

I've seen this one time a long time ago. I traced it through a core
dump and found there was a pattern. After bringing up man ASCII I
discovered that the ones in the wrong case were either all odd or
even, forget which, and I determined it was the first bit in the
memory that was stuck high. So you could have a bit stuck low or high.

It was on a 3MB add-in memory board - that's how long ago it was -
and because of the bit position it had to be a 'corner chip' in one of
any of the 32 bit blocks of chips [96 chips to make up 3MB]. And
there, nestled among the 256K chips was a lonely 64K chip.

All the standard boot memory diagnostics passed it. You need to run
a memory check program that performs a walking-bit test, or
checkerboard tests, adjacent bit tests, etc.

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Wed Mar 28 7:56:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sunny.fishnet.com (sunny.fishnet.com [209.150.200.6]) by hub.freebsd.org (Postfix) with ESMTP id 67A5437B71B for ; Wed, 28 Mar 2001 07:56:54 -0800 (PST) (envelope-from hhudson@eschelon.com)
Received: from walleye.corp.fishnet.com (209.150.192.114) by sunny.fishnet.com (5.0.048) id 3AA5BD7000109326 for security@freebsd.org; Wed, 28 Mar 2001 09:57:09 -0600
Message-ID: <2FA3BA0C7551724CA6DDF4E3453605050AF4E1@walleye.corp.fishnet.com>
From: "Hudson, Henrik H."
To: "'security@freebsd.org'"
Subject: RE: SSH login delay
Date: Wed, 28 Mar 2001 10:00:02 -0600
MIME-Version: 1.0
Content-Type: text/plain
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I concur... double check your forward and reverse lookups.

---
Henrik Hudson

Microsoft: "Where would you like to go to today"
Linux: "Where would you like to go tomorrow"
FreeBSD: "Hey, when are you guys going to catch up"

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Guy Poizat
> Sent: Wednesday, March 28, 2001 03:40
> To: George.Giles@mcmail.vanderbilt.edu; security@FreeBSD.ORG
> Subject: Re: SSH login delay
>
>
> At 16:03 27/03/2001, you wrote:
> >Does anyone know what causes the long delay between entering the password
> >to ssh and the actual logging in of the shell prompt ?
> >
> >Sometimes it takes more than a minute when I know it is not network speed ?
> >
> >This behavior makes me suspicious.
> >
> >This is observed on the latest release of FreeBSD.
>
> Perhaps it has something to do with DNS lookup failure (timeout->delay)?
> Can all of your hosts get a reply for a DNS query about each other?
>
> I got that kind of problem and solved it by adding a BIND server for my
> NATed hosts.
>
>
>
> --
> Guy Poizat
> poizat@partsonline.fr
>

From owner-freebsd-security Wed Mar 28 8: 9:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id 4207737B728 for ; Wed, 28 Mar 2001 08:09:41 -0800 (PST) (envelope-from George.Giles@mcmail.vanderbilt.edu)
Subject: account control to ssh
To: security@freebsd.org
X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000
Message-ID:
From: George.Giles@mcmail.vanderbilt.edu
Date: Wed, 28 Mar 2001 09:52:06 -0600
X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 03/28/2001 10:00:53 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How would I restrict incoming ssh connections on a per user basis ?

TIA,
George

From owner-freebsd-security Wed Mar 28 8:16:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id B70FA37B72B for ; Wed, 28 Mar 2001 08:16:23 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 14iIcM-0003PR-00 for security@freebsd.org; Wed, 28 Mar 2001 11:16:18 -0500
Date: Wed, 28 Mar 2001 11:16:18 -0500
From: Peter Radcliffe
To: security@freebsd.org
Subject: Re: account control to ssh
Message-ID: <20010328111618.C9865@pir.net>
Reply-To: security@freebsd.org
Mail-Followup-To: security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Wed, Mar 28, 2001 at 09:52:06AM -0600
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

George.Giles@mcmail.vanderbilt.edu probably said:
> How would I restrict incoming ssh connections on a per user basis ?

Either with a pam module or the sshd config options Allow/DenyUsers/Groups.

With openssh 2.5.0 or later you can use 'DenyGroups nossh', create a
'nossh' group and put users who should not be allowed to ssh in, in that
group. Pre-2.5.0 the group in DenyGroups has to be their primary group
listed in the password file.

P.

--
pir                  pir@pir.net                    pir@net.tufts.edu

From owner-freebsd-security Wed Mar 28 8:49:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 4F46437B726 for ; Wed, 28 Mar 2001 08:49:19 -0800 (PST) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1007 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Wed, 28 Mar 2001 10:48:24 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Wed, 28 Mar 2001 10:48:23 -0600 (CST)
From: James Wyatt
To: George.Giles@mcmail.vanderbilt.edu
Cc: security@freebsd.org
Subject: Re: account control to ssh
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 28 Mar 2001 George.Giles@mcmail.vanderbilt.edu wrote:
> How would I restrict incoming ssh connections on a per user basis ?
>
> TIA

In the /etc/sshd_config (or wherever) configuration file you can add
groups and users in allow/deny fashion like:

AllowGroups wheel sshuser
AllowUsers goodguy1 goodgal2
DenyGroups nobody ftpuser

Don't forget the useful:

PermitRootLogin no

Hope this helps! - Jy@

From owner-freebsd-security Wed Mar 28 10: 1:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.marketnews.com (mail.economeister.com [205.183.200.2]) by hub.freebsd.org (Postfix) with ESMTP id EA85037B718 for ; Wed, 28 Mar 2001 10:01:44 -0800 (PST) (envelope-from mharding@marketnews.com)
Received: from mharding ([205.183.200.48]) by mail.marketnews.com (8.11.0/8.9.3) with SMTP id f2SI1Jj84793 for ; Wed, 28 Mar 2001 13:01:20 -0500 (EST)
From: "Mason Harding"
To:
Subject: Bridging and IPF
Date: Wed, 28 Mar 2001 12:54:36 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <20010328111618.C9865@pir.net>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi. Has anyone had much luck with Bridging and IPF? As soon as I enable
bridging both IPF and IPFW stop filtering at all. If I set them both to
deny everything, they still let all packets pass. When I set
net.link.ether.bridge_ipfw=1 my system sits there for a second and then the
kernel crashes and reboots the machine. I can get
net.link.ether.bridge_ipfw set to 1 without a crash if I have no IP address
on any of the bridged interfaces, but I need an IP address so I can use my
external syslog server and ssh into the firewall (until I know it's running
well). Please help? Oh yeah, it's FreeBSD 4.2.

Thank you,
Mason

From owner-freebsd-security Wed Mar 28 10:17:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 486EF37B71C for ; Wed, 28 Mar 2001 10:17:12 -0800 (PST) (envelope-from roam@orbitel.bg)
Received: (qmail 11111 invoked by uid 1000); 28 Mar 2001 18:16:08 -0000
Date: Wed, 28 Mar 2001 21:16:08 +0300
From: Peter Pentchev
To: Mason Harding
Cc: security@FreeBSD.ORG
Subject: Re: Bridging and IPF
Message-ID: <20010328211608.A10861@ringworld.oblivion.bg>
Mail-Followup-To: Mason Harding , security@FreeBSD.ORG
References: <20010328111618.C9865@pir.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mharding@marketnews.com on Wed, Mar 28, 2001 at 12:54:36PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 28, 2001 at 12:54:36PM -0500, Mason Harding wrote:
> Hi. Has anyone had much luck with Bridging and IPF? As soon as I enable
> bridging both IPF and IPFW stop filtering at all. If I set them both to
> deny everything, they still let all packets pass. When I set
> net.link.ether.bridge_ipfw=1 my system sits there for a second and then the
> kernel crashes and reboots the machine. I can get
> net.link.ether.bridge_ipfw set to 1 without a crash if I have no IP address
> on any of the bridged interfaces, but I need an IP address so I can use my
> external syslog server and ssh into the firewall (until I know it's running
> well). Please help? Oh yeah, it's FreeBSD 4.2.

Is this a plain vanilla 4.2-RELEASE, or some kind of -stable?
In any case, could you update to the most recent -stable (4.3-RC at
the moment) and see if the problems persist? There have been MANY
fixes to the routing/bridging code in the last two months.

G'luck,
Peter

--
I've heard that this sentence is a rumor.
From owner-freebsd-security Wed Mar 28 10:29:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sherline.com (sherline.net [216.120.87.2]) by hub.freebsd.org (Postfix) with SMTP id E7B9537B724 for ; Wed, 28 Mar 2001 10:29:30 -0800 (PST) (envelope-from data@irev.net)
Received: (qmail 22274 invoked from network); 28 Mar 2001 18:29:29 -0000
Received: from server.sherline.net (HELO server2) (basharteg@216.120.87.3) by sherline.net with SMTP; 28 Mar 2001 18:29:29 -0000
Message-ID: <002d01c0b7b5$11692180$035778d8@sherline.net>
From: "Jeremiah Gowdy"
To: "Peter Pentchev" , "Mason Harding"
Cc:
References: <20010328111618.C9865@pir.net> <20010328211608.A10861@ringworld.oblivion.bg>
Subject: Re: Bridging and IPF
Date: Wed, 28 Mar 2001 10:29:40 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Wed, Mar 28, 2001 at 12:54:36PM -0500, Mason Harding wrote:
> > Hi. Has anyone had much luck with Bridging and IPF? As soon as I enable
> > bridging both IPF and IPFW stop filtering at all. If I set them both to
> > deny everything, they still let all packets pass. When I set
> > net.link.ether.bridge_ipfw=1 my system sits there for a second and then the
> > kernel crashes and reboots the machine. I can get
> > net.link.ether.bridge_ipfw set to 1 without a crash if I have no IP address
> > on any of the bridged interfaces, but I need an IP address so I can use my
> > external syslog server and ssh into the firewall (until I know it's running
> > well). Please help? Oh yeah, it's FreeBSD 4.2.
>
> Is this a plain vanilla 4.2-RELEASE, or some kind of -stable?
> In any case, could you update to the most recent -stable (4.3-RC at
> the moment) and see if the problems persist? There have been MANY
> fixes to the routing/bridging code in the last two months.

Yeah, there was a kernel panic issue with RELEASE and some older STABLE, I
believe. I use bridge+ipfw, and have used it for quite some time (since
they fixed it). cvsup to STABLE (or RC) :)

>
> G'luck,
> Peter
>
> --
> I've heard that this sentence is a rumor.
From owner-freebsd-security Wed Mar 28 13:19:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 99D0937B71D for ; Wed, 28 Mar 2001 13:19:47 -0800 (PST) (envelope-from razor@ldc.ro)
Received: (qmail 64752 invoked by uid 666); 28 Mar 2001 21:19:44 -0000
Date: Thu, 29 Mar 2001 00:19:43 +0300
From: Alex Popa
To: "Michael A. Dickerson"
Cc: Ben Smithurst , freebsd-security@FreeBSD.org
Subject: Re: weird daily check output
Message-ID: <20010329001943.B49214@ldc.ro>
References: <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw> <00af01c0b6fe$79176a60$db9497cf@singingtree.com> <20010327220017.G789@strontium.scientia.demon.co.uk> <013301c0b704$57470c00$db9497cf@singingtree.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <013301c0b704$57470c00$db9497cf@singingtree.com>; from mikey@singingtree.com on Tue, Mar 27, 2001 at 01:24:43PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 27, 2001 at 01:24:43PM -0800, Michael A. Dickerson wrote:
> > Uppercase to lowercase is a one bit change, so it's possible that it's
> > faulty memory. Most of the other changes seem to be like that:
> >
> > >>> isa0: on isab0
> >
> > space == 0x20, dollar == 0x24
> >
> > >>> p#i0: at 31,2 irq 9
> >
> > c == 0x63, # == 0x23
>
> good point .. I should have remembered that..
>
> M.D.
>

Serial console, by any chance? If so, I'd say those one-bits are
excusable (power cables and other interference). Still does not explain
the garbage before the actual kernel output.

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
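Bill Vermillion's single-stuck-bit reasoning earlier in this thread (upper and lower case differ only in bit 5, 0x20; a stuck bit shows up in the same position every time) and the byte pairs quoted above (space/'$', 'c'/'#') can be checked mechanically. The following Python is an added example, not code from the list: diff_bits() XORs expected console text against what was observed and reports which bit flipped and in which direction, suspect_bit() says whether every flip blames one bit (memory) or not (more like line noise, as Alex suggests), and walking_bit_test() runs the walking-ones/zeros test Bill recommends over SimRAM, a constructed stand-in for a memory bank with one stuck bit.

```python
"""Stuck-bit diagnosis for 'FrEeBSD' style console corruption.

Added example, not from the list thread. SimRAM and the sample strings
are constructed here; the 0x20 / 0x04 / 0x40 bit differences are the
ones the thread itself points out.
"""
from typing import List, Optional, Tuple

# (offset, expected_char, observed_char, bit_index, direction)
Diff = Tuple[int, str, str, int, str]


def diff_bits(expected: str, observed: str) -> List[Diff]:
    """Compare two equal-length ASCII strings byte by byte.

    A byte that differs in exactly one bit is reported with that bit's
    index and whether the observed value has it set ('stuck high') or
    cleared ('stuck low'). Multi-bit differences get bit_index -1."""
    if len(expected) != len(observed):
        raise ValueError("inputs must be the same length")
    out: List[Diff] = []
    pairs = zip(expected.encode("ascii"), observed.encode("ascii"))
    for i, (e, o) in enumerate(pairs):
        x = e ^ o
        if x == 0:
            continue
        if x & (x - 1):                      # more than one bit set
            out.append((i, chr(e), chr(o), -1, "multi"))
            continue
        bit = x.bit_length() - 1
        direction = "stuck high" if o & x else "stuck low"
        out.append((i, chr(e), chr(o), bit, direction))
    return out


def suspect_bit(diffs: List[Diff]) -> Optional[Tuple[int, str]]:
    """(bit, direction) if every single-bit flip blames the same bit in
    the same direction, i.e. consistent with one stuck memory bit;
    None if the flips disagree (different bits, or both directions)."""
    single = {(d[3], d[4]) for d in diffs if d[3] >= 0}
    return single.pop() if len(single) == 1 else None


class SimRAM:
    """Byte-addressable memory with an optional stuck bit (constructed
    model of the faulty chip Bill describes). Writes store the value;
    reads of the faulty address force the stuck bit high or low."""

    def __init__(self, size: int, stuck_addr: Optional[int] = None,
                 stuck_bit: int = 0, stuck_high: bool = True) -> None:
        self.cells = bytearray(size)
        self.stuck_addr = stuck_addr
        self.stuck_bit = stuck_bit
        self.stuck_high = stuck_high

    def write(self, addr: int, value: int) -> None:
        self.cells[addr] = value & 0xFF

    def read(self, addr: int) -> int:
        v = self.cells[addr]
        if addr == self.stuck_addr:
            mask = 1 << self.stuck_bit
            v = (v | mask) if self.stuck_high else (v & ~mask & 0xFF)
        return v


def walking_bit_test(ram: SimRAM) -> List[Tuple[int, int, str]]:
    """Walking-ones then walking-zeros over every cell: for each bit,
    write the pattern everywhere, read it back, and record any cell
    that disagrees as (addr, bit, direction). Empty list == pass.
    Assumes a single-bit fault per cell, as in the thread."""
    faults: List[Tuple[int, int, str]] = []
    size = len(ram.cells)
    for bit in range(8):
        ones = 1 << bit
        for pattern in (ones, ~ones & 0xFF):
            for addr in range(size):
                ram.write(addr, pattern)
            for addr in range(size):
                got = ram.read(addr)
                if got == pattern:
                    continue
                x = got ^ pattern
                entry = (addr, x.bit_length() - 1,
                         "stuck high" if got & x else "stuck low")
                if entry not in faults:
                    faults.append(entry)
    return faults


if __name__ == "__main__":
    # Constructed sample: the banner Jonathan saw vs. what it should say.
    print(diff_bits("FreeBSD", "FrEeBSD"))        # bit 5 cleared
    print(suspect_bit(diff_bits("FreeBSD", "FrEeBSD")))
    # The two pairs quoted in this message blame different bits.
    print(suspect_bit(diff_bits(" c", "$#")))      # None
    ram = SimRAM(256, stuck_addr=0x2A, stuck_bit=5, stuck_high=False)
    print(walking_bit_test(ram))                   # [(42, 5, 'stuck low')]
```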
From owner-freebsd-security Wed Mar 28 16:58:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from spiderchain.com (spiderchain.com [64.249.135.84]) by hub.freebsd.org (Postfix) with ESMTP id 9733A37B71C for ; Wed, 28 Mar 2001 16:58:17 -0800 (PST) (envelope-from tla@spiderchain.com)
Received: from spiderchain.com (localhost [127.0.0.1]) by spiderchain.com (8.10.0/8.10.0) with ESMTP id f2T0wGQ73251 for ; Wed, 28 Mar 2001 16:58:16 -0800 (PST)
Message-Id: <200103290058.f2T0wGQ73251@spiderchain.com>
To: freebsd-security@freebsd.org
Subject: log= file in /var/run
Date: Wed, 28 Mar 2001 16:58:16 -0800
From: Three Letter Acronym
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I just found a file in /var/run:

srw-rw-rw-  1 root  wheel  0 Mar 11 08:58 log=

What is this, and what dropped it here? I _really_
don't like the permissions........

Thoughts, anyone?

--tla

From owner-freebsd-security Wed Mar 28 17: 5:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id 475F437B725 for ; Wed, 28 Mar 2001 17:05:10 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 14iQs9-0006ve-00 for freebsd-security@freebsd.org; Wed, 28 Mar 2001 20:05:09 -0500
Date: Wed, 28 Mar 2001 20:05:08 -0500
From: Peter Radcliffe
To: freebsd-security@freebsd.org
Subject: Re: log= file in /var/run
Message-ID: <20010328200508.B25527@pir.net>
Reply-To: freebsd-security@freebsd.org
Mail-Followup-To: freebsd-security@freebsd.org
References: <200103290058.f2T0wGQ73251@spiderchain.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103290058.f2T0wGQ73251@spiderchain.com>; from tla@spiderchain.com on Wed, Mar 28, 2001 at 04:58:16PM -0800
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Three Letter Acronym probably said:
> I just found a file in /var/run:
> srw-rw-rw-  1 root  wheel  0 Mar 11 08:58 log=
>
> What is this, and what dropped it here? I _really_
> don't like the permissions........

UNIX domain socket. See the 's' in the first column?

To find out what process created it, use lsof.

P.

--
pir                  pir@pir.net                    pir@net.tufts.edu

From owner-freebsd-security Wed Mar 28 17: 8:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id A109D37B722 for ; Wed, 28 Mar 2001 17:08:09 -0800 (PST) (envelope-from Jason.DiCioccio@Epylon.com)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Wed, 28 Mar 2001 17:08:08 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D738@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Three Letter Acronym' , freebsd-security@freebsd.org
Subject: RE: log= file in /var/run
Date: Wed, 28 Mar 2001 17:08:08 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, it's a pipe so things can log to syslog.

- -------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

- -----Original Message-----
From: Three Letter Acronym [mailto:tla@spiderchain.com]
Sent: Wednesday, March 28, 2001 4:58 PM
To: freebsd-security@freebsd.org
Subject: log= file in /var/run

I just found a file in /var/run:

srw-rw-rw-  1 root  wheel  0 Mar 11 08:58 log=

What is this, and what dropped it here? I _really_
don't like the permissions........

Thoughts, anyone?

--tla

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOsKLcFCmU62pemyaEQIxvQCfaB9snydBaPQC3cu+UmUwXiM+b+YAmwfF
FTs5rMkdINSmKYmvQ6fIt6yf
=jLkO
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Mar 28 17:24:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from spiderchain.com (spiderchain.com [64.249.135.84]) by hub.freebsd.org (Postfix) with ESMTP id CCD6337B71B for ; Wed, 28 Mar 2001 17:24:12 -0800 (PST) (envelope-from tla@spiderchain.com)
Received: from spiderchain.com (localhost [127.0.0.1]) by spiderchain.com (8.10.0/8.10.0) with ESMTP id f2T1OFQ73373 for ; Wed, 28 Mar 2001 17:24:15 -0800 (PST)
Message-Id: <200103290124.f2T1OFQ73373@spiderchain.com>
To: freebsd-security@freebsd.org
Subject: Re: log= file in /var/run
In-reply-to: Your message of Wed, 28 Mar 2001 17:08:08 PST. <657B20E93E93D4118F9700D0B73CE3EA0166D738@goofy.epylon.lan>
Date: Wed, 28 Mar 2001 17:24:15 -0800
From: Three Letter Acronym
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hmmmm..... lsof doesn't show it. My first reaction, of course,
was to run lsof to see what process had it open. The only thing
that syslog has open that looks like it could be this thing is:

(lsof output)
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
syslogd   117 root    3u  unix 0xcbd7af00      0t0      ->(none)

lsof doesn't seem to know what this is..... if it's syslog, that
would make me happier than several other things I could think of.

I thought lsof did a reasonable job of finding names for things...
hmmm.... well, actually it looks like lsof doesn't come up with
much for unix sockets. Lots of hex cruft, but not a lot else.

thanks,

  --tla

Jason DiCioccio wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes, it's a pipe so things can log to syslog.
>
>
> - -------
> Jason DiCioccio
> Evil Genius
> Unix BOFH
>
> mailto:jasond@epylon.com
>
>
> - -----Original Message-----
> From: Three Letter Acronym [mailto:tla@spiderchain.com]
> Sent: Wednesday, March 28, 2001 4:58 PM
> To: freebsd-security@freebsd.org
> Subject: log= file in /var/run
>
>
> I just found a file in /var/run:
>
> srw-rw-rw-  1 root  wheel  0 Mar 11 08:58 log=
>
> What is this, and what dropped it here? I _really_
> don't like the permissions........
>
> Thoughts, anyone?
>
> --tla
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use
>
> iQA/AwUBOsKLcFCmU62pemyaEQIxvQCfaB9snydBaPQC3cu+UmUwXiM+b+YAmwfF
> FTs5rMkdINSmKYmvQ6fIt6yf
> =jLkO
> -----END PGP SIGNATURE-----

From owner-freebsd-security Wed Mar 28 17:41:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 9095437B724 for ; Wed, 28 Mar 2001 17:41:09 -0800 (PST) (envelope-from on@cs.ait.ac.th)
Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5]) by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id IAA22519; Thu, 29 Mar 2001 08:40:15 +0700 (GMT+0700)
Received: (from on@localhost) by banyan.cs.ait.ac.th (8.8.5/8.8.5) id IAA18053; Thu, 29 Mar 2001 08:40:58 +0700 (ICT)
Date: Thu, 29 Mar 2001 08:40:58 +0700 (ICT)
Message-Id: <200103290140.IAA18053@banyan.cs.ait.ac.th>
X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f
From: Olivier Nicole
To: George.Giles@mcmail.vanderbilt.edu
Cc: security@FreeBSD.ORG
In-reply-to: (George.Giles@mcmail.vanderbilt.edu)
Subject: Re: account control to ssh
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

George,

You have to go by TCP wrapper then; there is no way I know of in ssh to
limit the users.

You may check PAM (pluggable authentication module?) too.

Olivier

From owner-freebsd-security Wed Mar 28 18:28:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 426C537B71C for ; Wed, 28 Mar 2001 18:28:28 -0800 (PST) (envelope-from petef@hex.databits.net)
Received: (qmail 4820 invoked by uid 1001); 29 Mar 2001 02:28:22 -0000
Date: Wed, 28 Mar 2001 21:28:22 -0500
From: Pete Fritchman
To: Three Letter Acronym
Cc: freebsd-security@freebsd.org
Subject: Re: log= file in /var/run
Message-ID: <20010328212822.A4751@databits.net>
References: <657B20E93E93D4118F9700D0B73CE3EA0166D738@goofy.epylon.lan> <200103290124.f2T1OFQ73373@spiderchain.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103290124.f2T1OFQ73373@spiderchain.com>; from tla@spiderchain.com on Wed, Mar 28, 2001 at 05:24:15PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hex [20] % sockstat | grep "/var/run/log"
root     syslogd    272    3 dgram /var/run/log
root     syslogd     80    3 dgram /var/run/log
hex [21] %

-pete

++ 28/03/01 17:24 -0800 - Three Letter Acronym:
>Hmmmm..... lsof doesn't show it. My first reaction, of course,
>was to run lsof to see what process had it open. The only thing
>that syslog has open that looks like it could be this thing is:
>
>(lsof output)
>COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
>syslogd   117 root    3u  unix 0xcbd7af00      0t0      ->(none)
>
>lsof doesn't seem to know what this is..... if it's syslog, that
>would make me happier than several other things I could think of.
>
>I thought lsof did a reasonable job of finding names for things...
>hmmm.... well, actually it looks like lsof doesn't come up with
>much for unix sockets. Lots of hex cruft, but not a lot else.
>
>thanks,
>
>  --tla
>
>Jason DiCioccio wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Yes, it's a pipe so things can log to syslog.
>>
>>
>> - -------
>> Jason DiCioccio
>> Evil Genius
>> Unix BOFH
>>
>> mailto:jasond@epylon.com
>>
>>
>> - -----Original Message-----
>> From: Three Letter Acronym [mailto:tla@spiderchain.com]
>> Sent: Wednesday, March 28, 2001 4:58 PM
>> To: freebsd-security@freebsd.org
>> Subject: log= file in /var/run
>>
>>
>> I just found a file in /var/run:
>>
>> srw-rw-rw-  1 root  wheel  0 Mar 11 08:58 log=
>>
>> What is this, and what dropped it here? I _really_
>> don't like the permissions........
>>
>> Thoughts, anyone?
>>
>> --tla
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGPfreeware 6.5.8 for non-commercial use
>>
>> iQA/AwUBOsKLcFCmU62pemyaEQIxvQCfaB9snydBaPQC3cu+UmUwXiM+b+YAmwfF
>> FTs5rMkdINSmKYmvQ6fIt6yf
>> =jLkO
>> -----END PGP SIGNATURE-----
>

--
Pete Fritchman
Databits Network Services, Inc.
finger petef@databits.net for PGP key

From owner-freebsd-security Wed Mar 28 19:45:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.prod.itd.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id E424A37B72B for ; Wed, 28 Mar 2001 19:45:16 -0800 (PST) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust68.tnt3.clarksburg.wv.da.uu.net [63.15.38.68]) by falcon.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id TAA29777; Wed, 28 Mar 2001 19:45:11 -0800 (PST)
Message-ID: <3AC2B089.F2CA5E45@colltech.com>
Date: Wed, 28 Mar 2001 22:48:25 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Three Letter Acronym
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log= file in /var/run
References: <200103290058.f2T0wGQ73251@spiderchain.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Three Letter Acronym wrote:
>
> I just found a file in /var/run:
>
> srw-rw-rw-  1 root  wheel  0 Mar 11 08:58 log=

Just FYI, the filename should be /var/run/log, not /var/run/log= (as
implied by your subject heading). The '=' was added by ls -F (which I
assume you used). Just wanted to make a note of that in case you, or a
list lurker, didn't realize it.

Daniel

From owner-freebsd-security Wed Mar 28 20:53:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 2318F37B726 for ; Wed, 28 Mar 2001 20:53:09 -0800 (PST) (envelope-from michael@fastmail.ca)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id B8AA320B4; Wed, 28 Mar 2001 23:53:17 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3AC2BFBD.000005.00548@frodo.searchcanada.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_T80YK72XFQQMYJ0CCJD0"
To: freebsd-security@FreeBSD.ORG
Subject: Forwarding of ports via ssh
From: "Michael Richards"
X-Fastmail-IP: 24.43.130.237
Date: Wed, 28 Mar 2001 23:53:17 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--------------Boundary-00=_T80YK72XFQQMYJ0CCJD0
Content-Type: Text/Plain
Content-Transfer-Encoding: 7bit

Hi;

I've got an odd situation where a development machine behind our NAT
firewall has to go into test production with a desktop client. The client
is stupid and will only connect to a certain IP on port 80. How can I
forward this port through both of our firewalls using ssh?

Here is what I tried and what I got:

The internal machine is 192.168.0.128; the remote machine IP is the one I
want port 80 forwarded to. It is on one of our servers and the IP has just
been aliased.

bash-2.03# ssh -l root -R 80:192.168.0.128:80 remote.ip.address
root@xxx.xxx.xxx.xxx's password:
Received disconnect: bind: Address already in use

I thought this was odd. I tried stopping the web server. No luck. So I
tried rebooting. No luck. Is this just something I've overlooked, or is it
possible that this host has something nasty going on with it? For a time
it was vulnerable to the bind problem but had no evidence of a breakin,
nothing that trapdoor found and nothing suspicious with the firewall.
-Michael _________________________________________________________________ http://fastmail.ca/ - Fast Free Web Email for Canadians --------------Boundary-00=_T80YK72XFQQMYJ0CCJD0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 28 21:20:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from hal9000.bsdonline.org (24-168-203-47.wo.cox.rr.com [24.168.203.47]) by hub.freebsd.org (Postfix) with ESMTP id 5C3A237B71B for ; Wed, 28 Mar 2001 21:20:45 -0800 (PST) (envelope-from ajc@hal9000.bsdonline.org) Received: by hal9000.bsdonline.org (Postfix, from userid 1001) id 23FED1FED; Thu, 29 Mar 2001 00:20:30 -0500 (EST) Date: Thu, 29 Mar 2001 00:20:30 -0500 
From: Andrew J Caines
To: security@FreeBSD.ORG
Subject: Re: account control to ssh
Message-ID: <20010329002030.H474@hal9000.bsdonline.org>
Reply-To: Andrew J Caines
Mail-Followup-To: security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Wed, Mar 28, 2001 at 09:52:06AM -0600
Organization: H.A.L. Plant
X-Powered-by: FreeBSD 4.2-STABLE
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

George,

> How would I restrict incoming ssh connections on a per user basis ?

While others have mentioned other more general config parameters to
restrict access in a broader fashion, this is one of the two basic
functions of SSH - strong authentication, the other being encryption.

If you only allow key authentication by setting "PasswordAuthentication
no" in /etc/ssh/sshd_config, then only the users you explicitly
authorise by putting their public key in their account's authorized_keys
or authorized_keys2 file can log in to the system.

-Andrew-

--
_______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@altavista.net |

From owner-freebsd-security Wed Mar 28 21:44: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 267E737B71C for ; Wed, 28 Mar 2001 21:43:59 -0800 (PST) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.3/8.11.3) id f2T5hlc52542; Wed, 28 Mar 2001 21:43:47 -0800 (PST) (envelope-from emechler)
Date: Wed, 28 Mar 2001 21:43:47 -0800
From: Erick Mechler
To: Michael Richards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Forwarding of ports via ssh
Message-ID: <20010328214347.A52486@techometer.net>
References: <3AC2BFBD.000005.00548@frodo.searchcanada.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AC2BFBD.000005.00548@frodo.searchcanada.ca>; from Michael Richards on Wed, Mar 28, 2001 at 11:53:17PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You're forwarding 192.168.0.128:80 onto localhost:80, but ssh won't let
you do that 'cause the port is in use (probably by a web server you have
running on your local machine?). Try changing the local port to
something like 2280.

--Erick

At Wed, Mar 28, 2001 at 11:53:17PM -0500, Michael Richards said this:
:: Hi;
::
:: I've got an odd situation where a development machine behind our NAT
:: firewall has to go into test production with a desktop client. The
:: client is stupid and will only connect to a certain IP on port 80.
::
:: How can I forward this port through both of our firewalls using ssh?
:: Here is what I tried and what I got:
::
:: The internal machine is 192.168.0.128.
:: The remote machine IP is the one I want port 80 forwarded to; it is on
:: one of our servers and the IP has just been aliased.
::
:: bash-2.03# ssh -l root -R 80:192.168.0.128:80 remote.ip.address
:: root@xxx.xxx.xxx.xxx's password:
:: Received disconnect: bind: Address already in use
::
:: I thought this was odd. I tried stopping the web server. No luck. So
:: I tried rebooting. No luck.
::
:: Is this just something I've overlooked, or is it possible that this
:: host has something nasty going on with it? For a time it was
:: vulnerable to the bind problem but had no evidence of a breakin,
:: nothing that trapdoor found and nothing suspicious with the firewall.
::
:: -Michael
:: _________________________________________________________________
:: http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Mar 29 5: 8: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rgi1.rostokgroup.com (rgi1.rostokgroup.com [195.228.216.98]) by hub.freebsd.org (Postfix) with ESMTP id 69DCB37B71E for ; Thu, 29 Mar 2001 05:08:01 -0800 (PST) (envelope-from seorge@rostokgroup.com)
Received: from rgi3.rostokgroup (rgi3.rostokgroup [192.168.1.3]) by rgi1.rostokgroup.com (8.11.1/8.11.1) with ESMTP id f2TE8ZA00611 for ; Thu, 29 Mar 2001 16:08:36 +0200 (CEST) (envelope-from seorge@rostokgroup.com)
Date: Thu, 29 Mar 2001 15:07:55 +0200
From: Seorge
X-Mailer: The Bat! (v1.41)
Reply-To: Seorge
Organization: Rostok Group International
X-Priority: 3 (Normal)
Message-ID: <4630.010329@rostokgroup.com>
To: freebsd-security@FreeBSD.ORG
Subject: Something's happening with named
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Maybe somebody knows what's going on?

Not the first time I face the following problem:
While everything seems to work properly (sendmail, apache and so on),
the following string is displayed and none of the local network or
Internet requests is answered.
Restarting named is the only way to get it back to life.
What could be the cause of this thing: attack or misconfiguration?

Mar 26 11:29:11 nameoftheunix-server /kernel: pid 115 (named), uid 0: exited on signal 10 (core dumped)

This event repeats approximately twice a month with no systematic
rule.

Any help would be very welcome.

Sincerely,
Seorge mailto:seorge@rostokgroup.com

From owner-freebsd-security Thu Mar 29 5:12:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id B253137B719 for ; Thu, 29 Mar 2001 05:12:08 -0800 (PST) (envelope-from cdf.lists@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1501) id 710A713614; Thu, 29 Mar 2001 08:12:08 -0500 (EST)
Date: Thu, 29 Mar 2001 08:12:08 -0500
From: Chris Faulhaber
To: Seorge
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Something's happening with named
Message-ID: <20010329081208.A80429@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , Seorge , freebsd-security@FreeBSD.ORG
References: <4630.010329@rostokgroup.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="yrj/dFKFPuw6o+aM"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4630.010329@rostokgroup.com>; from seorge@rostokgroup.com on Thu, Mar 29, 2001 at 03:07:55PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Mar 29, 2001 at 03:07:55PM +0200, Seorge wrote:
> Maybe somebody knows what's going on?
>
> Not the first time I face the following problem:
> While everything seems to work properly: sendmail, apache and so on
> the following string is displayed and none of the local network or
> Internet requests is answered.
> Restarting named is the only way to get it back to life.
> What could be the cause of this thing: attack or misconfiguration?
>
> Mar 26 11:29:11 nameoftheunix-server /kernel: pid 115 (named), uid 0: exited on signal 10 (core dumped)
>
> This event repeats approximately twice a month with no systematic
> rule.
>

What version of bind are you running? Have you upgraded since the bind
advisory was released in January?

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc

If you are running a vulnerable server, it is possible that someone is
trying to root you with an exploit meant for a different OS, causing
bind to crash.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

--yrj/dFKFPuw6o+aM
Content-Type: application/pgp-signature
Content-Disposition: inline

--yrj/dFKFPuw6o+aM--

From owner-freebsd-security Thu Mar 29 5:36:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rgi1.rostokgroup.com (rgi1.rostokgroup.com [195.228.216.98]) by hub.freebsd.org (Postfix) with ESMTP id EB39637B718 for ; Thu, 29 Mar 2001 05:36:19 -0800 (PST) (envelope-from seorge@rostokgroup.com)
Received: from rgi3.rostokgroup (rgi3.rostokgroup [192.168.1.3]) by rgi1.rostokgroup.com (8.11.1/8.11.1) with ESMTP id f2TEagA00724; Thu, 29 Mar 2001 16:36:43 +0200 (CEST) (envelope-from seorge@rostokgroup.com)
Date: Thu, 29 Mar 2001 15:36:01 +0200
From: Seorge
X-Mailer: The Bat! (v1.41)
Reply-To: Seorge
Organization: Rostok Group International
X-Priority: 3 (Normal)
Message-ID: <19650.010329@rostokgroup.com>
To: Alexander Kalinin , Chris Faulhaber
Cc: freebsd-security@FreeBSD.ORG
Subject: Thanx
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The version of my FreeBSD is 4.2-Beta.
And I have Bind version 8.2.3-T6B if looking at /usr/sbin/named -v.
So I will update to the latest release of the FreeBSD.

Thank you very much,
And may the luck be with you!

--
Best regards,
Seorge mailto:seorge@rostokgroup.com

From owner-freebsd-security Thu Mar 29 8: 9:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lindt.urgle.com (lindt.urgle.com [62.49.202.23]) by hub.freebsd.org (Postfix) with ESMTP id 4745937B71B; Thu, 29 Mar 2001 08:09:10 -0800 (PST) (envelope-from mike@urgle.com)
Received: from mike by lindt.urgle.com with local (Exim 3.16 #1) id 14ieyu-000JY3-00; Thu, 29 Mar 2001 17:09:04 +0100
Date: Thu, 29 Mar 2001 17:09:04 +0100
From: Mike Bristow
To: Kris Kennaway
Cc: security@freebsd.org, doc@freebsd.org
Subject: Re: man pages for format string functions
Message-ID: <20010329170904.B70560@lindt.urgle.com>
References: <20010327111709.A16916@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="EuxKj2iCbKjpUGkD"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010327111709.A16916@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Mar 27, 2001 at 11:17:09AM -0800
X-Rated: NORAD, cracking
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--EuxKj2iCbKjpUGkD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[ doc@ added; hackers@ dropped (xpost limit :(). I'm not on either doc@
or security@, so please cc me on any replies ]

On Tue, Mar 27, 2001 at 11:17:09AM -0800, Kris Kennaway wrote:
> On Tue, Mar 27, 2001 at 02:13:03PM -0500, Andrew R. Reiter wrote:

[ on adding warnings to man pages about potential format-string type bugs ]

> > I am fairly poor with wording man pages, as you can see, but I think it
> > might be worth while just to point this out.
>
> I've wanted to do this, but so far haven't had time. Do you think you
> could submit a patch? Don't worry about wording, that can easily be
> tweaked.

Here's a first draft of such a patch that covers printf(3), stdarg(3),
err(3), setproctitle(3), and syslog(3), together with their
on-the-same-manpage friends.

I haven't touched NgSendAsciiMsg(3) and libstand(3) [ for panic(const
char *msg, ...) ], but possibly I should.

Any comments? Anything obvious I've missed? I'll look at these again
with fresh eyes tomorrow, deal with any comments, and then file a PR, I
guess.
-- Mike Bristow, seebitwopie --EuxKj2iCbKjpUGkD Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="format-string-vulns-man.patch" Index: share/man/man3/stdarg.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/share/man/man3/stdarg.3,v retrieving revision 1.4.2.2 diff -u -r1.4.2.2 stdarg.3 --- share/man/man3/stdarg.3 2001/03/06 19:08:09 1.4.2.2 +++ share/man/man3/stdarg.3 2001/03/29 15:48:07 @@ -120,7 +120,7 @@ .Fa type is not compatible with the type of the actual next argument (as promoted according to the default argument promotions), -random errors will occur. +random errors will occur, which might lead to a security risk. .Pp The first use of the .Fn va_arg Index: lib/libc/gen/err.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/err.3,v retrieving revision 1.11.2.4 diff -u -r1.11.2.4 err.3 --- lib/libc/gen/err.3 2001/03/05 08:42:22 1.11.2.4 +++ lib/libc/gen/err.3 2001/03/29 15:48:07 
@@ -97,9 +97,16 @@ and a space are output. If the .Fa fmt -argument is not NULL, the -.Xr printf 3 --like formatted error message is output. +argument is not NULL, then further output is controlled by treating +it as a format string that specifies how subsequent arguments (or +arguments accessed via the variable-length argument facilities of +.Xr stdarg 3 ) +are converted for output, in the same way as +.Xr printf 3 . +If the format string specifies an argument that does not exist, or +a type different from that actually given, random errors, that +could cause a security risk, may occur. +.Pp The output is terminated by a newline character. .Pp The Index: lib/libc/gen/setproctitle.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/setproctitle.3,v retrieving revision 1.16.2.2 diff -u -r1.16.2.2 setproctitle.3 --- lib/libc/gen/setproctitle.3 2000/12/08 13:49:24 1.16.2.2 +++ lib/libc/gen/setproctitle.3 2001/03/29 15:48:07 
@@ -39,13 +39,17 @@ .Xr ps 1 command. .Pp -The title is set from the executable's name, followed by the -result of a -.Xr printf 3 -style expansion of the arguments as specified by the +If +.Va fmt +is not NULL, then the title is set from the executable's name, +followed by the result of treating .Va fmt -argument. -If the +as a format string that specifies how subsequent arguments are +converted, in the same was as +.Xr printf 3 . +If the format string specifies arguments that do not exist, or it +specifies a type different from that actually given, random errors, +that could cause a security risk, may occur. If the .Va fmt argument begins with a .Dq - Index: lib/libc/gen/syslog.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/syslog.3,v retrieving revision 1.9.2.4 diff -u -r1.9.2.4 syslog.3 --- lib/libc/gen/syslog.3 2001/03/06 16:45:55 1.9.2.4 +++ lib/libc/gen/syslog.3 2001/03/29 15:48:07 @@ -48,9 +48,9 @@ .Fd #include .Fd #include .Ft void -.Fn syslog "int priority" "const char *message" "..." +.Fn syslog "int priority" "const char *fmt" "..." .Ft void -.Fn vsyslog "int priority" "const char *message" "va_list args" +.Fn vsyslog "int priority" "const char *fmt" "va_list args" .Ft void .Fn openlog "const char *ident" "int logopt" "int facility" .Ft void 
@@ -60,33 +60,34 @@ .Sh DESCRIPTION The .Fn syslog -function -writes -.Fa message -to the system message logger. +function writes a message to the system message logger. The message is then written to the system console, log files, logged-in users, or forwarded to other machines as appropriate. (See .Xr syslogd 8 . ) .Pp -The message is identical to a -.Xr printf 3 -format string, except that +The message is created by treating +.Va fmt +as a format string that specifies how subsequent arguments are +converted, in the same was as +.Xr printf 3 , +with an additional convertion specifier of .Ql %m -is replaced by the current error -message. -(As denoted by the global variable +which is replaced by the current error message. (As denoted by +the global variable .Va errno ; see .Xr strerror 3 . ) -A trailing newline is added if none is present. +If the format string specifies arguments that do not exist, or it +specifies a type different from that actually given, random errors, +that could cause a security risk, may occur. A trailing newline +is added if none is present. .Pp The .Fn vsyslog -function -is an alternate form in which the arguments have already been captured -using the variable-length argument facilities of -.Xr varargs 3 . +function is an alternate form in which the arguments have already +been captured using the variable-length argument facilities of +.Xr stdarg 3 . .Pp The message is tagged with .Fa priority . Index: lib/libc/stdio/printf.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/stdio/printf.3,v retrieving revision 1.17.2.5 diff -u -r1.17.2.5 printf.3 --- lib/libc/stdio/printf.3 2001/03/06 16:46:01 1.17.2.5 +++ lib/libc/stdio/printf.3 2001/03/29 15:48:07 
@@ -170,7 +170,11 @@ the character .Cm % . The arguments must correspond properly (after type promotion) -with the conversion specifier. +with the conversion specifier. If they do not random errors, +which could cause a security risk, may occur. In particular, +user-supplied data should never be included in the format string +without checking that it is safe (eg, does not contain %s +and other character sequences with special meaning). After the .Cm % , the following appear in sequence: --EuxKj2iCbKjpUGkD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 29 8:58:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from router.pagearts.co.za (router.pagearts.co.za [196.25.102.154]) by hub.freebsd.org (Postfix) with ESMTP id BC31237B71A for ; Thu, 29 Mar 2001 08:58:34 -0800 (PST) (envelope-from james@pagearts.co.za) Received: from boubou (localhost.localdomain [127.0.0.1]) by router.pagearts.co.za (8.11.0/8.10.1) with SMTP id f2TGskR14117; Thu, 29 Mar 2001 18:54:46 +0200 Message-ID: <015e01c0b871$33158f00$4501a8c0@boubou> 
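Review bot: In the stdarg.3 hunk, the added clause `+random errors will occur, which might lead to a security risk.` tells the reader neither what goes wrong nor why it matters. Suggest stating the mechanism: the behaviour is undefined, and va_arg returns whatever happens to sit at that position of the argument area (or reinterprets a value as the wrong type), so a caller whose argument list or format is influenced by untrusted input can disclose or corrupt memory. Pointing at the corresponding paragraph in printf(3) with `.Xr printf 3` would keep this page short.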
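Review bot: In the err.3 hunk, `+a type different from that actually given, random errors, that` / `+could cause a security risk, may occur.` sets off a restrictive relative clause with commas; read as `random errors that could cause a security risk may occur`, or better, replace `random errors` with `the behavior is undefined`, which is the C standard's term for this. The same paragraph recurs almost verbatim in the setproctitle.3 and syslog.3 hunks; keeping one canonical version in printf.3 and cross-referencing it from the other pages would stop three copies drifting apart.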
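Review bot: Typo in the setproctitle.3 hunk: `+converted, in the same was as` should read `in the same way as`. Also, `+that could cause a security risk, may occur. If the` starts a new sentence mid-line; mdoc(7) wants each sentence to begin on a new line so inter-sentence spacing renders correctly, so break the line after `may occur.`.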
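Review bot: In the second syslog.3 hunk (the DESCRIPTION section), `+.Va fmt` should be `.Fa fmt`: it names a function argument (the synopsis hunk just renamed it from `message` to `fmt`) and the same section already uses `.Fa priority`, whereas `.Va` is for variables such as `errno`. Two spelling fixes in the same hunk: `+with an additional convertion specifier of` should be `conversion`, and `+converted, in the same was as` should be `in the same way as`. The `.Xr varargs 3` to `.Xr stdarg 3` correction is right and worth keeping whatever happens to the rest of the wording.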
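Review bot: In the printf.3 hunk, `+with the conversion specifier. If they do not random errors,` needs a comma after `do not`, and `eg,` should be `e.g.,`. More importantly, `+user-supplied data should never be included in the format string` / `+without checking that it is safe (eg, does not contain %s` recommends filtering the format, which is the fragile fix: `%s` is far from the only conversion that matters, and a blacklist that misses one is no protection. The robust rule is that user data is never part of the format string at all; it is passed as an argument to a fixed format, i.e. `printf("%s", buf)` rather than `printf(buf)`. Suggest rewording the sentence to say exactly that and keeping the list of special sequences, if at all, only as the rationale.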
From: "James Greenfield"
To: "Chris Faulhaber" , "Seorge"
Cc:
References: <4630.010329@rostokgroup.com> <20010329081208.A80429@peitho.fxp.org>
Subject: Re: Something's happening with named
Date: Thu, 29 Mar 2001 18:56:26 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I saw the same thing a while back (with the difference being that named
exited due to a different signal)

messages.0:Mar 11 02:04:36 /kernel: pid 44813 (named), uid 0: exited on signal 11 (core dumped)

FreeBSD Version info:
FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Nov 20 13:02:55 GMT 2000 jkh@bento.FreeBSD.org:/usr/src/sys/compile/GENERIC i386

named version info:
named 8.2.3-T6B Mon Nov 20 11:27:49 GMT 2000 jkh@bento.FreeBSD.org:/usr/obj/usr/src/usr.sbin/named

I did some looking to see if a newer 8.2.3 release was out, but I couldn't
find a clear explanation of the meaning behind T6B. I see T9B is out (7 and
8 apparently being released as betas only?), but I've been unsure of the
potential impact of an upgrade, and since this hasn't recurred I've left it
and decided to keep an eye on things until it happens again.

If someone could briefly explain the versioning used by bind, I'd
appreciate it. Also, is it worth upgrading to T9B (or whatever the latest
release is)?

Thanks
James Greenfield
(Relatively new to the world of FreeBSD)

----- Original Message -----
From: "Chris Faulhaber"
To: "Seorge"
Cc:
Sent: Thursday, March 29, 2001 3:12 PM
Subject: Re: Something's happening with named

On Thu, Mar 29, 2001 at 03:07:55PM +0200, Seorge wrote:
> Maybe somebody knows what's going on?
>
> Not the first time I face the following problem:
> While everything seems to work properly: sendmail, apache and so on
> the following string is displayed and none of the local network or
> Internet requests is answered.
> Restarting named is the only way to get it back to life.
> What could be the cause of this thing: attack or misconfiguration?
>
> Mar 26 11:29:11 nameoftheunix-server /kernel: pid 115 (named), uid 0: exited on signal 10 (core dumped)
>
> This event repeats approximately twice a month with no systematic
> rule.
>

What version of bind are you running? Have you upgraded since the bind
advisory was released in January?

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc

If you are running a vulnerable server, it is possible that someone is
trying to root you with an exploit meant for a different OS, causing
bind to crash.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Mar 29 9: 1:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from router.pagearts.co.za (router.pagearts.co.za [196.25.102.154]) by hub.freebsd.org (Postfix) with ESMTP id 3B1FB37B71C for ; Thu, 29 Mar 2001 09:01:53 -0800 (PST) (envelope-from james@pagearts.co.za)
Received: from boubou (localhost.localdomain [127.0.0.1]) by router.pagearts.co.za (8.11.0/8.10.1) with SMTP id f2TGwEG14161; Thu, 29 Mar 2001 18:58:14 +0200
Message-ID: <017001c0b871$ae9576e0$4501a8c0@boubou>
From: "James Greenfield"
To: "Seorge" , "Chris Faulhaber"
Cc:
References: <19650.010329@rostokgroup.com>
Subject: Re: Thanx x 2
Date: Thu, 29 Mar 2001 18:59:56 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The doc pointed to by Chris gave me exactly the info I needed (thanks for
that). I'll be upgrading this evening :)

Regards
James Greenfield

----- Original Message -----
From: "Seorge"
To: "Alexander Kalinin" ; "Chris Faulhaber"
Cc:
Sent: Thursday, March 29, 2001 3:36 PM
Subject: Thanx

> The version of my FreeBSD is 4.2-Beta.
> And I have Bind version 8.2.3-T6B if looking at /usr/sbin/named -v.
> So I will update to the latest release of the FreeBSD.
>
> Thank you very much,
> And may the luck be with you!
>
>
> --
> Best regards,
> Seorge mailto:seorge@rostokgroup.com

From owner-freebsd-security Thu Mar 29 9:33:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34]) by hub.freebsd.org (Postfix) with SMTP id 4B43E37B718 for ; Thu, 29 Mar 2001 09:33:35 -0800 (PST) (envelope-from nbm@rapier.smartspace.co.za)
Received: (qmail 87890 invoked by uid 1001); 29 Mar 2001 17:32:39 -0000
Date: Thu, 29 Mar 2001 19:32:39 +0200
From: Neil Blakey-Milner
To: James Greenfield
Cc: Chris Faulhaber , Seorge , freebsd-security@FreeBSD.ORG
Subject: Re: Something's happening with named
Message-ID: <20010329193238.A86421@rapier.smartspace.co.za>
References: <4630.010329@rostokgroup.com> <20010329081208.A80429@peitho.fxp.org> <015e01c0b871$33158f00$4501a8c0@boubou>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <015e01c0b871$33158f00$4501a8c0@boubou>; from james@pagearts.co.za on Thu, Mar 29, 2001 at 06:56:26PM +0200
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu 2001-03-29 (18:56), James Greenfield wrote:
> I saw the same thing a while back (with the difference being that named
> exited due to a different signal)
>
> messages.0:Mar 11 02:04:36 /kernel: pid 44813 (named), uid
> 0: exited on signal 11 (core dumped)
>
> FreeBSD Version info:
> FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Nov 20
> 13:02:55 GMT 2000 jkh@bento.FreeBSD.org:/usr/src/sys/compile/GENERIC
> i386
>
> named version info:
> named 8.2.3-T6B Mon Nov 20 11:27:49 GMT 2000
> jkh@bento.FreeBSD.org:/usr/obj/usr/src/usr.sbin/named
>
> I did some looking to see if a newer 8.2.3 release was out, but I couldn't
> find a clear explanation of the meaning behind T6B. I see T9B is out (7 and
> 8 apparently being released as betas only?), but I've been unsure of the
> potential impact of an upgrade, and since this hasn't recurred I've left it
> and decided to keep an eye on things until it happens again.
>
> If someone could briefly explain the versioning used by bind, I'd
> appreciate it. Also, is it worth upgrading to T9B (or whatever the latest
> release is)?

8.2.3 > 8.2.3-T6B. I.e., 8.2.3-T6B is before 8.2.3. It has the
security problem. You can install the bind8 port over your current
bind installation. I think it's as simple as "cd /usr/ports/net/bind8
&& make install PREFIX=/usr", but you might have better luck looking
at the archives.

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Thu Mar 29 9:50:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from epsilon.lucida.ca (epsilon.lucida.ca [209.47.215.67]) by hub.freebsd.org (Postfix) with SMTP id 2996B37B719 for ; Thu, 29 Mar 2001 09:50:51 -0800 (PST) (envelope-from matt@LUCIDA.CA)
Received: (qmail 41481 invoked by uid 1000); 29 Mar 2001 17:50:50 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Mar 2001 17:50:50 -0000
Date: Thu, 29 Mar 2001 12:50:49 -0500 (EST)
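The crash records and the version confusion in this thread, as an added example that is not code from the list or from FreeBSD: it parses "exited on signal" kernel lines like the two quoted by Seorge and James out of a /var/log/messages-style text, counts faults per watched daemon, and orders BIND 8 version strings so that the test build 8.2.3-T6B sorts before the 8.2.3 release that Neil and Len point at (plain string comparison gets that backwards). The sample log is constructed, the SIGNAL_NAMES table uses FreeBSD's numbering, and the "8.2.3" baseline is taken from the replies above, not from the advisory text.

```python
import re
from collections import Counter

# Signal numbers as FreeBSD assigns them; the two crashes quoted in the thread
# were signal 10 (SIGBUS) and signal 11 (SIGSEGV).
SIGNAL_NAMES = {6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}

# Kernel record quoted in the thread, e.g.
#   Mar 26 11:29:11 host /kernel: pid 115 (named), uid 0: exited on signal 10 (core dumped)
# The hostname field is optional because James's grep output shows a line without one.
CRASH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s/]\S*) )?/kernel: "
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$"
)
# A "file:" prefix such as "messages.0:" is what grep prepends; strip it first.
GREP_PREFIX_RE = re.compile(r"^[\w.]+:(?=[A-Z][a-z]{2} )")

# BIND 8 version strings: "-TnB" marks a test build that precedes the plain
# "x.y.z" (or "x.y.z-REL") release, and "-Pn" a patch level issued after it.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(T(\d+)[A-Z]?|REL|P(\d+)))?$")


def parse_crashes(log_text):
    """Return one dict per 'exited on signal' kernel record; other lines are skipped."""
    crashes = []
    for raw in log_text.splitlines():
        m = CRASH_RE.match(GREP_PREFIX_RE.sub("", raw))
        if not m:
            continue
        sig = int(m.group("sig"))
        crashes.append({
            "ts": m.group("ts"),
            "host": m.group("host") or "",
            "pid": int(m.group("pid")),
            "proc": m.group("proc"),
            "uid": int(m.group("uid")),
            "signal": sig,
            "signal_name": SIGNAL_NAMES.get(sig, f"SIG{sig}"),
            "core": m.group("core") is not None,
        })
    return crashes


def crashes_by_daemon(crashes, watch=("named",)):
    """Count crashes per watched daemon.  Repeated memory faults in a
    root-owned network daemon are the pattern Chris's reply treats as a
    possible exploit attempt rather than a misconfiguration."""
    return Counter(c["proc"] for c in crashes if c["proc"] in watch)


def parse_bind_version(text):
    """Map a BIND 8 version string to a tuple whose ordering puts test builds
    before the release and patch levels after it; as strings,
    "8.2.3-T6B" > "8.2.3", which is the wrong answer."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, tag, tnum, pnum = m.groups()
    if tag and tag.startswith("T"):
        stage, n = 0, int(tnum)   # pre-release test build
    elif tag and tag.startswith("P"):
        stage, n = 2, int(pnum)   # post-release patch level
    else:
        stage, n = 1, 0           # the release itself
    return (int(major), int(minor), int(patch), stage, n)


def needs_upgrade(installed, fixed="8.2.3"):
    """True when the installed named predates the release the thread points at."""
    return parse_bind_version(installed) < parse_bind_version(fixed)


# Constructed sample log: the two crash lines quoted in the thread (hostname
# replaced) plus an ordinary sendmail record and a crash of another daemon.
SAMPLE_LOG = """\
Mar 26 11:29:11 ns1 /kernel: pid 115 (named), uid 0: exited on signal 10 (core dumped)
Mar 26 11:29:12 ns1 sendmail[210]: f2Q9TCw00210: from=<user@example.test>, size=512
messages.0:Mar 11 02:04:36 /kernel: pid 44813 (named), uid 0: exited on signal 11 (core dumped)
Mar 27 03:15:02 ns1 /kernel: pid 900 (httpd), uid 80: exited on signal 11 (core dumped)
"""


def assess(log_text, installed_version, fixed="8.2.3"):
    """Combine both checks into the verdict the admins on the thread wanted."""
    crashes = parse_crashes(log_text)
    return {
        "named_crashes": crashes_by_daemon(crashes).get("named", 0),
        "signals": sorted({c["signal_name"] for c in crashes if c["proc"] == "named"}),
        "vulnerable_version": needs_upgrade(installed_version, fixed),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG, "8.2.3-T6B"))
```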
From: Matt Heckaman
To: Neil Blakey-Milner
Cc: James Greenfield , Chris Faulhaber , Seorge ,
Subject: Re: Something's happening with named
In-Reply-To: <20010329193238.A86421@rapier.smartspace.co.za>
Message-ID: <20010329124830.S41363-100000@epsilon.lucida.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: localhost 1.6.2 0/1000/N
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 29 Mar 2001, Neil Blakey-Milner wrote:
...
: 8.2.3 > 8.2.3-T6B. I.e., 8.2.3-T6B is before 8.2.3. It has the
: security problem. You can install the bind8 port over your current
: bind installation. I think it's as simple as "cd /usr/ports/net/bind8
: && make install PREFIX=/usr", but you might have better luck looking
: at the archives.

It was mentioned on the list (by Kris I believe) that building (in
order?) the following items with the latest contrib/bind source in
/usr/src will produce the desired result. I have been using this method
for a while now instead of clobbering everything with the port; it works
for me but YMMV.

lib/libisc
lib/libbind
usr.bin/dig
usr.bin/dnskeygen
usr.bin/dnsquery
usr.bin/host
usr.sbin/named
usr.sbin/ndc
usr.sbin/nslookup
usr.sbin/nsupdate
libexec/named-xfer

* Matt Heckaman - mailto:matt@LUCIDA.CA http://www.lucida.ca/pgp *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

UNPRECEDENTED PERFORMANCE: nothing we had before ever worked this way.
- Simon Travaglia

From owner-freebsd-security Thu Mar 29 9:56:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id BA72837B719 for ; Thu, 29 Mar 2001 09:56:56 -0800 (PST) (envelope-from LConrad@Go2France.com)
Received: from sv.Go2France.com (sv.meiway.com [212.73.210.79]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id 3CD0D16B16 for ; Thu, 29 Mar 2001 20:10:46 +0200 (CEST)
Message-Id: <5.0.0.25.0.20010329195331.06d46eb0@mail.Go2France.com>
X-Sender: lconrad%Go2France.com@mail.Go2France.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Thu, 29 Mar 2001 19:54:14 +0200
To: freebsd-security@freebsd.org
From: Len Conrad
Subject: Re: Something's happening with named
In-Reply-To: <4630.010329@rostokgroup.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Any help would be very welcome.

upgrade to 8.2.3 or 9.1.1

Len
http://MenAndMice.com/DNS-training : In Austin, TX; SFO, CA; Paris, FR
http://BIND8NT.MEIway.com : ISC BIND 8.2.3 "NT3" for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

From owner-freebsd-security Thu Mar 29 10:48:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22]) by hub.freebsd.org (Postfix) with ESMTP id 6808137B71E for ; Thu, 29 Mar 2001 10:48:36 -0800 (PST) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.3/8.11.3) with ESMTP id f2TIm7011605; Thu, 29 Mar 2001 13:48:08 -0500 (EST) (envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Thu, 29 Mar 2001 13:48:07 -0500 (EST)
From: Matt Piechota
To: Poul-Henning Kamp
Cc: mike ,
Subject: Re: named dying on INSIST
In-Reply-To: <90261.985764678@critter>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 28 Mar 2001, Poul-Henning Kamp wrote:

> >My machine does this constantly. Are you also getting "microuptime went
> >backwards" messages on the console/syslog?
>
> Sigh, I thought Intel couldn't fuck up the Pentium family anymore
> when it came to timekeeping, but they've done it again with the
> new clock-throttling stuff.

Just to make sure: my particular machine is an AMD K6-2 350 on a VIA
Apollo based motherboard. So on my machine it is a problem with the
board, not clock reduction stuff. Although the point is valid, it's not
the case this time around.

Oddly enough, I haven't had a 'microuptime went backwards' message in the
last couple days, since I've cvsup'd.

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Thu Mar 29 12:23: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (fw2.aub.dk [195.24.1.195]) by hub.freebsd.org (Postfix) with ESMTP id 572E637B725 for ; Thu, 29 Mar 2001 12:22:56 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2TJZGP12870; Thu, 29 Mar 2001 21:35:16 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Matt Piechota
Cc: mike , security@freebsd.org
Subject: Re: named dying on INSIST
In-Reply-To: Your message of "Thu, 29 Mar 2001 13:48:07 CDT."
Date: Thu, 29 Mar 2001 21:35:16 +0200
Message-ID: <12868.985894516@critter>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Matt Piechota writes:
>On Wed, 28 Mar 2001, Poul-Henning Kamp wrote:
>
>> >My machine does this constantly.  Are you also getting "microuptime went
>> >backwards" messages on the console/syslog?
>>
>> Sigh, I thought Intel couldn't fuck up the Pentium family anymore
>> when it came to timekeeping, but they've done it again with the
>> new clock-throttling stuff.
>
>Just to make sure: my particular machine is an AMD K6-2 350 on a VIA
>Apollo based motherboard.  So on my machine it is a problem with the board,
>not clock reduction stuff.  Although the point is valid, it's not the case
>this time around.

AMD still to a large extent dances to Intel's architectural flute.  This
was particularly the case with the K6, which is plug compatible with the P5.

>Oddly enough, I haven't had a 'microuptime went backwards' message in the
>last couple days, since I've cvsup'd.

It gets worse when interrupt latency gets bad.  Some of the SMPng
transformations have had bad side effects, but so far things seem to
straighten themselves out after some time.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security Thu Mar 29 17:17:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peter3.wemm.org (c1315225-a.plstn1.sfba.home.com [65.0.135.147]) by hub.freebsd.org (Postfix) with ESMTP id 9063037B719 for ; Thu, 29 Mar 2001 17:17:45 -0800 (PST) (envelope-from peter@netplex.com.au)
Received: from mobile.wemm.org (mobile.wemm.org [10.0.0.5]) by peter3.wemm.org (8.11.0/8.11.0) with ESMTP id f2U1HjM37667 for ; Thu, 29 Mar 2001 17:17:45 -0800 (PST) (envelope-from peter@netplex.com.au)
Received: from netplex.com.au (localhost [127.0.0.1]) by mobile.wemm.org (8.11.1/8.11.1) with ESMTP id f2U1Hih64485; Thu, 29 Mar 2001 17:17:44 -0800 (PST) (envelope-from peter@netplex.com.au)
Message-Id: <200103300117.f2U1Hih64485@mobile.wemm.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Brian Behlendorf
Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC: racoon and Win2K
In-Reply-To:
Date: Thu, 29 Mar 2001 17:17:44 -0800
From: Peter Wemm
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brian Behlendorf wrote:
> On Sat, 24 Mar 2001, Kris Kennaway wrote:
> > It wasn't majordomo or anything to do with the FreeBSD.org mailing
> > lists which was repeating the email.  A mailing list subscriber was
> > feeding list mail back into the list.
>
> Actually, ezmlm would have prevented the loop, unless that subscriber's
> MTA removes the "Mailing-List:" header from the message.

.. which is what they were doing.  They were also removing our X-Loop:
header.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

From owner-freebsd-security Fri Mar 30 06:57:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ad1.vsnl.net.in (ad1.vsnl.net.in [202.54.4.114]) by hub.freebsd.org (Postfix) with ESMTP id AD9F537B71A; Fri, 30 Mar 2001 06:56:08 -0800 (PST) (envelope-from pramukhc@vsnl.com)
Received: from varun (unknown [61.1.46.149]) by ad1.vsnl.net.in (Postfix) with SMTP id A464D60301; Fri, 30 Mar 2001 20:21:52 +0530 (IST)
Message-ID: <001c01c0b92a$2172a3a0$96c3fea9@bhavnagar.com>
From: "Hiren Trivedi"
To:
Subject: Donation For Earthquake Relief Work
Date: Fri, 30 Mar 2001 20:27:00 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0016_01C0B958.06B8AA40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sir,

I am enclosing herewith brochure of BAPS Swaminarayan Sanstha for your
kind consideration. We are from one of the Centre - Bhavnagar, forwarding
herewith our genuine request for your valuable donation for this work.
As you know, Bhavnagar is one of the earthquake affected centres, in
which we have experienced more than 500 earthquake tremors in the last
8 months. These tremors inspired us to work for earthquake affected
people. From Bhavnagar centre we have dispatched a huge quantity of all
the required materials. Now the earthquake affected area requires
permanent housing facilities. To provide such facilities we are
requesting you to send your valuable donation to one of the best and
leading NGOs of the world and oblige us.
Thanking you,

Yours faithfully,

Hiren Trivedi

Content-Type: image/gif; name="extract.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="extract.gif"

From owner-freebsd-security Fri Mar 30 07:41:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with
ESMTP id 9DBFC37B719 for ; Fri, 30 Mar 2001 07:41:49 -0800 (PST) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by proxy.centtech.com (8.8.4/8.6.9) id JAA15459; Fri, 30 Mar 2001 09:41:44 -0600 (CST)
Received: from sprint.centtech.com(10.177.173.31) by proxy.centtech.com via smap (V2.0/2.1+anti-relay+anti-spam) id xma015455; Fri, 30 Mar 01 09:41:25 -0600
Received: from centtech.com (shiva [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA27377; Fri, 30 Mar 2001 09:41:23 -0600 (CST)
Message-ID: <3AC4A923.87D7F20C@centtech.com>
Date: Fri, 30 Mar 2001 09:41:23 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Guy Poizat
Cc: George.Giles@mcmail.vanderbilt.edu, security@freebsd.org
Subject: Re: SSH login delay
References: <5.0.2.1.0.20010328113829.01ac0d30@pop.partsonline.fr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, we had the same problem.. run the patches to openssh on the
server side (and client side if you can) and it should fix it..

Guy Poizat wrote:
>
> At 16:03 27/03/2001, you wrote:
> >Does anyone know what causes the long delay between entering the password
> >to ssh and the actual logging in of the shell prompt?
> >
> >Sometimes it takes more than a minute when I know it is not network speed?
> >
> >This behavior makes me suspicious.
> >
> >This is observed on the latest release of FreeBSD.
>
> Perhaps it has somethin' to deal with DNS lookup failure (timeout->delay)?
> Can all of your hosts get a reply for a DNS query about each other?
>
> I got that kind of problem and solved it by adding a BIND serving for my
> NATed hosts.
>
> --
> Guy Poizat
> poizat@partsonline.fr

-- 
-------------------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology        (512) 418-5792
To see a need and wait to be asked, is to already refuse.
-------------------------------------------------------------------------------

From owner-freebsd-security Fri Mar 30 22:27:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 5D0EF37B719 for ; Fri, 30 Mar 2001 22:27:21 -0800 (PST) (envelope-from cfaber@fpsn.net)
Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id XAA03893 for ; Fri, 30 Mar 2001 23:27:12 -0700 (MST) (envelope-from cfaber@fpsn.net)
Message-ID: <3AC578E7.84214BCD@fpsn.net>
Date: Fri, 30 Mar 2001 23:27:51 -0700
From: Colin Faber
Reply-To: cfaber@fpsn.net
Organization: fpsn.net, Inc.
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: Donation For Earthquake Relief Work
References: <001c01c0b92a$2172a3a0$96c3fea9@bhavnagar.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Come on guys, This is getting old, Can you block this junk?
From owner-freebsd-security Fri Mar 30 22:30:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 0B01637B719 for ; Fri, 30 Mar 2001 22:30:21 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.0) with ESMTP id f2V6UAk07978; Sat, 31 Mar 2001 00:30:10 -0600 (CST) (envelope-from chris@jeah.net)
Date: Sat, 31 Mar 2001 00:30:09 -0600 (CST)
From: Chris Byrnes
To: Colin Faber
Cc:
Subject: Re: Donation For Earthquake Relief Work
In-Reply-To: <3AC578E7.84214BCD@fpsn.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Mar 2001, Colin Faber wrote:

> Come on guys, This is getting old, Can you block this junk?

How would you suggest that is done?  Magical anticipation of spam posts?
-C

From owner-freebsd-security Fri Mar 30 22:38:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id B0AB137B719 for ; Fri, 30 Mar 2001 22:38:36 -0800 (PST) (envelope-from mitch@ccmr.cornell.edu)
Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id BAA09296; Sat, 31 Mar 2001 01:38:36 -0500
Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id BAA13338; Sat, 31 Mar 2001 01:38:35 -0500
X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs
Date: Sat, 31 Mar 2001 01:38:35 -0500 (EST)
From: Mitch Collinsworth
To: Chris Byrnes
Cc: Colin Faber , freebsd-security@FreeBSD.ORG
Subject: Re: Donation For Earthquake Relief Work
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 31 Mar 2001, Chris Byrnes wrote:

> On Fri, 30 Mar 2001, Colin Faber wrote:
>
> > Come on guys, This is getting old, Can you block this junk?
>
> How would you suggest that is done?  Magical anticipation of spam posts?

Posts allowed only by subscribers?  Many lists do it these days.
-Mitch

From owner-freebsd-security Fri Mar 30 22:43:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id 3586037B71C for ; Fri, 30 Mar 2001 22:43:47 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.0) with ESMTP id f2V6hpp10623; Sat, 31 Mar 2001 00:43:51 -0600 (CST) (envelope-from chris@jeah.net)
Date: Sat, 31 Mar 2001 00:43:51 -0600 (CST)
From: Chris Byrnes
To: Mitch Collinsworth
Cc: Colin Faber ,
Subject: Re: Donation For Earthquake Relief Work
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > On Fri, 30 Mar 2001, Colin Faber wrote:
> >
> > > Come on guys, This is getting old, Can you block this junk?
> >
> > How would you suggest that is done?  Magical anticipation of spam posts?
>
> Posts allowed only by subscribers?  Many lists do it these days.

So the magical spambot subscribes and posts.  There's no solution.  Just
click delete yo.
-C

From owner-freebsd-security Fri Mar 30 23:03:04 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 1B7D937B71A for ; Fri, 30 Mar 2001 23:02:56 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2V72uR43788 for ; Fri, 30 Mar 2001 23:02:56 -0800 (PST) (envelope-from oldfart@gtonet.net)
Reply-To:
From: "oldfart@gtonet"
To:
Subject: RE: Donation For Earthquake Relief Work
Date: Fri, 30 Mar 2001 23:02:51 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Spoken like a true spammer. Spammers often defend their actions by saying
"you can always delete it." Well, that's just not good enough for me. It,
most certainly, WOULD help to limit posting to subscribers. It might not
stop all the spam but it would some. Personally, I'd like to see the lists
moved to a web bulletin board type forum. Then you don't get e-mails for
subjects that aren't of interest and you can browse and post (if
registered/subscribed) from any browser. The archives are nice but you can't
post without an e-mail account. Spammers prefer e-mail so using a forum
might even stop more spam.
I'm pretty sure FreeBSD could handle a web based forum :)

Just my 2 cents,
OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris Byrnes
> Sent: Friday, March 30, 2001 10:44 PM
> To: Mitch Collinsworth
> Cc: Colin Faber; freebsd-security@FreeBSD.ORG
> Subject: Re: Donation For Earthquake Relief Work
>
>
> > > On Fri, 30 Mar 2001, Colin Faber wrote:
> > >
> > > > Come on guys, This is getting old, Can you block this junk?
> > >
> > > How would you suggest that is done?  Magical anticipation of
> > > spam posts?
> >
> > Posts allowed only by subscribers?  Many lists do it these days.
>
> So the magical spambot subscribes and posts.  There's no solution.  Just
> click delete yo.
>
>
> -C

From owner-freebsd-security Fri Mar 30 23:12:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id E976B37B719; Fri, 30 Mar 2001 23:12:16 -0800 (PST) (envelope-from chris@jeah.net)
Received: from localhost (chris@localhost) by awww.jeah.net (8.11.3/8.11.0) with ESMTP id f2V7CIH13615; Sat, 31 Mar 2001 01:12:21 -0600 (CST) (envelope-from chris@jeah.net)
Date: Sat, 31 Mar 2001 01:12:15 -0600 (CST)
From: Chris Byrnes
To: "oldfart@gtonet"
Cc: ,
Subject: RE: Donation For Earthquake Relief Work [moved]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Spoken like a true spammer. Spammers often defend their actions by saying
> "you can always delete it." Well, that's just not good enough for me. It,
> most certainly, WOULD help to limit posting to subscribers.
> It might not
> stop all the spam but it would some. Personally, I'd like to see the lists
> moved to a web bulletin board type forum. Then you don't get e-mails for
> subjects that aren't of interest and you can browse and post (if
> registered/subscribed) from any browser. The archives are nice but you can't
> post without an e-mail account. Spammers prefer e-mail so using a forum
> might even stop more spam. I'm pretty sure FreeBSD could handle a web based
> forum :)

..an age-old discussion.  Most of us don't have time to login to forums,
etc., unfortunately.

-C

From owner-freebsd-security Fri Mar 30 23:15:09 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 9286737B71B for ; Fri, 30 Mar 2001 23:15:05 -0800 (PST) (envelope-from cfaber@fpsn.net)
Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id AAA04081; Sat, 31 Mar 2001 00:14:54 -0700 (MST) (envelope-from cfaber@fpsn.net)
Message-ID: <3AC583C3.9C4CCC4D@fpsn.net>
Date: Sat, 31 Mar 2001 00:14:11 -0700
From: Colin Faber
Reply-To: cfaber@fpsn.net
Organization: fpsn.net, Inc.
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Chris Byrnes
Cc: Mitch Collinsworth , freebsd-security@FreeBSD.ORG
Subject: Re: Donation For Earthquake Relief Work
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I don't know how well that would work.  How about just having the list
server read the X-Mailer?  90% of the spam I've seen on this and other
@freebsd.org lists has been X-Mailer tag free.
Chris Byrnes wrote:
>
> > > On Fri, 30 Mar 2001, Colin Faber wrote:
> > >
> > > > Come on guys, This is getting old, Can you block this junk?
> > >
> > > How would you suggest that is done?  Magical anticipation of spam posts?
> >
> > Posts allowed only by subscribers?  Many lists do it these days.
>
> So the magical spambot subscribes and posts.  There's no solution.  Just
> click delete yo.
>
> -C

From owner-freebsd-security Fri Mar 30 23:21:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id AE9F737B71A for ; Fri, 30 Mar 2001 23:21:19 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2V7LER43866; Fri, 30 Mar 2001 23:21:14 -0800 (PST) (envelope-from oldfart@gtonet.net)
Reply-To:
From: "oldfart@gtonet"
To: "Chris Byrnes"
Cc:
Subject: RE: Donation For Earthquake Relief Work [moved back]
Date: Fri, 30 Mar 2001 23:21:09 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yeah, that extra 5-10 seconds it takes to type a username/password must be
Hell for some. Luckily most modern browsers have an "auto complete" feature
which will remember your login for you. Cookies might be of help as well.
If you're referring to reading a forum, it takes the same amount of time to
read a message no matter if it's e-mail based or web based. In fact, if it
were a forum you could easily skip threads of no interest without having to
delete e-mail(s).

Again, just my 2 cents,
OF

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris Byrnes
> Sent: Friday, March 30, 2001 11:12 PM
> To: oldfart@gtonet
> Cc: freebsd-security@FreeBSD.ORG; freebsd-chat@FreeBSD.ORG
> Subject: RE: Donation For Earthquake Relief Work [moved]
>
>
> > Spoken like a true spammer. Spammers often defend their actions by saying
> > "you can always delete it." Well, that's just not good enough for me. It,
> > most certainly, WOULD help to limit posting to subscribers. It might not
> > stop all the spam but it would some. Personally, I'd like to see the lists
> > moved to a web bulletin board type forum. Then you don't get e-mails for
> > subjects that aren't of interest and you can browse and post (if
> > registered/subscribed) from any browser. The archives are nice but you can't
> > post without an e-mail account. Spammers prefer e-mail so using a forum
> > might even stop more spam. I'm pretty sure FreeBSD could handle a web based
> > forum :)
>
> ..an age-old discussion.  Most of us don't have time to login to forums,
> etc., unfortunately.
>
> -C

From owner-freebsd-security Fri Mar 30 23:39:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 3D5F237B719 for ; Fri, 30 Mar 2001 23:39:44 -0800 (PST) (envelope-from ben@scientia.demon.co.uk)
Received: from strontium.scientia.demon.co.uk ([fec0::2e0:7dff:fe81:749d]) by scientia.demon.co.uk with esmtp (Exim 3.22 #1) id 14jFyt-0004Tn-00; Sat, 31 Mar 2001 08:39:31 +0100
Received: (from ben@localhost) by strontium.scientia.demon.co.uk (8.11.3/8.11.3) id f2V7dV087813; Sat, 31 Mar 2001 08:39:31 +0100 (BST) (envelope-from ben)
Date: Sat, 31 Mar 2001 08:39:31 +0100
From: Ben Smithurst
To: "oldfart@gtonet"
Subject: Re: Donation For Earthquake Relief Work
Message-ID: <20010331083931.I97985@strontium.scientia.demon.co.uk>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

oldfart@gtonet wrote:

> Personally, I'd like to see the lists moved to a web bulletin board
> type forum.

You're joking, right?

How do you suggest we download all the messages on a web-based bulletin
board and read them offline?  Or search them, easily, offline?  Or are
you just conveniently forgetting those of us who don't have the luxury
of permanent Internet connectivity?

This is off-topic for -security anyway.
-- 
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

From owner-freebsd-security Fri Mar 30 23:41:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id E38E237B718 for ; Fri, 30 Mar 2001 23:41:03 -0800 (PST) (envelope-from ben@scientia.demon.co.uk)
Received: from strontium.scientia.demon.co.uk ([fec0::2e0:7dff:fe81:749d]) by scientia.demon.co.uk with esmtp (Exim 3.22 #1) id 14jG0D-0004ub-00; Sat, 31 Mar 2001 08:40:53 +0100
Received: (from ben@localhost) by strontium.scientia.demon.co.uk (8.11.3/8.11.3) id f2V7erZ92540; Sat, 31 Mar 2001 08:40:53 +0100 (BST) (envelope-from ben)
Date: Sat, 31 Mar 2001 08:40:53 +0100
From: Ben Smithurst
To: Colin Faber
Cc: Chris Byrnes , Mitch Collinsworth , freebsd-security@FreeBSD.ORG
Subject: Re: Donation For Earthquake Relief Work
Message-ID: <20010331084053.J97985@strontium.scientia.demon.co.uk>
References: <3AC583C3.9C4CCC4D@fpsn.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AC583C3.9C4CCC4D@fpsn.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Colin Faber wrote:

> I don't know how well that would work, How about just having the list
> server read the X-Mailer? 90% of the spam I've seen on this and other
> @freebsd.org lists has been X-Mailer tag free.

So is mail sent by Pine or any recent version of Mutt, both VERY popular
Unix mail clients, so you'll have to do better than that.
:-)

-- 
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

From owner-freebsd-security Sat Mar 31 00:07:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mls.gtonet.net (mls.gtonet.net [216.112.90.195]) by hub.freebsd.org (Postfix) with ESMTP id 734B437B719 for ; Sat, 31 Mar 2001 00:07:26 -0800 (PST) (envelope-from oldfart@gtonet.net)
Received: from pld (pld.gtonet.net [216.112.90.200]) by mls.gtonet.net (8.11.3/8.11.3) with SMTP id f2V87RR44012 for ; Sat, 31 Mar 2001 00:07:27 -0800 (PST) (envelope-from oldfart@gtonet.net)
Reply-To:
From: "oldfart@gtonet"
To: "freebsd-security@FreeBSD.ORG"
Subject: RE: Donation For Earthquake Relief Work
Date: Sat, 31 Mar 2001 00:07:22 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20010331083931.I97985@strontium.scientia.demon.co.uk>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No, I'm not joking. While you have to go online to get mail you could also
visit the forum. Surely you do browse the web anyway? Think of the thousands
of e-mails that wouldn't have to be sent, only to be deleted anyway. I don't
subscribe to -stable, -current, -questions or -chat just because of the
wasted time deleting hundreds of posts that are of no interest. I'd like to
read them, and I surely can use the web-archive but as I already said you
have to send an e-mail to post. Just as modern browsers can remember logins
and passwords, some also allow you to "work offline": IE and Netscape (the 2
most popular) at least, surely others. As for searching, IE and Netscape
also have a "find" (find in page or find on this page) feature.
Welcome to the 21st century.

I don't know that SPAM isn't a security concern. I don't want spammers on or
using my network. That's what this thread was about: ways of dealing with
them. I certainly don't want to cross-post to -chat or any other list whether
I'm subscribed or not.

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ben Smithurst
> Sent: Friday, March 30, 2001 11:40 PM
> To: oldfart@gtonet
> Subject: Re: Donation For Earthquake Relief Work
>
>
> oldfart@gtonet wrote:
>
> > Personally, I'd like to see the lists moved to a web bulletin board
> > type forum.
>
> You're joking, right?
>
> How do you suggest we download all the messages on a web-based bulletin
> board and read them offline?  Or search them, easily, offline?  Or are
> you just conveniently forgetting those of us who don't have the luxury
> of permanent Internet connectivity?
>
> This is off-topic for -security anyway.
>
> --
> Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

From owner-freebsd-security Sat Mar 31 00:20:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id B996837B718 for ; Sat, 31 Mar 2001 00:20:23 -0800 (PST) (envelope-from ben@scientia.demon.co.uk)
Received: from strontium.scientia.demon.co.uk ([fec0::2e0:7dff:fe81:749d]) by scientia.demon.co.uk with esmtp (Exim 3.22 #1) id 14jGcK-0007N3-00; Sat, 31 Mar 2001 09:20:16 +0100
Received: (from ben@localhost) by strontium.scientia.demon.co.uk (8.11.3/8.11.3) id f2V8KFf79305; Sat, 31 Mar 2001 09:20:16 +0100 (BST) (envelope-from ben)
Date: Sat, 31 Mar 2001 09:20:15 +0100
From: Ben Smithurst
To: "oldfart@gtonet"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Donation For Earthquake Relief Work
Message-ID: <20010331092015.K97985@strontium.scientia.demon.co.uk>
References: <20010331083931.I97985@strontium.scientia.demon.co.uk>

oldfart@gtonet wrote:

> No, I'm not joking. While you have to go online to get mail you could also
> visit the forum.

Not as quickly as I can download all my mail to read offline.

> Surely you do browse the web anyway?

Yes, when I have something specific to look for. I don't want to have to do
it all the time just to read mail.

> As for searching, IE and Netscape also have a "find" (find in page or
> find on this page) feature. Welcome to the 21st century.

Do they allow as complex searches as Mutt does? I doubt it. Does the "find"
feature of the browser search all posts in a particular group? No, it would
just search the currently displayed post, or whatever. Would a server-side
search function to do that work offline? No.

These are just some of the reasons web interfaces to mailing lists suck.
The fact that most browsers are unreliable pieces of shit is another.

> I don't know that SPAM isn't a security concern. I don't want spammers on or
> using my network.

Does that make it on-topic for -security? Not really.
--
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

From owner-freebsd-security Sat Mar 31 2: 3:13 2001
Message-ID: <000f01c0b9ca$83d34f90$bf960340@skinflutei32jg>
From: "Jason DiCioccio"
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Donation For Earthquake Relief Work
Date: Sat, 31 Mar 2001 02:08:20 -0800

http://docs.freebsd.org/

Look at the mailing list section, that's as close as you're going to get.
(Geocrawler probably archives it too)

Cheers,
-JD-

----- Original Message -----
From: "oldfart@gtonet"
To: "freebsd-security@FreeBSD.ORG"
Sent: Saturday, March 31, 2001 12:07 AM
Subject: RE: Donation For Earthquake Relief Work

> No, I'm not joking. While you have to go online to get mail you could also
> visit the forum. Surely you do browse the web anyway? Think of the thousands
> of e-mails that wouldn't have to be sent, only to be deleted anyway. I don't
> subscribe to -stable, -current, -questions or -chat just because of the
> wasted time deleting hundreds of posts that are of no interest.
> I'd like to
> read them, and I surely can use the web-archive but as I already said you
> have to send an e-mail to post. Just as modern browsers can remember logins
> and passwords some also allow you to "work offline" IE and Netscape (the 2
> most popular) at least, surely others. As for searching, IE and Netscape
> also have a "find" (find in page or find on this page) feature. Welcome to
> the 21st century.
>
> I don't know that SPAM isn't a security concern. I don't want spammers on or
> using my network. That's what this thread was about. Ways of dealing with
> them. I certainly don't want to cross-post to -chat or any other list
> whether I'm subscribed or not.
>
> [...]
From owner-freebsd-security Sat Mar 31 2:16:26 2001
From: "Some Person"
To: freebsd-security@FreeBSD.ORG
Subject: Xircom xe2000, 10/100 PC Card..
Date: Sat, 31 Mar 2001 10:16:24

Hi, I know this isn't the list to send this to, but I'm already on a lot of
mailing lists and it's just too much to handle as is. ipf, freebsd-security,
etc.. etc..

Just wondering if anyone has had any success using a Xircom 10/100 PC Card
Type III NIC on a laptop with FreeBSD? Model is like xe2000 or something..
If so, please let me know, as I really need this for my security analysis at
a couple of client sites in which I'll be setting up the firewalls and need
to test with the laptop inside and out... This is the main reason I bought a
laptop but don't want to have to revert to Linux if not needed. :(

Thanks!
From owner-freebsd-security Sat Mar 31 3: 0:33 2001
Message-Id: <200103311212.NAA24138@mailgate.kechara.net>
Date: Sat, 31 Mar 2001 12:03:29 +0100
To: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: Donation For Earthquake Relief Work
Reply-To: lee@kechara.net
Organization: Kechara Internet

If no-one replied to the posts, there wouldn't be so much of a problem!
Instead, now I've had to waste my time deleting 10+ emails on the irrelevant
topic, rather than the original 1. If it is nothing relating to the list,
and it is obviously spam, then delete it without replying!

Thank you.

30/03/2001 19:08:20, "Jason DiCioccio" wrote:

>http://docs.freebsd.org/
>
>Look at mailing list section, that's as close are you're going to get.
>(Geocrawler probably archives it too)
>
>Cheers,
>-JD-
>
>
>----- Original Message -----
>From: "oldfart@gtonet"
>To: "freebsd-security@FreeBSD.ORG"
>Sent: Saturday, March 31, 2001 12:07 AM
>Subject: RE: Donation For Earthquake Relief Work
>
>
>> No, I'm not joking.
>> [...]
--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Sat Mar 31 3:42:53 2001
Message-Id: <200103311049.FAA20431@easeway.com>
Subject: Re: Xircom xe2000, 10/100 PC Card..
In-Reply-To: from Some Person at "Mar 31, 1 10:16:24 am"
To: ntvsunix@hotmail.com (Some Person)
Date: Sat, 31 Mar 101 05:49:18 -0500 (EST)
Cc: freebsd-security@FreeBSD.ORG
From: mwlucas@exceptionet.com

Check the freebsd-mobile mailing list archives. The Xircom card has been
beaten to death there.

> Hi, I know this isn't the list to send this to but i'm already one a lot of
> mailing lists and just too much to handle as is. ipf, freebsd-security,
> etc.. etc..
>
> Just wondering if anyone has had any success using a Xircom 10/100 PC Card
> Type III? Nic on a laptop with FreeBSD?
> Model is like xe2000 or something..
> If so, please let me know as I really need this for my security analysis at
> couple of client sites in which i'll be setting up the firewalls and need to
> test with laptop inside and out... This is the main reason I bought a laptop
> but don't want to have to revert to Linux if not needed. :(
>
> Thanks!

--
Michael Lucas | Exceptionet, Inc. | www.exceptionet.com
"Exceptional Networking" |

From owner-freebsd-security Sat Mar 31 10:17:42 2001
Date: Sat, 31 Mar 2001 22:17:31 +0400 (MSD)
From: "Ilmar S. Habibulin"
Subject: pam_unix logging patch

Here is a patch to log user logins and logouts, which I made in 15 minutes
while studying login and PAM.
Why not use LOG_AUTH and pam_system_log() with other useful PAM functions
to log different events? And I don't understand why not move half of the
login stuff to PAM modules, or even use only PAM without ifdefs?

PS. The patch is against -current.

[attachment: pam_unix.c.patch]
From owner-freebsd-security Sat Mar 31 10:51:40 2001
Date: Sat, 31 Mar 2001 22:51:35 +0400 (MSD)
From: "Ilmar S. Habibulin"
Subject: that's for sshd

To make my previous patch happy, because auth-pam.c didn't set the PAM
hostname. :( Strange.

What do you guys think of the proposed changes? They are not complete, just
samples of my thoughts. So don't be too critical, please.
[attachment: auth-pam.c.patch]

From owner-freebsd-security Sat Mar 31 11: 6:14 2001
Date: Sat, 31 Mar 2001 13:06:03 -0600
Message-Id: <200103311906.NAA02613@mail.netaddress.com>
To: freebsd-security@FreeBSD.ORG
From: lucy@aol.com
Subject: A message to freebsd-security@FreeBSD.ORG

Are you bored and want some excitement?
Las Vegas Has Just Shown Up In Your Neighbourhood!
In fact, you won't even have to leave your computer!

Queensclub Online Casino Advantages:

* Play in your pyjamas
* Play for fun option (without gambling money)
* Free money to play with!
* Confidential and safe
* No travel headaches
* No hotel bill surprises
* Take your time playing!
* Play with your credit card
* Get advice as you play!
* Almost 98% payout!

This could be your lucky day! Give us a try!
http://www.chickpics.com/casino/

What do our satisfied visitors think about us?

PAULM, A ,460 Jackpot winner from Georgia: "That's when I decided to throw
caution to the wind. I just put the whole wad into the machine and on my
tenth try -- BINGO! almost 150,000 dollars!"

BOSSMAN48, A Jackpot winner from Michigan: "After throwing out bets for 20
minutes or so at the JacksOrBetter game, my one big bet made me a richer
man. I pulled down a royal flush!!!!!!!"

5666777, A Jackpot winner from New Jersey: "After four or five unsuccessful
bets I gave it a rest and went to pick up a sandwich from the fridge. Then,
after a couple of bites and a couple of pulls on the slot machine, it
happened!!! I HIT THE JACKPOT!"

RIVER, ,878 jackpot winner from Canada: "I couldn't believe it as the money
suddenly showed in my account! We both jumped so quickly, we almost knocked
the PC off the table."

This could be your lucky day! Give us a try!
http://www.chickpics.com/casino/

This message was sent to freebsd-security@FreeBSD.ORG. If you do not wish to
receive more emails from me, just click on the link below.
http://www.kiatou.com/cgi-bin/remove.cgi