From owner-freebsd-security Sun Apr 29 6:22:50 2001
From: Christoph Kukulies
To: security@freebsd.org
Date: Sun, 29 Apr 2001 15:22:45 +0200
Subject: [The@FreeBSD.ORG: ]
Message-ID: <20010429152245.A46753@gil.physik.rwth-aachen.de>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I received this spam.

----- Forwarded message from The@FreeBSD.ORG, Slot@FreeBSD.ORG, Shop@FreeBSD.ORG -----

From: The@FreeBSD.ORG, Slot@FreeBSD.ORG, Shop@FreeBSD.ORG
Date: Sun, 29 Apr 2001 04:45:51
To: kuku@FreeBSD.ORG
Subject:

----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Sun Apr 29 6:27:56 2001
From: "TJ" <tjtee@hotmail.com>
To: "FreeBSD questions", "FreeBSD security", "ipfilter"
Date: Sun, 29 Apr 2001 23:29:19 +1000
Subject: can http-gw proxy be used to protect against port number?

I have successfully got http-gw-proxy running. I was reading the man page; however, I didn't seem to find anything related to how I could set this proxy to prohibit access to some dangerous websites. Is there a way of doing so? (Or is there any other proxy that runs on FreeBSD and has this capability?)

How can I also open other ports besides the one I specified for http-gw? Do I have to run another instance for, say, a RealAudio application?

Thanks for advising.


From owner-freebsd-security Sun Apr 29 16: 3:46 2001
From: Kris Kennaway <kris@obsecurity.org>
To: Christoph Kukulies
Cc: security@freebsd.org
Date: Sun, 29 Apr 2001 16:03:43 -0700
Subject: Re: [The@FreeBSD.ORG: ]
Message-ID: <20010429160343.A90168@xor.obsecurity.org>
In-Reply-To: <20010429152245.A46753@gil.physik.rwth-aachen.de>

On Sun, Apr 29, 2001 at 03:22:45PM +0200, Christoph Kukulies wrote:
> Hi,
>
> I received this spam.

And how is this a security matter?

Kris


From owner-freebsd-security Mon Apr 30 1:59:35 2001
From: Jamie Heckford <heckfordj@psi-domain.co.uk>
To: Wes Peters
Cc: freebsd-security@freebsd.org
Date: Mon, 30 Apr 2001 10:57:11 +0100
Subject: Re: User-Agent
Message-ID: <20010430105711.A44631@storm.psi-domain.co.uk>
Reply-To: heckfordj@psi-domain.co.uk
In-Reply-To: <3AE82DED.7798C0A1@softweyr.com>

Not really fussed - more of a question that came out of curiosity. Can't see any *decent* reason to change this anyway!

Jamie

On 2001.04.26 15:17 Wes Peters wrote:
> Jamie Heckford wrote:
> >
> > Hmm.
> >
> > Attempting to modify these values returns:
> >
> > sysctl: oid 'kern.version' is read only
> >
> > Any way of changing these then?
>
> Recompile your kernel after editing the appropriate parts of the source.
> I'm certainly not going to bother tracking those down for such a silly
> exercise.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters
> Softweyr LLC
> wes@softweyr.com
> http://softweyr.com/

--
Jamie Heckford
Network Operations Manager
Psi-Domain - Innovative Linux Solutions. Ask Us How.
FreeBSD - The power to serve
Join our mailing list and stay informed by emailing majordomo@psi-domain.co.uk with the line: subscribe collective
=====================================
email: heckfordj@psi-domain.co.uk
web: http://www.psi-domain.co.uk/
tel: +44 (0)1737 789 246
fax: +44 (0)1737 789 245
mobile: +44 (0)7866 724 224
=====================================


From owner-freebsd-security Mon Apr 30 11:23:47 2001
From: Greg Haa <Greg.Haa@amux.com>
To: "'freebsd-security@FreeBSD.ORG'"
Date: Mon, 30 Apr 2001 11:23:39 -0700
Subject: Named Security
Message-ID: <2BFD35C3F1F9D31185CE00B0D02023028386D1@SUNKING>

Hello, my name is Greg. I am writing because I think someone inside my company is attacking named and crashing it. Now I am upgrading to 9.1.0 to get rid of the problem, but I wanted to know if there is a piece of software to allow me to track connections and what took place during the connection, to determine where this is coming from. So I can break some knee caps.

Also, as I try this upgrade I am getting permission denied errors. During bootup named will not start:

    Doing additional network setup: named/etc/rc: /usr/local/sbin: permission denied portmap

Any ideas? FreeBSD 4.2-RELEASE and self-built bind-9.1.0.

Thanks in advance

Greg Haa


From owner-freebsd-security Mon Apr 30 15:14:37 2001
From: duke <void@void.ru>
To: Jamie Heckford
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 1 May 2001 02:15:35 +0400
Subject: Re[2]: User-Agent
Message-ID: <954018880.20010501021535@void.ru>
Reply-To: duke
In-Reply-To: <20010430105711.A44631@storm.psi-domain.co.uk>

>> Recompile your kernel after editing the appropriate parts of the source.

Don't do it - it will screw up many configure scripts which take the kernel version from uname. I suggest you use the securebsd.org patches, which enable the user to modify kern.version dynamically, so you can solve the task of changing uname and will be able to switch this off when installing something.

/duke


From owner-freebsd-security Mon Apr 30 16: 2:46 2001
From: Daniel Hagan <dhagan@colltech.com>
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Date: Mon, 30 Apr 2001 19:06:20 -0400
Subject: Re: Named Security
Message-ID: <3AEDEFEC.206204BE@colltech.com>

Greg Haa wrote:
>
> ... I wanted to know if there is a piece of
> software to allow me to track connections and what took place during the
> connection to determine where this is coming from. So I can break some
> knee caps.

Tcpdump or some other packet sniffer would allow you to track the traffic to and from the machine. BIND also has an option to track what queries are being generated and from whence they came (don't recall how to enable it from memory).

> Also as I try this upgrade I am getting permission denied
> errors. During bootup named will not start--->
>
> Doing additional network setup: named/etc/rc: /usr/local/sbin: permission
> denied portmap

Sorry, don't think I can help you there. What startup scripts are you using?

Daniel

--
Consultant, Collective Technologies http://www.collectivetech.com/
Use PGP for confidential e-mail. http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1
3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1


From owner-freebsd-security Mon Apr 30 17:28: 4 2001
From: Mark.Andrews@nominum.com
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Date: Tue, 01 May 2001 10:26:55 +1000
Subject: Re: Named Security
Message-Id: <200105010027.f410Quv50871@drugs.dv.isc.org>
In-reply-to: Your message of "Mon, 30 Apr 2001 11:23:39 MST." <2BFD35C3F1F9D31185CE00B0D02023028386D1@SUNKING>

> Hello my name is greg. I am writing because I think someone inside my
> company is attacking named and crashing it. Now I am upgrading to 9.1.0

BIND 9.1.1 is the current release, and it works around some bugs in the FreeBSD 4.2 TCP implementation that were found after BIND 9.1.0 was released.

> to get rid of the problem but I wanted to know if there is a piece of
> software to allow me to track connections and what took place during the
> connection to determine where this is coming from. So I can break some
> knee caps. Also as I try this upgrade I am getting permission denied
> errors. During bootup named will not start--->
>
> Doing additional network setup: named/etc/rc: /usr/local/sbin: permission
> denied portmap

check /etc/rc.conf

    /etc/rc.conf:
    named_enable="YES"
    named_program="/usr/local/sbin/named"
    named_flags=""

> Any ideas? Freebsd 4.2--RELEASE and self built bind-9.1.0
>
> Thanks in advance
>
> Greg Haa

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com


From owner-freebsd-security Mon Apr 30 23:52:37 2001
From: tiba-yamamoto@open.prop.or.jp
To: freebsd-security@FreeBSD.ORG
Date: Tue, 01 May 2001 15:49:27 +0900
Message-Id: <200105010649.AA00324@ibaraki3.open.prop.or.jp>

auth 20aa31d1 subscribe freebsd-security tiba-yamamoto@open.prop.or.jp
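Daniel's reply mentions BIND's option for recording queries without giving the syntax, and Mark's shows only the rc.conf side. The fragment below is an added example, not text from either message: it is the BIND 9 named.conf logging statement that writes every incoming query, with the client address, to its own file, which is the information Greg wanted for working out where the traffic comes from. The channel name, file path and rotation values are assumptions.

```conf
// Added example (not from the thread): BIND 9 query logging.
// Assumptions: channel name, file path, rotation values.
logging {
    channel query_log {
        // Three rotated generations of up to 5 MB each; the directory
        // must be writable by the user named runs as (see named_flags).
        file "/var/log/named/query.log" versions 3 size 5m;
        severity info;          // queries are logged at info
        print-time yes;         // timestamp each line
        print-category yes;
    };
    // "queries" is BIND 9's category for received queries. Giving it a
    // channel is enough to start query logging when named starts.
    category queries { query_log; };
};
```

One caveat a practitioner would want here: named only logs a query it managed to parse, so a malformed packet that crashes the server may never reach this file. Pair it with the packet capture Daniel suggests, written to disk rather than the terminal (for example `tcpdump -n -w named.pcap port 53`), and read the last packets before each crash against the query log.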
From owner-freebsd-security Tue May 1 13:16:34 2001
From: Alex Popa <razor@ldc.ro>
To: security@FreeBSD.org
Date: Tue, 1 May 2001 23:16:16 +0300
Subject: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501231616.A40227@ldc.ro>

The reason why this bothers me is that I sometimes use ssh to tunnel ssh connections (blowfish encryption in a 3DES tunnel, anyone?) to hosts I cannot otherwise reach (i.e. non-routable address space, 192.168.0.0/16) or to hosts which only accept connections from certain IPs. I sometimes do not fully trust the hosts I use as relays, so it would be nice if SSH could show me the key fingerprint and let me decide if I want to connect, not just accept any key.

Example:

(setting up the support tunnel)

    #ssh some.host.example.org -l me -C -L 222:192.168.1.2:22

(connects OK)

(switch VTs)

    # ssh 127.0.0.1 -v -C -l root -p 222
    SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090600f).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: ssh_connect: getuid 0 geteuid 0 anon 0
    debug: Connecting to (null) [127.0.0.1] port 222.
    debug: Allocated local port 1015.
    debug: Connection established.
    debug: Remote protocol version 1.5, remote software version 1.2.27
    debug: no match: 1.2.27
    debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
    debug: Waiting for server public key.
    debug: Received server public key (1152 bits) and host key (1024 bits).
    ---
    debug: Forcing accepting of host key for loopback/localhost.
    ---
    debug: Encryption type: 3des
    debug: Sent encrypted session key.
    debug: Installing crc compensation attack detector.
    debug: Received encrypted confirmation.
    debug: Remote: Server does not permit empty password login.
    debug: Doing password authentication.
    root@127.0.0.1's password:

As you can see from the separated line, ssh does not even ask if I want to accept the key. If I set up a different tunnel, I get no warning message about the key change.

Is there a way to tell ssh to ask me about that key, and even keep different keys in my known_hosts file, for example for 127.0.0.1, 127.1, 127.0.1 (which are the same IP, but in different formats, so I can store the keys once and then leave ssh to check if they are unchanged)?

[Sorry if I do not make a lot of sense, this has been a long day]

Have Fun!

------------+------------------------------------------
Alex Popa, | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."


From owner-freebsd-security Tue May 1 13:24: 3 2001
From: Mipam <mipam@virginia.edu>
To: Alex Popa
Cc: security@FreeBSD.ORG
Date: Tue, 1 May 2001 16:23:54 -0400
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501162354.A282@bootp-20-219.bootp.virginia.edu>
Reply-To: mipam@ibb.net
In-Reply-To: <20010501231616.A40227@ldc.ro>

On Tue, May 01, 2001 at 11:16:16PM +0300, Alex Popa wrote:
> The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> connections (blowfish encryption in a 3DES tunnel, anyone?)

Some people think that using encryption to encrypt already encrypted data is doubly secure. This is in general certainly not true. Instead, sometimes it only becomes easier to crack it. So I wouldn't advise using ssh in an ssh tunnel, to avoid possible problems like that.

Bye,

Mipam.


From owner-freebsd-security Tue May 1 14: 4:53 2001
From: Graywane <graywane@home.com>
To: security@FreeBSD.ORG
Date: Tue, 1 May 2001 17:04:50 -0400
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501170450.A93007@home.com>
In-Reply-To: <20010501162354.A282@bootp-20-219.bootp.virginia.edu>

On Tue, May 01, 2001 at 04:23:54PM -0400, Mipam wrote:
> On Tue, May 01, 2001 at 11:16:16PM +0300, Alex Popa wrote:
> > The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> > connections (blowfish encryption in a 3DES tunnel, anyone?)
>
> Some people think that using encryption to encrypt already encrypted data
> is doubly secure. This is in general certainly not true.
> Instead, sometimes it only becomes easier to crack it.
> So I wouldn't advise using ssh in an ssh tunnel, to avoid possible
> problems like that.

You are missing the point. Let's say you are connecting from machine A to machine B using ssh. You set up a port forward so that connections to machine B at port 9999 are forwarded to machine A at port 22. Now you connect from machine C to port 9999 of machine B using ssh. As long as you trust ssh on machine C and sshd on machine A, then encrypting the second tunnel avoids problems with the marginally trusted machine B (assuming you check your host key fingerprints). It also allows you to bind sshd on machine A to 127.0.0.1 rather than 0.0.0.0.

--
Note: See http://www.members.home.net/graywane/ for PGP information.


From owner-freebsd-security Tue May 1 14:10:28 2001
From: "Charles Ulysses Farley" <oldfart@gtonet.net>
To: "security@FreeBSD. ORG"
Date: Tue, 1 May 2001 14:10:21 -0700
Subject: RE: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
In-Reply-To: <20010501162354.A282@bootp-20-219.bootp.virginia.edu>

It *may* be less secure to ssh through an ssh tunnel, but it is sometimes necessary if the machine on the other end of the tunnel has telnet closed and only allows ssh.

Charles

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mipam
> Sent: Tuesday, May 01, 2001 1:24 PM
> To: Alex Popa
> Cc: security@FreeBSD.ORG
> Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on
> non-default ports
>
>
> On Tue, May 01, 2001 at 11:16:16PM +0300, Alex Popa wrote:
> > The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> > connections (blowfish encryption in a 3DES tunnel, anyone?)
>
> Some people think that using encryption to encrypt already encrypted data
> is doubly secure. This is in general certainly not true.
> Instead, sometimes it only becomes easier to crack it.
> So I wouldn't advise using ssh in an ssh tunnel, to avoid possible
> problems like that.
> Bye,
>
> Mipam.


From owner-freebsd-security Tue May 1 17:33: 6 2001
From: Daniel Hagan <dhagan@colltech.com>
To: oldfart@gtonet.net
Cc: "security@FreeBSD. ORG"
Date: Tue, 01 May 2001 20:36:41 -0400
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <3AEF5699.9CE7939A@colltech.com>

Double encryption is only a big problem when done using the same cipher system (as I recall). I suspect using different ciphers, as the original author indicated, would be fine.

As far as the original question: Try setting StrictHostKeyChecking to 'yes' either in your configuration file or on the command line (with -o ...). You'll have to manually update the known_hosts file when you change tunnels (or run ssh w/o the SHKC directive). I suspect you could manually change the IPs in the known_hosts file to other 127.x.x.x ones as long as you remembered which IP went to which tunnel. See the ssh(1) manpage for more info.

I haven't tested this, so YMMV.

Daniel

Charles Ulysses Farley wrote:
>
> It *may* be less secure to ssh through an ssh tunnel, but it is sometimes
> necessary if the machine on the other end of the tunnel has telnet closed
> and only allows ssh.
>
> Charles
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mipam
> >
> > Some people think that using encryption to encrypt already encrypted data
> > is doubly secure. This is in general certainly not true.
> > Instead, sometimes it only becomes easier to crack it.
> > So I wouldn't advise using ssh in an ssh tunnel, to avoid possible
> > problems like that.
> > Bye,
> >
> > Mipam.

--
Consultant, Collective Technologies http://www.collectivetech.com/


From owner-freebsd-security Tue May 1 22: 2:40 2001
From: Peter Pentchev <roam@orbitel.bg>
To: Daniel Hagan
Cc: oldfart@gtonet.net, "security@FreeBSD. ORG"
Date: Wed, 2 May 2001 08:00:45 +0300
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010502080045.A73979@ringworld.oblivion.bg>
In-Reply-To: <3AEF5699.9CE7939A@colltech.com>

On Tue, May 01, 2001 at 08:36:41PM -0400, Daniel Hagan wrote:
> Double encryption is only a big problem when done using the same cipher
> system (as I recall). I suspect using different ciphers, as the
> original author indicated, would be fine.
>
> As far as the original question: Try setting StrictHostKeyChecking to
> 'yes' either in your configuration file or on the command line (with -o
> ...). You'll have to manually update the known_hosts file when you
> change tunnels (or run ssh w/o the SHKC directive). I suspect you could
> manually change the IPs in the known_hosts file to other 127.x.x.x ones
> as long as you remembered which IP went to which tunnel. See the ssh(1)
> manpage for more info.
>
> I haven't tested this, so YMMV.

Actually, I don't think this will help; looking around lines 490-500 of src/crypto/openssh/sshconnect.c, it seems the localhost check forces acceptance of the key regardless of any options. I just tested this, and indeed, StrictHostKeyChecking has no effect on localhost connections :(

If the original poster took his fix from a newer OpenSSH source, then I guess it will be imported into FreeBSD with the next OpenSSH import.

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.
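The behaviour Peter confirmed, next to the behaviour Alex asked for, modelled in Python. This is an added example and not OpenSSH source: the thread reports only what the client does (a loopback peer is accepted before known_hosts or StrictHostKeyChecking are consulted), so the model reproduces that decision and puts it beside a variant that keys the host-key store by (address, port), which is what lets two tunnels on different local ports hold different keys while a substituted key on an existing tunnel is still refused. Assumptions: the loopback test is on the first octet of the normalised peer address (so 127.1 and 127.0.1 collapse to 127.0.0.1, as inet_aton does), and the key strings are constructed placeholders.

```python
"""Model of the OpenSSH host-key decision discussed in this thread.
Added example, not OpenSSH code: it reproduces the reported behaviour
(loopback peers skip the host-key check regardless of StrictHostKeyChecking)
beside a variant keyed by (address, port). Keys below are constructed."""

import hashlib
import socket


class HostKeyChanged(Exception):
    pass


class UnknownHostKey(Exception):
    pass


def canonical_addr(text):
    """Normalise inet_aton shorthand: '127.1' and '127.0.1' are both 127.0.0.1.
    This is why keeping separate known_hosts entries per spelling only works
    while the client does not canonicalise the address first."""
    return socket.inet_ntoa(socket.inet_aton(text))


def fingerprint(pubkey):
    """MD5 fingerprint in the colon-separated form ssh printed at the time."""
    hexdigest = hashlib.md5(pubkey).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _verify(store, key, offered, strict):
    """Shared comparison. Unknown entry: recorded (strict=False, the 'ask'
    path with the answer taken as yes) or refused (strict=True).
    A mismatching entry is refused in both modes."""
    stored = store.get(key)
    if stored is None:
        if strict:
            raise UnknownHostKey("%r: no known_hosts entry, fingerprint %s"
                                 % (key, fingerprint(offered)))
        store[key] = offered
        return "added"
    if stored != offered:
        raise HostKeyChanged("%r: key changed, now %s"
                             % (key, fingerprint(offered)))
    return "ok"


def check_loopback_shortcut(store, addr, port, offered, strict=True):
    """Behaviour reported in the thread: any 127.x.x.x peer is accepted
    before the store or the strict flag are looked at. `port` is unused
    because the old store was keyed by address alone."""
    addr = canonical_addr(addr)
    if addr.split(".")[0] == "127":   # assumption: the test is on the first octet
        return "forced-accept"
    return _verify(store, addr, offered, strict)


def check_per_port(store, addr, port, offered, strict=True):
    """Hardened variant: no loopback exemption, entry keyed by (address, port),
    so 127.0.0.1:222 and 127.0.0.1:223 may legitimately hold different keys."""
    return _verify(store, (canonical_addr(addr), port), offered, strict)


def demo():
    """Two tunnels on different local ports, then a relay that swaps the key."""
    key_a = b"ssh-rsa AAAA...host-a (constructed)"
    key_b = b"ssh-rsa AAAA...host-b (constructed)"
    key_x = b"ssh-rsa AAAA...relay-substituted (constructed)"
    results = {}

    # Shortcut: every key is taken, the substituted one included.
    results["shortcut_first"] = check_loopback_shortcut({}, "127.1", 222, key_a)
    results["shortcut_swapped"] = check_loopback_shortcut({}, "127.0.1", 222, key_x)

    # Per-port store: record each tunnel once, then refuse a changed key.
    store = {}
    results["perport_first"] = check_per_port(store, "127.0.0.1", 222, key_a, strict=False)
    results["perport_second_tunnel"] = check_per_port(store, "127.1", 223, key_b, strict=False)
    results["perport_repeat"] = check_per_port(store, "127.0.1", 222, key_a)
    try:
        check_per_port(store, "127.0.0.1", 222, key_x)
        results["perport_swapped"] = "accepted"
    except HostKeyChanged:
        results["perport_swapped"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22s %s" % (name, outcome))
```

The point of `check_per_port` is the last two outcomes: a second tunnel on another local port gets its own entry instead of a spurious changed-key warning, and a relay that substitutes its own key on an existing tunnel is refused rather than silently accepted. As an aside not drawn from the thread, later OpenSSH releases expose this naming choice directly through the `HostKeyAlias` option in ssh_config(5), which lets each tunnel be checked under its own name.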
From owner-freebsd-security Tue May 1 22:23:25 2001
From: Everett F Batey <efb@cotdazr.org>
To: security@freebsd.org
Cc: efb-all@cotdazr.org
Date: Tue, 1 May 2001 22:23:17 -0700
Subject: Re: [GorrellCD@phdnswc.navy.mil: ]
Message-ID: <20010501222316.B14264@cotdazr.org>
Reply-To: efb-all@vhwy.com
In-Reply-To: <20010501220704.A14264@cotdazr.org>

Dear FreeBSD Security Guru,

I need some guidance. My employer, with which I have had problems over the past 5 years, has suggested I (or my IP) am (/is) trying to attack his IP space on UDP 111, and sent me the below attached log file. I am running a pretty sanitized version of FreeBSD 2.2.8 at my home, with many patches. Hope soon to be able to go 4.X but can NOT now.

I am concerned about several possibilities: (1) I could have been root kitted, (2) someone could be spoofing my primary address, or (3) I am getting some fully B/s stories about what is showing up at the far end on their firewall.

I do not know of anything that I do which would cause my FBsd to poke at port 111 on the supposed system at the far end (per attachment). That IP IS a computer running Solaris which I have done work INSIDE semi-firewalled 137.24/16. The admin of that system advises me there are port 111 assaults on his firewall from me, from Navy NCIS, 199 something, from oxnardsd.org, where I used to do volunteer work some years ago.

I would appreciate it if you could help me assess those possibilities.

For item (1), I understand a rootkit involves replacing some or all of ls, ps, netstat, ifconfig, md5. AT THIS time MD5 reports the following:

    gcpacix:~{138} foreach i ( ls ps netstat md5 ifconfig )
    foreach? md5 `which $i`
    foreach? end
    MD5 (/bin/ls) = b09da2ac24e0597ee5437a106a9973b0
    MD5 (/bin/ps) = 606cf612681a75162100d6ddcfec3a70
    MD5 (/usr/bin/netstat) = 0613ecb7d018d0b058396562b2abf065
    MD5 (/sbin/md5) = e38c532609c44bb01ad627952d495cf0
    MD5 (/sbin/ifconfig) = d87d850c07066ba90ac9e7340c425619

Are any of these values possibly correct for FreeBSD 2.2.8? Can you point me at where I can download replacements of ls, ps, netstat, md5, ifconfig to retest that I have not been root-kitted?

For item (2), can you tell me if you have seen many reports of anyone attacking port 111 with a spoofed IP source address???

Appreciate any help or guidance you can offer me.

/Everett Batey/ 800 545-6998

--
+ http://www.vhwy.com efb@vhwy.com WA6CRE@arrl.net http://www.cotdazr.org +
+ PocketNet Mail to efbatey@mobile.att.net / Cell/VoiceMail 805 340-6471 +
+ Unix BSD, Sun, HP SCO Linux Security Cisco Routing DataFellows QMail DNS +

> Received: from MAINS2.PHDNSWC.NAVY.MIL (root@mains2.phdnswc.navy.mil [137.24.144.30])
> Subject:
> Date: Tue, 1 May 2001 13:34:32 -0700
>
> Ev,
>
> Please call me regarding the traffic below. 8-0701
>
> CG...
>
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65424 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65425 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65426 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65427 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65428 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65429 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65430 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65431 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65432 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65433 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65434 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65435 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65436 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65437 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65438 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65439 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65440 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65441 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65442 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65443 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65444 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65445 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34004 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34005 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34006 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34007 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34008 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34009 UDP
> May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34010 UDP
> May 1
09:54:55 209.239.229.90:111 -> 137.24.124.222:34011 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34012 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34013 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34014 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34015 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34016 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34017 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34018 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34019 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34020 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34021 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34022 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34023 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34024 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34025 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34026 UDP > May 1 09:54:55 209.239.229.90:111 -> 137.24.124.222:34027 UDP To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 1 22:33:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from crate.alongtheway.com (crate.alongtheway.com [208.176.94.56]) by hub.freebsd.org (Postfix) with ESMTP id B8F9237B422 for ; Tue, 1 May 2001 22:33:35 -0700 (PDT) (envelope-from jamesb-freebsd-security@alongtheway.com) Received: (qmail 16510 invoked from network); 2 May 2001 05:33:37 -0000 Received: from localhost (HELO tarkin.dyndns.org) (nobody@127.0.0.1) by localhost with DES-CBC3-SHA encrypted SMTP; 2 May 2001 05:33:37 -0000 Received: (qmail 1333 invoked by user); 2 May 2001 05:34:05 -0000 Date: Wed, 2 May 2001 05:34:05 +0000 
From: Jim Breton
To: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Named Security
Message-ID: <20010502053405.B1027@alongtheway.com>
References: <2BFD35C3F1F9D31185CE00B0D02023028386D1@SUNKING>
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D02023028386D1@SUNKING>; from Greg.Haa@amux.com on Mon, Apr 30, 2001 at 11:23:39AM -0700

On Mon, Apr 30, 2001 at 11:23:39AM -0700, Greg Haa wrote:
> get rid of the problem

You might want to look at alternative DNS implementations as well, for example:

http://cr.yp.to/djbdns.html
http://cr.yp.to/djbdns/ad/security.html

From owner-freebsd-security Wed May 2 00:42:24 2001
Subject: freezing problem
From: slaktaren
Reply-To: slaktaren
Message-ID: <0003834c72612fdc_mailit@192.168.0.14>
Date: Wed, 02 May 2001 00:41:29 -0700
To: freebsd-security@FreeBSD.ORG

Since I upgraded to 4.3-stable a couple days ago, I've been having lockup problems... about every 10 hours or so the box locks solid... before it locks up though, it gets swap pager errors. I'll put the lines from the log file (/var/log/messages) in here; notice the times they happen...

Apr 30 05:00:15 inexistent /kernel: swap_pager: out of swap space
Apr 30 05:00:15 inexistent /kernel: swap_pager_getswapspace: failed
Apr 30 15:05:21 inexistent /kernel: swap_pager_getswapspace: failed
Apr 30 15:05:21 inexistent last message repeated 24 times
Apr 30 22:40:22 inexistent /kernel: swap_pager_getswapspace: failed
Apr 30 22:40:22 inexistent last message repeated 117 times
May 1 08:00:20 inexistent /kernel: swap_pager: out of swap space
May 1 08:00:20 inexistent /kernel: swap_pager_getswapspace: failed

and this is where it sits now... Is there an exploit that causes this or what? When it locks up, the CPU usage shoots up to 100%, and the hard drive goes crazy (writing, I'm assuming) for about 15 seconds before it locks solid. The swap size in that box is 250MB... I have 96MB of RAM in that box... but this has never caused a problem before... I think the hard drive goes like crazy 'cause it's all of a sudden filling up the swap, then it gets too full and locks...

If anyone could help me as soon as possible, I'd really appreciate it. Thanks.

--dj

From owner-freebsd-security Wed May 2 03:46:17 2001
Message-Id: <5.0.2.1.0.20010502123120.01b68310@127.0.0.1>
Date: Wed, 02 May 2001 12:34:07 +0200
To: freebsd-security@FreeBSD.ORG
From: Guy Poizat
Subject: Re: Named Security
In-Reply-To: <3AEDEFEC.206204BE@colltech.com>
References: <2BFD35C3F1F9D31185CE00B0D02023028386D1@SUNKING>

At 01:06 01/05/2001, you wrote:
>BIND also has an option to track what
>queries are being generated and from whence they came (don't recall how
>to enable it from memory).

Put a 'severity' level of 'info' in the 'logging' section of /etc/namedb/named.conf: "severity info;"

-- 
Guy Poizat
poizat@partsonline.fr

From owner-freebsd-security Wed May 2 04:02:56 2001
Date: Wed, 2 May 2001 14:06:06 +0300 (EEST)
From: Adrian Penisoara
To: freebsd-isp@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Automating flood filtering

Hi,

I am interested in some way of automating the process of detecting and installing firewall filters for the various kinds of floods undergoing in today's (net)world. Is there any project or package targeted at this?

Thanks & regards,
Ady (@warpnet.ro)
__________________________________________________________________
| "Be vewy vewy quiet, I'm hunting wuntime ewwors!" - Elmer Fudd |

From owner-freebsd-security Wed May 2 04:33:13 2001
Date: Wed, 2 May 2001 11:27:53 +0000
From: Gabor Zahemszky
To: freebsd-security@freebsd.org
Cc: Casey Jones
Subject: Re: Boot Security
Message-ID: <20010502112753.A220@zg.CoDe.hu>
In-Reply-To: ; from bill@catastrophe.net on Sat, Apr 28, 2001 at 01:08:18PM -0500

On Sat, Apr 28, 2001 at 01:08:18PM -0500, Casey Jones wrote:
>
> Hello -
>
> I was hoping some of you could share your thoughts on how to best
> secure the FreeBSD boot process. I've taken the time to harden the
> system and verify that console and the like are "insecure", but I
> would also like to limit anyone from even getting to the "ok"
> prompt.

echo 'password="12345678"' >> /boot/loader.conf

But it's not too secure, as it's in the loader, so we can stop booting at the previous level.

ZGabor at CoDe dot HU

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Wed May 2 04:35:42 2001
Date: Wed, 2 May 2001 04:35:34 -0700
From: Kris Kennaway
To: slaktaren
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freezing problem
Message-ID: <20010502043533.A4100@xor.obsecurity.org>
References: <0003834c72612fdc_mailit@192.168.0.14>
In-Reply-To: <0003834c72612fdc_mailit@192.168.0.14>; from slaktaren@inexistent.dnsalias.net on Wed, May 02, 2001 at 12:41:29AM -0700

On Wed, May 02, 2001 at 12:41:29AM -0700, slaktaren wrote:
> is there an exploit that causes this or what?

The "exploit" is called "running out of swap space". Find out what's using all your memory and stop it.

Kris

From owner-freebsd-security Wed May 2 07:09:27 2001
Message-Id: <200105021525.QAA25034@mailgate.kechara.net>
Date: Wed, 02 May 2001 15:12:01 +0100
To: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: useradd/adduser
Reply-To: lee@kechara.net
Organization: Kechara Internet

Hi,

To my surprise, useradd isn't shipped with 4.3-STABLE (at least, not that I can see.) Is there any way to use adduser in a non-interactive state (run from scripts)?

i.e. $ adduser -d /home2/testuser -u testuser -p password
(pardon any syntax errors, that is for example only.)

Failing that, where can I get adduser?

Thanks

-- 
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Wed May 2 07:13:21 2001
Date: Wed, 2 May 2001 17:11:26 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502171126.A88365@ringworld.oblivion.bg>
References: <200105021525.QAA25034@mailgate.kechara.net>
In-Reply-To: <200105021525.QAA25034@mailgate.kechara.net>; from lee@kechara.net on Wed, May 02, 2001 at 03:12:01PM +0100

On Wed, May 02, 2001 at 03:12:01PM +0100, Lee Smallbone wrote:
> Hi,
>
> To my surprise, useradd isn't shipped with 4.3-STABLE (at least, not that I can see.)
> Is there any way to use adduser in a non-interactive state (run from scripts)?
>
> i.e. $ adduser -d /home2/testuser -u testuser -p password
> (pardon any syntax errors, that is for example only.)
>
> Failing that, where can I get adduser?

'adduser' is the interactive utility; the non-interactive one is pw(8).

G'luck,
Peter

-- 
If you think this sentence is confusing, then change one pig.
From owner-freebsd-security Wed May 2 07:14:13 2001
To: lee@kechara.net
Cc: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
In-reply-to: Your message of "Wed, 02 May 2001 15:12:01 +0100." <200105021525.QAA25034@mailgate.kechara.net>
Date: Wed, 02 May 2001 16:13:19 +0200
Message-ID: <2686.988812799@axl.fw.uunet.co.za>
From: Sheldon Hearn

On Wed, 02 May 2001 15:12:01 +0100, Lee Smallbone wrote:

> Is there any way to use adduser in a non-interactive state (run from
> scripts)?

Yes, with the pw(8) command. If your scripts gain knowledge of the passwords for accounts somewhere, you can feed the passwords to pw(8) using its -h option.

Don't be daunted by the manual page. It's pretty easy going once you've gotten past the synopsis. :-)

Ciao,
Sheldon.

From owner-freebsd-security Wed May 2 07:16:21 2001
Date: Wed, 2 May 2001 16:16:16 +0200
From: Anton Berezin
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502161616.F70104@heechee.tobez.org>
Mail-Followup-To: freebsd-questions@freebsd.org
References: <200105021525.QAA25034@mailgate.kechara.net>
In-Reply-To: <200105021525.QAA25034@mailgate.kechara.net>; from lee@kechara.net on Wed, May 02, 2001 at 03:12:01PM +0100

[In the future, please direct such questions to the freebsd-questions mailing list. Thank you. Followups set.]

On Wed, May 02, 2001 at 03:12:01PM +0100, Lee Smallbone wrote:
> To my surprise, useradd isn't shipped with 4.3-STABLE (at least, not that I can see.)
> Is there any way to use adduser in a non-interactive state (run from scripts)?
>
> i.e. $ adduser -d /home2/testuser -u testuser -p password
> (pardon any syntax errors, that is for example only.)

pw is much better suited for non-interactive account manipulation.

man 8 pw

-- 
May the tuna salad be with you.

From owner-freebsd-security Wed May 2 07:57:17 2001
Message-Id: <200105021613.RAA25130@mailgate.kechara.net>
Date: Wed, 02 May 2001 15:59:50 +0100
To: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: useradd/adduser
Reply-To: lee@kechara.net
Organization: Kechara Internet

I see what you mean about the synopsis...!

From what I can see it isn't possible to supply the password to pw? I'm using md5 passwords, and can easily have the script in question encode the password prior to calling pw, so is it possible to use (in the verse of pw), something along the lines of:

pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass

?

Thanks for your help thus far..!

02/05/2001 19:13:19, Sheldon Hearn wrote:
>
>On Wed, 02 May 2001 15:12:01 +0100, Lee Smallbone wrote:
>
>> Is there any way to use adduser in a non-interactive state (run from
>> scripts)?
>
>Yes, with the pw(8) command. If your scripts gain knowledge of the
>passwords for accounts somewhere, you can feed the passwords to pw(8)
>using its -h option.
>
>Don't be daunted by the manual page. It's pretty easy going once you've
>gotten past the synopsis. :-)
>
>Ciao,
>Sheldon.
>

-- 
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Wed May 2 08:00:07 2001
From: Fernando Schapachnik
Message-Id: <200105021502.MAA03118@ns1.via-net-works.net.ar>
Subject: Re: useradd/adduser
In-Reply-To: <200105021613.RAA25130@mailgate.kechara.net> "from Lee Smallbone at May 2, 2001 03:59:50 pm"
To: lee@kechara.net
Date: Wed, 2 May 2001 12:02:55 -0300 (ART)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik

In an earlier message, Lee Smallbone wrote:
> I see what you mean about the synopsis...!
>
> From what I can see it isn't possible to supply the password to pw?

It IS possible:

echo cleartextpass | pw user add testuser -h 0

(or something like that)

Good luck!

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Wed May 2 08:04:55 2001
Date: Wed, 2 May 2001 18:02:57 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502180257.B88365@ringworld.oblivion.bg>
References: <200105021613.RAA25130@mailgate.kechara.net>
In-Reply-To: <200105021613.RAA25130@mailgate.kechara.net>; from lee@kechara.net on Wed, May 02, 2001 at 03:59:50PM +0100

On Wed, May 02, 2001 at 03:59:50PM +0100, Lee Smallbone wrote:
> I see what you mean about the synopsis...!
>
> From what I can see it isn't possible to supply the password to pw?
> I'm using md5 passwords, and can easily have the script in question encode
> the password prior to calling pw, so is it possible to use (in the verse of
> pw), something along the lines of:
>
> pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass
>
> ?

You can't supply an *encrypted* pass; but then, you can't do this with adduser, either. You *can* supply a cleartext password to pw(8), just as Sheldon said, using the -h option:

echo unf | pw useradd testuser -h 0

..just tell it to read the password from fd 0 (stdin).

G'luck,
Peter

-- 
I am the meaning of this sentence.

From owner-freebsd-security Wed May 2 08:07:37 2001
Date: Wed, 2 May 2001 18:05:43 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502180543.C88365@ringworld.oblivion.bg>
References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg>
In-Reply-To: <20010502180257.B88365@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, May 02, 2001 at 06:02:57PM +0300

On Wed, May 02, 2001 at 06:02:57PM +0300, Peter Pentchev wrote:
> On Wed, May 02, 2001 at 03:59:50PM +0100, Lee Smallbone wrote:
> > I see what you mean about the synopsis...!
> >
> > From what I can see it isn't possible to supply the password to pw?
> > I'm using md5 passwords, and can easily have the script in question encode
> > the password prior to calling pw, so is it possible to use (in the verse of
> > pw), something along the lines of:
> >
> > pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass
> >
> > ?
>
> You can't supply an *encrypted* pass; but then, you can't do this with
> adduser, either. You *can* supply a cleartext password to pw(8), just
> as Sheldon said, using the -h option:
>
> echo unf | pw useradd testuser -h 0
>
> ..just tell it to read the password from fd 0 (stdin).

And if you're really, really interested, I could give you a little patch I made some time ago, to add a -H encrypted pass option to pw(8), which should do exactly what you need :)

G'luck,
Peter

-- 
I've heard that this sentence is a rumor.
From owner-freebsd-security Wed May 2 08:58:44 2001
Date: Wed, 2 May 2001 17:58:50 +0200
From: Andrzej Groth
To: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502175850.A81681@arka.gdansk.mtl.pl>
References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> <20010502180543.C88365@ringworld.oblivion.bg>
In-Reply-To: <20010502180543.C88365@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, May 02, 2001 at 06:05:43PM +0300
X-Operating-System: FreeBSD 4.3-STABLE i386
Organization: MAKOR Computer.

On Wed, 02 May 2001, Peter Pentchev wrote:
> On Wed, May 02, 2001 at 06:02:57PM +0300, Peter Pentchev wrote:
> > On Wed, May 02, 2001 at 03:59:50PM +0100, Lee Smallbone wrote:
> > > I see what you mean about the synopsis...!
> > >
> > > From what I can see it isn't possible to supply the password to pw?
> > > I'm using md5 passwords, and can easily have the script in question encode
> > > the password prior to calling pw, so is it possible to use (in the verse of
> > > pw), something along the lines of:
> > >
> > > pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass
> > >
> > > ?

so...

pw useradd -n test -c "Test User" -d /home2/test -s /bin/sh; chpass -p $md5encpass test

? ;-)

br.
-- 
Andrzej Groth
Administrator MULTINET S.A.
http://www.multinet.pl

From owner-freebsd-security Wed May 2 09:07:34 2001
Date: Wed, 2 May 2001 19:05:39 +0300
From: Peter Pentchev
To: Andrzej Groth
Cc: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502190539.E88365@ringworld.oblivion.bg>
References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> <20010502180543.C88365@ringworld.oblivion.bg> <20010502175850.A81681@arka.gdansk.mtl.pl>
In-Reply-To: <20010502175850.A81681@arka.gdansk.mtl.pl>; from A.Groth@gdansk.multinet.pl on Wed, May 02, 2001 at 05:58:50PM +0200

On Wed, May 02, 2001 at 05:58:50PM +0200, Andrzej Groth wrote:
> On Wed, 02 May 2001, Peter Pentchev wrote:
>
> > On Wed, May 02, 2001 at 06:02:57PM +0300, Peter Pentchev wrote:
> > > On Wed, May 02, 2001 at 03:59:50PM +0100, Lee Smallbone wrote:
> > > > I see what you mean about the synopsis...!
> > > >
> > > > From what I can see it isn't possible to supply the password to pw?
> > > > I'm using md5 passwords, and can easily have the script in question encode
> > > > the password prior to calling pw, so is it possible to use (in the verse of
> > > > pw), something along the lines of:
> > > >
> > > > pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass
> > > >
> > > > ?
>
> so...
> pw useradd -n test -c "Test User" -d /home2/test -s /bin/sh; chpass -p
> $md5encpass test
>
> ? ;-)

Er.. Touche! :)

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.
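As an added example (editor's code, not from any post in this thread), here is a small sh wrapper that applies both answers given above: Peter's `-h 0`, which makes pw(8) read the cleartext password from stdin so that it never appears in the argument list (where any local user could read it with ps(1)), and Andrzej's `chpass -p` for a password that is already hashed. The login-name rule, the /home2 base directory and the /bin/sh default shell are this example's own assumptions, not pw(8) rules. Since the thread, pw(8) has also gained a -H option that reads an already-hashed password from a descriptor the same way -h does, which removes the need for the second step.

```shell
#!/bin/sh
# Added example, not from the thread: non-interactive account creation with
# pw(8) that keeps the secret off the command line and out of the environment.
# Assumptions (ours, not pw(8)'s): home directories under $HOME_BASE, default
# shell /bin/sh, login names restricted by valid_login().

LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII letters only
HOME_BASE=${HOME_BASE:-/home2}

# valid_login NAME: a lowercase letter followed by up to 15 lowercase letters,
# digits, '_' or '-'. Rejects names that could be parsed as an option or path.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# add_user LOGIN "Full Name" PASSWORD
# Peter's form: the cleartext password goes to pw's stdin and "-h 0" tells
# pw to read it from file descriptor 0, so ps(1) shows only the options.
# -m creates the home directory.
add_user() {
    login=$1 gecos=$2 pass=$3
    valid_login "$login" || { echo "add_user: bad login name '$login'" >&2; return 2; }
    printf '%s\n' "$pass" |
        pw useradd -n "$login" -c "$gecos" -d "$HOME_BASE/$login" -m -s /bin/sh -h 0
}

# add_user_hashed LOGIN "Full Name" HASH
# Andrzej's form for a password that is already hashed (e.g. an MD5 crypt
# string): create the account with the password disabled ("-h -" sets the
# field to "*"), then store the hash with chpass -p. Both steps need root.
add_user_hashed() {
    login=$1 gecos=$2 enc=$3
    valid_login "$login" || { echo "add_user_hashed: bad login name '$login'" >&2; return 2; }
    pw useradd -n "$login" -c "$gecos" -d "$HOME_BASE/$login" -m -s /bin/sh -h - </dev/null &&
        chpass -p "$enc" "$login"
}
```

The account is never left in a state where it has no password and a usable shell: the first form sets the password in the same pw call that creates the user, and the second creates it disabled and only then stores the hash.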
From owner-freebsd-security Wed May 2 9:19:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from inexistent.dnsalias.net (ont-cvx1-241.linkline.com [64.30.217.241]) by hub.freebsd.org (Postfix) with ESMTP id D538037B423 for ; Wed, 2 May 2001 09:19:45 -0700 (PDT) (envelope-from slaktaren@inexistent.dnsalias.net) Received: from abyss.192.168.0.14 (abyss [192.168.0.13]) by inexistent.dnsalias.net (Postfix) with SMTP id CAA599A2 for ; Wed, 2 May 2001 09:17:24 -0700 (PDT) Subject: Re: freezing problem
From: slaktaren Reply-To: slaktaren Message-ID: <00038353a99935f5_mailit@192.168.0.14> References: <200105021133.IAA67289@ns1.via-net-works.net.ar> Date: Wed, 02 May 2001 09:18:01 -0700 X-Mailer: BeatWare Mail-It 3.0 X-BeOS-Platform: Intel or clone To: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

It's happened three more times since I posted the message:

May 1 21:35:10 inexistent /kernel: swap_pager_getswapspace: failed
May 1 21:35:10 inexistent last message repeated 5 times
May 2 04:20:15 inexistent /kernel: swap_pager_getswapspace: failed
May 2 04:20:15 inexistent last message repeated 159 times
May 2 04:30:15 inexistent /kernel: swap_pager_getswapspace: failed
May 2 04:30:16 inexistent last message repeated 109 times

Everything had been running fine prior to putting 4.3-stable on the box... I don't know what changed all of a sudden that causes it to eat the swap instantly...

In /etc/crontab I think I have what mergemaster put there for 4.3:

*/5 * * * * root /usr/libexec/atrun
0 * * * * root newsyslog
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
1,31 0-5 * * * root adjkerntz -a

In root's crontab I have four things run...

15 0 * * * /usr/local/bin/cvsup /etc/ports-supfile
*/10 * * * * /usr/local/sbin/ddupcron.sh inexistent.dnsalias.net tun0 > /dev/null 2>&1
*/5 * * * * /usr/local/bin/mrtg /usr/local/etc/mrtg/mrtg.cfg >/dev/null 2>&1
*/60 * * * * /usr/local/bin/webalizer >/dev/null 2>&1

In another user's crontab file, there is...

*/10 * * * * /home/unez/bot/botchk >/dev/null 2>&1

So there's nothing I can see that causes the swap to just get eaten instantly... Are there any other places to look for clues than /var/log/messages?

>Try adding more swap (on a file). Look at your crontab to see what is
>getting ran at these times.
>
>Good luck!
>
>In an earlier message, slaktaren wrote:
>> Since I upgraded to 4.3-stable a couple days ago, I've been having lockup
>> problems since then...
>> About every 10 hours or so the box locks solid...
>> Before it locks up though, it gets swap pager errors. I'll put the lines
>> from the log file (/var/log/messages) in here, notice the times they happen...
>>
>> Apr 30 05:00:15 inexistent /kernel: swap_pager: out of swap space
>> Apr 30 05:00:15 inexistent /kernel: swap_pager_getswapspace: failed
>>
>> Apr 30 15:05:21 inexistent /kernel: swap_pager_getswapspace: failed
>> Apr 30 15:05:21 inexistent last message repeated 24 times
>>
>> Apr 30 22:40:22 inexistent /kernel: swap_pager_getswapspace: failed
>> Apr 30 22:40:22 inexistent last message repeated 117 times
>>
>> May 1 08:00:20 inexistent /kernel: swap_pager: out of swap space
>> May 1 08:00:20 inexistent /kernel: swap_pager_getswapspace: failed
>>
>> and this is where it sits now...
>>
>> Is there an exploit that causes this or what?
>>
>> When it locks up, the CPU usage shoots up to 100%, and the hard drive goes
>> crazy (writing I'm assuming) for about 15 seconds before it locks solid.
>>
>> The swap size in that box is 250mb... I have 96mb of RAM in that box... but
>> this has never caused a problem before... I think the hard drive goes like
>> crazy because it's all of a sudden filling up the swap, then it gets too full
>> and locks...
>>
>> If anyone could help me as soon as possible, I'd really appreciate it, thanks
>>
>> --dj
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>>
>
>
>
>
>Fernando P. Schapachnik
>Network and technology planning
>VIA NET.WORKS ARGENTINA S.A.
>fschapachnik@vianetworks.com.ar
>Tel.: (54-11) 4323-3381

From owner-freebsd-security Wed May 2 9:22:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id B93EB37B424 for ; Wed, 2 May 2001 09:22:36 -0700 (PDT) (envelope-from emechler@radix.cryptio.net) Received: (from emechler@localhost) by radix.cryptio.net (8.11.3/8.11.3) id f42GMQt51175; Wed, 2 May 2001 09:22:26 -0700 (PDT) (envelope-from emechler) Date: Wed, 2 May 2001 09:22:26 -0700
From: Erick Mechler To: slaktaren Cc: freebsd-security@FreeBSD.ORG Subject: Re: freezing problem Message-ID: <20010502092226.A51131@techometer.net> References: <200105021133.IAA67289@ns1.via-net-works.net.ar> <00038353a99935f5_mailit@192.168.0.14> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <00038353a99935f5_mailit@192.168.0.14>; from slaktaren on Wed, May 02, 2001 at 09:18:01AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

:: is there any other places to look for clues than /var/log/messages?

Try using systat(1), or top(1). Both of them should tell you a little bit more about what's going on.

--Erick

From owner-freebsd-security Wed May 2 9:37: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 519C037B423 for ; Wed, 2 May 2001 09:37:02 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id MAA94174; Wed, 2 May 2001 12:36:39 -0400 (EDT) (envelope-from wollman) Date: Wed, 2 May 2001 12:36:39 -0400 (EDT)
From: Garrett Wollman Message-Id: <200105021636.MAA94174@khavrinen.lcs.mit.edu> To: Peter Pentchev Cc: Lee Smallbone , freebsd-security@FreeBSD.ORG Subject: Re: useradd/adduser In-Reply-To: <20010502180257.B88365@ringworld.oblivion.bg> References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

< said:
> You can't supply an *encrypted* pass; but then, you can't do this with
> adduser, either.

But you *can* do it with `chpass'.

-GAWollman

From owner-freebsd-security Wed May 2 10: 2:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5F81537B422 for ; Wed, 2 May 2001 10:02:32 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id LAA24669 for security@freebsd.org; Wed, 2 May 2001 11:02:20 -0600 (MDT) Date: Wed, 2 May 2001 11:02:20 -0600 (MDT)
From: Brett Glass Message-Id: <200105021702.LAA24669@lariat.org> To: security@freebsd.org Subject: What do folks think of this article? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm

From owner-freebsd-security Wed May 2 10: 7:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtpout.mac.com (smtpout.mac.com [204.179.120.89]) by hub.freebsd.org (Postfix) with ESMTP id 4698037B422 for ; Wed, 2 May 2001 10:07:49 -0700 (PDT) (envelope-from btman@mac.com) Received: by smtpout.mac.com; Wed, 2 May 2001 10:07:19 -0700 (PDT) Message-Id: <200105021707.KAA06632@smtpout.mac.com> Received: from asmtp01.mac.com ([10.13.10.65]) by smtp-relay01.mac.com (Netscape Messaging Server 4.15) with ESMTP id GCPWW700.2G1 for ; Wed, 2 May 2001 10:07:19 -0700 Received: from localhost ([64.2.43.44]) by asmtp01.mac.com (Netscape Messaging Server 4.15) with ESMTP id GCPWW700.LOB for ; Wed, 2 May 2001 10:07:19 -0700 Date: Wed, 2 May 2001 10:07:18 -0700 Content-Type: text/plain; format=flowed; charset=us-ascii X-Mailer: Apple Mail (2.388)
From: Brian Tiemann To: freebsd-security@FreeBSD.ORG Mime-Version: 1.0 (Apple Message framework v388) In-Reply-To: <20010502175850.A81681@arka.gdansk.mtl.pl> Subject: Re: useradd/adduser Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wednesday, May 2, 2001, at 08:58 AM, Andrzej Groth wrote:

>>>> From what I can see it isn't possible to supply the password to pw?
>>>> I'm using md5 passwords, and can easily have the script in question
>>>> encode
>>>> the password prior to calling pw, so is it possible to use (in the
>>>> verse of
>>>> pw), something along the lines of:
>>>>
>>>> pw useradd -n test -c "Test User" -d /home2/test -m -s sh
>>>> $md5encpass
>>>>
>>>> ?
>
> so...
> pw useradd -n test -c "Test User" -d /home2/test -s /bin/sh; chpass -p
> $md5encpass test

Okay, so... maybe I'm missing something, but how does one go about encrypting the password in a way compatible with master.passwd? Straight md5 doesn't do it... how do you get the "$1$7tGUS$teGz..." string?

Thanks...

Brian

From owner-freebsd-security Wed May 2 10:35:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from ambar.ofermundo.com.ar (h066060007247.isol.net.ar [66.60.7.247]) by hub.freebsd.org (Postfix) with ESMTP id 4AC1137B43C for ; Wed, 2 May 2001 10:35:19 -0700 (PDT) (envelope-from freebsd@grunblatt.com.ar) Received: from dialup204.icatel.net (dialup204.icatel.net [200.47.39.204]) by ambar.ofermundo.com.ar (8.9.3/8.8.7) with ESMTP id OAA08562; Wed, 2 May 2001 14:35:24 -0300 Date: Wed, 2 May 2001 17:37:00 -0300 (ART)
From: Daniel X-X-Sender: To: Brian Tiemann Cc: Subject: Re: useradd/adduser In-Reply-To: <200105021707.KAA06632@smtpout.mac.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

man 3 crypt

On Wed, 2 May 2001, Brian Tiemann wrote:

> Date: Wed, 2 May 2001 10:07:18 -0700
> From: Brian Tiemann
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: useradd/adduser
>
>
> On Wednesday, May 2, 2001, at 08:58 AM, Andrzej Groth wrote:
>
> >>>> From what I can see it isn't possible to supply the password to pw?
> >>>> I'm using md5 passwords, and can easily have the script in question
> >>>> encode
> >>>> the password prior to calling pw, so is it possible to use (in the
> >>>> verse of
> >>>> pw), something along the lines of:
> >>>>
> >>>> pw useradd -n test -c "Test User" -d /home2/test -m -s sh
> >>>> $md5encpass
> >>>>
> >>>> ?
> >
> > so...
> > pw useradd -n test -c "Test User" -d /home2/test -s /bin/sh; chpass -p
> > $md5encpass test
>
> Okay, so... maybe I'm missing something, but how does one go about
> encrypting the password in a way compatible with master.passwd? Straight
> md5 doesn't do it... how do you get the "$1$7tGUS$teGz..." string?
>
> Thanks...
>
> Brian
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

From owner-freebsd-security Wed May 2 10:35:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 3A2ED37B423 for ; Wed, 2 May 2001 10:35:28 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GCPY6H00.J6V; Wed, 2 May 2001 10:35:05 -0700 Message-ID: <3AF0455D.C242B1F7@globalstar.com> Date: Wed, 02 May 2001 10:35:25 -0700
From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: efb-all@vhwy.com Cc: security@FreeBSD.ORG, efb-all@cotdazr.org Subject: Re: [GorrellCD@phdnswc.navy.mil: ] References: <20010501220704.A14264@cotdazr.org> <20010501222316.B14264@cotdazr.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Everett F Batey wrote:
>
> Dear FreeBSD Security Guru,
>
> I need some guidance. My employer with which I have had problems over
> the past 5 years has suggested I (or my IP) am(/is) trying to attack
> his IP space on UDP 111, and sent me the below attached log file.
>
> I am running a pretty sanitized version of FreeBSD 2.2.8, at my home,
> with many patches. Hope soon to be able to go 4.X but can NOT now. I
> am concerned of several possibilities: (1) I could have been root
> kitted, (2) someone could be spoofing my primary address, or (3) I am
> getting some fully B/s stories about what is showing up at the far end
> on their firewall..
>
> I do not know of anything that I do which would cause my FBsd to poke
> at port 111 on the supposed system at the far end. (per attachment).
> That IP IS a computer running Solaris which I have done work INSIDE
> semi firewalled 137.24/16.
>
> The admin of that system advises me there are port 111 assaults on his
> firewall from me, from Navy NCIS, 199 something, from oxnardsd.org,
> where I used to do volunteer work some years ago.

[snip]

Uhhh...

> > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP

These look like responses from port 111 on _your_ system (cotdazr.org is yours?) to queries made _by_ 137.24.124.222. If there is an attack, it looks like 137.24.124.222 (NSWC) is trying to attack you.
Either that or the owner of 137.24.124.222 is curious why his machine seems to be trying to contact yours.
-- 
Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Wed May 2 10:44:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (babyviolence.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 2FFC137B424 for ; Wed, 2 May 2001 10:44:32 -0700 (PDT) (envelope-from geniusj@bluenugget.net) Received: by bluenugget.net (Postfix, from userid 1000) id AD3731362F; Wed, 2 May 2001 10:49:25 -0700 (PDT) Date: Wed, 2 May 2001 10:49:25 -0700
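Crist's reading of the two log lines, as an added example that is not code from the thread: a small parser for the "src:port -> dst:port PROTO" lines the complaint quoted, which labels each datagram as a portmapper query or a reply and tallies which host actually initiated, so a complaint like this one can be checked against the log rather than argued about. The sample log is constructed (the two lines from the thread plus two made-up ones), and the 1024 ephemeral-port threshold is an assumption about the stacks involved.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log in the "src:port -> dst:port PROTO" shape quoted in the
# complaint: the first two lines are the ones from the thread, the last two are
# made up to show a query in each direction.
SAMPLE_LOG = """\
May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
May  1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
May  1 07:19:50 137.24.124.222:65422 -> 209.239.229.90:111 UDP
May  1 07:20:02 209.239.229.90:33011 -> 137.24.124.222:111 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

SUNRPC = 111          # portmapper / rpcbind, the port named in the complaint
EPHEMERAL_MIN = 1024  # assumption: client-side ports on these stacks are >= 1024


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one firewall log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), m["proto"])


def classify(flow: Flow, service_port: int = SUNRPC) -> str:
    """Say whether a datagram is a query to, or a reply from, the service port.

    A packet *from* the service port to a high port is the service answering;
    the host that initiated is the one whose ephemeral port shows up as dst.
    """
    if flow.sport == service_port and flow.dport >= EPHEMERAL_MIN:
        return f"reply: {flow.dst} queried port {service_port} on {flow.src}"
    if flow.dport == service_port and flow.sport >= EPHEMERAL_MIN:
        return f"query: {flow.src} probed port {service_port} on {flow.dst}"
    return "unrelated"


def who_initiated(log_text: str, service_port: int = SUNRPC) -> dict:
    """Count, per initiating host, the queries it sent to the service port.

    Replies are attributed to the host that *received* them, so a log full of
    "111 -> high port" lines points at the high-port side as the initiator.
    """
    counts: dict = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        verdict = classify(f, service_port)
        if verdict.startswith("reply"):
            initiator = f.dst
        elif verdict.startswith("query"):
            initiator = f.src
        else:
            continue
        counts[initiator] = counts.get(initiator, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        flow = parse_line(line)
        print(line, "=>", classify(flow) if flow else "unparsed")
    print("initiators:", who_initiated(SAMPLE_LOG))
```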
From: Jason DiCioccio To: Brett Glass Cc: security@freebsd.org Subject: Re: What do folks think of this article? Message-ID: <20010502104925.A81038@bluenugget.net> References: <200105021702.LAA24669@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200105021702.LAA24669@lariat.org>; from brett@lariat.org on Wed, May 02, 2001 at 11:02:20AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I agree for the most part with it. Apple does need some sort of mailing list and response team at least. There are some things in there that aren't necessarily true, but for the most part I agree.

Cheers,
-JD-

On Wed, May 02, 2001 at 11:02:20AM -0600, Brett Glass wrote:
> http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Wed May 2 10:47:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 9677937B423 for ; Wed, 2 May 2001 10:47:52 -0700 (PDT) (envelope-from bright@fw.wintelcom.net) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f42Hlnf11738; Wed, 2 May 2001 10:47:49 -0700 (PDT) Date: Wed, 2 May 2001 10:47:49 -0700
From: Alfred Perlstein To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: What do folks think of this article? Message-ID: <20010502104749.O18676@fw.wintelcom.net> References: <200105021702.LAA24669@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200105021702.LAA24669@lariat.org>; from brett@lariat.org on Wed, May 02, 2001 at 11:02:20AM -0600 X-all-your-base: are belong to us. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

* Brett Glass [010502 10:02] wrote:
> http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm

As usual someone is trying to raise an issue that's already common knowledge. I mean:

  So, where security was concerned, Apple users enjoyed a free ride. Same with virus attacks. Mac users avoided the carnage of the I Love You virus in May, 2000. Nor did they have to worry about nasty Trojan-horse attacks, such as the SubSeven variety that could give hackers remote control of a computer. Mac users lived in a digital Garden of Eden, a simpler place free of serpents.

The "I Love You virus"? Because it's a Unix-like OS? Afaik "I Love You" was a Microsoft Outhouse^H^H^H^H^Hlook problem, not a Unix one.

Sure, making a Macintosh actually useful by having it run a Unix-like OS might make it a more interesting _target_; it sure doesn't mean that it has to run all the same services. I imagine if Apple was smart, the default "desktop configuration" wouldn't be running any services to expose it to this kind of risk.

I do agree that Apple should invest some resources into security on OS X, but I doubt they aren't already in the process of procuring those resources if they haven't done it already.
As far as getting the word out on bugs, I find it terribly annoying that Bugtraq is now a vendor's forum to spam about security updates; it's really irritating to hear about some vulnerability and then receive about 20 emails from different Linux and other Unix distributors about the exact same bug.

-- 
-Alfred Perlstein - [alfred@freebsd.org]
Daemon News Magazine in your snail-mail! http://magazine.daemonnews.org/

From owner-freebsd-security Wed May 2 11:20:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from daphne.unloved.org (daphne.unloved.org [62.58.62.165]) by hub.freebsd.org (Postfix) with ESMTP id 8FF3A37B422 for ; Wed, 2 May 2001 11:20:53 -0700 (PDT) (envelope-from ashp@unloved.org) Received: by daphne.unloved.org (Postfix, from userid 1001) id 52EC01172F; Wed, 2 May 2001 20:21:57 +0200 (CEST) Date: Wed, 2 May 2001 20:21:57 +0200
From: Ashley Penney To: Peter Pentchev Cc: Lee Smallbone , freebsd-security@freebsd.org Subject: Re: useradd/adduser Message-ID: <20010502202157.A76656@daphne.unloved.org> Mail-Followup-To: Ashley Penney , Peter Pentchev , Lee Smallbone , freebsd-security@freebsd.org References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> <20010502180543.C88365@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010502180543.C88365@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, May 02, 2001 at 06:05:43PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, May 02, 2001 at 06:05:43PM +0300, Peter Pentchev said:
> And if you're really, really interested, I could give you a little
> patch I made some time ago, to add a -H encrypted pass option to pw(8),
> which should do exactly what you need :)

What's wrong with chpass -p "crypthere" user ?

-- 
"People who bite the hand that feeds them usually lick the boot that kicks them." -- Unknown.

From owner-freebsd-security Wed May 2 11:42:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 3FD9F37B422 for ; Wed, 2 May 2001 11:42:23 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 92583 invoked by uid 1000); 2 May 2001 18:40:32 -0000 Date: Wed, 2 May 2001 21:40:32 +0300
From: Peter Pentchev To: freebsd-security@freebsd.org Subject: Re: useradd/adduser Message-ID: <20010502214032.F88365@ringworld.oblivion.bg> Mail-Followup-To: freebsd-security@freebsd.org References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> <20010502180543.C88365@ringworld.oblivion.bg> <20010502202157.A76656@daphne.unloved.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010502202157.A76656@daphne.unloved.org>; from ashp@unloved.org on Wed, May 02, 2001 at 08:21:57PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, May 02, 2001 at 08:21:57PM +0200, Ashley Penney wrote:
> On Wed, May 02, 2001 at 06:05:43PM +0300, Peter Pentchev said:
>
> > And if you're really, really interested, I could give you a little
> > patch I made some time ago, to add a -H encrypted pass option to pw(8),
> > which should do exactly what you need :)
>
> What's wrong with chpass -p "crypthere" user ?

OK, several people pointed that out already :) I didn't know chpass could do that, ok? :)

G'luck,
Peter
-- 
No language can express every thought unambiguously, least of all this one.

From owner-freebsd-security Wed May 2 12:30:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 0662E37B422 for ; Wed, 2 May 2001 12:30:54 -0700 (PDT) (envelope-from alex@wnm.net) Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id f42JYHd24623; Wed, 2 May 2001 14:34:17 -0500 (CDT) Date: Wed, 2 May 2001 14:34:17 -0500 (CDT)
From: Alex Charalabidis To: Cc: , Subject: Re: [GorrellCD@phdnswc.navy.mil: ] In-Reply-To: <20010501222316.B14264@cotdazr.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, 1 May 2001, Everett F Batey wrote:

> Dear FreeBSD Security Guru,
>
> I need some guidance. My employer with which I have had problems over
> the past 5 years has suggested I (or my IP) am(/is) trying to attack
> his IP space on UDP 111, and sent me the below attached log file.
>
>
>
> > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP

Oddly enough, I got a virtually identical complaint today regarding traffic to a Dutch network we've never had transactions with before, apparently originating from an unassigned IP address that was briefly used by a Linux test machine on our network.

I haven't had time to investigate myself but a colleague mentioned the possibility of something meant to confuse/overload IDS systems as a smokescreen for real attacks.

-ac

-- 
===================================================================
Alex Charalabidis Worldspice Technologies
5050 Poplar Ave. Memphis, TN, USA +1 901 432 6000
Opinions expressed are mine alone but may be yours for a small fee.
===================================================================

From owner-freebsd-security Wed May 2 12:45:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from cpimssmtpu13.email.msn.com (cpimssmtpu13.email.msn.com [207.46.181.88]) by hub.freebsd.org (Postfix) with ESMTP id D029337B423 for ; Wed, 2 May 2001 12:45:18 -0700 (PDT) (envelope-from JHowie@msn.com) Received: from x86w2kw1 ([216.103.48.12]) by cpimssmtpu13.email.msn.com with Microsoft SMTPSVC(5.0.2195.3225); Wed, 2 May 2001 12:45:17 -0700 Message-ID: <00ac01c0d341$0f8cbaf0$0101a8c0@development.local> From: "John Howie" To: "Alex Charalabidis" , Cc: , References: Subject: Re: [GorrellCD@phdnswc.navy.mil: ] Date: Wed, 2 May 2001 12:49:54 -0700 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-OriginalArrivalTime: 02 May 2001 19:45:17.0683 (UTC) FILETIME=[6A0ABC30:01C0D340] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Folks,

111/tcp and 111/udp are the Sun ONC RPC ports. Perhaps someone is running an rpc service like rusers, NIS, NFS, etc, or querying RPC services using rpcinfo.

john...

----- Original Message -----
From: "Alex Charalabidis" To: Cc: ; Sent: Wednesday, May 02, 2001 12:34 PM Subject: Re: [GorrellCD@phdnswc.navy.mil: ]

> On Tue, 1 May 2001, Everett F Batey wrote:
>
> > Dear FreeBSD Security Guru,
> >
> > I need some guidance. My employer with which I have had problems over
> > the past 5 years has suggested I (or my IP) am(/is) trying to attack
> > his IP space on UDP 111, and sent me the below attached log file.
> >
> >
> >
> > > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> > > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
>
> Oddly enough, I got a virtually identical complaint today regarding
> traffic to a Dutch network we've never had transactions with before,
> apparently originating from an unassigned IP address that was briefly used
> by a Linux test machine on our network.
>
> I haven't had time to investigate myself but a colleague mentioned the
> possibility of something meant to confuse/overload IDS systems as a
> smokescreen for real attacks.
>
> -ac
>
>
> --
> ===================================================================
> Alex Charalabidis Worldspice Technologies
> 5050 Poplar Ave. Memphis, TN, USA +1 901 432 6000
> Opinions expressed are mine alone but may be yours for a small fee.
> ===================================================================
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 2 13:28:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 75F5F37B423 for ; Wed, 2 May 2001 13:28:28 -0700 (PDT) (envelope-from roelof@eboa.com) Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id WAA21496; Wed, 2 May 2001 22:28:24 +0200 (CEST) (envelope-from roelof@eboa.com) Message-ID: <3AF06DE8.B1640026@eboa.com> Date: Wed, 02 May 2001 22:28:24 +0200
From: Roelof Osinga Organization: eBOA - Programming the Web X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Brian Tiemann Cc: freebsd-security@FreeBSD.ORG Subject: Re: useradd/adduser References: <200105021707.KAA06632@smtpout.mac.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Brian Tiemann wrote:
>
> ...
> Okay, so... maybe I'm missing something, but how does one go about
> encrypting the password in a way compatible with master.passwd? Straight
> md5 doesn't do it... how do you get the "$1$7tGUS$teGz..." string?

The '$1$' denotes the encryption method used, being MD5. There's a nice PHP scriptlet I stumbled onto that works fine. It's on http://www.php.net/manual/en/function.crypt.php by rtdean@cytherianage.net. What you're missing is probably the right amount of salt.

Roelof

PS there's probably code all over the place but this I had handy
-- 
-----------------------------------------------------------------------
eBOA® est. 1982 tel. +31-58-2123014 web. http://eBOA.com/ fax. +31-58-2160293 mail info@eBOA.com

From owner-freebsd-security Wed May 2 13:40:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-26.dsl.lsan03.pacbell.net [63.207.60.26]) by hub.freebsd.org (Postfix) with ESMTP id 0A12F37B424 for ; Wed, 2 May 2001 13:40:08 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 01FC7678A1; Wed, 2 May 2001 13:40:06 -0700 (PDT) Date: Wed, 2 May 2001 13:40:06 -0700
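To make concrete what Brian asks and Roelof answers, here is an added example that is not code from the thread and not FreeBSD's own libcrypt: it computes the crypt(3) MD5 "$1$salt$hash" string in pure Python (the classic md5crypt construction, so the "$1$" prefix and the salt are exactly where master.passwd expects them), verifies a password against such a field, and builds the pw useradd / chpass -p argument lists quoted earlier in the thread. The helper names new_salt, check_password and useradd_commands are hypothetical, and the salt "7tGUSabc" used in the test is constructed.

```python
import hashlib
import secrets

# Alphabet crypt(3) uses for its 6-bit encoding (not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the "$1$salt$hash" string crypt(3) produces for an MD5 password.

    Follows the md5crypt construction: the salt is cut at 8 characters or the
    first '$', and 1000 rounds mix password, salt and running digest in a
    fixed pattern before the 16 digest bytes are reordered into 22 characters.
    """
    pw = password.encode()
    salt = salt[:8].split("$", 1)[0]
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()

    # Add as many bytes of the alternate digest as the password is long.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(pl, 16)])
        pl -= 16

    # For each bit of the password length, add a NUL or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of deliberately slow re-hashing.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Reorder the digest bytes: 3 bytes per 4 characters, then the last byte.
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def new_salt(length: int = 8) -> str:
    """Hypothetical helper: a random salt from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def check_password(password: str, stored: str) -> bool:
    """Hypothetical helper: verify a password against a "$1$..." field."""
    if not stored.startswith("$1$"):
        return False
    salt = stored[3:].split("$", 1)[0]
    return secrets.compare_digest(md5crypt(password, salt), stored)


def useradd_commands(user: str, fullname: str, home: str,
                     shell: str, hashed: str) -> list:
    """Hypothetical helper: the two-step sequence from the thread as argv lists.

    Only builds the argument lists; running them (without a shell, so the hash
    is never subject to word splitting) is left to the caller.
    """
    return [
        ["pw", "useradd", "-n", user, "-c", fullname, "-d", home, "-m", "-s", shell],
        ["chpass", "-p", hashed, user],
    ]


if __name__ == "__main__":
    h = md5crypt("correct horse", new_salt())
    print(h)
    for argv in useradd_commands("test", "Test User", "/home2/test", "/bin/sh", h):
        print(" ".join(argv))
```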
From: Kris Kennaway To: Brett Glass Cc: security@freebsd.org Subject: Re: What do folks think of this article? Message-ID: <20010502134006.C67270@xor.obsecurity.org> References: <200105021702.LAA24669@lariat.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="WplhKdTI2c8ulnbP" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200105021702.LAA24669@lariat.org>; from brett@lariat.org on Wed, May 02, 2001 at 11:02:20AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--WplhKdTI2c8ulnbP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, May 02, 2001 at 11:02:20AM -0600, Brett Glass wrote:
> http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm

The first half of that article is weird: "Hackers like UNIX, therefore hackers might be motivated to attack MacOS X", but the second half raises valid points (about Apple's security process). In fact though, we've already been addressing these concerns, and the freebsd security officer team will be working closely with the apple security team to coordinate fixing and disclosure of vulnerabilities. We're hoping to pass on some of our experience doing this for the last n years to help streamline Apple's security process as they adjust to supporting the new OS.
Kris

--WplhKdTI2c8ulnbP
Content-Type: application/pgp-signature
Content-Disposition: inline

--WplhKdTI2c8ulnbP--

From owner-freebsd-security Wed May 2 13:49: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 19C8837B422 for ; Wed, 2 May 2001 13:48:59 -0700 (PDT) (envelope-from roelof@eboa.com) Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id WAA21593; Wed, 2 May 2001 22:48:52 +0200 (CEST) (envelope-from roelof@eboa.com) Message-ID: <3AF072B4.E65D4EEB@eboa.com> Date: Wed, 02 May 2001 22:48:52 +0200
From: Roelof Osinga
Organization: eBOA - Programming the Web
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: What do folks think of this article?

Brett Glass wrote:
>
> http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm

"Free BSD (Berkeley System Distribution) ..."

System? Ah well.

"Here's why: Due to the underlying similarity of all Unix systems, a vulnerability in one type of Unix system can often be to compromise another."

Somehow they all seem to miss that little detail about kernels. The Mach microkernel is quite a different beastie. That in itself should throw some wrenches into the gears.

As to the rest... Well... Being a security risk sure didn't harm NT on its way to popularity. Compared to - at least - early NT releases OS X looks a security bulwark.

Roelof

-- 
eBOA® est. 1982   tel. +31-58-2123014   web. http://eBOA.com/
fax. +31-58-2160293   mail info@eBOA.com

From owner-freebsd-security Wed May 2 14:20:30 2001
Date: Wed, 2 May 2001 14:20:01 -0700 (PDT)
Message-Id: <200105022120.f42LK1386574@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:39.tcp-isn
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:39                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          TCP initial sequence number generation contains
                statistical vulnerability

Category:       core
Module:         kernel
Announced:      2001-05-02
Credits:        Tim Newsham
                Niels Provos for the revised algorithm
Affects:        All released versions of FreeBSD 3.x, 4.x prior to 4.3.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2001-05-02 (FreeBSD 3.5-STABLE)
                2001-04-18 (FreeBSD 4.3-RC)
FreeBSD only:   NO

I.   Background

TCP network connections use an initial sequence number as part of the connection handshaking. According to the TCP protocol, an acknowledgement packet from a remote host with the correct sequence number is trusted to come from the remote system with which an incoming connection is being established, and the connection is established.

II.  Problem Description

It has long been known that an attacker who can guess the initial sequence number which a system will use for the next incoming TCP connection can spoof a TCP connection handshake coming from a machine to which he does not have access, and then send arbitrary data into the resulting TCP connection which will be accepted by the server as coming from the spoofed machine.

The algorithm used to generate TCP initial sequence numbers was subject to statistical analysis, which allows an attacker to guess a range of values likely to be in use by a given server at a moment in time, based on observation of the value at a previous time (for example, by initiating a TCP connection to an open port on the server).

Note that this vulnerability is different to the vulnerability described in Security Advisory 00:52 (which dealt with failure of the PRNG used in the ISN generation algorithm; this advisory relates to a higher-level weakness in the algorithm itself).

In order for this to be successfully exploited, the attacker must also satisfy the following conditions:

a) be able to initiate a TCP connection to an open port on the server.

b) be able to prevent the spoofed client machine from responding to the packets sent to it from the server, by making use of an address which is offline or by executing a denial of service attack against it to prevent it from responding.

c) make use of an application-level protocol on the server which authenticates or grants trust solely based on the IP address of the client, not any higher-level authentication mechanisms such as a password or cryptographic key.

d) be able to guess or infer the return TCP data from the server to the spoofed client (if any), to which he will not have access.

All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem. The problem was corrected prior to the release of FreeBSD 4.3-RELEASE by using the TCP ISN generation algorithm obtained from OpenBSD, which uses a more sophisticated randomization method that is believed not to be vulnerable to the problem described here.

A more satisfactory, long-term solution would be to implement the algorithm described in RFC 1948; plans are underway to implement this algorithm for FreeBSD, and it is likely that it will be included in future releases of FreeBSD.

III. Impact

Systems running insecure protocols which blindly trust a TCP connection which appears to come from a given IP address without requiring other authentication of the originator are vulnerable to spoofing by a remote attacker, potentially yielding privileges or access on the local system.

Examples of such protocols and services are: the rlogin/rsh/rexec family when used to grant passwordless access (e.g. via .rhosts or hosts.equiv files); web server address-based access controls on scripts which do not require user authentication and which control privileged resources; tcp-wrappers host access controls around services which do not authenticate the connection further; lpr address-based access controls, and others.

Note that the rlogin family of protocols when configured to use Kerberos or UNIX passwords are not vulnerable to this attack since they authenticate connections (using Kerberos tickets in the former case, and account passwords in the latter). Source address based authentication in the rlogin family of protocols is not used by default, and must be specifically enabled through use of a per-user .rhosts file, or a global /etc/hosts.equiv file.

Attackers can also forge TCP connections to arbitrary TCP protocols (including protocols not vulnerable to the spoofing attack described above) and simulate the effects of failed remote access attempts from a target machine (e.g. repeated attempts to guess a password), potentially misleading the administrators of the server into thinking they are under attack from the spoofed client.

IV.  Workaround

Possible workarounds for the vulnerability include one or more of the following:

1) Disable all insecure protocols and services including rlogin, rsh and rexec (if configured to use address-based authentication), or reconfigure them to not authenticate connections based solely on originating address. In general, the rlogin family should not be used anyway - the ssh family of commands (ssh, scp, slogin) provide a secure alternative which is included in FreeBSD 4.0 and above. As of FreeBSD 4.2-RELEASE these services were not enabled by default.

To disable the rlogin family of protocols, make sure the /etc/inetd.conf file does not contain any of the following entries uncommented (i.e. if present in the inetd.conf file they should be commented out as shown below:)

#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec   stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd

Be sure to restart inetd by sending it a HUP signal after making any changes:

# kill -HUP `cat /var/run/inetd.pid`

Audit the use of other services including those noted in section III above and either disable the service, or if possible require it to use a stronger form of authentication. See workaround 3) below.

2) Impose IP-level packet filters on network perimeters (ingress filtering) or on local affected machines to prevent access from any outside party to a vulnerable internal service using a "privileged" source address. For example, if machines on the internal 10.0.0.0/24 network are allowed to obtain passwordless rlogin access to a server, then external users should be prevented from sending packets with 10.0.0.0/24 source addresses from the outside network into the internal network. This is standard good security policy. Note however that if an external address must be granted access to local resources then this type of filtering cannot be applied. It also does not defend against spoofing attacks from within the network perimeter. Consider disabling this service until the affected machines can be patched.

3) Enable the use of IPSEC to authenticate (and/or encrypt) vulnerable TCP connections at the IP layer. A system which requires authentication of all incoming connections to a port using IPSEC cannot be spoofed using the attack described in this advisory, nor can TCP sessions be hijacked by an attacker with access to the packet stream. FreeBSD 4.0 and later include IPSEC functionality in the kernel, and 4.1 and later include an IKE daemon, racoon, in the ports collection. Configuration of IPSEC is beyond the scope of this document, however see the following web resources:

http://www.freebsd.org/handbook/ipsec.html
http://www.netbsd.org/Documentation/network/ipsec/
http://www.kame.net/

V.   Solution

Note that address-based authentication is generally weak, and should be avoided even in environments running with the sequence numbering improvements. Instead, cryptographically-protected protocols and services should be used wherever possible.

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-RELEASE or 3.5.1-STABLE after the respective correction dates.

2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

[FreeBSD 4.1/4.2 base system]

This patch has been verified to apply to FreeBSD 4.1 and 4.2 only. It may or may not apply to older releases. Users of FreeBSD 4.1 must apply the patch from advisory 00:52 before applying this patch.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

[FreeBSD 3.5.1 base system]

The following patch applies to FreeBSD 3.5.1-RELEASE which has already had the patch from advisory 00:52 applied.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-3.5.1-stable.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-3.5.1-stable.patch.asc

The following patch applies to unpatched FreeBSD 3.5.1-RELEASE only. It may or may not apply to older, unsupported releases.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-3.5.1-rel.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:39/tcp-isn-3.5.1-rel.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]
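An added example in Python, not part of the advisory and not FreeBSD's or OpenBSD's kernel code: a minimal generator in the style of RFC 1948 (the long-term fix the advisory names) beside a constructed naive counter generator, with a check of how far an ISN observed on one connection lets you extrapolate the ISN of a different 4-tuple. The HMAC-SHA256 hash, the 64000 per-connection bump and the sample addresses are assumptions made here.

```python
"""Added example (not the advisory's, FreeBSD's or OpenBSD's code): a minimal
RFC 1948 style ISN generator next to a constructed naive counter generator,
and a check of the cross-connection ISN offset that the observe-then-guess
attack in section II depends on being small."""
import hashlib
import hmac
import os

TCP_SEQ_MASK = 0xFFFFFFFF
CLOCK_TICK_US = 4   # RFC 793/1948: the ISN clock advances once every 4 microseconds


class Rfc1948IsnGenerator:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).

    M is the 4 us clock, F a keyed hash of the connection 4-tuple.  RFC 1948
    suggested MD5 over tuple+secret; HMAC-SHA256 truncated to 32 bits is an
    assumption made here, not the RFC's or any BSD's exact construction.
    """

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)

    def _offset(self, laddr, lport, raddr, rport):
        msg = f"{laddr}:{lport}->{raddr}:{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, laddr, lport, raddr, rport, now_us):
        m = (now_us // CLOCK_TICK_US) & TCP_SEQ_MASK
        return (m + self._offset(laddr, lport, raddr, rport)) & TCP_SEQ_MASK


class GlobalCounterIsnGenerator:
    """Constructed naive scheme: one global value driven by the clock plus a
    fixed bump per accepted connection, with nothing peer-specific.  It stands
    in for the kind of generator the advisory's statistical attack works
    against; it is NOT the FreeBSD 3.x/4.x algorithm."""

    def __init__(self, per_connection_bump=64000):
        self.bump = per_connection_bump
        self.connections = 0

    def isn(self, laddr, lport, raddr, rport, now_us):
        self.connections += 1
        m = (now_us // CLOCK_TICK_US) & TCP_SEQ_MASK
        return (m + self.connections * self.bump) & TCP_SEQ_MASK


def seq_delta(a, b):
    """Signed distance from a to b in 32-bit sequence space (handles wrap)."""
    d = (b - a) & TCP_SEQ_MASK
    return d - (1 << 32) if d & 0x80000000 else d


def cross_connection_error(gen, observed, target, t_obs_us, t_target_us):
    """The quantity condition (a) of the advisory relies on: take the ISN the
    server hands out on a connection the observer may open, move it forward by
    the clock alone, and compare with the ISN the server actually assigns to a
    different 4-tuple later.  A small fixed error means the generator is
    predictable from observation; a secret-keyed 32-bit error means it is not."""
    isn_obs = gen.isn(*observed, t_obs_us)
    elapsed_ticks = (t_target_us - t_obs_us) // CLOCK_TICK_US
    extrapolated = (isn_obs + elapsed_ticks) & TCP_SEQ_MASK
    actual = gen.isn(*target, t_target_us)
    return seq_delta(extrapolated, actual)


# Constructed sample 4-tuples (documentation addresses): a probe to the server's
# rlogin port, and the connection that would carry a trusted client's address.
PROBE = ("192.0.2.10", 513, "203.0.113.77", 40000)
TRUSTED = ("192.0.2.10", 513, "192.0.2.20", 1022)

if __name__ == "__main__":
    naive = GlobalCounterIsnGenerator()
    keyed = Rfc1948IsnGenerator(secret=b"constructed-demo-secret")
    for name, gen in (("global counter", naive), ("RFC 1948 style", keyed)):
        err = cross_connection_error(gen, PROBE, TRUSTED, 1_000_000, 1_000_400)
        print(f"{name:15s} extrapolation error = {err}")
```

With the naive generator the error is exactly the per-connection bump every time; with the keyed generator it is the difference of two secret-dependent offsets, which is what removes the information an observation connection would otherwise give.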
From owner-freebsd-security Wed May 2 14:21:14 2001
Date: Wed, 2 May 2001 23:21:05 +0200
From: Szilveszter Adam
To: security@freebsd.org
Subject: Re: What do folks think of this article?
Message-ID: <20010502232105.C24364@petra.hos.u-szeged.hu>

On Wed, May 02, 2001 at 11:02:20AM -0600, Brett Glass wrote:
> http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm

Hello,

While the article contains quite some mix-matching and is spreading a great deal of FUD (just as any article that obscure "security experts" use to plug their services), the part about the state of Mac security response capabilities is true. In this respect, Apple is in the same shoes now as MS was when Internet access using Windows became commonplace. This was not even the case with the release of Win95, only later. It is only recently, for example, that MS security engineers are engaging in direct correspondence on BUGTRAQ wrt security problems. They too had to learn that this was the only way. Apple will IMHO go the same way, because it will be forced to do so. Waiting until the next release to fix that bug is no longer enough.

As for other assertions of the article, they are at least "interesting".

1) The fact that there were only few Mac viruses (there were a few, and say macro viruses for MS Office sometimes were operable also on Macs) does not mean more than there are few Macs.

2) That there were not many Mac exploits is a) questionable: what is "many"? I have seen some. b) hacking a Mac under MacOS would have been approx. as much fun as hacking win3.11. Great. Easier to simply circumvent the login prompt:-)

3) UNIX type systems are not any more insecure than the Mac was. The fact that there are many advisories for them means that it actually makes sense to publish them and try to patch the holes, while say for win95 or older, these efforts are largely wasted.

4) That UNIX attracts hackers is simply untrue, when used generally. What attracts them is insecure machines with known holes, and most of those happen to be from the Windows (and in lesser numbers from the commercial UNIX) variety. This sentiment merely reinforces those who think that security against intrusions is something that only UNIX admins need to concern themselves about. No. If you are on the Net, you must protect yourself.

5) Show me a UNIX virus. Not an email virus that can spread through a UNIX machine's MTA to windows machines, but an actual UNIX virus. Worms do not count. They are worms, not virii.

Some other blatant errors have already been pointed out. It seems it is not only Apple that needs to read up on what the name of the game is. Also some PC centric allegedly technical mags must grow up to the task and stop that Windows centric attitude that says: "Either it is windows or at least it must look like and feel like windows (see most of their Linux coverage) otherwise we don't have a clue."

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Wed May 2 16:49:36 2001
Message-ID: <3AEEF377.EC6E105B@softweyr.com>
Date: Tue, 01 May 2001 11:33:43 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Named Security

Greg Haa wrote:
>
> Hello my name is greg. I am writing because I think someone inside my
> company is attacking named and crashing it. Now I am upgrading to 9.1.0
> to get rid of the problem but I wanted to know if there is a piece of
> software to allow me to track connections and what took place during the
> connection to determine where this is coming from. So I can break some
> knee caps. Also as I try this upgrade I am getting permission denied
> errors. During bootup named will not start--->
>
> Doing additional network setup: named/etc/rc: /usr/local/sbin: permission
> denied portmap
>
> Any ideas? FreeBSD 4.2-RELEASE and self built bind-9.1.0

Update your ports collection and install the bind9 port. You can update your ports collection using CVSup and a supfile like /usr/share/examples/cvsup/ports-supfile.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                   Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Wed May 2 17:18:25 2001
Message-ID: <001a01c0d366$cc72bb90$0100c8c8@co3018900a>
From: "Tuan Jean TEE"
To: "FreeBSD security"
Subject: Any other proxy which I could open service
Date: Thu, 3 May 2001 10:20:02 +1000

I was wondering if there is any package in FreeBSD 4.2 which could allow me to run as a proxy and can specify the ports to the internet. The Http-gw proxy could only run on one open port. How could I enable ports say for RealAudio for my entire network?

Thanks.

From owner-freebsd-security Wed May 2 18:13:24 2001
From: newsham@lava.net (Tim Newsham)
Subject: (fwd) FreeBSD Security Advisory FreeBSD-SA-01:39.tcp-isn (fwd)
To: security@freebsd.org
Date: Wed, 2 May 2001 15:13:07 -1000 (HST)

hmm.. I think you may have gotten the attack description and conditions wrong. Attacks are performed against live, already authenticated connections. As such, rsh and rlogin are no more susceptible to attack than other unencrypted sessions. All sessions, regardless of use of encryption, are susceptible to being shut down prematurely. Filtering out privileged ports will have no impact on this vulnerability.

Tim N.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message
>
> ----- End forwarded message -----
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed May 2 18:16:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.2600.org.au (phoenix.2600.org.au [203.202.88.125]) by hub.freebsd.org (Postfix) with ESMTP id 7816237B423 for ; Wed, 2 May 2001 18:16:45 -0700 (PDT) (envelope-from tim@rendrag.net)
Received: from tim (unknown [172.16.2.60]) by phoenix.2600.org.au (Postfix) with SMTP id D7F3045CC2 for ; Thu, 3 May 2001 11:16:44 +1000 (EST)
Message-ID: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au>
From: "Tim Kent"
To:
Subject: Doubles of security advisories
Date: Thu, 3 May 2001 11:12:23 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I always get two copies of the advisories, both identical but different
times. Is this normal?

As far as I know I have only signed up to the list once.

Tim.

From owner-freebsd-security Wed May 2 18:19:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id E8D0E37B62B for ; Wed, 2 May 2001 18:19:40 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu)
Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f431JV322553; Wed, 2 May 2001 18:19:31 -0700
Date: Wed, 2 May 2001 18:19:30 -0700
From: Brooks Davis
To: Tim Kent
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Doubles of security advisories
Message-ID: <20010502181930.A22115@Odin.AC.HMC.Edu>
References: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="AhhlLboLdkugWU4S"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au>; from tim@rendrag.net on Thu, May 03, 2001 at 11:12:23AM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 03, 2001 at 11:12:23AM +1000, Tim Kent wrote:
> I always get two copies of the advisories, both identical but different
> times. Is this normal?
>
> As far as I know I have only signed up to the list once.

One goes to security (actually security-notifications or something like
that) and one goes to announce. At least, that's where my two copies
come from.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Wed May 2 18:20:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 4593937B422 for ; Wed, 2 May 2001 18:19:56 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from TARMAP.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id f431Jn7Z066166; Wed, 2 May 2001 20:19:50 -0500 (CDT)
Message-Id: <5.1.0.14.0.20010502201840.02e73dd8@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 02 May 2001 20:19:35 -0500
To: "Tim Kent" ,
From: Christopher Schulte
Subject: Re: Doubles of security advisories
In-Reply-To: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Are you also signed up to freebsd-announce@freebsd.org? The advisories
get posted there too.

At 11:12 AM 5/3/2001 +1000, Tim Kent wrote:
>I always get two copies of the advisories, both identical but different
>times. Is this normal?
>
>As far as I know I have only signed up to the list once.
>
>
>Tim.

--
Christopher Schulte
Finger for PGP key, or for UNIX impaired:
http://noc.schulte.org/cgi-bin/noc/finger.cgi

From owner-freebsd-security Wed May 2 18:29:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-26.dsl.lsan03.pacbell.net [63.207.60.26]) by hub.freebsd.org (Postfix) with ESMTP id B4E9637B424 for ; Wed, 2 May 2001 18:29:16 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id EC1A167B84; Wed, 2 May 2001 18:29:15 -0700 (PDT)
Date: Wed, 2 May 2001 18:29:15 -0700
From: Kris Kennaway
To: Brooks Davis
Cc: Tim Kent , freebsd-security@FreeBSD.ORG
Subject: Re: Doubles of security advisories
Message-ID: <20010502182915.A72379@xor.obsecurity.org>
References: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au> <20010502181930.A22115@Odin.AC.HMC.Edu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="4Ckj6UjgE2iN1+kY"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010502181930.A22115@Odin.AC.HMC.Edu>; from brooks@one-eyed-alien.net on Wed, May 02, 2001 at 06:19:30PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 02, 2001 at 06:19:30PM -0700, Brooks Davis wrote:
> On Thu, May 03, 2001 at 11:12:23AM +1000, Tim Kent wrote:
> > I always get two copies of the advisories, both identical but different
> > times. Is this normal?
> >
> > As far as I know I have only signed up to the list once.
>
> One goes to security (actually security-notifications or something like
> that) and one goes to announce. At least, that's where my two copies
> come from.

All three locations, in fact (plus bugtraq).
Kris

From owner-freebsd-security Wed May 2 18:33:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-26.dsl.lsan03.pacbell.net [63.207.60.26]) by hub.freebsd.org (Postfix) with ESMTP id 2128837B424 for ; Wed, 2 May 2001 18:33:50 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 925FA67B84; Wed, 2 May 2001 18:33:49 -0700 (PDT)
Date: Wed, 2 May 2001 18:33:49 -0700
From: Kris Kennaway
To: Tim Newsham
Cc: security@freebsd.org
Subject: Re: (fwd) FreeBSD Security Advisory FreeBSD-SA-01:39.tcp-isn (fwd)
Message-ID: <20010502183349.B72379@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NDin8bjvE/0mNLFQ"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from newsham@lava.net on Wed, May 02, 2001 at 03:13:07PM -1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 02, 2001 at 03:13:07PM -1000, Tim Newsham wrote:
>
> hmm.. I think you may have gotten the attack description
> and conditions wrong.
>
> Attacks are performed against live, already authenticated
> connections. As such, rsh and rlogin are no more
> susceptible to attack than other unencrypted sessions.
> All sessions, regardless of use of encryption, are
> susceptible to being shut down prematurely.

Even TCP connections protected with IPSEC AH?

Knowing the TCP ISN (with some confidence level) allows you to do (at
least) two classes of attack:

1) Reset existing connections, as was focused on in your paper (you
need to know roughly how much data has been through the connection
too).

2) Spoof new connections.

> Filtering out privileged ports will have no impact
> on this vulnerability.

It does protect against both 1) and 2) in the case where connections
are between internal machines. Obviously there are limits to what you
can do with ingress filtering, though.

This is obviously a complex issue with many implications, and few good
workarounds.
Kris

From owner-freebsd-security Wed May 2 18:39:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id 7084237B422 for ; Wed, 2 May 2001 18:39:10 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f431cxT85224 for ; Wed, 2 May 2001 18:39:00 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Message-ID: <3AF0B6B3.A31020BF@ursine.com>
Date: Wed, 02 May 2001 18:38:59 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Doubles of security advisories
References: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tim Kent wrote:
>
> I always get two copies of the advisories, both identical but different
> times. Is this normal?
>
> As far as I know I have only signed up to the list once.

Security notifications are sent to three separate lists, to the best of
my knowledge:

freebsd-security
freebsd-security-notifications
freebsd-announce

You'll get one copy for each of those lists that you are subscribed to.

From owner-freebsd-security Wed May 2 18:59:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-26.dsl.lsan03.pacbell.net [63.207.60.26]) by hub.freebsd.org (Postfix) with ESMTP id 785FC37B423 for ; Wed, 2 May 2001 18:59:21 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D6DFE67B84; Wed, 2 May 2001 18:59:20 -0700 (PDT)
Date: Wed, 2 May 2001 18:59:20 -0700
From: Kris Kennaway
To: slaktaren
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freezing problem
Message-ID: <20010502185920.F74902@xor.obsecurity.org>
References: <200105021133.IAA67289@ns1.via-net-works.net.ar> <00038353a99935f5_mailit@192.168.0.14>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="kbCYTQG2MZjuOjyn"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00038353a99935f5_mailit@192.168.0.14>; from slaktaren@inexistent.dnsalias.net on Wed, May 02, 2001 at 09:18:01AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 02, 2001 at 09:18:01AM -0700, slaktaren wrote:
> are there any other places to look for clues than /var/log/messages?

Uh, yeah..run top(1) and other system monitoring tools to see what's
eating it up.

Kris

From owner-freebsd-security Wed May 2 19:16:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 4365D37B423 for ; Wed, 2 May 2001 19:16:52 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 11279 invoked by uid 0); 3 May 2001 02:16:51 -0000
Received: from pd950887c.dip.t-dialin.net (HELO speedy.gsinet) (217.80.136.124) by mail.gmx.net (mail02) with SMTP; 3 May 2001 02:16:51 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA03609 for
freebsd-security@freebsd.org; Wed, 2 May 2001 21:37:19 +0200
Date: Wed, 2 May 2001 21:37:19 +0200
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: useradd/adduser
Message-ID: <20010502213719.C253@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> <20010502180543.C88365@ringworld.oblivion.bg> <20010502202157.A76656@daphne.unloved.org> <20010502214032.F88365@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20010502214032.F88365@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, May 02, 2001 at 09:40:32PM +0300
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 02, 2001 at 21:40 +0300, Peter Pentchev wrote:
> On Wed, May 02, 2001 at 08:21:57PM +0200, Ashley Penney wrote:
> > On Wed, May 02, 2001 at 06:05:43PM +0300, Peter Pentchev said:
> > >
> > > And if you're really, really interested, I could give you a
> > > little patch I made some time ago, to add a -H encrypted
> > > pass option to pw(8), which should do exactly what you need
> > > :)
> >
> > What's wrong with chpass -p "crypthere" user ?
>
> OK, several people pointed that out already :) I didn't know
> chpass could do that, ok? :)

Not quite in all respects. There's a short discussion in "man 8 pw"
for how the -h option and feeding it from an fd is motivated. By
using pw(8)'s -p option you end up specifying the crypted form on the
command line, again. Whereas producing into an fd could be done any
way you could think of ...

To cut it short: I would be happy to see your (Peter's) -H option
incorporated into pw(8). I assume it does what -h does, too, but
bypasses the crypt(3) call. This should make the patch short and
rather suitable for quick and smooth verification.
virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Wed May 2 20:03:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 9F89137B423 for ; Wed, 2 May 2001 20:03:15 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f4332tf76320; Wed, 2 May 2001 23:03:07 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 2 May 2001 23:02:55 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Alex Popa
Cc: security@FreeBSD.org
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
In-Reply-To: <20010501231616.A40227@ldc.ro>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I reported this to the openssh maintainers at least a year or two ago, and
was told it was a "feature" -- intended to allow people to "ssh localhost"
without getting key errors when using NFS mounted home directories.
Personally, I consider it a security "don't" for precisely the reason you
identify, and on my personal machines, I tend to re-enable checking for
127.0.0.1. However, since SSH's public key file format doesn't include a
port field, there's not really a great way to handle forwarding from
different ports securely -- really, it would be nice if there was a way to
say:

ssh -p 5646 -usekeyfor fledge.watson.org localhost

I.e., connect to localhost:5646, but use the host key associated with
fledge.watson.org in the keys file.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 1 May 2001, Alex Popa wrote:

> The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> connections (blowfish encryption in a 3DES tunnel, anyone?) to hosts I
> cannot otherwise reach (ie non-routable address space, 192.168.0.0/16)
> or to hosts which only accept connections from certain IPs.
>
> I do not sometimes fully trust the hosts I use as relays, so it would be
> nice if SSH could show me the key fingerprint and let me decide if I
> want to connect, not just accept any key.
>
> Example:
> (setting up the support tunnel)
> #ssh some.host.example.org -l me -C -L 222:192.168.1.2:22
> (connects OK)
> (switch VT's)
> # ssh 127.0.0.1 -v -C -l root -p 222
> SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to (null) [127.0.0.1] port 222.
> debug: Allocated local port 1015.
> debug: Connection established.
> debug: Remote protocol version 1.5, remote software version 1.2.27
> debug: no match: 1.2.27
> debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
> debug: Waiting for server public key.
> debug: Received server public key (1152 bits) and host key (1024 bits).
> ---
> debug: Forcing accepting of host key for loopback/localhost.
> ---
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Remote: Server does not permit empty password login.
> debug: Doing password authentication.
> root@127.0.0.1's password:
>
> As you can see from the separated line, ssh does not even ask if I want
> to accept the key. If I set up a different tunnel, I get no warning
> message about the key change.
>
> Is there a way to tell ssh to ask me about that key, and even keep
> different keys in my known_hosts file, for example for 127.0.0.1, 127.1,
> 127.0.1 (which are the same IP, but in different formats so I can store
> the keys once, and then leave ssh to check if they are unchanged).
>
> [Sorry if I do not make a lot of sense, this has been a long day]
>
> Have Fun!
>
> ------------+------------------------------------------
> Alex Popa,  | "Artificial Intelligence is
> razor@ldc.ro| no match for Natural Stupidity"
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."
>

From owner-freebsd-security Thu May 3 1:55:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from male.aldigital.co.uk (male.aldigital.co.uk [194.128.162.11]) by hub.freebsd.org (Postfix) with ESMTP id 6417A37B422 for ; Thu, 3 May 2001 01:55:49 -0700 (PDT) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk (socks.aldigital.co.uk [194.128.162.10]) by male.aldigital.co.uk (Postfix) with ESMTP id 974BC6A141E; Thu, 3 May 2001 08:54:46 +0000 (GMT)
Message-ID: <3AF11B82.1978A3DC@algroup.co.uk>
Date: Thu, 03 May 2001 09:49:06 +0100
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Tuan Jean TEE
Cc: FreeBSD security
Subject: Re: Any other proxy which I could open service
References: <001a01c0d366$cc72bb90$0100c8c8@co3018900a>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tuan Jean TEE wrote:
>
> I was wondering if there is any package in FreeBSD 4.2 which could allow me
> to run as a proxy and can specify the ports to the internet. The Http-gw
> proxy could only run on one open port. How could I enable ports say for
> RealAudio for my entire network?

http://www.socks.nec.com/

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Thu May 3 2:53:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from routeur.pol.local (nas1-122.gre.club-internet.fr [195.36.211.122]) by hub.freebsd.org (Postfix) with ESMTP id 334DE37B422 for ; Thu, 3 May 2001 02:53:02 -0700 (PDT) (envelope-from poizat@partsonline.fr)
Received: from PARTSERVER.partsonline.fr (partserver.pol.local [172.16.10.10]) by routeur.pol.local (8.11.1/8.11.1) with ESMTP id f439qx478963; Thu, 3 May 2001 11:52:59 +0200 (CEST) (envelope-from poizat@partsonline.fr)
Message-Id: <5.0.2.1.0.20010503110648.01a85c68@127.0.0.1>
X-Sender: pop9405/pop.partsonline.fr@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Thu, 03 May 2001 11:25:59 +0200
To: freebsd-security@FreeBSD.ORG
From: Guy Poizat
Subject: Re: What do folks think of this article?
Cc: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010502104749.O18676@fw.wintelcom.net>
References: <200105021702.LAA24669@lariat.org> <200105021702.LAA24669@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There are some statements in that article which are subject to criticism.
It could be (for instance) understood as "Don't wanna be hacked? Don't use
a unix!", and I think it's not really complete; it should be "...Don't use a
unix without planning you will need man-time to watch and update it."
And BTW other OSes' security is subject to the same condition (at least).

At 19:47 02/05/2001, you wrote:
>* Brett Glass [010502 10:02] wrote:
> > http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm
>
>As usual someone is trying to raise an issue that's
>already common knowledge.
>
>I mean:
>
> "So, where security was concerned, Apple users enjoyed a free
> ride. Same with virus attacks. Mac users avoided the carnage of
> the I Love You virus in May, 2000. Nor did they have to worry
> about nasty Trojan-horse attacks, such as the SubSeven variety
> that could give hackers remote control of a computer. Mac users
> lived in a digital Garden of Eden, a simpler place free of
> serpents."

"Digital Garden of Eden"? Well... I think I met my first viruses on
macintoshes.
Moreover, it's easy to have a 'secured' system when no remote services nor
security features (user identification..) are there. My ZX spectrum was
'secure', too (and especially when powered down!).
I guess that if Apple computers had been as widespread and popular as other
platforms, they would have been subject to some 'show business friendly'
security issues such as 'I Love you' & 'Melissa'...
>As far as getting the word out on bugs, I find it terribly annoying
>that Bugtraq is now a vendor's forum to spam about security updates,
>it's really irritating to hear about some vulnerability and then
>receive about 20 emails from different Linux and other Unix
>distributors about the exact same bug.

That's true. If I WANT to get security advisories for a specific linux
distro or whatever I CAN subscribe to the dedicated mailing list.
BTW, I could make my own little OS, full of bugs, and install it on one or
two friends' computers, and have a website to make it 'popular'. Then I'll
be allowed to flood Bugtraq with 'security bulletin' repeating what is
already known, 'cos MY OS also uses that pretty ntp daemon or this cool samba
tool. Would be nice, no?!
I think there's something to do about it.
Anyway we can't avoid reading stuff useless for our own purposes on
Bugtraq, but at least let's not repeat 10 times the same info.

this obviously is only my opinion :-)

>--
>-Alfred Perlstein - [alfred@freebsd.org]
>Daemon News Magazine in your snail-mail!
>http://magazine.daemonnews.org/

--
Guy Poizat
poizat@partsonline.fr

From owner-freebsd-security Thu May 3 2:53:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from routeur.pol.local (nas1-122.gre.club-internet.fr [195.36.211.122]) by hub.freebsd.org (Postfix) with ESMTP id 4E28537B423 for ; Thu, 3 May 2001 02:53:02 -0700 (PDT) (envelope-from poizat@partsonline.fr)
Received: from PARTSERVER.partsonline.fr (partserver.pol.local [172.16.10.10]) by routeur.pol.local (8.11.1/8.11.1) with ESMTP id f439r0478966 for ; Thu, 3 May 2001 11:53:00 +0200 (CEST) (envelope-from poizat@partsonline.fr)
Message-Id: <5.0.2.1.0.20010503113004.01b93b50@127.0.0.1>
X-Sender: pop9405/pop.partsonline.fr@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Thu, 03 May 2001 11:36:55 +0200
To: freebsd-security@FreeBSD.ORG
From: Guy Poizat
Subject: Re: Doubles of security advisories
In-Reply-To: <00eb01c0d36e$4c5fe470$3c0210ac@bcmpartnership.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:12 03/05/2001, you wrote:
>I always get two copies of the advisories, both identical but different
>times. Is this normal?
>
>As far as I know I have only signed up to the list once.
>
>
>Tim.

I get each advisory 3 times.

1)Delivered-To: freebsd-announce@freebsd.org
2)Delivered-To: freebsd-security@freebsd.org
3)Delivered-To: freebsd-security-notifications@freebsd.org

I forgot bugtraq, which is a fourth one.

At least, I've been warned, so. :-)

--
Guy Poizat
poizat@partsonline.fr

From owner-freebsd-security Thu May 3 2:55:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from athena.za.net (athena.za.net [196.30.167.200]) by hub.freebsd.org (Postfix) with ESMTP id DE0D237B43C for ; Thu, 3 May 2001 02:55:37 -0700 (PDT) (envelope-from jus@athena.za.net)
Received: from jus (helo=localhost) by athena.za.net with local-esmtp (Exim 3.13 #1) id 14vFp8-0004Z3-00; Thu, 03 May 2001 11:55:02 +0200
Date: Thu, 3 May 2001 11:55:02 +0200 (SAST)
From: Justin Stanford
X-Sender: jus@athena.za.net
To: Guy Poizat
Cc: freebsd-security@FreeBSD.ORG, BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: What do folks think of this article?
In-Reply-To: <5.0.2.1.0.20010503110648.01a85c68@127.0.0.1>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Same could easily be said for Windows, NT especially.. in fact, you could
probably more appropriately say - "Don't wanna be hacked? Don't use any
computers!" to be safe. ;)

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Thu, 3 May 2001, Guy Poizat wrote:

> There are some statements in that article which are subject to criticism.
> It could be (for instance) understood as "Don't wanna be hacked? Don't use
> a unix!", and I think it's not really complete; it should be "...Don't use a
> unix without planning you will need man-time to watch and update it."
> And BTW other OSes' security is subject to the same condition (at least).
>
> At 19:47 02/05/2001, you wrote:
> >* Brett Glass [010502 10:02] wrote:
> > > http://www.businessweek.com/bwdaily/dnflash/apr2001/nf2001051_727.htm
> >
> >As usual someone is trying to raise an issue that's
> >already common knowledge.
> >
> >I mean:
> >
> > "So, where security was concerned, Apple users enjoyed a free
> > ride. Same with virus attacks. Mac users avoided the carnage of
> > the I Love You virus in May, 2000. Nor did they have to worry
> > about nasty Trojan-horse attacks, such as the SubSeven variety
> > that could give hackers remote control of a computer. Mac users
> > lived in a digital Garden of Eden, a simpler place free of
> > serpents."
>
> "Digital Garden of Eden"? Well... I think I met my first viruses on
> macintoshes.
> Moreover, it's easy to have a 'secured' system when no remote services nor
> security features (user identification..) are there.
> My ZX spectrum was
> 'secure', too (and especially when powered down!).
> I guess that if Apple computers had been as widespread and
> popular as other platforms, they would have been subject to some 'show
> business friendly' security issues such as 'I Love you' & 'Melissa'...
>
> >As far as getting the word out on bugs, I find it terribly annoying
> >that Bugtraq is now a vendor's forum to spam about security updates,
> >it's really irritating to hear about some vulnerability and then
> >receive about 20 emails from different Linux and other Unix
> >distributors about the exact same bug.
>
> That's true. If I WANT to get security advisories for a specific linux
> distro or whatever I CAN subscribe to the dedicated mailing list.
> BTW, I could make my own little OS, full of bugs, and install it on one or
> two friends' computers, and have a website to make it 'popular'. Then I'll
> be allowed to flood Bugtraq with 'security bulletin' repeating what is
> already known, 'cos MY OS also uses that pretty ntp daemon or this cool samba
> tool. Would be nice, no?!
> I think there's something to do about it.
> Anyway we can't avoid reading stuff useless for our own purposes on
> Bugtraq, but at least let's not repeat 10 times the same info.
>
> this obviously is only my opinion :-)
>
> >--
> >-Alfred Perlstein - [alfred@freebsd.org]
> >Daemon News Magazine in your snail-mail!
http://magazine.daemonnews.org/ > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > -- > Guy Poizat > poizat@partsonline.fr > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 3:17:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 254F837B422; Thu, 3 May 2001 03:17:14 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id MAA28691; Thu, 3 May 2001 12:17:09 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Maciuszonek Artur" Cc: , Subject: Re: outlook express, ipx and ftp :) References: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com> 
From: Dag-Erling Smorgrav Date: 03 May 2001 12:17:08 +0200 In-Reply-To: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com> Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Maciuszonek Artur" writes: > Here is the dillema: It's not a dillemma. It might be a quandary (if you have a solution in mind but have doubts about its propriety), but is more likely a predicament, or, quite simply, a problem. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 3:19:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D43DA37B423; Thu, 3 May 2001 03:19:06 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id MAA28703; Thu, 3 May 2001 12:19:03 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Maciuszonek Artur" Cc: , Subject: Re: outlook express, ipx and ftp :) References: <001a01c0cfac$361bf3e0$0a036d18@ivideon.com> 
From: Dag-Erling Smorgrav Date: 03 May 2001 12:19:02 +0200 In-Reply-To: Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dag-Erling Smorgrav writes: > "Maciuszonek Artur" writes: > > Here is the dillema: > It's not a dillemma. And look what you made me do! Dilemma is spelt with only one 'l'. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 5: 4: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 5300E37B424 for ; Thu, 3 May 2001 05:03:56 -0700 (PDT) (envelope-from lee@kechara.net) Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id OAA27288 for ; Thu, 3 May 2001 14:20:09 +0100 Message-Id: <200105031320.OAA27288@mailgate.kechara.net> Date: Thu, 03 May 2001 13:06:33 +0100 To: freebsd-security@freebsd.org 
From: Lee Smallbone Subject: Re: useradd/adduser Reply-To: lee@kechara.net Organization: Kechara Internet X-Mailer: Opera 5.02 build 856a X-Priority: 3 (Normal) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As usual, your responses have blown me away, both in terms of knowledge and speed. Thank you very much indeed to everyone who replied, and also to those who pointed out the -h 0 pipe option, I either missed it or misunderstood when I read the man page. This kind of community truly does make FreeBSD stand out from the crowd. -- Lee Smallbone Kechara Internet lee@kechara.net www.kechara.net Tel: (01243) 869 969 Fax: (01243) 866 685 03/05/2001 00:37:19, Gerhard Sittig wrote: >On Wed, May 02, 2001 at 21:40 +0300, Peter Pentchev wrote: >> On Wed, May 02, 2001 at 08:21:57PM +0200, Ashley Penney wrote: >> > On Wed, May 02, 2001 at 06:05:43PM +0300, Peter Pentchev said: >> > >> > > And if you're really, really interested, I could give you a >> > > little patch I made some time ago, to add a -H encrypted >> > > pass option to pw(8), which should do exactly what you need >> > > :) >> > >> > What's wrong with chpass -p "crypthere" user ? >> >> OK, several people pointed that out already :) I didn't know >> chpass could do that, ok? :) > >Not quite in all respects. There's a short discussion in "man 8 >pw" for how the -h option and feeding it from an fd is motivated. >By using pw(8)'s -p option you end up specifying the crypted form >on the command line, again. Whereas producing into an fd could >be done any way you could think of ... > >To cut it short: I would be happy to see your (Peter's) -H >option incorporated into pw(8). I assume it does what -h does, >too, but bypasses the crypt(3) call. This should make the patch >short and rather suitable for quick and smooth verification. 
> > >virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 >Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net >-- > If you don't understand or are scared by any of the above > ask your parents or an adult to help you. > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 5:39:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 846D137B424 for ; Thu, 3 May 2001 05:39:18 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id JAA52108; Thu, 3 May 2001 09:41:57 -0300 (ART) 
From: Fernando Schapachnik Message-Id: <200105031241.JAA52108@ns1.via-net-works.net.ar> Subject: Re: What do folks think of this article? In-Reply-To: <20010502232105.C24364@petra.hos.u-szeged.hu> "from Szilveszter Adam at May 2, 2001 11:21:05 pm" To: Szilveszter Adam Date: Thu, 3 May 2001 09:41:57 -0300 (ART) Cc: security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL82 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org En un mensaje anterior, Szilveszter Adam escribió: > 5) Show me a UNIX virus. Not an email virus that can spread through a UNIX > machine's MTA to windows machines, but an actual UNIX virus. Worms do not > count. They are worms, not virii. Just for fun (I know about being root && executing unknown binaries, please don't we start with that): www.avpve.com Linux.Bliss These are nonmemory resident parasitic viruses written in GNU C. They infect Linux OS only - infected files may be executed, and the virus may spread itself only under Linux. The viruses search for executable Linux files (ELF internal format) and infect them. While infecting the viruses shift the file body down, write themselves to the beginning of file and append to the end of file the ID-text: "Bliss.a": infected by bliss: 00010002:000045e4 "Bliss.b": infected by bliss: 00010004:000048ac It seems that the former hex number in these lines is a virus version, and the latter is the virus length - the virus lengths are 17892 and 18604 bytes. When an infected file is run, the "Bliss.a" virus searches for not more than three not infected files and affects them. "Bliss.b" infects more files (I see not how much). If there are no not infected files in the current directory, the virus scans the system and infects the files in other directories. After infecting the viruses return control to the host program, and it will work correctly. 
Linux is the access-protected system, i.e. users and programs may access only files that they have permission to. The same for virus - it may infect only the files and directories that are declared as "write-able" for current username. If current username has total access (system administrator), the virus will infect all files on computer. The viruses seem to be "under debugging" and while searching for files and infecting them they display several messages: already infected skipping, infected with same vers or different type replacing older version replacing ourselves with newer version infecting: bytes infect() returning success been to already! traversing our size is copy() returning success copy() returning failure disinfecting: not infected couldn't malloc bytes, skipping couldn't read() all bytes read bytes happy_commit() failed, skipping couldn't write() all bytes, hope you had backups! successfully (i hope) disinfected Debugging is ON Disinfecting files... using infection log: The viruses also contain the text strings: dedicated to rkd /tmp/.bliss asmlinkage int sys_umask(int mask) mask&023000 return if(mask&023000) current->uid = current->euid = current->suid = current->fsuid = 0; return old&023000} } bliss.%s.%d -l rsh%s%s %s 'cat>%s;chmod 777 %s;%s;rm -f %s' doing popen("%s" /.rhosts r %s %s .rhosts: %s, %s localhost doing do_worm_stuff() /etc/hosts.equiv hosts.equiv: %s HOME --bli ss- uninfect-files-please disinfect-files-please version %d.%d.%d (%.8x) Compiled on Sep 28 1996 at 22:24:03 Written by electric eel. dont-run-original just-run-bliss dont-run-virus dont-run-bliss just-run-original exec infect-file unsupported version help help? hah! read the source! /proc/loadavg %d. loadav is %d bliss was run %d sex ago, rep_wait=%d /tmp/.bliss-tmp.%d execv /bin PATH : /usr/spool/news /var/spool/news wow I also happen to have a description of another one if somebody is interested. Regards. Fernando P. 
Schapachnik Planificación de red y tecnología VIA NET.WORKS ARGENTINA S.A. fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 5:39:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 54ABF37B424 for ; Thu, 3 May 2001 05:39:35 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 199 invoked by uid 1000); 3 May 2001 12:37:44 -0000 Date: Thu, 3 May 2001 15:37:44 +0300 
From: Peter Pentchev To: Gerhard Sittig Cc: freebsd-security@freebsd.org Subject: Re: useradd/adduser Message-ID: <20010503153744.D98293@ringworld.oblivion.bg> Mail-Followup-To: Gerhard Sittig , freebsd-security@freebsd.org References: <200105021613.RAA25130@mailgate.kechara.net> <20010502180257.B88365@ringworld.oblivion.bg> <20010502180543.C88365@ringworld.oblivion.bg> <20010502202157.A76656@daphne.unloved.org> <20010502214032.F88365@ringworld.oblivion.bg> <20010502213719.C253@speedy.gsinet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010502213719.C253@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Wed, May 02, 2001 at 09:37:19PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, May 02, 2001 at 09:37:19PM +0200, Gerhard Sittig wrote: > On Wed, May 02, 2001 at 21:40 +0300, Peter Pentchev wrote: > > On Wed, May 02, 2001 at 08:21:57PM +0200, Ashley Penney wrote: > > > On Wed, May 02, 2001 at 06:05:43PM +0300, Peter Pentchev said: > > > > > > > And if you're really, really interested, I could give you a > > > > little patch I made some time ago, to add a -H encrypted > > > > pass option to pw(8), which should do exactly what you need > > > > :) > > > > > > What's wrong with chpass -p "crypthere" user ? > > > > OK, several people pointed that out already :) I didn't know > > chpass could do that, ok? :) > > Not quite in all respects. There's a short discussion in "man 8 > pw" for how the -h option and feeding it from an fd is motivated. > By using pw(8)'s -p option you end up specifying the crypted form > on the command line, again. Whereas producing into an fd could > be done any way you could think of ... > > To cut it short: I would be happy to see your (Peter's) -H > option incorporated into pw(8). I assume it does what -h does, > too, but bypasses the crypt(3) call. 
This should make the patch > short and rather suitable for quick and smooth verification. OK, here it is. For those who've seen a similar patch on -arch a couple of months ago, no, this one's not the same - the previous version had the password on the command line, just as chpass -p does. This one is similar to -h, and -H specifies an fd to read the encrypted password from. G'luck, Peter -- This sentence is false. Index: src/usr.sbin/pw/pw.8 =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw.8,v retrieving revision 1.23 diff -u -r1.23 pw.8 --- src/usr.sbin/pw/pw.8 2001/03/16 14:11:41 1.23 +++ src/usr.sbin/pw/pw.8 2001/05/03 12:32:15 @@ -50,6 +50,7 @@ .Op Fl s Ar shell .Op Fl o .Op Fl L Ar class +.Op Fl H Ar fd .Op Fl h Ar fd .Op Fl N .Op Fl P @@ -100,6 +101,7 @@ .Op Fl w Ar method .Op Fl s Ar shell .Op Fl L Ar class +.Op Fl H Ar fd .Op Fl h Ar fd .Op Fl N .Op Fl P @@ -128,6 +130,7 @@ .Op Fl g Ar gid .Op Fl M Ar members .Op Fl o +.Op Fl H Ar fd .Op Fl h Ar fd .Op Fl N .Op Fl P @@ -151,6 +154,7 @@ .Op Fl l Ar name .Op Fl M Ar members .Op Fl m Ar newmembers +.Op Fl H Ar fd .Op Fl h Ar fd .Op Fl N .Op Fl P @@ -468,8 +472,9 @@ See .Xr passwd 5 for details. +.It Fl H Ar fd .It Fl h Ar fd -This option provides a special interface by which interactive scripts can +These options provide a special interface by which interactive scripts can set an account password using .Nm . Because the command line and environment are fundamentally insecure mechanisms 
@@ -496,6 +501,18 @@ .Xr passwd 1 , this must be implemented as part of an interactive script that calls .Nm . +.Pp +If +.Fl h +is given, +.Nm +treats the read password as plaintext, and encrypts it using +.Xr crypt 3 . +If +.Fl H +is used, +.Nm +treats the read password as already encrypted, and stores it unchanged. .Pp If a value of .Ql \&- Index: src/usr.sbin/pw/pw.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw.c,v retrieving revision 1.24 diff -u -r1.24 pw.c --- src/usr.sbin/pw/pw.c 2001/03/14 03:24:30 1.24 +++ src/usr.sbin/pw/pw.c 2001/05/03 12:32:15 @@ -106,18 +106,18 @@ static const char *opts[W_NUM][M_NUM] = { { /* user */ - "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", + "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:H:Db:NPy:Y", "V:C:qn:u:rY", - "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", + "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:H:FNPY", "V:C:qn:u:FPa7", "V:C:q", "V:C:q", "V:C:q" }, { /* grp */ - "V:C:qn:g:h:M:pNPY", + "V:C:qn:g:h:H:M:pNPY", "V:C:qn:g:Y", - "V:C:qn:g:l:h:FM:m:NPY", + "V:C:qn:g:l:h:H:FM:m:NPY", "V:C:qn:g:FPa", "V:C:q" } Index: src/usr.sbin/pw/pw_group.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw_group.c,v retrieving revision 1.13 diff -u -r1.13 pw_group.c --- src/usr.sbin/pw/pw_group.c 2000/06/22 16:48:41 1.13 +++ src/usr.sbin/pw/pw_group.c 2001/05/03 12:32:16 @@ -158,7 +158,11 @@ * software. */ - if ((arg = getarg(args, 'h')) != NULL) { + if ((getarg(args, 'h') != NULL) && (getarg(args, 'H') != NULL)) + err(EX_DATAERR, "-h and -H cannot be used simultaneously"); + + if (((arg = getarg(args, 'h')) != NULL) || + ((arg = getarg(args, 'H')) != NULL)) { if (strcmp(arg->val, "-") == 0) grp->gr_passwd = "*"; /* No access */ else { 
@@ -177,7 +181,10 @@ /* Disable echo */ n.c_lflag &= ~(ECHO); tcsetattr(fd, TCSANOW, &n); - printf("%sassword for group %s:", (mode == M_UPDATE) ? "New p" : "P", grp->gr_name); + printf("%sassword%s for group %s:", + (mode == M_UPDATE) ? "New p" : "P", + (arg->ch == 'H'? " (enc)": ""), + grp->gr_name); fflush(stdout); } } @@ -188,7 +195,7 @@ fflush(stdout); } if (b < 0) { - warn("-h file descriptor"); + warn("-%c file descriptor", arg->ch); return EX_OSERR; } line[b] = '\0'; @@ -196,7 +203,10 @@ *p = '\0'; if (!*line) errx(EX_DATAERR, "empty password read on file descriptor %d", fd); - grp->gr_passwd = pw_pwcrypt(line); + if (arg->ch == 'h') + grp->gr_passwd = pw_pwcrypt(line); + else + grp->gr_passwd = strdup(line); } } Index: src/usr.sbin/pw/pw_user.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw_user.c,v retrieving revision 1.46 diff -u -r1.46 pw_user.c --- src/usr.sbin/pw/pw_user.c 2001/03/21 13:46:09 1.46 +++ src/usr.sbin/pw/pw_user.c 2001/05/03 12:32:17 @@ -601,7 +601,11 @@ } } - if ((arg = getarg(args, 'h')) != NULL) { + if ((getarg(args, 'h') != NULL) && (getarg(args, 'H') != NULL)) + errx(EX_DATAERR, "-h and -H cannot be used simultaneously"); + + if (((arg = getarg(args, 'h')) != NULL) || + ((arg = getarg(args, 'H')) != NULL)) { if (strcmp(arg->val, "-") == 0) { if (!pwd->pw_passwd || *pwd->pw_passwd != '*') { pwd->pw_passwd = "*"; /* No access */ @@ -623,7 +627,10 @@ /* Disable echo */ n.c_lflag &= ~(ECHO); tcsetattr(fd, TCSANOW, &n); - printf("%sassword for user %s:", (mode == M_UPDATE) ? "New p" : "P", pwd->pw_name); + printf("%sassword%s for user %s:", + (mode == M_UPDATE) ? "New p" : "P", + (arg->ch == 'H'? " (enc)": ""), + pwd->pw_name); fflush(stdout); } } @@ -634,7 +641,7 @@ fflush(stdout); } if (b < 0) { - warn("-h file descriptor"); + warn("-%c file descriptor", arg->ch); return EX_IOERR; } line[b] = '\0'; 
@@ -647,7 +654,10 @@ login_setcryptfmt(lc, "md5", NULL) == NULL) warn("setting crypt(3) format"); login_close(lc); - pwd->pw_passwd = pw_pwcrypt(line); + if (arg->ch == 'h') + pwd->pw_passwd = pw_pwcrypt(line); + else + pwd->pw_passwd = strdup(line); edited = 1; } } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 5:50:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from nol.co.za (nol.co.za [196.33.45.2]) by hub.freebsd.org (Postfix) with ESMTP id 4A6D637B43C for ; Thu, 3 May 2001 05:50:11 -0700 (PDT) (envelope-from security@nol.co.za) Received: from cafe2.sz.co.za ([196.33.45.155] helo=netgod.nol.co.za) by nol.co.za with esmtp (Exim 3.13 #1) id 14vIYY-0007Is-00 for freebsd-security@freebsd.org; Thu, 03 May 2001 14:50:06 +0200 Message-Id: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> X-Sender: security@nol.co.za X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 03 May 2001 14:53:10 +0200 To: freebsd-security@freebsd.org 
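Review bot: the new mutual-exclusion check in the pw_group.c @@ -158 hunk uses `err(EX_DATAERR, "-h and -H cannot be used simultaneously")`, but err(3) appends strerror(errno) to the message and no system call has failed at that point, so the user gets a stale errno text tacked onto a pure usage error; the matching pw_user.c @@ -601 hunk already uses `errx`, so this one should be `errx(EX_DATAERR, ...)` as well.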
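Review bot: the paragraph added in the pw.8 @@ -496 hunk explains what -h and -H do with the line read from the descriptor, but it does not mention that the two options are mutually exclusive, although both pw_group.c and pw_user.c now reject the combination with "-h and -H cannot be used simultaneously"; a sentence such as "The two options cannot be combined." after the `.Fl H` description would keep the manual in step with the code.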
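Review bot: in the pw_group.c @@ -196 hunk the -H branch assigns `grp->gr_passwd = strdup(line)` without checking for a NULL return, and the only validation the line receives is the existing empty-string check; since -H skips crypt(3) by design, whatever arrives on the descriptor (stray whitespace, a plaintext password sent to the wrong option, a hash in a format the system's crypt(3) will never verify) is written into the group file as-is. Suggest checking the strdup result and, at minimum, rejecting characters outside the crypt(3) output alphabet (a strspn-style check against `./0-9A-Za-z$`) before storing the string.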
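Review bot: the pw_user.c @@ -647 hunk leaves the `login_setcryptfmt(lc, "md5", NULL)` and `login_close(lc)` calls in the preceding context lines running for both branches, although the crypt format is only consumed by `pw_pwcrypt(line)` in the -h branch; moving the login-class lookup under `if (arg->ch == 'h')` avoids a pointless "setting crypt(3) format" warning on the -H path. As in pw_group.c, the `strdup(line)` result should be checked for NULL before it is assigned to `pwd->pw_passwd`.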
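Gerhard Sittig's point above (feeding the password through a file descriptor rather than on the command line, which pw(8)'s -h and the patch's -H both do) is easy to reproduce outside pw. The following is an added example, not code from pw(8) or from Peter Pentchev's patch: the parent opens a pipe, writes the already-encrypted password into it, and lets the child inherit only the read end, so argv and the environment (both readable by other users through ps(1) on most systems) never carry the secret. The child is a small Python program standing in for pw, and the function names are this example's own.

```python
"""Handing a credential to a child process over a file descriptor.

Added example (not pw(8) code). It mimics the mechanism behind pw's -h/-H fd
options: write the secret into a pipe, hand the read end to the child as an
inherited descriptor, pass only the descriptor number on the command line.
"""
import os
import subprocess
import sys

# Child side: read one newline-terminated line from the inherited descriptor,
# refuse an empty one (as pw does), and report only the length so nothing
# secret reaches stdout.
CHILD_SRC = r"""
import os, sys
fd = int(sys.argv[1])
buf = b""
while b"\n" not in buf:
    chunk = os.read(fd, 256)
    if not chunk:
        break
    buf += chunk
line = buf.split(b"\n", 1)[0]
if not line:
    sys.exit("empty password read on file descriptor %d" % fd)
print("credential-length=%d" % len(line))
"""


def hand_secret_via_fd(secret, use_stdin=False):
    """Run the child with `secret` delivered over a pipe.

    use_stdin=False: a dedicated pipe, as with `pw ... -h 3` / `-H 3`.
    use_stdin=True:  the child's stdin, the `-h 0` form from the thread.
    Returns (exit code, stdout); the secret itself is never on the command line.
    """
    if use_stdin:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SRC, "0"],
            input=secret + "\n", capture_output=True, text=True,
        )
        return proc.returncode, proc.stdout.strip()

    rfd, wfd = os.pipe()
    try:
        # One line, newline-terminated. A short secret fits in the pipe
        # buffer, so writing before the child exists cannot block.
        os.write(wfd, secret.encode() + b"\n")
        os.close(wfd)  # the child sees EOF right after the line
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SRC, str(rfd)],  # argv: fd number only
            pass_fds=(rfd,),  # the only extra descriptor the child inherits
            capture_output=True, text=True,
        )
    finally:
        os.close(rfd)
    return proc.returncode, proc.stdout.strip()


def argv_reveals(secret, argv):
    """The anti-pattern for comparison: does a command line carry the secret?"""
    return any(secret in word for word in argv)
```

A caller that already has a `$1$...` hash (for example from the perl one-liner later in this thread) passes it to `hand_secret_via_fd`; with `argv_reveals(hash_string, ["chpass", "-p", hash_string, "user"])` returning True, the difference between the two styles is the whole motivation for -h/-H.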
From: "Timothy S. Bowers" Subject: reverse or not Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I've been battling with this one for almost a few weeks now with no good outcome at all. Maybe one of you guys can point out the problem.

When I do this:

# telnet 127.0.0.1 25

It takes around 30 seconds to connect to the local exim mail server. Actually.. it takes long from anywhere.

I thought the problem was that reverse DNS was not set up (correctly). I checked the DNS and it looks perfect. (This box has the exact settings of another box that is currently working.) I have gone through all the IPs and checked the reverses just to make sure and all seems ok.

/etc/resolve is set to localhost and 127.0.0.1
I've got 127.0.0.1 as localhost in the file /etc/hosts.

Another thing: if I pull out all the network cables and reboot so that the box isn't connected to anything then "telnet 127.0.0.1 25" works perfectly. Why ? :(

Did I maybe forget to check something small ?

Hope someone can help me.
Timothy Bowers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 6:24:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from cyclone.tornadogroup.com (cyclone.tornadogroup.com [212.172.155.83]) by hub.freebsd.org (Postfix) with ESMTP id 6B67B37B424 for ; Thu, 3 May 2001 06:24:10 -0700 (PDT) (envelope-from matthew.seaman@tornadogroup.com) Received: from claudette.e1.tornadogroup.com (root@claudette.e1.tornadogroup.com [192.168.0.77]) by cyclone.tornadogroup.com (8.10.0.Beta10/8.10.0.Beta10) with ESMTP id f43DO3D05829; Thu, 3 May 2001 14:24:03 +0100 (BST) Received: from tornadogroup.com (matthew@localhost [127.0.0.1]) by claudette.e1.tornadogroup.com (8.11.3/8.11.3) with ESMTP id f43DO0536181; Thu, 3 May 2001 14:24:00 +0100 (BST) (envelope-from matthew.seaman@tornadogroup.com) Message-ID: <3AF15BF0.1AF76CF@tornadogroup.com> Date: Thu, 03 May 2001 14:24:00 +0100 
From: Matthew Seaman X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-STABLE i386) X-Accept-Language: en-GB, en MIME-Version: 1.0 To: Brian Tiemann Cc: freebsd-security@FreeBSD.ORG Subject: Re: useradd/adduser References: <200105021707.KAA06632@smtpout.mac.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Brian Tiemann wrote:
> Okay, so... maybe I'm missing something, but how does one go about
> encrypting the password in a way compatible with master.passwd? Straight
> md5 doesn't do it... how do you get the "$1$7tGUS$teGz..." string?

perl -e 'print crypt("plaintext", "\$1\$saltxxxx"), "\n"'

Where `saltxxxx' should typically be 8 random characters from the set [./0-9A-Za-z]

Matthew
--
Matthew Seaman Tel: 01628 498661
Certe, Toto, sentio nos in Kansate non iam adesse.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 3 9:18:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from krunk.geekazoid.com (cm226.62.234.24.lvcm.com [24.234.62.226]) by hub.freebsd.org (Postfix) with ESMTP id 0B43937B423 for ; Thu, 3 May 2001 09:18:12 -0700 (PDT) (envelope-from glenn@geekazoid.com) Received: from geekazoid.com (ws042.hq.geekazoid.com [172.16.250.42]) by krunk.geekazoid.com (8.11.0/8.9.3) with ESMTP id f43FuD302807 for ; Thu, 3 May 2001 08:56:14 -0700 (PDT) (envelope-from glenn@geekazoid.com) Message-ID: <3AF184D1.267A76D8@geekazoid.com> Date: Thu, 03 May 2001 09:18:25 -0700
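Matthew Seaman's reply above gets the master.passwd-compatible string from crypt(3) with a "$1$" salt. The following added example (not code from the thread or from FreeBSD's libcrypt) implements that MD5-crypt construction in Python so the format is visible end to end: the "$1$" magic, up to eight salt characters cut at the next "$", the 1000 stretching rounds, and the permuted 22-character encoding. It also generates a salt from the [./0-9A-Za-z] alphabet the reply recommends and verifies a candidate password in constant time. The helper names are this example's own.

```python
"""MD5-crypt ("$1$") password hashing in pure Python.

Added example, not code from the thread or from FreeBSD. Output has the same
layout as the "$1$7tGUS$teGz..." string asked about above.
"""
import hashlib
import hmac
import secrets

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def new_salt(length=8):
    """Random salt from the [./0-9A-Za-z] alphabet, as the reply recommends."""
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(length))


def _to64(value, count):
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Return "$1$<salt>$<22 chars>" for the password and salt.

    `salt` may be bare ("7tGUS") or a full setting/hash string ("$1$7tGUS$..."):
    the "$1$" prefix is dropped and the salt is cut at the first "$" and at
    eight characters, matching crypt(3) behaviour.
    """
    pw = password.encode()
    s = salt.encode()
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    s = s.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    # Mix in MD5(pw, salt, pw), one (possibly truncated) copy per 16 bytes of pw.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # One byte per bit of len(pw): a NUL for a 1 bit, the first pw byte for a 0.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a round-dependent order of inputs.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    # Permuted encoding: 5 groups of 3 bytes, then the 16th byte alone.
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + s + b"$" + out).decode()


def verify(password, stored):
    """Constant-time check of a candidate password against a stored "$1$" hash."""
    if not stored.startswith("$1$"):
        return False
    return hmac.compare_digest(md5crypt(password, stored).encode(), stored.encode())
```

`md5crypt("secret", new_salt())` yields a string that can be fed to the `pw -H` patch earlier in the thread or placed in master.passwd by chpass; `verify` re-derives the hash from the salt embedded in the stored string, which is exactly how the login path checks it.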
From: Glenn G X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.org Subject: Security Monitors Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Good Morning All! I have a quick question regarding security monitoring. We have a Linux server that was recently breached (completely my fault btw. Never got around to securing it up very well.)

To my point...FreeBSD has been much more secure in my limited experience than most other OSes out there. I would however like to install more monitoring software on the box so it will alert me if there has been an attack. I have been looking at "mon", "bro", and "logcheck". Can anyone give any recommendations? Experiences?

Also, is it worthwhile to install "xinetd"? Again, any advice would be awesome.

Any help is greatly appreciated!!! ;-)

Happy Day,
glenn

PS - I am on the digest list so please be patient for any feedback from me. :-)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 3 9:42:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id A8A5A37B423 for ; Thu, 3 May 2001 09:42:09 -0700 (PDT) (envelope-from lee@kechara.net) Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA27778 for ; Thu, 3 May 2001 18:58:23 +0100 Message-Id: <200105031758.SAA27778@mailgate.kechara.net> Date: Thu, 03 May 2001 17:44:46 +0100 To: freebsd-security@freebsd.org
From: Lee Smallbone Subject: Re: Security Monitors Reply-To: lee@kechara.net Organization: Kechara Internet X-Mailer: Opera 5.02 build 856a X-Priority: 3 (Normal) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Generally I don't tend to rely (too) much on host-based security monitoring. Rather, I prefer the NIDS approach (Network Intrusion Detection System).

Every server here has some host-based monitoring - logcheck, tripwire etc. - but the NIDS provides very high quality information that can be relied on (more so) than host-based logs, which can be tampered with. That is not to say the NIDS data cannot be tampered with, but chances are an attacker won't even know one is in place.

As snort analyses packets as they travel through the network, even exploits that don't work are logged. Also 'pre-attack' signatures such as port scans, traceroutes, pings and so forth are logged.

In our particular case, we use snort and acid. (www.snort.org, http://www.cert.org/kb/acid/)

hth,
--
Lee Smallbone Kechara Internet lee@kechara.net www.kechara.net Tel: (01243) 869 969 Fax: (01243) 866 685

03/05/2001 03:18:25, Glenn G wrote:
>Good Morning All! I have a quick question regarding security
>monitoring. We have a Linux server that was recently breached
>(completely my fault btw. Never got around to securing it up very
>well.)
>
>To my point...FreeBSD has been much more secure in my limited experience
>than most other OS's out there. I would however like to install more
>monitoring software on the box so it will alert me if there has been an
>attack. I have been looking at "mon", "bro", and "logcheck". Can
>anyone give any recommendations? Experiences?
>
>Also, is it worthwhile to install "xinetd"? Again, any advice would be
>awesome.
>
>Any help is greatly appreciated!!! ;-)
>
>Happy Day,
>glenn
>
>PS - I am on the digest list so please be patient for any feedback from
>me.
:-) > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 9:53:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197]) by hub.freebsd.org (Postfix) with ESMTP id EBA2D37B424; Thu, 3 May 2001 09:53:27 -0700 (PDT) (envelope-from gunther@aurora.regenstrief.org) Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38]) by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f43GwCX16999; Thu, 3 May 2001 11:58:12 -0500 Message-ID: <3AF18D00.737F6121@aurora.regenstrief.org> Date: Thu, 03 May 2001 16:53:20 +0000 
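Glenn asks about logcheck, and Lee Smallbone's reply above keeps logcheck and tripwire on every host alongside the NIDS. The following added example (not code from logcheck, mon, bro or snort) shows the logcheck idea on sample syslog lines: every line is either an attack signature (always reported), expected noise (dropped), or unexpected (reported so the admin decides), so a quiet machine produces an empty report. It goes one step further than a plain filter by tallying attack lines per source address. The log lines, the pattern lists and the function names are constructed for this example; 203.0.113.9 and 192.0.2.0/24 are documentation addresses.

```python
"""logcheck-style review of host logs (added example, not logcheck's code)."""
import re
from collections import Counter

# Signatures that should wake someone up.
ATTACK_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for"),
    re.compile(r"sshd\[\d+\]: .*illegal user"),
    re.compile(r"\bsu: BAD SU\b"),
    re.compile(r"/kernel: Connection attempt to"),
]

# Routine events a known-good box generates; anything else is "unexpected".
IGNORE_PATTERNS = [
    re.compile(r"cron\[\d+\]: \(\w+\) CMD "),
    re.compile(r"sshd\[\d+\]: Accepted publickey for"),
    re.compile(r"sendmail\[\d+\]: \w+: (from|to)="),
]

# Source address as sshd and the kernel print it ("from A.B.C.D port N",
# "from A.B.C.D:N"); good enough for IPv4 syslog of this era.
SOURCE_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log in FreeBSD syslog layout.
SAMPLE_SYSLOG = """\
May  3 09:01:12 bastion sshd[1041]: Accepted publickey for lee from 192.0.2.7 port 40122 ssh2
May  3 09:01:40 bastion cron[1055]: (root) CMD (/usr/libexec/atrun)
May  3 09:02:03 bastion sshd[1060]: Failed password for illegal user admin from 203.0.113.9 port 3341 ssh2
May  3 09:02:05 bastion sshd[1061]: Failed password for illegal user test from 203.0.113.9 port 3342 ssh2
May  3 09:02:07 bastion sshd[1062]: Failed password for root from 203.0.113.9 port 3343 ssh2
May  3 09:03:30 bastion su: BAD SU glenn to root on /dev/ttyp1
May  3 09:04:00 bastion /kernel: Connection attempt to TCP 192.0.2.10:111 from 203.0.113.9:4021
May  3 09:05:00 bastion sendmail[1100]: f43G50x01100: from=<lee@kechara.net>, size=812, class=0, nrcpts=1
May  3 09:06:00 bastion named[88]: zone example.test loaded (serial 2001050301)
"""


def review(text):
    """Classify log lines; return {"attack": [...], "unexpected": [...]}.

    Attack signatures win over ignore patterns, so a noisy-but-hostile line
    is never filtered out by an over-broad ignore rule.
    """
    report = {"attack": [], "unexpected": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        if any(p.search(line) for p in ATTACK_PATTERNS):
            report["attack"].append(line)
        elif not any(p.search(line) for p in IGNORE_PATTERNS):
            report["unexpected"].append(line)
    return report


def offenders(attack_lines):
    """Count attack lines per source address, most active first."""
    counts = Counter()
    for line in attack_lines:
        m = SOURCE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common()


if __name__ == "__main__":
    rep = review(SAMPLE_SYSLOG)
    for kind in ("attack", "unexpected"):
        print("== %s (%d)" % (kind, len(rep[kind])))
        for line in rep[kind]:
            print("  " + line)
    print("== sources:", offenders(rep["attack"]))
```

The ignore list is the part that needs care in production: it is tuned per host from a period of known-clean logs, and, as Lee notes, a host whose root has been taken can have its logs edited, which is why the report should go off-box (mail, or a loghost) rather than being read on the machine itself.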
From: Gunther Schadow Organization: Regenstrief Institute for Health Care X-Mailer: Mozilla 4.75 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: snap-users@kame.net, freebsd-security@freebsd.org, freebsd-small@freebsd.org Cc: Soren Kristensen Subject: HiFn hardware encryption? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

again, at the risk of talking too much, a friend of ours who is a hardware engineer (Soeren Kristensen, www.soekris.com) has built a very cost-effective small low power consumption board with three ethernet devices, well suited for SOHO routers or IPng "bump-in-the-wire" boxes. Since this is an i486 class chip, the throughput with encryption is somewhat limited (at about 2 Mbps with 256 bit blowfish.) So, Soeren has planned for and is now putting together a plugin with a HiFn hardware encryption chip. This should be very effective without blowing up the price too much (maybe his next release of the board will include that chip on-board ;-).

The question is, how will we be capitalizing on that hardware. For one, HiFn has very good technical documentation freely available, that will make driver-writing a breeze. Even I could do that. But the question is, how best would hardware encryption fit into the overall framework of FreeBSD and KAME? It would appear to me that there is not one single point to fit it in. You don't want it to be restricted to the ip_esp code, nor do you want it to be restricted to the kernel code (as racoon would greatly benefit from the chip's DH and RSA capabilities.) I could imagine throwing this behind the sys/crypto code. But that doesn't make racoon benefit, since racoon relies on OpenSSL. Would therefore need to put it in both places, sys/crypto and as a userland device, and modify OpenSSL to use this new facility.
I thought about three device nodes:

crdi - crypto data in
crdo - crypto data out
crcio - crypto control i/o

I don't like ioctl's (can't be controlled through shell scripts) which is why I would do the crcio device that can be controlled by sending ASCII commands to it. But if this creates an outcry, we could use ioctls. Maybe we could get by with a single device node: crio that handles write(2) into the input queue, read(2) accessing the output queue and ioctl(2) doing the controlling. But then, of course, we could also make it a socket(2) domain ... maybe the chip would also be a good candidate for being queue managed by ALTQ.

Those are just thoughts. Are there other thoughts out there? Has someone attacked this, or plans to attack this in the near or not so near future? I might be able to allocate some dayjob time to this matter, but I have a certain learning curve to climb ...

regards
-Gunther

--
Gunther Schadow, M.D., Ph.D. gschadow@regenstrief.org
Medical Information Scientist Regenstrief Institute for Health Care
Adjunct Assistant Professor Indiana University School of Medicine
tel:1(317)630-7960 http://aurora.regenstrief.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu May 3 10:15:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id F1B6137B43F for ; Thu, 3 May 2001 10:15:51 -0700 (PDT) (envelope-from Jason.DiCioccio@Epylon.com) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Thu, 3 May 2001 10:15:03 -0700 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D820@goofy.epylon.lan>
From: Jason DiCioccio To: 'Glenn G' , security@FreeBSD.org Subject: RE: Security Monitors Date: Thu, 3 May 2001 10:15:01 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I use mon here.. I am happy with it.. but setting it up is a fulltime job if you want to do anything special with it.. But it works great from what i've seen.. I use ucd-snmp and mon in combination and can extrapolate about anything from all the boxes :-).. And it's very reliable (well.. it IS perl..). Very flexible too.. Cheers, - -JD- 
>From: Glenn G [mailto:glenn@geekazoid.com] >Good Morning All! I have a quick question regarding security >monitoring. We have a Linux server that was recently breeched >(completely my fault btw. Never got around to securing it up very >well.) > >To my point...FreeBSD has been much more secure in my limited >experience than most other OS's out there. I would however like to >install more monitoring software on the box so it will alert me if >there has been an attack. I have been looking at "mon", "bro", and >"logcheck". Can >anyone give any recommendations? Experiences? > >Also, is it worthwhile to install "xinetd"? Again, any advice would >be awesome. > >Any help is greatly appreciated!!! ;-) > >Happy Day, >glenn > >PS - I am on the digest list so please be patient for any feedback >from me. :-) > > -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBOvGSvVCmU62pemyaEQKfNgCgjaz+XcIhUTc0T3KkVv+dfpOE4NkAoP5H OBLOSfH7ukhEAsC3xxei5BBn =DtCa -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 3 10:16:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 17CEA37B422; Thu, 3 May 2001 10:16:25 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f43HG7q15281; Thu, 3 May 2001 10:16:07 -0700 Date: Thu, 3 May 2001 10:16:07 -0700 
From: Brooks Davis
To: Gunther Schadow
Cc: snap-users@kame.net, freebsd-security@FreeBSD.ORG,
	freebsd-small@FreeBSD.ORG, Soren Kristensen
Subject: Re: HiFn hardware encryption?
Message-ID: <20010503101607.B10093@Odin.AC.HMC.Edu>
References: <3AF18D00.737F6121@aurora.regenstrief.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="i0/AhcQY5QxfSsSZ"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AF18D00.737F6121@aurora.regenstrief.org>; from gunther@aurora.regenstrief.org on Thu, May 03, 2001 at 04:53:20PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--i0/AhcQY5QxfSsSZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, May 03, 2001 at 04:53:20PM +0000, Gunther Schadow wrote:
> Are there other thoughts out there? Did someone attack this or plans
> to attack this in the near or not so near future? I might be able to
> allocate some dayjob time to this matter, but I have a certain learning
> curve to climb ...

Mark Murray has stated that he plans to import the OpenBSD kernel crypto
API which will do all of this. Discussion of another API would probably
be a large waste of effort.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

--i0/AhcQY5QxfSsSZ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68ZJVXY6L6fI4GtQRAptyAJ4gitAJN3wj11+jKKUog6ddVC0hrwCfVC7M
UHjFah/J1wdt5Gi0yGbMvqc=
=+M31
-----END PGP SIGNATURE-----

--i0/AhcQY5QxfSsSZ--

From owner-freebsd-security  Thu May  3 10:23:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98])
	by hub.freebsd.org (Postfix) with ESMTP id 02E5137B424
	for ; Thu, 3 May 2001 10:20:48 -0700 (PDT)
	(envelope-from Jason.DiCioccio@Epylon.com)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19)
	id ; Thu, 3 May 2001 10:19:13 -0700
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D821@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Glenn G', security@FreeBSD.org
Subject: RE: Security Monitors
Date: Thu, 3 May 2001 10:19:13 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oops.. regarding my previous email.. I actually DON'T use mon for
security.. I use it as a NOC to see when stuff is down, etc. I use a NIDS
as well for security monitoring.. I actually use NFR (Network Flight
Recorder) which is a commercial NIDS, which I am very happy with. It is
basically a copy of OpenBSD on a bootable CD-ROM (the filesystem is
read-only in this case).. So it is very hard to tamper with the data.. Not
to mention it leaves basically no services open :)..

Cheers,
- -JD-

- -----Original Message-----
From: Glenn G [mailto:glenn@geekazoid.com]
Sent: Thursday, May 03, 2001 9:18 AM
To: security@FreeBSD.org
Subject: Security Monitors

Good Morning All! I have a quick question regarding security
monitoring. We have a Linux server that was recently breached
(completely my fault btw. Never got around to securing it up very
well.)

To my point...FreeBSD has been much more secure in my limited experience
than most other OS's out there. I would however like to install more
monitoring software on the box so it will alert me if there has been an
attack. I have been looking at "mon", "bro", and "logcheck". Can
anyone give any recommendations? Experiences?

Also, is it worthwhile to install "xinetd"? Again, any advice would be
awesome.

Any help is greatly appreciated!!! ;-)

Happy Day,
glenn

PS - I am on the digest list so please be patient for any feedback from
me. :-)

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBOvGTuFCmU62pemyaEQL29gCglGRPRgo13f9AK4rJ4nbFMdFkBnIAoK9b
t/5q2wZBxAjToY58lgfyoG/q
=thPs
-----END PGP SIGNATURE-----

From owner-freebsd-security  Thu May  3 10:34:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197])
	by hub.freebsd.org (Postfix) with ESMTP id 73F3537B422;
	Thu, 3 May 2001 10:34:22 -0700 (PDT)
	(envelope-from gunther@aurora.regenstrief.org)
Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38])
	by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f43Hd5X17398;
	Thu, 3 May 2001 12:39:05 -0500
Message-ID: <3AF19696.F39F8FDD@aurora.regenstrief.org>
Date: Thu, 03 May 2001 17:34:14 +0000
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Brooks Davis
Cc: snap-users@kame.net, freebsd-security@FreeBSD.ORG,
	freebsd-small@FreeBSD.ORG, Soren Kristensen
Subject: Re: HiFn hardware encryption?
References: <3AF18D00.737F6121@aurora.regenstrief.org> <20010503101607.B10093@Odin.AC.HMC.Edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brooks Davis wrote:
> 
> On Thu, May 03, 2001 at 04:53:20PM +0000, Gunther Schadow wrote:
> > Are there other thoughts out there? Did someone attack this or plans
> > to attack this in the near or not so near future? I might be able to
> > allocate some dayjob time to this matter, but I have a certain learning
> > curve to climb ...
> 
> Mark Murray has stated that he plans to import the OpenBSD kernel crypto
> API which will do all of this. Discussion of another API would probably
> be a large waste of effort.

Great! Thanks for letting me know. Where can I see what's cooking?
(web site or e-mail list, etc. ?)

regards
-Gunther

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor         Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org

From owner-freebsd-security  Thu May  3 11:44:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail3.intermedia.net (mail3.intermedia.net [206.40.48.153])
	by hub.freebsd.org (Postfix) with ESMTP id A7A8037B50C
	for ; Thu, 3 May 2001 11:43:45 -0700 (PDT)
	(envelope-from tonyg@crazynickels.com)
Received: from mail.crazynickels.com (unverified [64.78.44.128])
	by mail3.intermedia.net (Rockliffe SMTPRA 4.2.4) with ESMTP id
	for ; Thu, 3 May 2001 11:37:28 -0700
Message-ID:
Content-type: text/plain
Date: Thu, 03 May 2001 11:42:31 -0700
From: tonyg@crazynickels.com
Subject: Web Development
To: freebsd-security@FreeBSD.org
X-mailer: CrazyNickels.Com Email
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Hi, I do web development and database work out of Las Vegas. I was
wondering if you needed any development done. I have been doing web work
for 6 years. I know Cold Fusion, ASP, Oracle, SQL and Flash.

Tony Grijalva
702.951.3051

Here's some of the sites I've worked on:

http://www.crazynickels.com - Complete site. Turned out in 3 days.

http://www.woodtrim.com - Complete sites along with www.brushed aluminum.com
as a content manager, shopping cart, FAQ, Referral Program.

http://www.SchoolCity.com - Pre-IPO Company I did the Complete site. I can
send you a complete document about this site.

http://www.codernet.com - My own site with a bunch of guys here. I did the
graphics.

http://www.antennas.com - The graphics were given to me in PhotoShop
format. I have to make them web ready and add functions.

http://www.momentisgroup.com - Backend Cold Fusion work.

http://www.isecinc.com - Their print company in Arizona sent me the project
and related functions. I can walk you through a back door process.

http://www.reoinc.com - Working on Now.

http://www.arraybiopharma.com - Needed the site before they went public...
I didn't do the flash but everything else and some cgi.

http://www.linworth.com - Got PhotoShop files. Added Cold Fusion functions.

Please let me know if you need any help......

Thank You for your time and consideration,

Tony Grijalva
702.951.3051
tonyg@codernet.com

From owner-freebsd-security  Thu May  3 11:44:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from whiskey.klatsch.org (whiskey.klatsch.org [209.6.82.6])
	by hub.freebsd.org (Postfix) with SMTP id 59ECF37B43C
	for ; Thu, 3 May 2001 11:44:54 -0700 (PDT)
	(envelope-from bene@klatsch.org)
Received: (qmail 56586 invoked by uid 1001); 3 May 2001 18:44:41 -0000
Date: Thu, 3 May 2001 14:44:41 -0400
From: Ben Eisenbraun
To: "Timothy S. Bowers"
Cc: freebsd-security@freebsd.org
Subject: Re: reverse or not
Message-ID: <20010503144441.B52246@klatsch.org>
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za>; from security@nol.co.za on Thu, May 03, 2001 at 02:53:10PM +0200
X-Disclaimer: I'm the only one foolish enough to claim these opinions.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 03, 2001 at 02:53:10PM +0200, Timothy S. Bowers wrote:
> When I do this: # telnet 127.0.0.1 25
> It takes around 30 seconds to connect to the local exim mail server.
> Actually.. it takes long from anywhere.

It might be waiting for an ident to timeout. Most of the major MTA's do
an ident/auth check (TCP:113) when you connect to them, and if your
machine is just dropping those requests, then the MTA waits for the
request to timeout before displaying the banner. I can't think of a good
reason it would do this for localhost connections though. Is the machine
running a firewall? Maybe net.inet.tcp.restrict_rst: 1 would do it?

To verify if this is actually the problem, you could fire up tcpdump and
listen to see if Exim is initiating an ident request. You could also set
the sysctl value net.inet.tcp.log_in_vain to 1, and connection attempts
to closed ports will be logged.

Good luck!

-ben

From owner-freebsd-security  Thu May  3 11:52:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from casimir.physics.purdue.edu (casimir.physics.purdue.edu [128.210.146.111])
	by hub.freebsd.org (Postfix) with ESMTP id 8AFAA37B43C;
	Thu, 3 May 2001 11:52:48 -0700 (PDT)
	(envelope-from will@physics.purdue.edu)
Received: by casimir.physics.purdue.edu (Postfix, from userid 1000)
	id B2B071C0E3; Thu, 3 May 2001 13:48:24 -0500 (EST)
Date: Thu, 3 May 2001 13:48:24 -0500
From: Will Andrews
To: Gunther Schadow
Cc: Brooks Davis, snap-users@kame.net, freebsd-security@FreeBSD.ORG,
	freebsd-small@FreeBSD.ORG, Soren Kristensen
Subject: Re: HiFn hardware encryption?
Message-ID: <20010503134824.U5017@casimir.physics.purdue.edu>
Reply-To: Will Andrews
References: <3AF18D00.737F6121@aurora.regenstrief.org> <20010503101607.B10093@Odin.AC.HMC.Edu> <3AF19696.F39F8FDD@aurora.regenstrief.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="Zh8cApnN4lZdodaB"
Content-Disposition: inline
User-Agent: Mutt/1.3.15i
In-Reply-To: <3AF19696.F39F8FDD@aurora.regenstrief.org>; from gunther@aurora.regenstrief.org on Thu, May 03, 2001 at 05:34:14PM +0000
X-Operating-System: Linux 2.2.18 sparc64
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--Zh8cApnN4lZdodaB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, May 03, 2001 at 05:34:14PM +0000, Gunther Schadow wrote:
> Great! Thanks for letting me know. Where can I see what's cooking?
> (web site or e-mail list, etc. ?)

Email Mark, extract information from his brain,
write up a webpage, and give him the URL.

:-)

-- 
wca

--Zh8cApnN4lZdodaB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68af4F47idPgWcsURAvqfAKCQj3RTg6EDJ1p+kYR1o4oXqt4G0QCeJPr8
5Y/Xou5KFVJh/AaAAa9ZpWE=
=zuTs
-----END PGP SIGNATURE-----

--Zh8cApnN4lZdodaB--

From owner-freebsd-security  Thu May  3 12:01:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from server.soekris.com (soekris.com [216.15.61.44])
	by hub.freebsd.org (Postfix) with ESMTP id C255D37B43C;
	Thu, 3 May 2001 12:01:46 -0700 (PDT)
	(envelope-from soren@soekris.com)
Received: from soekris.com ([192.168.1.4])
	by server.soekris.com (8.9.2/8.9.2) with ESMTP id MAA21331;
	Thu, 3 May 2001 12:01:38 -0700 (PDT)
	(envelope-from soren@soekris.com)
Message-ID: <3AF1AB0C.D0DF5362@soekris.com>
Date: Thu, 03 May 2001 12:01:32 -0700
From: Soren Kristensen
Organization: Soekris Engineering
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Will Andrews
Cc: Gunther Schadow, Brooks Davis, snap-users@kame.net,
	freebsd-security@FreeBSD.ORG, freebsd-small@FreeBSD.ORG,
	markm@FreeBSD.ORG
Subject: Re: HiFn hardware encryption?
References: <3AF18D00.737F6121@aurora.regenstrief.org> <20010503101607.B10093@Odin.AC.HMC.Edu> <3AF19696.F39F8FDD@aurora.regenstrief.org> <20010503134824.U5017@casimir.physics.purdue.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Maybe we could get Mark to post a short note here with a little status
information :-)

Also, I will probably have prototype Hi/Fn 7951 boards available in 2-3
weeks (both in Std PCI and MiniPCI type III versions), and will be happy
to donate one for testing. Although there's no driver support for that
new chip yet, OpenBSD will probably add it soon, as they will also get
prototypes....

Regards,

Soren

Will Andrews wrote:
> 
> On Thu, May 03, 2001 at 05:34:14PM +0000, Gunther Schadow wrote:
> > Great! Thanks for letting me know. Where can I see what's cooking?
> > (web site or e-mail list, etc. ?)
> 
> Email Mark, extract information from his brain,
> write up a webpage, and give him the URL.
> 
> :-)
> 
> --
> wca
> 
>   ------------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature

From owner-freebsd-security  Thu May  3 13:53:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204])
	by hub.freebsd.org (Postfix) with ESMTP id 804A637B423
	for ; Thu, 3 May 2001 13:53:57 -0700 (PDT)
	(envelope-from mudman@R181204.resnet.ucsb.edu)
Received: from localhost (mudman@localhost)
	by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f43L0qu26774;
	Thu, 3 May 2001 14:00:53 -0700 (PDT)
	(envelope-from mudman@R181204.resnet.ucsb.edu)
Date: Thu, 3 May 2001 14:00:52 -0700 (PDT)
From: mudman
To: "Timothy S. Bowers"
Cc:
Subject: Re: reverse or not
In-Reply-To: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Another thing: if I plug out all the network cables and reboot so that the box isn't connected to anything then "telnet 127.0.0.1 25" works perfectly.

Some of the others will probably have much more useful insights.
However, you seem to say:
1) I have slow response time
2) when I unplug from internet, response time increases.

Someone hitting you with some kind of DoS or packet spam?
I cannot say if it has anything to do with the resolver or not, but maybe
some of the others can.

From owner-freebsd-security  Thu May  3 14:02:03 2001
Delivered-To: freebsd-security@freebsd.org
Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204])
	by hub.freebsd.org (Postfix) with ESMTP id EA2E237B43F
	for ; Thu, 3 May 2001 14:01:58 -0700 (PDT)
	(envelope-from mudman@R181204.resnet.ucsb.edu)
Received: from localhost (mudman@localhost)
	by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f43L8tG26791;
	Thu, 3 May 2001 14:08:55 -0700 (PDT)
	(envelope-from mudman@R181204.resnet.ucsb.edu)
Date: Thu, 3 May 2001 14:08:54 -0700 (PDT)
From: mudman
To: "Timothy S. Bowers"
Cc:
Subject: Re: reverse or not
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 3 May 2001, mudman wrote:

> > Another thing: if I plug out all the network cables and reboot so that the box isn't connected to anything then "telnet 127.0.0.1 25" works perfectly.
> 
> Some of the others will probably have much more useful insights.
> However, you seem to say:
> 1) I have slow response time
> 2) when I unplug from internet, response time increases.
> 
> Someone hitting you with some kind of DoS or packet spam?
> I cannot say if it has anything to do with the resolver or not, but maybe
> some of the others can.

Nevermind, I'm stupid. That doesn't make sense for localhost.

From owner-freebsd-security  Thu May  3 14:11:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from threat.tjhsst.edu (threat.tjhsst.edu [198.38.16.9])
	by hub.freebsd.org (Postfix) with ESMTP id 970AF37B422
	for ; Thu, 3 May 2001 14:11:47 -0700 (PDT)
	(envelope-from abarros@threat.tjhsst.edu)
Received: (from abarros@localhost)
	by threat.tjhsst.edu (8.11.3/8.11.3) id f43L0Rb12520;
	Thu, 3 May 2001 17:00:27 -0400
Date: Thu, 3 May 2001 17:00:27 -0400
From: Andrew Barros
To: mudman
Cc: "Timothy S. Bowers", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <20010503170027.B9233@tjhsst.edu>
Mail-Followup-To: mudman, "Timothy S. Bowers", freebsd-security@FreeBSD.ORG
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="0OAP2g/MAC+5xKAE"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mudman@R181204.resnet.ucsb.edu on Thu, May 03, 2001 at 02:00:52PM -0700
X-Operating-System: Linux threat.tjhsst.edu 2.2.17
X-I-Graduate-In: 44.1085648148148 days
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I've had similar problems with sshd when my internet connection goes out.

If you try to ssh into that machine, it takes _forever_ even if the local
nameserver is running.

-ajb

On Thu, May 03, 2001 at 02:00:52PM -0700, mudman wrote:
->> Another thing: if I plug out all the network cables and reboot so that the box isn't connected to anything then "telnet 127.0.0.1 25" works perfectly.
->
->Some of the others will probably have much more useful insights.
->However, you seem to say:
->1) I have slow response time
->2) when I unplug from internet, response time increases.
->
->Someone hitting you with some kind of DoS or packet spam?
->I cannot say if it has anything to do with the resolver or not, but maybe
->some of the others can.
->
->
->
---end quoted text---

-- 
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

--0OAP2g/MAC+5xKAE
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68cbrChurNrZVH7gRAtUyAJ9AS4/+7+wBhZGT6pW3jJP5GklBiwCfe1wG
f3IzfEX+mmkAmhe7lXhCM/U=
=Wwh7
-----END PGP SIGNATURE-----

--0OAP2g/MAC+5xKAE--

From owner-freebsd-security  Thu May  3 15:31:03 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP id 4200C37B43C
	for ; Thu, 3 May 2001 15:31:01 -0700 (PDT)
	(envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184])
	by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GCS6J300.NCX;
	Thu, 3 May 2001 15:30:39 -0700
Message-ID: <3AF1DC23.32BB39B3@globalstar.com>
Date: Thu, 03 May 2001 15:30:59 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Andrew Barros
Cc: mudman, "Timothy S. Bowers", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew Barros wrote:
> 
> I've had similar problems with sshd when my internet connection goes out.
> 
> If you try to ssh into that machine, it takes _forever_ even if the local
> nameserver is running.

Just because named is running does not mean DNS is configured correctly. ;)

Run a tcpdump on the external interface to see if there are still queries
going out for some reason, and you are waiting for them to timeout. Run ssh
with the '-v' option to see where things are hanging. Possibly try sshd with
'-d' as well.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security  Thu May  3 17:02:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 38F4837B422
	for ; Thu, 3 May 2001 17:02:03 -0700 (PDT)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA07855;
	Thu, 3 May 2001 17:01:40 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP
	by point.osg.gov.bc.ca, id smtpda07853; Thu May  3 17:01:22 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f4401Gk31994;
	Thu, 3 May 2001 17:01:16 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
	via SMTP by passer9.cwsent.com, id smtpdc31992; Thu May  3 17:00:50 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.3/8.9.1) id f4400od16783;
	Thu, 3 May 2001 17:00:50 -0700 (PDT)
Message-Id: <200105040000.f4400od16783@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
	via SMTP by localhost.cwsent.com, id smtpdx16779; Thu May  3 17:00:43 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Glenn G
Cc: security@FreeBSD.ORG
Subject: Re: Security Monitors
In-reply-to: Your message of "Thu, 03 May 2001 09:18:25 PDT."
	<3AF184D1.267A76D8@geekazoid.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 03 May 2001 17:00:43 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <3AF184D1.267A76D8@geekazoid.com>, Glenn G writes:
> Good Morning All! I have a quick question regarding security
> monitoring. We have a Linux server that was recently breached
> (completely my fault btw. Never got around to securing it up very
> well.)
> 
> To my point...FreeBSD has been much more secure in my limited experience
> than most other OS's out there. I would however like to install more
> monitoring software on the box so it will alert me if there has been an
> attack. I have been looking at "mon", "bro", and "logcheck". Can
> anyone give any recommendations? Experiences?

Take a look at swatch in ports. Granted you'll need to define to swatch
regular expressions in your logs that could trigger some action such as
paging you on your cell phone/pager.


Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security  Thu May  3 19:12:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ntt.net.id (besakih.ntt.net.id [202.171.1.130])
	by hub.freebsd.org (Postfix) with SMTP id 3C90637B43C
	for ; Thu, 3 May 2001 19:12:48 -0700 (PDT)
	(envelope-from eko@ntt.net.id)
Received: (qmail 26441 invoked by uid 201); 4 May 2001 02:12:47 -0000
Received: from unknown (HELO Eko) (202.171.15.254)
	by besakih.ntt.net.id with SMTP; 4 May 2001 02:12:47 -0000
Message-ID: <006501c0d43f$9e47aee0$1cffa8c0@Eko>
From: "Stefanus Eko Yulianto"
To:
Subject: RSH
Date: Fri, 4 May 2001 09:12:06 +0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Netter,

I want to use rsh to run some applications on another server.
For example, I have server A and server B; on server A I want to view the
file, so I use:  # rsh serverB cat /usr/eko.txt >> /usr/local/eko.txt
After that I get an error:  Login incorrect
But I have a login and password on both servers.

Can somebody help me?

Eko

From owner-freebsd-security  Thu May  3 20:11:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236])
	by hub.freebsd.org (Postfix) with ESMTP id 8724337B424
	for ; Thu, 3 May 2001 20:11:06 -0700 (PDT)
	(envelope-from marka@nominum.com)
Received: from nominum.com (localhost.dv.isc.org [127.0.0.1])
	by drugs.dv.isc.org (8.11.3/8.11.2) with ESMTP id f443Awv03674;
	Fri, 4 May 2001 13:10:59 +1000 (EST)
	(envelope-from marka@nominum.com)
Message-Id: <200105040310.f443Awv03674@drugs.dv.isc.org>
To: "Stefanus Eko Yulianto"
Cc: freebsd-security@FreeBSD.ORG
Reply-To: freebsd-questions@FreeBSD.ORG
From: Mark.Andrews@nominum.com
Subject: Re: RSH
In-reply-to: Your message of "Fri, 04 May 2001 09:12:06 +0700."
	<006501c0d43f$9e47aee0$1cffa8c0@Eko>
Date: Fri, 04 May 2001 13:10:58 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

	This is off topic here. Reply-to has been set to
	freebsd-questions@FreeBSD.ORG.

	See: hosts.equiv and .rhosts

	Mark

> 
> 
> Dear Netter,
> 
> I want to use rsh to run some applications on another server.
> For example, I have server A and server B; on server A I want to view the
> file, so I use:  # rsh serverB cat /usr/eko.txt >> /usr/local/eko.txt
> After that I get an error:  Login incorrect
> But I have a login and password on both servers.
> 
> Can somebody help me?
> 
> 
> Eko
> 
-- 
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

From owner-freebsd-security  Thu May  3 21:34:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp6.port.ru (mx6.port.ru [194.67.23.42])
	by hub.freebsd.org (Postfix) with ESMTP id EA6D337B422
	for ; Thu, 3 May 2001 21:34:16 -0700 (PDT)
	(envelope-from lists@mail.ru)
Received: from du16-11.fibertel.com.ar ([24.232.11.16] helo=mail.ru)
	by smtp6.port.ru with esmtp (Exim 3.14 #6)
	id 14vXIE-000No1-00
	for freebsd-security@freebsd.org; Fri, 04 May 2001 08:34:14 +0400
Message-ID: <3AF23077.55DEA3D8@mail.ru>
Date: Fri, 04 May 2001 01:30:47 -0300
From: "lists@mail.ru" X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: reverse or not References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Crist Clark wrote: > > Andrew Barros wrote: > > > > I've had similar problems with sshd when my internet connection goes out. > > > > If you try to ssh into that machine, it takes _forever_ even if the local > > nameserver is running. When the SSH server accepts a connection it does a reverse lookup the client's IP address. If that IP address is not in your named configuration, the named will try to resolve it as usual in DNS queries, using other DNS servers. If the link is down, the SSH will return from the reverse lookup when the timeout of the reverse lookup expires. > > Just because named is running does not mean DNS is configured correctly. ;) > > Run a tcpdump on the external interface to see if there are still queries > going out for some reason, and you are waiting for them to timeout. Run ssh > with the '-v' option to see where things are hanging. Possibly try sshd with > '-d' as well. > -- > Crist J. Clark Network Security Engineer > crist.clark@globalstar.com Globalstar, L.P. > (408) 933-4387 FAX: (408) 933-4926 > > The information contained in this e-mail message is confidential, > intended only for the use of the individual or entity named above. If > the reader of this e-mail is not the intended recipient, or the employee > or agent responsible to deliver it to the intended recipient, you are > hereby notified that any review, dissemination, distribution or copying > of this communication is strictly prohibited. 
> If you have received this e-mail in error, please contact postmaster@globalstar.com

Why don't you check if reverse lookups are resolved by your nameserver?
Try it using "nslookup 127.0.0.1 127.0.0.1". If you are not resolving
reverse queries for 127.0.0.1, nobody will do it and then the timeout will
happen.

-
Agustin Azubel Friedman - aazubel@mail.ru

From owner-freebsd-security Thu May 3 23:03:20 2001
Date: Fri, 4 May 2001 09:01:27 +0300
From: Peter Pentchev
To: Gunther Schadow
Cc: freebsd-security@freebsd.org
Subject: Re: HiFn hardware encryption?
Message-ID: <20010504090127.B13382@ringworld.oblivion.bg>
References: <3AF18D00.737F6121@aurora.regenstrief.org>
In-Reply-To: <3AF18D00.737F6121@aurora.regenstrief.org>; from gunther@aurora.regenstrief.org on Thu, May 03, 2001 at 04:53:20PM +0000

(a very off-topic reply, CC's severely trimmed)

On Thu, May 03, 2001 at 04:53:20PM +0000, Gunther Schadow wrote:
> Hi,
>
> crdi - crypto data in
> crdo - crypto data out
> crcio - crypto control i/o
>
> I don't like ioctl's (can't be controlled through shell scripts) which
> is why I would do the crcio device that can be controlled by sending
> ASCII commands to it. But if this creates an outcry, we could use ioctls.

Just as a side remark (others have already pointed you to markm's work):
the FreeBSD way to let shell scripts use ioctl's to control devices is
through *control(8) programs. Though yes, sending ASCII commands is not a
bad idea, either :)

G'luck,
Peter

--
If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.

From owner-freebsd-security Fri May 4 05:40:56 2001
Date: Fri, 4 May 2001 08:40:39 -0400
From: Andrew Barros
To: "lists@mail.ru"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <20010504084039.G9233@tjhsst.edu>
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> <3AF23077.55DEA3D8@mail.ru>
In-Reply-To: <3AF23077.55DEA3D8@mail.ru>; from lists@mail.ru on Fri, May 04, 2001 at 01:30:47AM -0300

There are two things that I'm sure of:

1) The boxes have correct reverse DNS

2) They use ns1.tjhsst.edu as their nameserver (a different box)
   which has the correct reverse DNS

The problem is that while these things are true, and our T1 is up,
it works normally. When the T1 goes out, it takes a _long_ time. Telnet,
however, is unaffected by this.
-ajb

--
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Fri May 4 05:59:19 2001
Date: Fri, 4 May 2001 15:57:25 +0300
From: Peter Pentchev
To: Andrew Barros
Cc: "lists@mail.ru", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <20010504155725.Q13382@ringworld.oblivion.bg>
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> <3AF23077.55DEA3D8@mail.ru> <20010504084039.G9233@tjhsst.edu>
In-Reply-To: <20010504084039.G9233@tjhsst.edu>; from abarros@tjhsst.edu on Fri, May 04, 2001 at 08:40:39AM -0400

On Fri, May 04, 2001 at 08:40:39AM -0400, Andrew Barros wrote:
>
> There are two things that I'm sure of
>
> 1) The boxes have correct reverse DNS
>
> 2) They use ns1.tjhsst.edu as their nameserver (a different box)
> which has the correct reverse DNS
>
> The problem is that while these things are true, and our T1 is up
> it works normally. When the T1 goes out, it takes a _long_ time. Telnet,
> however, is unaffected by this.

When you say 'correct reverse DNS', you do mean 127.0.0.1 too, right?
And (a stupid question, but one that needs asking nevertheless) ns1.tjhsst.edu
is reachable when your T1 goes down, right?

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.
From owner-freebsd-security Fri May 4 06:04:39 2001
Date: Fri, 4 May 2001 09:04:32 -0400
From: Andrew Barros
To: "lists@mail.ru", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <20010504090432.H9233@tjhsst.edu>
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> <3AF23077.55DEA3D8@mail.ru> <20010504084039.G9233@tjhsst.edu> <20010504155725.Q13382@ringworld.oblivion.bg>
In-Reply-To: <20010504155725.Q13382@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, May 04, 2001 at 03:57:25PM +0300

Yes, ns1.tjhsst.edu is on the same ethernet segment as the box.

127.0.0.1 is in /etc/hosts

-ajb

On Fri, May 04, 2001 at 03:57:25PM +0300, Peter Pentchev wrote:
->On Fri, May 04, 2001 at 08:40:39AM -0400, Andrew Barros wrote:
->>
->> There are two things that I'm sure of
->>
->> 1) The boxes have correct reverse DNS
->>
->> 2) They use ns1.tjhsst.edu as their nameserver (a different box)
->> which has the correct reverse DNS
->>
->> The problem is that while these things are true, and our T1 is up
->> it works normally. When the T1 goes out, it takes a _long_ time. Telnet,
->> however, is unaffected by this.
->
->When you say 'correct reverse DNS', you do mean 127.0.0.1 too, right?
->And (a stupid question, but one that needs asking nevertheless) ns1.tjhsst.edu
->is reachable when your T1 goes down, right?
->
->G'luck,
->Peter
->
->--
->If there were no counterfactuals, this sentence would not have been paradoxical.
---end quoted text---

--
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Fri May 4 07:19:18 2001
Date: Fri, 4 May 2001 17:17:23 +0300
From: Peter Pentchev
To: Andrew Barros
Cc: "lists@mail.ru", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <20010504171723.A18615@ringworld.oblivion.bg>
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> <3AF23077.55DEA3D8@mail.ru> <20010504084039.G9233@tjhsst.edu> <20010504155725.Q13382@ringworld.oblivion.bg> <20010504090432.H9233@tjhsst.edu>
In-Reply-To: <20010504090432.H9233@tjhsst.edu>; from abarros@tjhsst.edu on Fri, May 04, 2001 at 09:04:32AM -0400

On Fri, May 04, 2001 at 09:04:32AM -0400, Andrew Barros wrote:
> Yes, ns1.tjhsst.edu is on the same ethernet segment as the box.
>
> 127.0.0.1 is in /etc/hosts

There is at least one MTA I know (qmail) that does not honor /etc/hosts.
There might be others like that. Make sure a lookup for 127.0.0.1 is
answered by your nameserver.

Actually, this is something that I was going to ask about in my previous
post, but I plain forgot ;) Yes, telnetd does honor /etc/hosts, some
MTA's don't. Is 127.0.0.1 in DNS?

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.

> On Fri, May 04, 2001 at 03:57:25PM +0300, Peter Pentchev wrote:
> ->On Fri, May 04, 2001 at 08:40:39AM -0400, Andrew Barros wrote:
> ->>
> ->> There are two things that I'm sure of
> ->>
> ->> 1) The boxes have correct reverse DNS
> ->>
> ->> 2) They use ns1.tjhsst.edu as their nameserver (a different box)
> ->> which has the correct reverse DNS
> ->>
> ->> The problem is that while these things are true, and our T1 is up
> ->> it works normally. When the T1 goes out, it takes a _long_ time. Telnet,
> ->> however, is unaffected by this.
> ->
> ->When you say 'correct reverse DNS', you do mean 127.0.0.1 too, right?
> ->And (a stupid question, but one that needs asking nevertheless) ns1.tjhsst.edu
> ->is reachable when your T1 goes down, right?

From owner-freebsd-security Fri May 4 07:27:11 2001
Date: Fri, 4 May 2001 10:27:05 -0400
From: Andrew Barros
To: "lists@mail.ru", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <20010504102705.I9233@tjhsst.edu>
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> <3AF23077.55DEA3D8@mail.ru> <20010504084039.G9233@tjhsst.edu> <20010504155725.Q13382@ringworld.oblivion.bg> <20010504090432.H9233@tjhsst.edu> <20010504171723.A18615@ringworld.oblivion.bg>
In-Reply-To: <20010504171723.A18615@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, May 04, 2001 at 05:17:23PM +0300

It is.
[abarros <@> cronos.tjhsst.edu 9:59]
[103] #nslookup
Default Server:  ns1.tjhsst.edu
Address:  198.38.16.40

> localhost.tjhsst.edu
Server:  ns1.tjhsst.edu
Address:  198.38.16.40

Name:    localhost.tjhsst.edu
Address:  127.0.0.1

> 127.0.0.1
Server:  ns1.tjhsst.edu
Address:  198.38.16.40

Name:    localhost.tjhsst.edu
Address:  127.0.0.1

-ajb

--
Andrew Barros
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Fri May 4 09:18:04 2001
Message-ID: <3AF2ABCC.B5776288@centtech.com>
Date: Fri, 04 May 2001 08:17:00 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Andrew Barros
Cc: "lists@mail.ru", freebsd-security@freebsd.org
Subject: Re: reverse or not
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com> <3AF23077.55DEA3D8@mail.ru> <20010504084039.G9233@tjhsst.edu> <20010504155725.Q13382@ringworld.oblivion.bg> <20010504090432.H9233@tjhsst.edu>

I think if you have (in your /etc/host.conf) bind listed before hosts
(meaning it will ask the dns server before looking at the hosts file), it
would delay if the dns server doesn't have a reverse entry for 127.0.0.1,
which would take a long time.. But it still doesn't sound right.. I had
some similar problems with ssh, and patched it, which fixed the (similar)
problem for me..

Eric

Andrew Barros wrote:
>
> Yes, ns1.tjhsst.edu is on the same ethernet segment as the box.
>
> 127.0.0.1 is in /etc/hosts
>
> -ajb
> On Fri, May 04, 2001 at 03:57:25PM +0300, Peter Pentchev wrote:
> ->On Fri, May 04, 2001 at 08:40:39AM -0400, Andrew Barros wrote:
> ->>
> ->> There are two things that I'm sure of
> ->>
> ->> 1) The boxes have correct reverse DNS
> ->>
> ->> 2) They use ns1.tjhsst.edu as their nameserver (a different box)
> ->> which has the correct reverse DNS
> ->>
> ->> The problem is that while these things are true, and our T1 is up
> ->> it works normally. When the T1 goes out, it takes a _long_ time. Telnet,
> ->> however, is unaffected by this.
> ->
> ->When you say 'correct reverse DNS', you do mean 127.0.0.1 too, right?
> ->And (a stupid question, but one that needs asking nevertheless) ns1.tjhsst.edu
> ->is reachable when your T1 goes down, right?
> ->
> ->G'luck,
> ->Peter
> ->
> ->--
> ->If there were no counterfactuals, this sentence would not have been paradoxical.
> ---end quoted text---
>
> --
> Andrew Barros
> PGP Key Fingerprint:
> D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

--
-------------------------------------------------------------------------------
Eric Anderson   anderson@centtech.com   Centaur Technology   (512) 418-5792
The idea is to die young as late as possible.
-------------------------------------------------------------------------------

From owner-freebsd-security Fri May 4 09:56:15 2001
Date: Fri, 4 May 2001 11:56:03 -0500
From: jamie rishaw
To: freebsd-security@freebsd.org
Cc: jamie@playboy.com
Subject: SecurID
Message-ID: <20010504115603.C21698@playboy.com>

Hi,

I'm looking to chat either on- or off-list with people that have
successfully integrated RSA's SecurID into FreeBSD. Specifically,
the client side.

There are no official clients, and when I try to compile commercial
SSH with SecurID support, I get "File format not recognized" when the
ssh daemon tries to link sdiclient.a symbols (sdiclient.a being the
file that the ACE server generates/holds for clients to link in and
talk/authenticate with). SSH.com has still yet to reply to my open
ticket with them...

I have searched high and low for real answers, yet I cannot find
anyone that's been able to say, "Yes, I've done it, here's how".

URLs, Pointers, etc., are all appreciated.

thanks in advance,

jamie
--
jamie rishaw
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.

From owner-freebsd-security Fri May 4 11:32:44 2001
Date: Fri, 4 May 2001 13:32:28 -0500
From: jamie rishaw
To: freebsd-security@freebsd.org
Cc: jamie@playboy.com
Subject: RSA SecurID Client on FreeBSD: Summary
Message-ID: <20010504133228.D21698@playboy.com>
References: <20010504115603.C21698@playboy.com>
In-Reply-To: <20010504115603.C21698@playboy.com>; from jrishaw@playboy.com on Fri, May 04, 2001 at 11:56:03AM -0500

I figured it out. I posted to the list after probably a week plus of
hacking around, and while this isn't the most elegant solution, it works.

I don't want to provide support, but for the sake of the list archives and
other people's sanity, here are the basic steps I took:

- Grab the Linux SecurID client off the RSA site at
  http://www.rsasecurity.com/download/linux/
- Un-tar/decompress
- (Kludge) FreeBSD apparently doesn't have the Linux "/bin/line" equivalent,
  which is what the `sdsetup` program uses. So, change lines in sdsetup to
  substitute `$LINE_EXEC` (with quotes) with the anticipated response, like
  'y' for 'yes' and 'n' for 'no', and directory or pathnames as needed.
  (I'll include a diff at the end of this email)
- Grab the sdconf.rec from /top/ace/.. on your SecurID server and put it in
  your $CWD
- Run ./sdsetup -client
- Add a test user with shell /top/ace/prog/sdshell
- Add this box to your ACE/Server as a client and add user auth as you would
  any other new client
- Verify, run, go.

You need to be running Linux compatibility.

I make no guarantees or warranties whatsoever; I am relaying how *I* got it
to work on systems here. If you do it and lock yourself out of your own
boxes, don't come running to me.

This only protects interactive login; I still have yet to tackle FTP, SCP,
etc.

Good luck
jamie

-- begin diff -- 103,109d102 < if [ !
-f "$LINE_EXEC" ] < then < echo "#!/bin/sh" > /bin/line < echo "read i" >> /bin/line < echo "echo \$i" >> /bin/line < chmod 555 /bin/line < fi 207c200 < YESORNO=`$LINE_EXEC` --- > YESORNO='y' 1114c1107 < create=`$LINE_EXEC` --- > create='y' 1188c1181 < input=`$LINE_EXEC` --- > input='' 1281c1274 < test_owner=`$LINE_EXEC` --- > test_owner=rsa 1316c1309 < current_platform=`$LINE_EXEC` --- > current_platform=freebsd 1468c1461 < test_type=`$LINE_EXEC` --- > test_type=des 1508c1501 < test_path=`$LINE_EXEC` --- > test_path=/usr/local/rsa 1631c1624 < create=`$LINE_EXEC` --- > create='' -- end diff --

On Fri, May 04, 2001 at 11:56:03AM -0500, jamie rishaw wrote:
> Hi,
>
> I'm looking to chat either on- or off-list with people that have
> successfully integrated RSA's SecurID into FreeBSD. Specifically,
> the client side.
>
> There are no official clients, and when I try to compile commercial
> SSH with SecurID support, I get "File format not recognized" when the
> ssh daemon tries to link sdiclient.a symbols (sdiclient.a being the
> file that the ACE server generates/holds for clients to link in and
> talk/authenticate with). SSH.com has still yet to reply to my open
> ticket with them...
>
> I have searched high and low for real answers, yet I cannot find
> anyone that's been able to say, "Yes, I've done it, here's how".
>
> URLs, Pointers, etc., are all appreciated.
>
> thanks in advance,
>
> jamie
> --
> jamie rishaw
> sr. wan/unix engineer/ninja // playboy enterprises inc.
> opinions stated are mine, and are not necessarily those of the bunny.

--
jamie rishaw
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.
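Review bot: the first hunk (103,109d102) deletes the script's own fallback for a missing `line`: the block it removes writes a two-line `read i` / `echo $i` replacement to /bin/line whenever `$LINE_EXEC` is not a file, which is precisely the situation the mail describes on FreeBSD. If that fallback did not work as shipped (for instance because `$LINE_EXEC` points at something that exists but is not `line`, or because /bin was not writable at that point), the summary should say so, since keeping that block, or installing the same two-line script once by hand, would keep every prompt interactive and make the hard-coded answers in the remaining hunks unnecessary.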
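Review bot: the remaining hunks answer every prompt unconditionally and bake in site-specific values. `YESORNO='y'` (207c200) and `create='y'` (1114c1107) say yes to whatever those prompts ask, including any confirmation before overwriting an existing installation, while `input=''` (1188c1181) and `create=''` (1631c1624) feed an empty line whose effect depends on each prompt's default; `test_owner=rsa`, `current_platform=freebsd`, `test_type=des` and `test_path=/usr/local/rsa` are this site's answers. Each hunk should carry a comment quoting the prompt it answers, and the summary should reconcile `test_path=/usr/local/rsa` with the /top/ace/prog/sdshell and /top/ace paths given in the steps above so a reader knows which tree the client actually ends up in.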
From owner-freebsd-security Fri May 4 12:14:59 2001
Message-Id: <200105041914.NAA10067@h-209-91-79-2.gen.cadvision.com>
Date: Fri, 4 May 2001 13:14:46 -0600 (MDT)
From: "Geoffrey T. Falk"
Subject: Re: RSA SecurID Client on FreeBSD: Summary
To: jamie rishaw
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010504133228.D21698@playboy.com>

I bet you also need to have NTP set up, otherwise the token will be out of
sync with your server.. :-)

Geoffrey

From owner-freebsd-security Fri May 4 15:21:31 2001
Date: Fri, 4 May 2001 17:19:00 -0500 (CDT)
From: Matt Watson
To: Andrew Barros
Cc: "lists@mail.ru", freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
In-Reply-To: <20010504102705.I9233@tjhsst.edu>

I have experienced this same problem before. What I have discovered to be
the cause of it is when the BSD machine cannot look up its own _forward_
DNS, so what you should do is make sure that cronos.tjhsst.edu can be
resolved to its correct IP. This problem seems to be common across all BSDs
that I have used, not just FreeBSD. Anyhow, that's my 2 cents.

--
Matt Watson

On Fri, 4 May 2001, Andrew Barros wrote:
> It is.
>
> [abarros <@> cronos.tjhsst.edu 9:59]
> [103] #nslookup
> Default Server:  ns1.tjhsst.edu
> Address:  198.38.16.40
>
> > localhost.tjhsst.edu
> Server:  ns1.tjhsst.edu
> Address:  198.38.16.40
>
> Name:    localhost.tjhsst.edu
> Address:  127.0.0.1
>
> > 127.0.0.1
> Server:  ns1.tjhsst.edu
> Address:  198.38.16.40
>
> Name:    localhost.tjhsst.edu
> Address:  127.0.0.1
>
> -ajb
>
> --
> Andrew Barros
> PGP Key Fingerprint:
> D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8

From owner-freebsd-security Fri May 4 22:39:32 2001
Message-Id: <3.0.32.20010505135125.01c87c2c@smtp.magix.com.sg>
Date: Sat, 05 May 2001 13:51:25 +0800
To: freebsd-security@freebsd.org
From: Spades
Subject: Re: servname not supported for ai_socktype

Anyone got this before?

[snez@dsl snez]$ ftp localhost
ftp: localhost: servname not supported for ai_socktype
[snez@dsl snez]$ telnet localhost
localhost: servname not supported for ai_socktype
[snez@dsl snez]$ whois ff.com
whois: com.whois-servers.net: servname not supported for ai_socktype

From owner-freebsd-security Fri May 4 23:18:04 2001
To: Spades
Cc: freebsd-security@freebsd.org
In-reply-to: spades's message of Sat, 05 May 2001 13:51:25 +0800. <3.0.32.20010505135125.01c87c2c@smtp.magix.com.sg>
Subject: Re: servname not supported for ai_socktype
From: itojun@iijlab.net
Date: Sat, 05 May 2001 15:17:48 +0900
Message-ID: <618.989043468@itojun.org>

>Anyone got this before?

you've removed/lost /etc/services, perhaps?

itojun

From owner-freebsd-security Sat May 5 01:45:10 2001
To: anderson@centtech.com
Cc: Andrew Barros, "lists@mail.ru", freebsd-security@freebsd.org
Subject: Re: reverse or not
In-reply-to: Your message of "Fri, 04 May 2001 08:17:00 EST." <3AF2ABCC.B5776288@centtech.com>
Date: Sat, 05 May 2001 10:44:50 +0200
Message-ID: <65662.989052290@axl.fw.uunet.co.za>
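A way to pin that diagnosis down, as an added example that is not code from the list: it parses a constructed /etc/services fragment for the names that ftp, telnet and whois ask for, and probes the system resolver with a numeric and an unknown service name so the EAI_SERVICE failure behind the "servname not supported for ai_socktype" message can be seen directly. The sample file contents and the list of services checked are assumptions made for the example.

```python
"""Diagnose 'servname not supported for ai_socktype'.

Added example; not code from the list.  The message is getaddrinfo(3)
failing with EAI_SERVICE: the service *name* the program passed (ftp,
telnet, whois) could not be mapped to a port, which on a box that worked
the day before usually means /etc/services is gone or unreadable, as
itojun suggests.  This checks a services file for the names a set of
commands need and probes the system resolver the same way the commands do.
"""
import socket
from typing import Dict, List, Tuple

# Constructed fragment in /etc/services format; whois is deliberately absent
# so the check has something to report.
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases]
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
domain          53/tcp
domain          53/udp
"""

# The service names the three commands in the report ask getaddrinfo for
# (assumed for the example).
NEEDED = [("ftp", "tcp"), ("telnet", "tcp"), ("whois", "tcp")]


def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Map (name, protocol) to port for every name and alias in the file."""
    table: Dict[Tuple[str, str], int] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue                                # blank or malformed line
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:       # primary name plus aliases
            table[(name, proto)] = int(port)
    return table


def missing_services(text: str, needed: List[Tuple[str, str]]) -> List[str]:
    """Return the service names in `needed` that the file cannot map."""
    table = parse_services(text)
    return [name for name, proto in needed if (name, proto) not in table]


def service_resolves(name: str) -> bool:
    """Ask the live resolver for a service name the way ftp/telnet/whois do.

    A False return is the EAI_SERVICE case behind the error message (some
    libcs report an unknown service as EAI_NONAME instead).  A numeric port
    resolves even when /etc/services is missing, which is a quick way to
    tell a lost services file from a broken resolver.
    """
    try:
        socket.getaddrinfo(None, name, socket.AF_INET, socket.SOCK_STREAM,
                           0, socket.AI_PASSIVE)
        return True
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_SERVICE, socket.EAI_NONAME):
            return False
        raise


if __name__ == "__main__":
    print("missing from sample file:", missing_services(SAMPLE_SERVICES, NEEDED))
    for svc in ("22", "ftp", "telnet", "whois"):
        print(f"{svc:>6}: {'ok' if service_resolves(svc) else 'servname not supported'}")
```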
From: Sheldon Hearn

On Fri, 04 May 2001 08:17:00 EST, Eric Anderson wrote:

> I think if you have (in your /etc/host.conf) bind listed before hosts
> (meaning it will ask the dns server before looking at the hosts file),
> it would delay if the dns server doesn't have a reverse entry for
> 127.0.0.1 [...]

From a security perspective, I'm pretty sure that hosts should NEVER rely
on any external source for resolution on the loopback network.

Ciao,
Sheldon.

From owner-freebsd-security Sat May 5 06:57:32 2001
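A small audit of the conditions this thread circles around, as an added example that is not code from the list: it reads constructed copies of /etc/host.conf (both the FreeBSD one-keyword-per-line form and the Linux `order hosts,bind` form) and /etc/hosts, and reports when loopback or the box's own name would be sent to the nameserver, which is what stalls sshd for the resolver timeout once the uplink is down. The file contents, the address invented for cronos.tjhsst.edu and the set of checks are assumptions.

```python
"""Audit whether loopback and own-name resolution depend on an outside
nameserver, the dependency Sheldon Hearn warns against above.

Added example; not code from the list.  Parses constructed host.conf and
hosts files and reports the configurations discussed in the thread.
"""
from typing import Dict, List

LOOPBACK = "127.0.0.1"

# Constructed sample files.  Host names reuse the ones from the thread; the
# address for cronos is made up for the example.
GOOD_HOST_CONF = "# FreeBSD 4.x style: one source per line, tried in order\nhosts\nbind\n"
BAD_HOST_CONF = "order bind, hosts   # Linux style: DNS first\n"
HOSTS_COMPLETE = (
    "127.0.0.1      localhost localhost.tjhsst.edu\n"
    "198.38.16.40   ns1.tjhsst.edu\n"
    "198.38.16.41   cronos.tjhsst.edu cronos   # constructed address\n"
)
HOSTS_NO_LOOPBACK = "198.38.16.40   ns1.tjhsst.edu\n"


def parse_host_conf(text: str) -> List[str]:
    """Return the lookup order as a list of sources, e.g. ['bind', 'hosts'].

    Accepts FreeBSD's one-source-per-line file and the Linux 'order' keyword.
    """
    order: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("order"):
            order.extend(s.strip().lower() for s in line[5:].split(",") if s.strip())
        else:
            order.append(line.split()[0].lower())
    return order


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each address in /etc/hosts to the names listed for it."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def audit(host_conf: str, hosts: str, hostname: str) -> List[str]:
    """Return findings; an empty list means loopback and the box's own name
    are answered from the local hosts file before DNS is ever asked."""
    findings: List[str] = []
    order = parse_host_conf(host_conf)
    table = parse_hosts(hosts)
    if "hosts" not in order:
        findings.append("host.conf never consults /etc/hosts")
    elif "bind" in order and order.index("bind") < order.index("hosts"):
        findings.append("host.conf asks DNS before /etc/hosts; a dead uplink "
                        "delays every lookup, loopback included")
    if LOOPBACK not in table:
        findings.append("127.0.0.1 has no /etc/hosts entry; its reverse "
                        "lookup goes to the nameserver")
    if not any(hostname in names for names in table.values()):
        findings.append(f"{hostname} has no /etc/hosts entry; the forward "
                        "lookup of the box's own name needs DNS")
    return findings


if __name__ == "__main__":
    for label, conf, hosts in (("good", GOOD_HOST_CONF, HOSTS_COMPLETE),
                               ("bad", BAD_HOST_CONF, HOSTS_NO_LOOPBACK)):
        print(label, audit(conf, hosts, "cronos.tjhsst.edu") or ["ok"])
```

Current OpenSSH can also skip the lookup entirely with `UseDNS no` in sshd_config; that removes the stall but not the box's dependency on an outside server for its own names.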
From: "Dominic Marks"
To: freebsd-security@freebsd.org
Subject: Login Permissions
Date: Sat, 05 May 2001 13:57:29 -0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 05 May 2001 13:57:29.0368 (UTC) FILETIME=[52CBD180:01C0D56B]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Login can be executed by any user connected with a local or remote shell.
Login could therefore be used as a forkbomb/dos attack which could be used
to eat resources (and possibly ttys?).

Should login be set as chmod 700?

After discussing this on IRC we couldn't think of a reason as to why this
would break anything.

Any thoughts/comments?

Dominic Marks

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

From owner-freebsd-security Sat May 5 11:24:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns2.eltex.ru (ns2.eltex.ru [212.119.162.4]) by hub.freebsd.org (Postfix) with ESMTP id 32EB637B423 for ; Sat, 5 May 2001 11:24:30 -0700 (PDT) (envelope-from ark@eltex.ru)
Received: from eltex.ru (eltex-gw2.nw.ru [195.19.203.86] (may be forged)) by ns2.eltex.ru (8.9.3/8.9.3) with ESMTP id WAA88289 for ; Sat, 5 May 2001 22:24:16 +0400 (MSD)
From: ark@eltex.ru
Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by eltex.ru (8.9.3/8.9.3) with SMTP id VAA44597; Fri, 4 May 2001 21:03:51 +0400 (MSD)
Received: by yaksha.eltex.ru (ssmtp TIS-0.6alpha, 19 Jan 2000); Fri, 4 May 2001 21:05:33 +0400
Received: from undisclosed-intranet-sender id xmaZ27393; Fri, 4 May 01 21:05:17 +0400
Date: Fri, 4 May 2001 21:06:05 +0400
Message-Id: <200105041706.VAA03218@paranoid.eltex.ru>
In-Reply-To: <20010504115603.C21698@playboy.com> from "jamie rishaw "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: SecurID
To: jrishaw@playboy.com
Cc: freebsd-security@FreeBSD.ORG, jamie@playboy.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Why not just write SecurID server in software ;)?

jamie rishaw said :

> Hi,
>
> I'm looking to chat either on- or off-list with people that have
> successfully integrated RSA's SecurID into FreeBSD. Specifically,
> the client side.
>
> There are no official clients, and when I try to compile commercial
> SSH with SecurID support, I get "File format not recognized" when the
> ssh daemon tries to link sdiclient.a symbols (sdiclient.a being the
> file that the ACE server generates/holds for clients to link in and
> talk/authenticate with). SSH.com has still yet to reply to my open
> ticket with them...
>
> I have searched high and low for real answers, yet I cannot find
> anyone that's been able to say, "Yes, I've done it, here's how".
>
> URLs, Pointers, etc., are all appreciated.

 _ _ _ _ _ _ _
{::} {::} {::}      CU in Hell          _| o |_ | | _|| | / _||_| |_ |_ |_
 (##) (##) (##)     /Arkan#iD           |_ o _||_| _||_| / _| | o |_||_||_|
 [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBOvLhfaH/mIJW9LeBAQFBowP/blPP1k+tjU+ypdAd/EA0nTSHNlLOOore
vuDLZcrnxl4SSi3h7VPY6sb2pcH+DIspxG/PBCEl8tE1BNZ20Sg74WWc/x2UMSN0
AQ9ZTUKfGhf2wIG3gpvGaAfwQdE0re0NWYljcc19da3pO4gGX0na2ubDWIsFytkj
YSCmyJNRT2A=
=BcZV
-----END PGP SIGNATURE-----

From owner-freebsd-security Sat May 5 18:35: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B0BE837B43E for ; Sat, 5 May 2001 18:34:59 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA16189; Sat, 5 May 2001 18:34:58 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda16187; Sat May 5 18:34:47 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f461YgB51796; Sat, 5 May 2001 18:34:42 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdb51794; Sat May 5 18:34:38 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f461YbJ03934; Sat, 5 May 2001 18:34:37 -0700 (PDT)
Message-Id: <200105060134.f461YbJ03934@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdee3928; Sat May 5 18:34:18 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: "Dominic Marks"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Login Permissions
In-reply-to: Your message of "Sat, 05 May 2001 13:57:29 -0000."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 05 May 2001 18:34:18 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , "Dominic Marks" writes:
> Login can be executed by any user connected with a local or remote shell.
> Login could therefore be used as a forkbomb/dos attack which could be used
> to eat resources (and possibly ttys?).
>
> Should login be set as chmod 700?

A better solution would be to only allow login to be executed using the
exec builtin from the lowest level shell as Solaris does:

No utmpx entry. You must exec "login" from the lowest level "shell".

Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
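An added check for the loopback-resolution point Sheldon Hearn makes in the "reverse or not" thread earlier in this digest: it is example code written here, not part of any message above. It assumes a FreeBSD 4.x-style /etc/host.conf with one resolver keyword per line ("hosts" for /etc/hosts, "bind" for DNS); later releases move that ordering to /etc/nsswitch.conf, which this script does not parse. The sample files are constructed inline, and the script goes one step past the thread by also requiring an IPv6 ::1 loopback entry.

```shell
#!/bin/sh
# Added example, not from the list thread: audit whether loopback name
# resolution can ever leave the host.
# Assumptions: FreeBSD 4.x-style /etc/host.conf with one keyword per line
# ("hosts" = /etc/hosts, "bind" = DNS).  Sample files below are constructed.

# order_ok CONF: exit 0 when "hosts" is listed before "bind" (or "bind" is
# absent), exit 1 when DNS would be consulted before /etc/hosts.
order_ok() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $1 == "hosts" && !h { h = NR }         # first "hosts" line
        $1 == "bind"  && !b { b = NR }         # first "bind" line
        END { exit ((b && (!h || h > b)) ? 1 : 0) }
    ' "$1"
}

# loopback_ok HOSTS: exit 0 when both 127.0.0.1 and ::1 map to "localhost"
# in the file, so loopback names are answered without any outside lookup.
loopback_ok() {
    awk '
        { sub(/#.*/, "") }                     # strip trailing comments, re-split fields
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") v4 = 1 }
        $1 == "::1"       { for (i = 2; i <= NF; i++) if ($i == "localhost") v6 = 1 }
        END { exit ((v4 && v6) ? 0 : 1) }
    ' "$1"
}

# audit CONF HOSTS: print one verdict per file; exit 0 only if both pass.
audit() {
    rc=0
    if order_ok "$1"; then
        echo "$1: /etc/hosts consulted before DNS: ok"
    else
        echo "$1: DNS consulted before /etc/hosts: loopback lookups leave the host"
        rc=1
    fi
    if loopback_ok "$2"; then
        echo "$2: 127.0.0.1 and ::1 both map to localhost: ok"
    else
        echo "$2: loopback entry missing: resolution falls through to DNS"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files).
tmp=$(mktemp -d)
printf '# try /etc/hosts first, then DNS\nhosts\nbind\n' > "$tmp/host.conf.good"
printf 'bind\nhosts\n' > "$tmp/host.conf.bad"       # the ordering discussed in the thread
printf '127.0.0.1\tlocalhost myhost   # comment\n::1\t\tlocalhost\n' > "$tmp/hosts.good"
printf '::1 localhost\n' > "$tmp/hosts.bad"          # no IPv4 loopback entry

audit "$tmp/host.conf.good" "$tmp/hosts.good" || :
audit "$tmp/host.conf.bad"  "$tmp/hosts.bad"  || :
# On a live 4.x box: audit /etc/host.conf /etc/hosts
```

The awk in order_ok only records the first "hosts" and first "bind" line, so a host.conf that lists "bind" twice or adds "nis" is judged purely on whether /etc/hosts is consulted first; a file with no "bind" line at all passes, since nothing external is ever asked.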