From owner-freebsd-security Sun Jul 29 0:56:52 2001
Delivered-To: freebsd-security@freebsd.org Received: from mailout00.sul.t-online.de (mailout00.sul.t-online.com [194.25.134.16]) by hub.freebsd.org (Postfix) with ESMTP id 13A5E37B401 for ; Sun, 29 Jul 2001 00:56:48 -0700 (PDT) (envelope-from haribeau@gmx.de) Received: from fwd00.sul.t-online.de by mailout00.sul.t-online.de with smtp id 15QlRP-0002D2-00; Sun, 29 Jul 2001 09:56:47 +0200 Received: from asterix.local (320080844193-0001@[217.80.84.89]) by fmrl00.sul.t-online.com with smtp id 15QlRO-0vjRcuC; Sun, 29 Jul 2001 09:56:46 +0200 Received: (qmail 414 invoked from network); 29 Jul 2001 07:56:45 -0000 Received: from homer.local (HELO homer.local.nlocal) (192.168.1.50) by 0 with SMTP; 29 Jul 2001 07:56:45 -0000 Received: (nullmailer pid 1134 invoked by uid 1100); Sun, 29 Jul 2001 07:56:45 -0000 Date: Sun, 29 Jul 2001 09:56:45 +0200 From: Clemens Hermann To: FreeBSD security ML Subject: proxy recommendation Message-ID: <20010729095645.A1048@homer.local> Mail-Followup-To: Clemens Hermann , FreeBSD security ML Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Mailer: Mutt 1.2.5i (FreeBSD 4.3-RELEASE i386) Organization: Linuxlupe InternetSolutions X-Sender: 320080844193-0001@t-dialin.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

to build an application gateway I am looking for proxies for the following services:

- http
- https
- smtp
- pop3 (if it exists, pop3 via ssl)
- ftp
- dns

I have found some tools (especially TIS, which has only some of the proxies I am looking for) but I am not sure which one to take and would appreciate a hint a lot. By far the most important issue is security, not performance.

Second: there is one thing I do not understand. Commercial proxies offer https/pop3 via ssl etc. How does this work together with the end-to-end connection of ssl? How can the proxy interfere with these "secure" connections? It does not have the ssl certificate and cannot pretend to be the ssl server to the client application, so how is the proxying done? Can one do all the scanning on the proxy that you can do with a non-encrypted connection (e.g. http compared to https)?

thanks for any hint

/ch

--
"Contrary to popular belief, Unix is user friendly. It just happens to be selective about who it makes friends with."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 29 10:40:19 2001
Delivered-To: freebsd-security@freebsd.org Received: from turtle.looksharp.net (cc360882-d.strhg1.mi.home.com [24.13.43.207]) by hub.freebsd.org (Postfix) with ESMTP id 6DE6437B401 for ; Sun, 29 Jul 2001 10:40:14 -0700 (PDT) (envelope-from bsdx@looksharp.net) Received: by turtle.looksharp.net (Postfix, from userid 1002) id 02D0E3E23; Sun, 29 Jul 2001 13:40:26 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by turtle.looksharp.net (Postfix) with ESMTP id DD9A2BA7E; Sun, 29 Jul 2001 13:40:26 -0400 (EDT) Date: Sun, 29 Jul 2001 13:40:26 -0400 (EDT) From: Adam To: alexus Cc: Chris Byrnes , Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? In-Reply-To: <005d01c1107a$b6f57a40$0d00a8c0@alexus> Message-ID: <20010729134005.U45945-100000@turtle.looksharp.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Looks to me like it was already compiled so it just installed it.
Try make clean first

On Thu, 19 Jul 2001, alexus wrote:

>su-2.05# cd /usr/src/libexec/telnetd/
>su-2.05# make all install
>install -c -s -o root -g wheel -m 555 telnetd /usr/libexec
>install -c -o root -g wheel -m 444 telnetd.8.gz /usr/share/man/man8
>su-2.05#
>
>hmm that's it? seems like too short compilation .. is it supposed to be like
>this?
>
>----- Original Message -----
>From: "Chris Byrnes"
>To: "alexus"
>Cc:
>Sent: Thursday, July 19, 2001 1:39 PM
>Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
>
>
>root# cd /usr/src/libexec/telnetd ; make all install ; killall -HUP inetd
>
>
>Chris Byrnes, Managing Member
>JEAH Communications, LLC
>
>On Thu, 19 Jul 2001, alexus wrote:
>
>> uh. ok:)
>>
>> this part is done.. should i recompile telnetd now somehow? if so then
>> how?:)
>>
>> ----- Original Message -----
>> From: "Pierre-Luc Lespérance"
>> To:
>> Sent: Thursday, July 19, 2001 1:28 PM
>> Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
>>
>>
>> > alexus wrote:
>> > >
>> > > could you also include some sort of instruction how to apply it?
>> > >
>> > > thanks in advance
>> > >
>> > > ----- Original Message -----
>> > > From: "Ruslan Ermilov"
>> > > To: "Przemyslaw Frasunek"
>> > > Cc:
>> > > Sent: Thursday, July 19, 2001 1:14 PM
>> > > Subject: [PATCH] Re: FreeBSD remote root exploit ?
>> > >
>> > > > On Thu, Jul 19, 2001 at 11:03:53AM +0200, Przemyslaw Frasunek wrote:
>> > > > > > Posted to bugtraq is a notice about telnetd being remotely root
>> > > > > > exploitable. Does anyone know if it is true ?
>> > > > >
>> > > > > Yes, telnetd is vulnerable.
>> > > > >
>> > > > The patch is available at:
>> > > >
>> > > > http://people.FreeBSD.org/~ru/telnetd.patch
>> > > >
>> > > >
>> > > > Cheers,
>> > > > --
>> > > > Ruslan Ermilov Oracle Developer/DBA,
>> > > > ru@sunbay.com Sunbay Software AG,
>> > > > ru@FreeBSD.org FreeBSD committer,
>> > > > +380.652.512.251 Simferopol, Ukraine
>> > > >
>> > > > http://www.FreeBSD.org The Power To Serve
>> > > > http://www.oracle.com Enabling The Information Age
>> > > >
>> > go to /usr/src/crypto/telnet/telnetd
>> > and type
>> > shell~# patch -p < /where/is/the/file.patch
>> >

From owner-freebsd-security Sun Jul 29 15:53:27 2001
Delivered-To: freebsd-security@freebsd.org Received: from chrome.jdl.com (chrome.jdl.com [209.39.144.2]) by hub.freebsd.org (Postfix) with ESMTP id 6EC9637B401 for ; Sun, 29 Jul 2001 15:53:22 -0700 (PDT) (envelope-from jdl@chrome.jdl.com) Received: from chrome.jdl.com (localhost [127.0.0.1]) by chrome.jdl.com (8.9.1/8.9.1) with ESMTP id RAA21644; Sun, 29 Jul 2001 17:58:31 -0500 (CDT) (envelope-from jdl@chrome.jdl.com) Message-Id: <200107292258.RAA21644@chrome.jdl.com> To:
Peter Pentchev Cc: "Antoine Beaupre (LMC)" , security@freebsd.org Subject: Re: Some Followup on that ypchfn mess of mine In-reply-to: Your message of "Fri, 27 Jul 2001 20:25:27 +0300." <20010727202527.E1105@ringworld.oblivion.bg> Clarity-Index: null Threat-Level: none Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code. Net-thought: If you meet the Buddha on the net, put him in your Kill file. Date: Sun, 29 Jul 2001 17:58:30 -0500 From: Jon Loeliger Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

So, like Peter Pentchev was saying to me just the other day:

> >
> > OK, I'll state it publicly:
> >
> > This machine will be rebuilt from sources.
> > The old disk will be completely reformatted.
> > I'm putting a new firewall in place first.
>
> Sorry to be a pain ;) But sometimes, a rebuild from sources might
> not be enough:

I wasn't clear. I will take a stock 4.3 release and install that onto a _new_ disk. I will then rebuild world with some uprev'ed sources and install that. I will format the old, compromised disk and newfs it straight up.

> you'll have to perform at least the install on
> the machine in question (unless you take off the hard disk, mount
> it on another machine, build from sources, and install with a DESTDIR
> pointing to this machine's filesystems).
> This still poses a risk,
> albeit unlikely, of somebody having compromised your compiler, make(1),
> install(1), perl, and whatever else is running on the machine before
> the installation starts using the newly-compiled binaries.

In any event, these all go too. I've downloaded a 4.3 release from ftp2.FreeBSD.org already and have started that install and "make world" onto an entirely _new_ disk.

> This is why I - following the advice of others, including
> http://www.FreeBSD.org/security/ - recommended backing up the data,
> then reinstalling from a CD (or over the net; the point is, reinstalling
> from an install medium completely unrelated to the compromised machine).

Absolutely. Yes.

jdl

From owner-freebsd-security Sun Jul 29 22: 9:18 2001
Delivered-To: freebsd-security@freebsd.org Received: from ns.siat.ru (ns.siat.ru [195.239.171.34]) by hub.freebsd.org (Postfix) with ESMTP id D9F3737B403 for ; Sun, 29 Jul 2001 22:09:11 -0700 (PDT) (envelope-from slava@siat.ru) Received: from siat.ru (slava.siat.ru [195.239.171.36]) by ns.siat.ru (8.11.4/8.11.4) with ESMTP id f6U599605008 for ; Mon, 30 Jul 2001 13:09:09 +0800 (KRSS) Message-ID: <3B64EC08.E77C3D9@siat.ru> Date: Mon, 30 Jul 2001 13:09:28 +0800 From: "Viacheslav E.Voytovich" Reply-To: slava@siat.ru Organization: Siat Travel X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-6.1.1 i586) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: Strange treating RCPT TO:'s address Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi !

I found strange behaviour of my sendmail.
When I send command 'RCPT TO: "paradise

; Mon, 30 Jul 2001 07:38:55 -0700 (PDT) (envelope-from jim@federation.addy.com) Received: from localhost (jim@localhost) by federation.addy.com (8.9.3/8.9.3) with ESMTP id KAA68897 for ; Mon, 30 Jul 2001 10:39:14 -0400 (EDT) (envelope-from jim@federation.addy.com) Date: Mon, 30 Jul 2001 10:39:14 -0400 (EDT) From: Jim Sander Cc: freebsd-security@FreeBSD.ORG Subject: Re: Telnet exploit & 3.4-RELEASE In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Paul Hart wrote:
> The exploit posted to Bugtraq DOES work on FreeBSD 3.4-RELEASE but only if
> you selected to install an encrypting telnetd when you set the machine up.
> [...]
> The "regular" telnetd still has the overflow (which may or may not be
> exploitable)

Exactly the kind of info I was looking for. My tests with the patched non-crypto telnetd seem to indicate all the problems are fixed, but again that may be my own lack of understanding.

Thanks to you, and to the others that replied off-list with other information, both valuable and simply amusing.

-=Jim=-

From owner-freebsd-security Mon Jul 30 8:17:41 2001
Delivered-To: freebsd-security@freebsd.org Received: from mydomain.com (1Cust57.tnt2.cph3.da.uu.net [213.116.21.57]) by hub.freebsd.org (Postfix) with ESMTP id E774F37B496; Mon, 30 Jul 2001 08:17:31 -0700 (PDT) (envelope-from xxxsensation@funkytimes.com) Date: Mon, 30 Jul 2001 17:17:29 +0100 From: XXXSENSATION To: XXXSENSATION@FreeBSD.ORG Subject: THE GREATEST NO.1 SHOWS ON THE NET ! Message-Id: <20010730151731.E774F37B496@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dear Ladies & Gentlemen,

Welcome to the GREATEST SEX SHOW on the ENTIRE NET ! We now offer you to ENTER to world's No.1 voted SEX-SERVER on the WEB ! By far the largest and most incredible content of LIVE SEX is now served to users WORLDWIDE! EVERYTHING is offered 100% ANONOMOUSLY & you don't need to sign-up or have a creditcard ... The way it should be !

PLUGIN RIGHT HERE AT: http://siam.to/worldclass ... If this Site does not open properly ... please try http://cyberu.to/worldclass

Or this one, if you just love true LESBIAN SEX, CHAT and MORE from Sunny Ibiza in Spain: http://siam.to/classbabes ... If this Site does not open properly ... please try http://cyberu.to/hotbabes and get access to something you with guarantee NEVER have seen before !

Yours truly,
XXXSENSATION Inc.

From owner-freebsd-security Mon Jul 30 8:45:10 2001
Delivered-To: freebsd-security@freebsd.org Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id AD60837B403 for ; Mon, 30 Jul 2001 08:45:02 -0700 (PDT) (envelope-from carock@epconline.net) Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.4/8.11.4) with SMTP id f6UFj2226027 for ; Mon, 30 Jul 2001 10:45:02 -0500 (CDT) From: "Chuck Rock" To: Subject: RE: I'm having problems getting this patch installed....
Date: Mon, 30 Jul 2001 10:45:02 -0500 Message-ID: <004301c1190e$986b7420$1805010a@epconline.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: <006d01c11533$90452310$1805010a@epconline.net> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

OK, I've found what the problem is, now I need to know how to fix it.

I have two boxes with 4.2 release.

The one I'm having a problem with does not have this directory structure...

/usr/src/libexec/telnetd/

The other one does. I'm guessing that's why the patch keeps asking me what files I want to patch, because the directory to the files it's looking for doesn't exist.

It has this...

/usr/src/crypto/heimdal/appl/telnet/telnetd/
/usr/src/crypto/kerberosIV/appl/telnet/telnetd/
/usr/src/crypto/telnet/telnetd/

How do I get the correct directory structure on the machine I'm having difficulties with?

Thanks,
Chuck

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chuck Rock
> Sent: Wednesday, July 25, 2001 1:00 PM
> To: security@FreeBSD.ORG
> Subject: RE: I'm having problems getting this patch installed....
>
>
> I haven't gotten that far. I'm on line 2 in the SA-01:49 "how to install
> this patch" procedure.
>
> It's asking me a question I don't know how to answer.
>
> On your problem, is that from the make depend, or make install?
>
> Chuck
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Michael Dowdell
> > Sent: Wednesday, July 25, 2001 12:43 PM
> > To: security@FreeBSD.ORG
> > Subject: Re: I'm having problems getting this patch installed....
> >
> >
> > is your problem with the patch or the compile? I have 4.2 release and
> > get the following make errors for make all after applying the patch.
> > haven't figured this out yet...
> >
> >
> > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON
> > -DENV_HACK -DAUTHENTICATION -DENCRYPTION
> > -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6
> > -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o
> > termstat.o utility.o authenc.o -lutil -ltermcap
> > -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto
> > -lcrypt -lmp
> > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init':
> > kerberos.o(.text+0x114): undefined reference to
> > `krb_get_default_keyfile'
> > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send':
> > kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost'
> > kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost'
> > kerberos.o(.text+0x21a): undefined reference to `krb_mk_req'
> > kerberos.o(.text+0x22b): undefined reference to `krb_err_txt'
> > kerberos.o(.text+0x24d): undefined reference to `krb_get_cred'
> > kerberos.o(.text+0x25e): undefined reference to `krb_err_txt'
> > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is':
> > kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm'
> > kerberos.o(.text+0x53c): undefined reference to `krb_rd_req'
> > kerberos.o(.text+0x56c): undefined reference to `krb_err_txt'
> > kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln'
> > kerberos.o(.text+0x5c1): undefined reference to `kuserok'
> > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status':
> > kerberos.o(.text+0x89e): undefined reference to `kuserok'
> > *** Error code 1
> >
> > Stop in /usr/src/secure/libexec/telnetd.
> >
> >
> > --
> > thanks,
> >
> > just mike
> >
> > Upgrade n. A painful crisis which belatedly restores one's faith
> > in the previous system.
> >

From owner-freebsd-security Mon Jul 30 9:30:27 2001
Delivered-To: freebsd-security@freebsd.org Received: from web13308.mail.yahoo.com (web13308.mail.yahoo.com [216.136.175.44]) by hub.freebsd.org (Postfix) with SMTP id A685937B403 for ; Mon, 30 Jul 2001 09:30:22 -0700 (PDT) (envelope-from ewancarr@yahoo.com) Message-ID: <20010730163022.96220.qmail@web13308.mail.yahoo.com> Received: from [158.234.10.144] by web13308.mail.yahoo.com; Mon, 30 Jul 2001 17:30:22 BST Date: Mon, 30 Jul 2001 17:30:22 +0100 (BST) From: Ewan Carr Subject: PFKEY/test-pfkey To: FreeBSD-Security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Is there any test code out there for playing with the PFKEY API? I'd like to be able to have my userland program send a PF_GET message to the "key engine" (I take it this is just a fancy name for the SPD?). I've found the file test-pfkey.c on the cvs tree at freebsd but... 'scuse me for being a bit thick here, but it seems to send the different types of PFKEY message types but I don't see where it handles the responses, e.g.
when sending the PF_GET where is the return message handled... any help/pointers appreciated

Cheers
E

p.s. please reply to me too 'cos I'm not on the list - thanks

Do You Yahoo!? Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk or your free @yahoo.ie address at http://mail.yahoo.ie

From owner-freebsd-security Mon Jul 30 9:56:30 2001
Delivered-To: freebsd-security@freebsd.org Received: from icmp.dhs.org (e-135-33-res1.mts.net [206.45.135.33]) by hub.freebsd.org (Postfix) with ESMTP id 9DB8A37B403 for ; Mon, 30 Jul 2001 09:56:26 -0700 (PDT) (envelope-from modulus@rcmp.ca) Received: from localhost (modulus@localhost) by icmp.dhs.org (8.11.4/8.11.3) with ESMTP id f6UGuKV18817 for ; Mon, 30 Jul 2001 11:56:21 -0500 (CDT) (envelope-from modulus@rcmp.ca) X-Authentication-Warning: icmp.dhs.org: modulus owned process doing -bs Date: Mon, 30 Jul 2001 11:56:19 -0500 (CDT) From: "Detective S.R. Ross Computer Crime division" X-X-Sender: To: Subject: IPFW & natd vs ipfilter & ipnat Message-ID: <20010730115455.D18246-100000@icmp.dhs.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I was wondering if there has ever been any benchmarking done of the performance differences between IPFW & IPF & their counterparts.
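The thread compares the two NAT paths without showing either setup, so here is what a minimal configuration of each looks like on a FreeBSD 4.x gateway. This is an added illustration, not taken from any message in the archive. It exists to make the structural difference visible that the later replies in this thread describe in words: natd receives every matching packet through an ipfw divert socket in userland and reinjects it, while ipnat rewrites packets inside the kernel, and userland ppp(8) can do the NAT itself on a PPPoE link. The outside interface fxp0, the inside network 192.168.1.0/24 and the portmap range are assumed values; substitute your own, and replace the "open" firewall type with a real ruleset before exposing the box.

```conf
# Added example (not from the list archive). Assumed values: outside
# interface fxp0, inside network 192.168.1.0/24, portmap range 10000:60000.

# --- A. ipfw + natd: userland NAT fed by a divert socket -----------------
# /etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"          # placeholder only; load a real ruleset
natd_enable="YES"
natd_interface="fxp0"         # assumed outside interface

# rc.firewall inserts the divert rule for you when natd_enable is YES;
# written out by hand it is the single rule:
#   ipfw add 50 divert natd ip from any to any via fxp0
# Every packet matching it is copied up to natd(8), rewritten in userland and
# reinjected into the kernel: two copies per packet, which is the CPU cost
# that does not exist on the in-kernel path below.

# --- B. ipfilter + ipnat: NAT inside the kernel ---------------------------
# /etc/rc.conf
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules -- the ftp proxy rule must precede the general map rules,
# otherwise active-mode ftp from inside hosts is rewritten without the proxy.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 0/32

# --- C. userland ppp(8) over PPPoE: let ppp do the NAT itself -------------
# /etc/rc.conf
ppp_enable="YES"
ppp_nat="YES"                 # same as "nat enable yes" in /etc/ppp/ppp.conf
```

In B, `0/32` tells ipnat to use whatever address fxp0 currently holds, which is what you want on a dynamically addressed DSL link. Option C applies only when the link is already terminated by userland ppp; packets are then in userland anyway, so translating them there costs nothing extra, whereas adding natd on top of userland ppp would cross the kernel boundary twice more per packet.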
From owner-freebsd-security Mon Jul 30 10:49:16 2001
Delivered-To: freebsd-security@freebsd.org Received: from icmp.dhs.org (e-135-33-res1.mts.net [206.45.135.33]) by hub.freebsd.org (Postfix) with ESMTP id 5EA7B37B403 for ; Mon, 30 Jul 2001 10:49:13 -0700 (PDT) (envelope-from modulus@icmp.dhs.org) Received: from localhost (modulus@localhost) by icmp.dhs.org (8.11.4/8.11.3) with ESMTP id f6UHn8637650 for ; Mon, 30 Jul 2001 12:49:08 -0500 (CDT) (envelope-from modulus@icmp.dhs.org) Date: Mon, 30 Jul 2001 12:49:08 -0500 (CDT) From: modulus To: Subject: RE: IPFW & natd vs ipnat & ipfilter Message-ID: <20010730124701.F36200-100000@icmp.dhs.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Please ignore the "Detective S.R. ..." from the RCMP. It seems a friend thought it would be funny to change my .pinerc file & fool with my real-name / domain.
From owner-freebsd-security Mon Jul 30 11:39:12 2001
Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id DA81D37B401 for ; Mon, 30 Jul 2001 11:39:07 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f6UId7S74947 for ; Mon, 30 Jul 2001 14:39:07 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010730143219.04cbbad0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 30 Jul 2001 14:33:11 -0400 To: From: Mike Tancsa Subject: Re: IPFW & natd vs ipfilter & ipnat In-Reply-To: <20010730115455.D18246-100000@icmp.dhs.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Nothing formal, but on my 486 at home, I do get about 33% better throughput on NATed connections via ipnat vs. natd using DSL and PPPoE.

---Mike

At 11:56 AM 7/30/01 -0500, Detective S.R. Ross Computer Crime division wrote:
>I was wondering if there has ever been any benchmarking done of
>the performance differences between IPFW & IPF & their counterparts.

From owner-freebsd-security Mon Jul 30 14:13:27 2001
Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id 3A58437B403 for ; Mon, 30 Jul 2001 14:13:21 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D3F1766B04; Mon, 30 Jul 2001 14:13:19 -0700 (PDT) Date: Mon, 30 Jul 2001 14:13:18 -0700 From: Kris Kennaway To: Chuck Rock Cc: security@FreeBSD.ORG Subject: Re: I'm having problems getting this patch installed.... Message-ID: <20010730141318.H68654@xor.obsecurity.org> References: <006d01c11533$90452310$1805010a@epconline.net> <004301c1190e$986b7420$1805010a@epconline.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ik0NlRzMGhMnxrMX" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <004301c1190e$986b7420$1805010a@epconline.net>; from carock@epconline.net on Mon, Jul 30, 2001 at 10:45:02AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Jul 30, 2001 at 10:45:02AM -0500, Chuck Rock wrote:
> OK, I've found what the problem is, now I need to know how to fix it.
>
> I have two boxes with 4.2 release.
>
> The one I'm having a problem with does not have this directory structure...
> /usr/src/libexec/telnetd/
[...]
> How do I get the correct directory structure on the machine I'm having
> difficulties with?

Install the libexec source code (sysinstall, cvsup, etc).

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7Zc3tWry0BWjoQKURAsKjAJ4hoYyNNSMr2/43C+7bUTHDVLhG/wCfYTd1
C9oa3C2ASOqJiVJdNj0vHUE=
=lzFQ
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 30 14:53: 1 2001
Delivered-To: freebsd-security@freebsd.org Received: from deimos.frii.net (deimos.frii.com [216.17.128.2]) by hub.freebsd.org (Postfix) with ESMTP id 7869B37B401 for ; Mon, 30 Jul 2001 14:52:57 -0700 (PDT) (envelope-from jott@frii.net) Received: from io.frii.com (jott@io.frii.com [216.17.128.3]) by deimos.frii.net (8.11.4/8.11.4) with ESMTP id f6ULqtF87903; Mon, 30 Jul 2001 15:52:55 -0600 (MDT) Date: Mon, 30 Jul 2001 15:52:56 -0600 (MDT) From: Jake Ott X-Sender: To: Mike Tancsa Cc: Subject: Re: IPFW & natd vs ipfilter & ipnat In-Reply-To: <5.1.0.14.0.20010730143219.04cbbad0@marble.sentex.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Because of CPU or because of protocol?

-Jake

On Mon, 30 Jul 2001, Mike Tancsa wrote:

>
> Nothing formal, but on my 486 at home, I do get about 33% better throughput
> on NATed connections via ipnat vs. natd using DSL and PPPoE.
>
> ---Mike
>
>
> At 11:56 AM 7/30/01 -0500, Detective S.R. Ross Computer Crime division wrote:
>
> >I was wondering if there has ever been any benchmarking done of
> >the performance differences between IPFW & IPF & their counterparts.

From owner-freebsd-security Mon Jul 30 14:58:12 2001
Delivered-To: freebsd-security@freebsd.org Received: from deimos.frii.net (deimos.frii.com [216.17.128.2]) by hub.freebsd.org (Postfix) with ESMTP id 90B1C37B401 for ; Mon, 30 Jul 2001 14:58:09 -0700 (PDT) (envelope-from jott@frii.net) Received: from io.frii.com (jott@io.frii.com [216.17.128.3]) by deimos.frii.net (8.11.4/8.11.4) with ESMTP id f6ULw8F91840; Mon, 30 Jul 2001 15:58:08 -0600 (MDT) Date: Mon, 30 Jul 2001 15:58:07 -0600 (MDT) From: Jake Ott X-Sender: To: Mike Tancsa Cc: Subject: Re: IPFW & natd vs ipfilter & ipnat In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Ahem, I just read my wonderful response and thought I'd clarify. Was the performance gain because of hardware utilization, or not? It's Monday, don't expect that much from me :)

-Jake

On Mon, 30 Jul 2001, Jake Ott wrote:

> Because of CPU or because of protocol?
>
> -Jake
>
> On Mon, 30 Jul 2001, Mike Tancsa wrote:
>
> >
> > Nothing formal, but on my 486 at home, I do get about 33% better throughput
> > on NATed connections via ipnat vs. natd using DSL and PPPoE.
> >
> > ---Mike
> >
> >
> > At 11:56 AM 7/30/01 -0500, Detective S.R. Ross Computer Crime division wrote:
> >
> > >I was wondering if there has ever been any benchmarking done of
> > >the performance differences between IPFW & IPF & their counterparts.

From owner-freebsd-security Mon Jul 30 15: 2:17 2001
Delivered-To: freebsd-security@freebsd.org Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id B242337B403 for ; Mon, 30 Jul 2001 15:02:13 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id IAA25374; Tue, 31 Jul 2001 08:02:10 +1000 (EST) Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37640) with ESMTP id <01K6KNV42NY8VLW5YT@cim.alcatel.com.au>; Tue, 31 Jul 2001 08:02:08 +1000 Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f6UM27083403; Tue, 31 Jul 2001 08:02:07 +1000 (EST envelope-from jeremyp) Content-return: prohibited Date: Tue, 31 Jul 2001 08:02:07 +1000 From: Peter Jeremy Subject: Re: IPFW & natd vs ipfilter & ipnat In-reply-to: ; from jott@frii.net on Mon, Jul 30, 2001 at 03:52:56PM -0600 To: Jake Ott Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG Mail-Followup-To: Jake Ott , Mike Tancsa , freebsd-security@FreeBSD.ORG Message-id: <20010731080207.L506@gsmx07.alcatel.com.au> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline User-Agent: Mutt/1.2.5i References: <5.1.0.14.0.20010730143219.04cbbad0@marble.sentex.ca> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID:
On 2001-Jul-30 15:52:56 -0600, Jake Ott wrote:
>Because of CPU or because of protocol?
>
>-Jake
>
>On Mon, 30 Jul 2001, Mike Tancsa wrote:
>
>>
>> Nothing formal, but on my 486 at home, I do get about 33% better throughput
>> on NATed connections via ipnat vs. natd using DSL and PPPoE.
>>
>> ---Mike

ipnat runs in the kernel. natd runs in userland - every packet must be copied from kernel to userland and back again. This makes natd far more CPU intensive.

If you're using userland PPP, you're better off using the NAT in ppp(8) - this saves a kernel->userland->kernel transition.

Peter

From owner-freebsd-security Mon Jul 30 15:09:38 2001
Received: from cp976378-a.mtgmry1.md.home.com (cp976378-a.mtgmry1.md.home.com [65.14.173.93]) by hub.freebsd.org (Postfix) with ESMTP id B6E2037B401 for ; Mon, 30 Jul 2001 15:09:35 -0700 (PDT) (envelope-from visethp@cp976378-a.mtgmry1.md.home.com)
Received: (from visethp@localhost) by cp976378-a.mtgmry1.md.home.com (8.11.3/8.11.3) id f6UM9TC10067; Mon, 30 Jul 2001 18:09:29 -0400 (EDT) (envelope-from visethp)
Date: Mon, 30 Jul 2001 18:09:29 -0400 (EDT)
From: Viseth Peang
Message-Id: <200107302209.f6UM9TC10067@cp976378-a.mtgmry1.md.home.com>
To: carock@epconline.net, kris@obsecurity.org
Subject: Re: I'm having problems getting this patch installed....
Cc: security@FreeBSD.ORG
In-Reply-To: <20010730141318.H68654@xor.obsecurity.org>

Take a look at the latest advisory relating to this patch, version 1.1. They have detailed directions on how to install the patch with/without source.
Viseth

From owner-freebsd-security Mon Jul 30 16:07:16 2001
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A0C2937B401; Mon, 30 Jul 2001 16:07:05 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f6UN75R92831; Mon, 30 Jul 2001 16:07:05 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 30 Jul 2001 16:07:05 -0700 (PDT)
Message-Id: <200107302307.f6UN75R92831@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:51                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSL 0.9.6a and earlier contain flaw in PRNG

Category:       core
Module:         openssl
Announced:      2001-07-30
Credits:        Markku-Juhani O. Saarinen
                The OpenSSL Project
Affects:        All releases of FreeBSD 4.x prior to 4.4,
                FreeBSD 4.3-STABLE prior to the correction date
Corrected:      2001-07-19 21:00:45 UTC (FreeBSD 4.3-STABLE)
                2001-07-19 21:01:08 UTC (FreeBSD 4.3-SECURITY aka RELENG_4_3)
FreeBSD only:   NO

I.   Background

FreeBSD includes software from the OpenSSL Project.
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II.  Problem Description

A flaw in the pseudo-random number generator (PRNG) of OpenSSL versions previous to 0.9.6b allows an attacker to determine the PRNG state and future output under certain restricted conditions, thereby weakening the strength of the PRNG and any cryptographic protection which is derived from it.

In effect, the flaw is that a portion of the PRNG state is incorrectly used as the PRNG output, allowing attackers to gain knowledge of the internal state of the PRNG by observing the output if they can sample it in a certain way. An attack taking advantage of this flaw has been identified that can recover the complete state of the PRNG from the output of one carefully sized PRNG request followed by a few hundred consecutive 1-byte PRNG requests. This access pattern is not typically obtainable in real-world uses of the PRNG in cryptographic protocols, and no exploit against a protocol supported by OpenSSL is currently known.

III. Impact

By successfully exploiting a flaw in the PRNG, an attacker can gain important information that may allow him to deduce nonces (leading to the compromise of the protocol session) or encryption keys (allowing the attacker to obtain the plaintext of the encrypted data). Whether or not this flaw is exploitable depends upon the specifics of the application using OpenSSL. No vulnerable applications or protocols are currently known.

IV.  Workaround

None applicable.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the 4.3-SECURITY (aka RELENG_4_3) security branch after the respective correction dates.
2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.2-RELEASE, 4.3-RELEASE and 4.3-STABLE dated prior to the correction date. These patches may or may not apply to older, unsupported releases of FreeBSD.

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:51/openssl.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:51/openssl.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/lib/libcrypto/
# make depend && make all install

One must also recompile any statically linked applications that use OpenSSL's PRNG. There are no such applications in the base system.

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories.

During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:51/security-patch-openssl-01.51.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:51/security-patch-openssl-01.51.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-openssl-01.51.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected for the maintained versions of FreeBSD.
FreeBSD Version and CVS Tag
  Path                                              Revision
-------------------------------------------------------------------------
FreeBSD 4.3-SECURITY (tag: RELENG_4_3)
  src/crypto/openssl/crypto/rand/md_rand.c          1.1.1.1.2.2.2.1
FreeBSD 4.3-STABLE (tag: RELENG_4)
  src/crypto/openssl/crypto/rand/md_rand.c          1.1.1.1.2.4
-------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 30 16:22:30 2001
Received: from epsilon.lucida.ca (epsilon.lucida.ca [209.47.215.67]) by hub.freebsd.org (Postfix) with SMTP id 15E2637B403 for ; Mon, 30 Jul 2001 16:22:27 -0700 (PDT) (envelope-from matt@LUCIDA.CA)
Received: (qmail 59453 invoked by uid 1000); 30 Jul 2001 23:22:26 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 30 Jul 2001 23:22:26 -0000
Date: Mon, 30 Jul 2001 19:22:24 -0400 (EDT)
From: Matt Heckaman
To: FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
In-Reply-To: <200107302307.f6UN75R92831@freefall.freebsd.org>
Message-ID: <20010730192031.M59043-100000@epsilon.lucida.ca>
X-Spam-Rating: localhost 1.6.2 0/1000/N

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ not cc'd to Kris since I know he's on this list :) ]

On Mon, 30 Jul 2001,
FreeBSD Security Advisories wrote:
...
: # cd /usr/src/
: # patch -p < /path/to/patch
: # cd /usr/src/lib/libcrypto/
       ^^^^^^^^^^^^^^^^^^^^^^^

Shouldn't this be /usr/src/secure/lib/libcrypto ? At least that is where it's located on my 4.3-STABLE machine of April 21 2001.

* Matt Heckaman - mailto:matt@LUCIDA.CA http://www.lucida.ca/gpg *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

The Universe is run by the complex interweaving of three elements: energy, matter, and enlightened self-interest. -- G'Kar, "Survivors"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: http://www.lucida.ca/gpg
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 30 16:30:45 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id 24DBA37B401 for ; Mon, 30 Jul 2001 16:30:43 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 32EE166B39; Mon, 30 Jul 2001 16:30:42 -0700 (PDT)
Date: Mon, 30 Jul 2001 16:30:41 -0700
From: Kris Kennaway
To: Matt Heckaman
Cc: FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
Message-ID: <20010730163041.A12270@xor.obsecurity.org>
References: <200107302307.f6UN75R92831@freefall.freebsd.org> <20010730192031.M59043-100000@epsilon.lucida.ca>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010730192031.M59043-100000@epsilon.lucida.ca>; from matt@LUCIDA.CA on Mon, Jul 30, 2001 at 07:22:24PM -0400
On Mon, Jul 30, 2001 at 07:22:24PM -0400, Matt Heckaman wrote:
> [ not cc'd to Kris since I know he's on this list :) ]

For future reference, CC security/advisory matters to security-officer@, not this list or me personally.

> On Mon, 30 Jul 2001, FreeBSD Security Advisories wrote:
> ...
> : # cd /usr/src/
> : # patch -p < /path/to/patch
> : # cd /usr/src/lib/libcrypto/
>        ^^^^^^^^^^^^^^^^^^^^^^^
> Shouldn't this be /usr/src/secure/lib/libcrypto ? At least that is where
> it's located on my 4.3-STABLE machine of April 21 2001.

*sigh* yes.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 30 16:47:40 2001
Received: from vl7.net (OL51-141.fibertel.com.ar [24.232.141.51]) by hub.freebsd.org (Postfix) with ESMTP id DF88837B401 for ; Mon, 30 Jul 2001 16:47:35 -0700 (PDT) (envelope-from fox@vl7.net)
Received: from localhost (fox@localhost) by vl7.net (8.11.3/8.11.3) with ESMTP id f6UNpLN68089; Mon, 30 Jul 2001 20:51:22 -0300 (ART) (envelope-from fox@vl7.net)
Date: Mon, 30 Jul 2001 20:51:21 -0300 (ART)
From: Vladimir
To: Kris Kennaway
Cc: FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
In-Reply-To: <20010730163041.A12270@xor.obsecurity.org>
Message-ID: <20010730203920.T68046-100000@vl7.net>
Content-Type: TEXT/PLAIN;
charset=US-ASCII

Hi!

I found only the same folder /usr/src/lib/libcrypt/
I think this is correct(?), and the patch was installed correctly, but...

I don't know what is up after the update.
In my 4.3-R, I have had a "short" password:
/etc/passwd (vipw):
other_account:##########################:100:...
my_account:##############:101:.....

Real password length is 6 characters.

After the update, I was NOT able to log in to my account.

For these accounts I have different "login.conf" items, but the same records password_format=md5.

Any ideas?

Thank you.

Regards,
Vladimir.

P.S. Thanks for ".rhosts"

On Mon, 30 Jul 2001, Kris Kennaway wrote:
> > On Mon, 30 Jul 2001, FreeBSD Security Advisories wrote:
> > ...
> > : # cd /usr/src/
> > : # patch -p < /path/to/patch
> > : # cd /usr/src/lib/libcrypto/
> >        ^^^^^^^^^^^^^^^^^^^^^^^
> > Shouldn't this be /usr/src/secure/lib/libcrypto ? At least that is where
> > it's located on my 4.3-STABLE machine of April 21 2001.
>
> *sigh* yes.
>
> Kris
>

From owner-freebsd-security Mon Jul 30 18:14:25 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id 6FB9F37B401 for ; Mon, 30 Jul 2001 18:14:21 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 5637566B39; Mon, 30 Jul 2001 18:14:20 -0700 (PDT)
Date: Mon, 30 Jul 2001 18:14:19 -0700
From: Kris Kennaway
To: Vladimir
Cc: Kris Kennaway , FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
Message-ID: <20010730181419.A62969@xor.obsecurity.org>
References: <20010730163041.A12270@xor.obsecurity.org> <20010730203920.T68046-100000@vl7.net>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010730203920.T68046-100000@vl7.net>; from fox@vl7.net on Mon, Jul 30, 2001 at 08:51:21PM -0300

On Mon, Jul 30, 2001 at 08:51:21PM -0300, Vladimir wrote:
> Hi!
>
> I found only the same folder /usr/src/lib/libcrypt/
> I think this is correct(?), and the patch was installed correctly, but...

No, reread the message you're replying to.

> I don't know what is up after the update.
> In my 4.3-R, I have had a "short" password:
> /etc/passwd (vipw):
> other_account:##########################:100:...
> my_account:##############:101:.....
>
> Real password length is 6 characters.
>
> After the update, I was NOT able to log in to my account.
>
> For these accounts I have different "login.conf" items, but the same records
> password_format=md5.
>
> Any ideas?

Not at this time. There have been several other reports of a problem with the patch/package, but I haven't managed to identify a problem or replicate it myself yet.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 30 18:19:54 2001
Received: from vl7.net (OL51-141.fibertel.com.ar [24.232.141.51]) by hub.freebsd.org (Postfix) with ESMTP id BB3F737B401 for ; Mon, 30 Jul 2001 18:19:49 -0700 (PDT) (envelope-from fox@vl7.net)
Received: from localhost (fox@localhost) by vl7.net (8.11.3/8.11.3) with ESMTP id f6V1O3e68405; Mon, 30 Jul 2001 22:24:04 -0300 (ART) (envelope-from fox@vl7.net)
Date: Mon, 30 Jul 2001 22:24:03 -0300 (ART)
From: Vladimir
To: Chris
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
In-Reply-To: <3B66047A.9853EC9A@redshells.net>
Message-ID: <20010730221722.L68357-100000@vl7.net>

Hi, Chris!

You just have to change your password after the update, but first you have to log in :(

I logged in to the system by an "open" host in my ".rhosts". The "password" problem did not touch users that were made after any updates in "login.conf".
I think the better solution is to make "passwd" after the update!!

Best regards,
Vladimir.

On Mon, 30 Jul 2001, Chris wrote:
> Vladimir,
>
> I did the same thing :( Now the password hashes are all messed up. I hope
> there is an easy solution to this problem.
>
> Regards,
> Chris

From owner-freebsd-security Mon Jul 30 18:24:18 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id 9707137B401 for ; Mon, 30 Jul 2001 18:24:14 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 96F0166B39; Mon, 30 Jul 2001 18:24:13 -0700 (PDT)
Date: Mon, 30 Jul 2001 18:24:13 -0700
From: Kris Kennaway
To: Vladimir
Cc: Chris , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
Message-ID: <20010730182412.B62969@xor.obsecurity.org>
References: <3B66047A.9853EC9A@redshells.net> <20010730221722.L68357-100000@vl7.net>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010730221722.L68357-100000@vl7.net>; from fox@vl7.net on Mon, Jul 30, 2001 at 10:24:03PM -0300

On Mon, Jul 30, 2001 at 10:24:03PM -0300, Vladimir wrote:
> Hi, Chris!
>
> You just have to change your password after the update, but first you have to
> log in :(
>
> I logged in to the system by an "open" host in my ".rhosts".
"password" > problem did not touched users that has made after any updates in > "login.conf". >=20 > I think better solution, make "passwd" after update!! I'm at a loss as to how you guys are seeing this. Did you try and apply the patch to something in lib/libcrypt instead? That could certainly mess up your ability to log in to the system, although I'm surprised any of the patch hunks would have actually compiled. Kris --tsOsTdHNUZQcU9Ye Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7Zgi8Wry0BWjoQKURAk9rAKDu2YUZARD3S8n7c0xjhngwG9dZIgCbBlhl lQl51k5OKcvIF3jxdvDFY6M= =NQ+z -----END PGP SIGNATURE----- --tsOsTdHNUZQcU9Ye-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 30 18:30:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id AB37B37B401; Mon, 30 Jul 2001 18:30:40 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id AD17B66B39; Mon, 30 Jul 2001 18:30:39 -0700 (PDT) Date: Mon, 30 Jul 2001 18:30:39 -0700 From: Kris Kennaway To: Hank Wethington Cc: Kris Kennaway , security-officer@freebsd.org, security@FreeBSD.org Subject: Re: OpenSSL patch applied and now locked out of machine. 
Message-ID: <20010730183039.A65218@xor.obsecurity.org>
References: <20010730181222.C62788@xor.obsecurity.org>
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from bsd@info-logix.com on Mon, Jul 30, 2001 at 06:25:07PM -0700

On Mon, Jul 30, 2001 at 06:25:07PM -0700, Hank Wethington wrote:
> As I can't see the error OpenSSH is giving (at least until I get to the
> machine tonight), I can only say I'm getting an invalid password response
> from my attempts to SSH into the machine. Also, vpopmail gives an invalid
> password response as well. I will hopefully post more after I've seen the
> machine.
>
> To give a tad more info, the initial release of the update stated that the
> directory was /usr/src/lib/libcrypto/ however the true directory was
> /usr/src/secure/lib/libcrypto/
>
> As is the case with another user, I initially did the make depend && make
> all install in the /usr/src/lib/libcrypt/ dir. Since the other user is
> having a similar issue, perhaps they are related. I won't be to the machine
> until 10p PDT, so I won't have any more info.

Aha..if you did this, you installed a libcrypt which can't handle DES passwords. The DES-capable library (under 4.3 and earlier, this has been changed in 4.3-STABLE) is under secure/lib/libcrypt.
Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 30 18:56:24 2001
Received: from vl7.net (OL51-141.fibertel.com.ar [24.232.141.51]) by hub.freebsd.org (Postfix) with ESMTP id A4F0E37B401 for ; Mon, 30 Jul 2001 18:56:20 -0700 (PDT) (envelope-from fox@vl7.net)
Received: from localhost (fox@localhost) by vl7.net (8.11.3/8.11.3) with ESMTP id f6V20Da68488; Mon, 30 Jul 2001 23:00:14 -0300 (ART) (envelope-from fox@vl7.net)
Date: Mon, 30 Jul 2001 23:00:13 -0300 (ART)
From: Vladimir
To: Kris Kennaway
Cc: Chris ,
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
In-Reply-To: <20010730182412.B62969@xor.obsecurity.org>
Message-ID: <20010730224259.X68417-100000@vl7.net>

On Mon, 30 Jul 2001, Kris Kennaway wrote:
> I'm at a loss as to how you guys are seeing this. Did you try and
> apply the patch to something in lib/libcrypt instead? That could
> certainly mess up your ability to log in to the system, although I'm
> surprised any of the patch hunks would have actually compiled.
>
> Kris

I have 4.3-release, installed a few months ago, I installed any patches, I have not crypto-telnet.
I downloaded the patch, after which I did:

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/lib/libcrypto/
/* I changed this line to
cd /usr/src/lib/libcrypt/ */
# make depend && make all install

Afterwards I tried to log in, but could not.

From owner-freebsd-security Mon Jul 30 20:39:51 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id B0B9E37B50D for ; Mon, 30 Jul 2001 20:39:40 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 97BFA66B39; Mon, 30 Jul 2001 20:39:39 -0700 (PDT)
Date: Mon, 30 Jul 2001 20:39:39 -0700
From: Kris Kennaway
To: Vladimir
Cc: Kris Kennaway , Chris , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl
Message-ID: <20010730203938.A94278@xor.obsecurity.org>
References: <20010730182412.B62969@xor.obsecurity.org> <20010730224259.X68417-100000@vl7.net>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010730224259.X68417-100000@vl7.net>; from fox@vl7.net on Mon, Jul 30, 2001 at 11:00:13PM -0300

On Mon, Jul 30, 2001 at 11:00:13PM -0300, Vladimir wrote:
> On Mon, 30 Jul 2001, Kris Kennaway wrote:
> > I'm at a loss as to how you guys are seeing this. Did you try and
> > apply the patch to something in lib/libcrypt instead?
> > That could
> > certainly mess up your ability to log in to the system, although I'm
> > surprised any of the patch hunks would have actually compiled.
> >
> > Kris
>
> I have 4.3-release, installed a few months ago, I installed any patches, I
> have not crypto-telnet.
>
> I downloaded the patch, after which I did:
>
> # cd /usr/src/
> # patch -p < /path/to/patch
> # cd /usr/src/lib/libcrypto/
> /* I changed this line to
> cd /usr/src/lib/libcrypt/ */
> # make depend && make all install
>
> Afterwards I tried to log in, but could not.

Yes, that was your mistake. See my other message from a while ago.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jul 31 02:01:30 2001
Received: from mistral.beybol.pop3.pl (mistral.beybol.pop3.pl [195.216.106.9]) by hub.freebsd.org (Postfix) with ESMTP id 4505F37B401 for ; Tue, 31 Jul 2001 02:01:25 -0700 (PDT) (envelope-from mistral@beybol.pop3.pl)
Received: from beybol.beybol.pop3.pl (beybol.gammanet.pl [10.216.113.102] (may be forged)) by mistral.beybol.pop3.pl (8.11.1/8.11.1) with ESMTP id f6VB8aJ62499 for ; Tue, 31 Jul 2001 11:08:37 GMT
Message-Id: <5.1.0.14.0.20010731111116.03525410@mail.gammanet.pl>
X-Sender: mistral@mail.beybol.pop3.pl
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 31 Jul 2001 11:12:32 +0200
To: freebsd-security@FreeBSD.ORG
From: Mistral
Subject: sendmail
Hello

Does anyone know about some antivirus software for sendmail?

From owner-freebsd-security Tue Jul 31 02:04:08 2001
Received: from tensor.ru (hq.yarnet.ru [213.24.206.3]) by hub.freebsd.org (Postfix) with SMTP id ECA7437B403 for ; Tue, 31 Jul 2001 02:04:03 -0700 (PDT) (envelope-from den@tensor.ru)
Received: (qmail 3522 invoked by uid 1005); 31 Jul 2001 13:03:57 +0400
Received: from den@tensor.ru by hq.yarnet.ru with qmail-scanner-0.96 (. Clean. Processed in 2.110809 secs); 31 июл 2001 09:03:57 -0000
Received: from vicci.yarnet.ru (HELO tensor.ru) (@213.24.206.2) by hq.yarnet.ru with SMTP; 31 Jul 2001 13:03:53 +0400
Message-ID: <3B66747C.311AD1AC@tensor.ru>
Date: Tue, 31 Jul 2001 13:03:56 +0400
From: Denis Tokarev
Reply-To: den@tensor.ru
Organization: Tensor
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
To: Mistral
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sendmail
References: <5.1.0.14.0.20010731111116.03525410@mail.gammanet.pl>

Mistral wrote:
>
> Hello
>
> Does anyone know about some antivirus software for sendmail?

AVP(www.avp.ru), DrWeb(www.drweb.ru) for example.
/dvt

From owner-freebsd-security Tue Jul 31 02:04:11 2001
Received: from obelix.thevillage.tlb.co.za (unknown [196.36.74.34]) by hub.freebsd.org (Postfix) with ESMTP id 9474D37B405 for ; Tue, 31 Jul 2001 02:04:04 -0700 (PDT) (envelope-from neil@cxchange.co.za)
Subject: RE: sendmail
Date: Tue, 31 Jul 2001 11:06:10 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Message-ID: <3BF3CA0F88DAC240B38323310408879905DF4E@obelix.thevillage.tlb.co.za>
Thread-Topic: sendmail
Thread-Index: AcEZn74sHia2D+4AQS65oRo5uMBuegAABAfA
From: "Neil Fryer"
To: "Mistral" ,

'ello

Yeah, go to http://wwww.pldaniels.com have a look at amavis

Cheers

Neil Fryer
Solaris Systems Administrator
neil@cxchange.co.za

-----Original Message-----
From: Mistral [mailto:mistral@beybol.pop3.pl]
Sent: 31 July 2001 11:13
To: freebsd-security@FreeBSD.ORG
Subject: sendmail

Hello

Does anyone know about some antivirus software for sendmail?
From owner-freebsd-security Tue Jul 31 02:09:08 2001
Date: Tue, 31 Jul 2001 11:10:04 +0200
From: turbo
To: freebsd-security@FreeBSD.ORG
Cc: Mistral
Subject: Re: sendmail
Message-Id: <5.1.0.14.2.20010731110725.029f6530@pop.gmx.net>
In-Reply-To: <5.1.0.14.0.20010731111116.03525410@mail.gammanet.pl>

Hi Mistral

You can find some examples at this website:
http://www.freebsdzine.org/200105a/virusscan.php3

regards,
thomas

> Hello
>
> Does anyone know about some antivirus software for sendmail?
From owner-freebsd-security Tue Jul 31 03:29:21 2001
Date: Tue, 31 Jul 2001 11:29:18 +0100 (BST)
From: Ewan Carr
Subject: SPD on FreeBSD
To: FreeBSD-Security@FreeBSD.Org
Message-ID: <20010731102918.95043.qmail@web13304.mail.yahoo.com>
In-Reply-To: <20010727174502Z.sakane@kame.net>

I note that the PF_KEY API can access the SAD but it does provide a facility to read the SPD. I read somewhere that an extension to the API was being planned so that SPD access (from userland!) could be performed too. Do you know whether this is the case or whether a user-land API exists to access the SPD?

Thanks for any help/pointers

Cheers
Ewan

--- Shoichi Sakane wrote:
> > code that reads in the SA table - I would like to do
> > the same as IPSec but from my user-land security
> > protocol. do you know where I can find the relevant
> > IPSec code ?
>
> if you have full kame tree.
> ipsec code is in the directory, kame/sys/netinet6.
> there are some files about ipsec, for example, ipsec.c,
> ah_input.c, esp_input.c and so on..
From owner-freebsd-security Tue Jul 31 08:21:56 2001
Date: Tue, 31 Jul 2001 18:36:25 +0300 (EAT)
From: semat
To: Mistral
Subject: Re: sendmail
In-Reply-To: <5.1.0.14.0.20010731111116.03525410@mail.gammanet.pl>

Use amavis and any of the freely available scanners like innoculate, antivir etc. Many of them are meant for linux but will work under freebsd as well.

amavis
http://www.amavis.org

Noah.

On Tue, 31 Jul 2001, Mistral wrote:

> Hello
>
> Does anyone know about some antivirus software for sendmail?
From owner-freebsd-security Tue Jul 31 09:08:14 2001
Date: Tue, 31 Jul 2001 18:08:28 +0200
From: "Karsten W. Rohrbach"
To: Mike Silbersack
Cc: "Nickolay A.Kritsky", security@FreeBSD.ORG
Subject: Re: accounting with ipfw (gid, uid rules)
Message-ID: <20010731180828.I92506@mail.webmonster.de>
References: <15993079421.20010727191853@internethelp.ru> <20010727223026.D43808-100000@achilles.silby.com>
In-Reply-To: <20010727223026.D43808-100000@achilles.silby.com>; from silby@silby.com on Fri, Jul 27, 2001 at 10:43:00PM -0500

Mike Silbersack(silby@silby.com)@2001.07.27 22:43:00 +0000:
>
> On Fri, 27 Jul 2001, Nickolay A.Kritsky wrote:
>
> > do you mean that after this code:
> >
> > //----------------------------------------------------------------
> > int s, k;
> > setuid(0);
> > s = socket(...);      /* listening socket created while still root */
> > listen(s, 1);
> > if (fork() != -1)
> > {
> >     setuid(1);        /* privileges dropped only after listen()    */
> >     k = accept(s);    /* is the accepted socket k "owned" by root? */
> > }
> > //----------------------------------------------------------------
> > socket pointed by k will be "owned" by root?
>
> Yes.
>
> > Anyway, it is not the main point of my question. Accounting httpd
> > traffic is just a piece of cake - the port is fixed, the address is
> > fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
> > setuid() voodoo, except for the privileges drop at startup. After that it
> > runs strictly uid 'nobody'. But squid's traffic doesn't hit the
> > counter!!! I wonder why. Maybe it is because of natd running on the outer
> > interface? But why then do some packets hit the counter?
>
> If squid runs the listen as root, all sockets created from that listen
> socket will also be accounted to root. Same problem as the above. I do
> not know how natd would affect connections in terms of uid accounting.

squid's standard ports are higher than 1024, so it should not be a
problem to start it with a uid wrapper (setuidgid from daemontools
or similar), shouldn't it? then the socket belongs to the squid user
i think...

/k
--
> MCSE: Management Can't Send E-mail
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
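An added example, not code from this thread, of the ordering Karsten suggests: drop to the service uid/gid first and only then create the listening socket, so that the listener and every connection accepted from it carry the service user's credential for ipfw uid/gid accounting. The uid/gid 65534 (nobody) and port 3128 used in main() are assumptions for illustration only.

```c
/* Added example (not from the thread): drop to the service uid/gid BEFORE
 * creating the listening socket.  ipfw's uid/gid accounting sees the
 * credential the socket was created with, and sockets accepted from a
 * listener share it, so "listen as root, setuid() later" gets every
 * connection accounted to root.  uid/gid 65534 (nobody) and port 3128
 * (squid's default) below are assumptions used only for illustration. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct listen_result {
    int fd;               /* listening socket, or -1 on failure (errno set) */
    uid_t euid;           /* effective uid at the moment socket() was called */
    gid_t egid;           /* effective gid at that moment */
    unsigned short port;  /* port actually bound (0 requested -> ephemeral) */
};

/* Permanently drop privileges.  Group first: once we are no longer root a
 * setgid() to some other group would fail.  Returns 0, or -1 with errno. */
static int drop_privs(uid_t uid, gid_t gid)
{
    if (getgid() != gid || getegid() != gid) {
        if (setgid(gid) == -1)
            return -1;
    }
    if (getuid() != uid || geteuid() != uid) {
        if (setuid(uid) == -1)
            return -1;
    }
    /* The drop must be irreversible: regaining root has to fail now. */
    if (uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Become uid/gid, then socket() + bind() + listen() on 127.0.0.1:port. */
struct listen_result listen_as(uid_t uid, gid_t gid, unsigned short port)
{
    struct listen_result r = { -1, 0, 0, 0 };
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);

    if (drop_privs(uid, gid) == -1)
        return r;
    r.euid = geteuid();
    r.egid = getegid();

    r.fd = socket(AF_INET, SOCK_STREAM, 0);   /* created as the service user */
    if (r.fd == -1)
        return r;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(r.fd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(r.fd, 5) == -1 ||
        getsockname(r.fd, (struct sockaddr *)&sin, &len) == -1) {
        close(r.fd);
        r.fd = -1;
        return r;
    }
    r.port = ntohs(sin.sin_port);
    return r;
}

/* Self-check that needs no root: "drop" to our own ids, listen on an
 * ephemeral port and confirm the socket was created under those ids.
 * Returns 1 on success, 0 otherwise. */
int listen_as_self_ok(void)
{
    struct listen_result r = listen_as(getuid(), getgid(), 0);
    int ok = r.fd >= 0 && r.port != 0 &&
             r.euid == getuid() && r.egid == getgid();
    if (r.fd >= 0)
        close(r.fd);
    return ok;
}

int main(void)
{
    /* Started as root, the listener is owned by uid 65534, so a counting
     * rule such as "ipfw add count tcp from any to any uid nobody" (shown
     * for illustration) matches this socket's traffic and that of every
     * connection accepted from it, which is what a setuidgid wrapper buys. */
    struct listen_result r = listen_as(65534, 65534, 3128);
    if (r.fd == -1) {
        fprintf(stderr, "listen_as: %s\n", strerror(errno));
        return 1;
    }
    printf("listening on 127.0.0.1:%u as uid %u gid %u\n",
           r.port, (unsigned)r.euid, (unsigned)r.egid);
    close(r.fd);
    return 0;
}
```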
From owner-freebsd-security Tue Jul 31 11:48:50 2001
Date: Tue, 31 Jul 2001 12:48:20 -0600
From: Brett Glass
To: Mistral, freebsd-security@FreeBSD.ORG
Subject: Re: sendmail
Message-Id: <4.3.2.7.2.20010731124805.046f88b0@localhost>
In-Reply-To: <5.1.0.14.0.20010731111116.03525410@mail.gammanet.pl>

See http://www.brettglass.com/spam/paper.html

At 03:12 AM 7/31/2001, Mistral wrote:
> Hello
>
> Does anyone know about some antivirus software for sendmail?
From owner-freebsd-security Tue Jul 31 12:27:23 2001
Date: Tue, 31 Jul 2001 15:26:28 -0400 (EDT)
From: Rob Simmons
Subject: ipfilter state tables
Message-ID: <20010731151035.B11705-100000@mail.wlcg.com>

I noticed that the code around the IPSTATE_SIZE and IPSTATE_MAX constants in:

src/contrib/ipfilter/ip_state.h
src/sys/contrib/ipfilter/netinet/ip_state.h

has changed and there was a line added to:

src/contrib/ipfilter/HISTORY

"allow state/nat table sizes to be externally influenced"

I had suggested that a sysctl knob, or a kernel config file knob be added to control these. Does this mean that the knob exists? I looked in the man page for sysctl and did not see anything, nor did I see anything in LINT about it. Am I looking in the wrong place, or was that change just a preparation for adding the knob?
Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Tue Jul 31 12:37:00 2001
Date: Tue, 31 Jul 2001 12:36:39 -0700 (PDT)
Message-Id: <200107311936.f6VJadA17935@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:51.openssl [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:51                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSL 0.9.6a and earlier contain flaw in PRNG [REVISED]

Category:       core
Module:         openssl
Announced:      2001-07-30
Revised:        2001-07-31
Credits:        Markku-Juhani O. Saarinen
                The OpenSSL Project
Affects:        All releases of FreeBSD 4.x prior to 4.4,
                FreeBSD 4.3-STABLE prior to the correction date
Corrected:      2001-07-19 21:00:45 UTC (FreeBSD 4.3-STABLE)
                2001-07-19 21:01:08 UTC (FreeBSD 4.3-SECURITY aka RELENG_4_3)
FreeBSD only:   NO

0.   Revision History

v1.0  2001-07-30  Initial release
v1.1  2001-07-31  Corrected patch instructions

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II.  Problem Description

A flaw in the pseudo-random number generator (PRNG) of OpenSSL versions previous to 0.9.6b allows an attacker to determine the PRNG state and future output under certain restricted conditions, thereby weakening the strength of the PRNG and any cryptographic protection which is derived from it.

In effect, the flaw is that a portion of the PRNG state is incorrectly used as the PRNG output, allowing attackers to gain knowledge of the internal state of the PRNG by observing the output if they can sample it in a certain way.

An attack taking advantage of this flaw has been identified that can recover the complete state of the PRNG from the output of one carefully sized PRNG request followed by a few hundred consecutive 1-byte PRNG requests. This access pattern is not typically obtainable in real-world uses of the PRNG in cryptographic protocols, and no exploit against a protocol supported by OpenSSL is currently known.

III. Impact

By successfully exploiting a flaw in the PRNG, an attacker can gain important information that may allow him to deduce nonces (leading to the compromise of the protocol session) or encryption keys (allowing the attacker to obtain the plaintext of the encrypted data).

Whether or not this flaw is exploitable depends upon the specifics of the application using OpenSSL. No vulnerable applications or protocols are currently known.

IV.  Workaround

None applicable.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the 4.3-SECURITY (aka RELENG_4_3) security branch after the respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.2-RELEASE, 4.3-RELEASE and 4.3-STABLE dated prior to the correction date. These patches may or may not apply to older, unsupported releases of FreeBSD.

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:51/openssl.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:51/openssl.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/secure/lib/libcrypto/
# make depend && make all install

One must also recompile any statically linked applications that use OpenSSL's PRNG. There are no such applications in the base system.

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories.

During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:51/security-patch-openssl-01.51.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:51/security-patch-openssl-01.51.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-openssl-01.51.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected for the maintained versions of FreeBSD.

FreeBSD Version and CVS Tag                                  Path                                         Revision
-------------------------------------------------------------------------
FreeBSD 4.3-SECURITY (tag: RELENG_4_3)
src/crypto/openssl/crypto/rand/md_rand.c                     1.1.1.1.2.2.2.1

FreeBSD 4.3-STABLE (tag: RELENG_4)
src/crypto/openssl/crypto/rand/md_rand.c                     1.1.1.1.2.4
-------------------------------------------------------------------------

VII. References

From owner-freebsd-security Tue Jul 31 13:46:23 2001
Date: Tue, 31 Jul 2001 17:53:21 -0300 (BRT)
From: Paulo Fragoso
Subject: SSHD in JAIL
Message-ID: <20010731174909.B5827-100000@mirage.nlink.com.br>
Hi,

We are making a jail using FBSD 4.3-RELEASE but in the jail sshd can't start:

ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).

How can we buildworld with RSA support in libssl or libcrypto?

Thanks,
Paulo.

--
  __O
_-\<,_    Why drive when you can bike?
(_)/ (_)

From owner-freebsd-security Tue Jul 31 14:16:17 2001
Date: Tue, 31 Jul 2001 14:16:13 -0700
From: Kris Kennaway
To: Paulo Fragoso
Cc: security@FreeBSD.ORG
Subject: Re: SSHD in JAIL
Message-ID: <20010731141613.A37314@xor.obsecurity.org>
References: <20010731174909.B5827-100000@mirage.nlink.com.br>
In-Reply-To: <20010731174909.B5827-100000@mirage.nlink.com.br>; from paulo@nlink.com.br on Tue, Jul 31, 2001 at 05:53:21PM -0300

On Tue, Jul 31, 2001 at 05:53:21PM -0300, Paulo Fragoso wrote:
> Hi,
>
> We are making a jail using FBSD 4.3-RELEASE but in the jail sshd can't
> start:
>
> ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
>
> How can we buildworld with RSA support in libssl or libcrypto?

The error message really means "I can't find /dev/urandom" :-)

Kris

From owner-freebsd-security Tue Jul 31 14:28:30 2001
Date: Tue, 31 Jul 2001 18:35:28 -0300 (BRT)
From: Paulo Fragoso
To: Kris Kennaway
Subject: Re: SSHD in JAIL
In-Reply-To: <20010731141613.A37314@xor.obsecurity.org>
Message-ID: <20010731183006.T5827-100000@mirage.nlink.com.br>

On Tue, 31 Jul 2001, Kris Kennaway wrote:

> On Tue, Jul 31, 2001 at 05:53:21PM -0300, Paulo Fragoso wrote:
> > Hi,
> >
> > We are making a jail using FBSD 4.3-RELEASE but in the jail sshd can't
> > start:
> >
> > ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
> >
> > How can we buildworld with RSA support in libssl or libcrypto?
> >
> > The error message really means "I can't find /dev/urandom" :-)

How can we start sshd in the jail using a jail directory mounted with nodev?

Thanks,
Paulo.

> > Kris
>

--
  __O
_-\<,_    Why drive when you can bike?
(_)/ (_)

From owner-freebsd-security Tue Jul 31 15:54:24 2001
Date: Tue, 31 Jul 2001 17:54:18 -0500 (CDT)
From: Mike Silbersack
To: "Karsten W. Rohrbach"
Cc: "Nickolay A.Kritsky"
Subject: Re: accounting with ipfw (gid, uid rules)
In-Reply-To: <20010731180828.I92506@mail.webmonster.de>
Message-ID: <20010731175236.A58983-100000@achilles.silby.com>

On Tue, 31 Jul 2001, Karsten W. Rohrbach wrote:

> > If squid runs the listen as root, all sockets created from that listen
> > socket will also be accounted to root. Same problem as the above. I do
> > not know how natd would affect connections in terms of uid accounting.
>
> squid's standard ports are higher than 1024, so it should not be a
> problem to start it with a uid wrapper (setuidgid from daemontools
> or similar), shouldn't it? then the socket belongs to the squid user
> i think...
>
> /k

I'm not familiar with how squid acts, but your idea sounds good to me.
Tell us how it works.
:)

Mike "Silby" Silbersack

From owner-freebsd-security Tue Jul 31 18:35:37 2001
Date: Tue, 31 Jul 2001 18:35:30 -0700
From: Kris Kennaway
To: Paulo Fragoso
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: SSHD in JAIL
Message-ID: <20010731183530.A40773@xor.obsecurity.org>
References: <20010731141613.A37314@xor.obsecurity.org> <20010731183006.T5827-100000@mirage.nlink.com.br>
In-Reply-To: <20010731183006.T5827-100000@mirage.nlink.com.br>; from paulo@nlink.com.br on Tue, Jul 31, 2001 at 06:35:28PM -0300

On Tue, Jul 31, 2001 at 06:35:28PM -0300, Paulo Fragoso wrote:
> On Tue, 31 Jul 2001, Kris Kennaway wrote:
>
> > On Tue, Jul 31, 2001 at 05:53:21PM -0300, Paulo Fragoso wrote:
> > > Hi,
> > >
> > > We are making a jail using FBSD 4.3-RELEASE but in the jail sshd can't
> > > start:
> > >
> > > ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
> > >
> > > How can we buildworld with RSA support in libssl or libcrypto?
> >
> > The error message really means "I can't find /dev/urandom" :-)
>
> How can we start sshd in the jail using a jail directory mounted with nodev?

You can't: it needs /dev/urandom.

Kris

From owner-freebsd-security Tue Jul 31 18:47:11 2001
Date: Wed, 1 Aug 2001 11:46:12 +1000
From: "Chris Knight"
Subject: RE: SSHD in JAIL
Message-ID: <029d01c11a2b$bf360930$020aa8c0@aims.private>
In-Reply-To: <20010731183530.A40773@xor.obsecurity.org>
Howdy,

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway
> Sent: Wednesday, 1 August 2001 11:36
> To: Paulo Fragoso
> Cc: Kris Kennaway; security@FreeBSD.ORG
> Subject: Re: SSHD in JAIL
>
>
> On Tue, Jul 31, 2001 at 06:35:28PM -0300, Paulo Fragoso wrote:
> > How can we start sshd in the jail using a jail directory
> > mounted with nodev?
>
> You can't: it needs /dev/urandom.
>

You need to chroot to your jail, cd to dev and run MAKEDEV jail. This will create /dev/urandom in the jail environment.

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au

From owner-freebsd-security Tue Jul 31 20:09:14 2001
Message-ID: <001301c11a37$b654d1a0$0100a8c0@alexus>
From: "alexus"
Subject: Operation not permitted
Date: Tue, 31 Jul 2001 23:11:52 -0400

su-2.05# sysctl -w kern.securelevel=-1
kern.securelevel: 1
sysctl: kern.securelevel: Operation not permitted
su-2.05# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
su-2.05#

From owner-freebsd-security Tue Jul 31 20:11:20 2001
Date: Wed, 1 Aug 2001 04:11:15 +0100 (BST)
From: George Reid
To: alexus
Subject: Re: Operation not permitted
In-Reply-To: <001301c11a37$b654d1a0$0100a8c0@alexus>
Message-ID: <20010801041041.C92484-100000@sobek.lan>

On Tue, 31 Jul 2001, alexus wrote:

> su-2.05# sysctl -w kern.securelevel=-1
> kern.securelevel: 1
> sysctl: kern.securelevel: Operation not permitted
> su-2.05# id
> uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
> 5(operator), 20(staff), 31(guest)
> su-2.05#

init(8):
The kernel runs with four different levels of security. Any
super-user process can raise the security level, but no process
can lower it.
-- +-------------------+---------------------+ | George Reid | FreeBSD Committer | | +44 7740 197460 | greid@FreeBSD.org | +-------------------+---------------------+ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 31 20:16:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id F22EC37B403 for ; Tue, 31 Jul 2001 20:16:30 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 92976 invoked from network); 1 Aug 2001 03:16:26 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 1 Aug 2001 03:16:26 -0000 Message-ID: <006601c11a38$bc519b00$0100a8c0@alexus> From: "alexus" To: "George Reid" Cc: References: <20010801041041.C92484-100000@sobek.lan> Subject: Re: Operation not permitted Date: Tue, 31 Jul 2001 23:19:11 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2479.0006 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Interesting... so basically what you're saying is the only way to lower it is by setting my boot scripts to -1 and restarting?
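The securelevel rule George Reid quotes from init(8), and the boot-time path alexus asks about, as an added shell example that is not part of this thread. It models the kernel's check (a request below the running level is refused with EPERM even for root), reads the running level from sysctl(8) output, and works out from rc.conf what level rc will set at the next multi-user boot. The rc.conf variable names kern_securelevel_enable and kern_securelevel, the sysctl output format, the kernel's initial level of -1, and the claim that init(8) raises level 0 to 1 on entering multi-user mode are my assumptions about FreeBSD 4.x, not statements from the thread; check them against your release's init(8) and rc.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread): models the kern.securelevel rule from
# init(8) and shows where the level after a reboot comes from.
# Assumptions (FreeBSD 4.x, verify against your release): rc.conf uses
# kern_securelevel_enable and kern_securelevel; sysctl prints
# "kern.securelevel: N"; init(8) raises level 0 to 1 on entering multi-user
# mode; the kernel's initial level is -1 and rc never runs in single-user mode.

# securelevel_transition CURRENT REQUESTED
# Echoes "allowed" or "denied", mirroring the kernel check that produced
# "Operation not permitted" above: any request lower than the running level
# is refused, even from uid 0. Levels outside -1..3 echo "invalid".
securelevel_transition() {
    cur=$1
    req=$2
    case "$req" in
        -1|0|1|2|3) ;;
        *) echo "invalid"; return 2 ;;
    esac
    if [ "$req" -lt "$cur" ]; then
        echo "denied"
        return 1
    fi
    echo "allowed"
    return 0
}

# running_securelevel SYSCTL_OUTPUT
# Extracts the level from a line such as "kern.securelevel: 1"
# (pass "$(sysctl kern.securelevel)" on a live box).
running_securelevel() {
    printf '%s\n' "$1" | sed -n 's/^kern\.securelevel: *\(-\{0,1\}[0-9]\).*/\1/p'
}

# boot_securelevel RC_CONF_FILE
# Echoes the level the box will run at after the next multi-user boot.
# Last assignment in the file wins, as it would when sh sources rc.conf.
boot_securelevel() {
    enable=$(sed -n 's/^[[:space:]]*kern_securelevel_enable="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    level=$(sed -n 's/^[[:space:]]*kern_securelevel="\{0,1\}\(-\{0,1\}[0-9]\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    case "$enable" in
        [Yy][Ee][Ss])
            level=${level:--1}
            # init(8) bumps 0 to 1 when going multi-user (assumption, see top)
            if [ "$level" -eq 0 ]; then echo 1; else echo "$level"; fi
            ;;
        *)
            echo "-1"        # rc leaves the kernel at its initial level
            ;;
    esac
}

# securelevel_report SYSCTL_OUTPUT RC_CONF_FILE
# Compares the running level with the boot-time level and flags the gap:
# whoever can reboot the box gets the boot-time level, and a single-user
# boot skips rc entirely and stays at -1, where schg flags (including one
# on rc.conf) can be cleared again.
securelevel_report() {
    run=$(running_securelevel "$1")
    boot=$(boot_securelevel "$2")
    echo "running=$run boot=$boot single-user=-1"
    if [ "$boot" -lt "$run" ]; then
        echo "WARNING: a reboot lowers securelevel from $run to $boot"
        return 1
    fi
    return 0
}
```

On a live box run `securelevel_report "$(sysctl kern.securelevel)" /etc/rc.conf`. The report makes the point Kris Kennaway goes on to make later in the thread: the running level only lasts until the next boot, the boot-time level is whatever rc.conf (or the console) says, and a single-user boot never runs rc at all.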
----- Original Message ----- From: "George Reid" To: "alexus" Cc: Sent: Tuesday, July 31, 2001 11:11 PM Subject: Re: Operation not permitted > On Tue, 31 Jul 2001, alexus wrote: > > > su-2.05# sysctl -w kern.securelevel=-1 > > kern.securelevel: 1 > > sysctl: kern.securelevel: Operation not permitted > > su-2.05# id > > uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), > > 5(operator), 20(staff), 31(guest) > > su-2.05# > > init(8): > The kernel runs with four different levels of security. Any > super-user process can raise the security level, but no process > can lower it. > > -- > +-------------------+---------------------+ > | George Reid | FreeBSD Committer | > | +44 7740 197460 | greid@FreeBSD.org | > +-------------------+---------------------+ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 31 20:35:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from postoffice.aims.com.au (advanc2.lnk.telstra.net [139.130.119.73]) by hub.freebsd.org (Postfix) with ESMTP id 921F037B401 for ; Tue, 31 Jul 2001 20:35:33 -0700 (PDT) (envelope-from chris@aims.com.au) Received: from postoffice.aims.com.au (nts-ts1.aims.private [192.168.10.2]) by postoffice.aims.com.au with ESMTP id f713ZV661171 for ; Wed, 1 Aug 2001 13:35:31 +1000 (EST) (envelope-from chris@aims.com.au) Received: from ntsts1 by aims.com.au with SMTP (MDaemon.v3.5.3.R) for ; Wed, 01 Aug 2001 13:34:47 +1000 Reply-To: From: "Chris Knight" To: Cc: Subject: RE: SSHD in JAIL Date: Wed, 1 Aug 2001 13:34:45 +1000 Message-ID: <02b701c11a3a$e96e7480$020aa8c0@aims.private> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) 
In-Reply-To: <20010731210107.G47172@bsd.havk.org> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 X-Return-Path: chris@aims.com.au X-MDaemon-Deliver-To: security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Howdy, Er, yeah. "Sorry, this brain is full, please insert another brain". I didn't pay enough attention and missed the "mounted with nodev" line. Carry on. Regards, Chris Knight Systems Administrator AIMS Independent Computer Professionals Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795 Web: http://www.aims.com.au > -----Original Message----- > From: Steve Price [mailto:steve@havk.org] > Sent: Wednesday, 1 August 2001 12:01 > To: Chris Knight > Subject: Re: SSHD in JAIL > > > On Wed, Aug 01, 2001 at 11:46:12AM +1000, Chris Knight wrote: > > >>> How we can start sshd in the jail using jail directory > >>> mounted with nodev? > >> > >> You can't: it needs /dev/urandom. > >> > > You need to chroot to your jail, cd to dev and run MAKEDEV > jail. This will > > create /dev/urandom in the jail environment. > > That's exactly Kris' point. With the jail directory mounted with > nodev there is no /dev. 
:) > > -steve > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 31 20:47:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-69.dsl.lsan03.pacbell.net [63.207.60.69]) by hub.freebsd.org (Postfix) with ESMTP id A35A337B401; Tue, 31 Jul 2001 20:47:50 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8D82F66D5B; Tue, 31 Jul 2001 20:47:49 -0700 (PDT) Date: Tue, 31 Jul 2001 20:47:49 -0700 From: Kris Kennaway To: alexus Cc: George Reid , freebsd-security@FreeBSD.ORG Subject: Re: Operation not permitted Message-ID: <20010731204748.A42718@xor.obsecurity.org> References: <20010801041041.C92484-100000@sobek.lan> <006601c11a38$bc519b00$0100a8c0@alexus> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <006601c11a38$bc519b00$0100a8c0@alexus>; from ml@db.nexgen.com on Tue, Jul 31, 2001 at 11:19:11PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jul 31, 2001 at 11:19:11PM -0400, alexus wrote: > intersting... so basically what you sayin the only way to lower it is by > seting my boot scripts to -1 and restart ? Yes, that's the point ;-) It's also an intrinsic weakness in the securelevel concept, because anyone who can reboot your box can lower the securelevel. 
Yes, even if you chflags /etc/rc.conf (please see the archives if you're inclined to pursue this further, the topic has come up many times) Kris --tThc/1wpZn/ma/RB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7Z3vkWry0BWjoQKURAhYYAKCBObT4Jm3BXnhWFXAOJMguigCC/QCgteT7 jTIpcQC+XluK/SKPG9KKooM= =W0rm -----END PGP SIGNATURE----- --tThc/1wpZn/ma/RB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 0:59:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from thunder.shellsandhosting.com (HSE-Ottawa-ppp212881.sympatico.ca [64.228.151.180]) by hub.freebsd.org (Postfix) with ESMTP id DB4DB37B403 for ; Wed, 1 Aug 2001 00:59:08 -0700 (PDT) (envelope-from admin@shellsandhosting.com) Received: from critter (critter [192.164.0.1]) by thunder.shellsandhosting.com (8.11.4/8.11.3) with SMTP id f713vIa03813 for ; Wed, 1 Aug 2001 03:57:19 GMT (envelope-from admin@shellsandhosting.com) Message-ID: <001401c11a5f$aec3d710$033d5c41@critter> From: "ShellsAndHosting.com Administration" To: Subject: auth fda0113c subscribe freebsd-security admin@shellsandhosting.com Date: Wed, 1 Aug 2001 03:57:58 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0011_01C11A3E.26F32CD0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. 
auth fda0113c subscribe freebsd-security admin@shellsandhosting.com
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 3:32:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 2C66B37B401 for ; Wed, 1 Aug 2001 03:32:26 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id UAA24848; Wed, 1 Aug 2001 20:32:16 +1000 (EST) From: Darren Reed Message-Id: <200108011032.UAA24848@cairo.anu.edu.au> Subject: Re: ipfilter state tables To: rsimmons@wlcg.com (Rob Simmons) Date: Wed, 1 Aug 2001 20:32:16 +1000 (Australia/NSW) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20010731151035.B11705-100000@mail.wlcg.com> from "Rob Simmons" at Jul 31, 2001 03:26:28 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Rob Simmons, sie said: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > I noticed that the code around the IPSTATE_SIZE and IPSTATE_MAX constants > in: > src/contrib/ipfilter/ip_state.h > src/sys/contrib/ipfilter/netinet/ip_state.h > > has changed and there was a line added to: > src/contrib/ipfilter/HISTORY > > "allow state/nat table sizes to be externally influenced" > > I had suggested that a sysctl knob, or a kernel config file knob be added > to control these. Does this mean that the knob exists? I looked in the > man page for sysctl and did not see anything, nor did I see anything in > LINT about it. > > Am I looking in the wrong place, or was that change just a preparation for > adding the knob?
There's no knob at present because you really need to stop (ipf -D) ipfilter, then change the values via sysctl, then start it (ipf -E). It's safer to enforce this by requiring a reboot (at present). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 6:14: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 2296237B401 for ; Wed, 1 Aug 2001 06:13:48 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id RAA50311; Wed, 1 Aug 2001 17:13:28 +0400 (MSD) Date: Wed, 1 Aug 2001 17:13:00 +0400 From: "Nickolay A.Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A.Kritsky" Organization: IHelp X-Priority: 3 (Normal) Message-ID: <79100794374.20010801171300@internethelp.ru> To: Mike Silbersack Cc: "Karsten W. Rohrbach" , security@FreeBSD.ORG Subject: Re[2]: accounting with ipfw (gid, uid riles) In-reply-To: <20010731175236.A58983-100000@achilles.silby.com> References: <20010731175236.A58983-100000@achilles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Mike, Wednesday, August 01, 2001, 2:54:18 AM, you wrote: MS> On Tue, 31 Jul 2001, Karsten W. Rohrbach wrote: >> > If squid runs the listen as root, all sockets created from that listen >> > socket will also be accounted to root. Same problem as the above. I do >> > not know how natd would affect connections in terms of uid accounting. 
>> >> squid's standard ports are higher than 1024, so it should not be a >> problem to start it with a uid wrapper (setuidgid from daemontools >> or similar), shouldn't it? then the socket belongs to the squid user >> I think... >> >> /k MS> I'm not familiar with how squid acts, but your idea sounds good to me. MS> Tell us how it works. :) MS> Mike "Silby" Silbersack
I feel that my first post was partly misunderstood: squid is running as uid nobody on my host, which is not a problem at all; in my configuration file it is said to be the default setting. This is from squid.conf:
;------------------------------------------------------------------
# TAG: cache_effective_user
# TAG: cache_effective_group
#
# If the cache is run as root, it will change its effective/real
# UID/GID to the UID/GID specified below. The default is to
# change to UID to nobody and GID to nogroup.
#
# If Squid is not started as root, the default is to keep the
# current UID/GID. Note that if Squid is not started as root then
# you cannot set http_port to a value lower than 1024.
#
#cache_effective_user nobody
#cache_effective_group nogroup
;------------------------------------------------------------------
The problem was: why is the summary number of bytes shown by the rules
01010 count ip from any to 212.113.112.145 uid nobody via rl0
01010 count ip from 212.113.112.145 to any uid nobody via rl0
less than the number reported by squid itself? Why?
;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 6:38:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (unknown [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id 5667D37B401 for ; Wed, 1 Aug 2001 06:38:28 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.4/8.11.4) with ESMTP id f71DbB041692; Wed, 1 Aug 2001 09:37:11 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Wed, 1 Aug 2001 09:37:01 -0400 (EDT) From: Rob Simmons To: Darren Reed Cc: Subject: Re: ipfilter state tables In-Reply-To: <200108011032.UAA24848@cairo.anu.edu.au> Message-ID: <20010801093420.K41564-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160
Maybe adding a kernel option:
options IPSTATE_SIZE xxxxx
options IPSTATE_MAX xxxxx
and appropriate options for IPNAT constants?
Robert Simmons Systems Administrator http://www.wlcg.com/ On Wed, 1 Aug 2001, Darren Reed wrote: > In some mail from Rob Simmons, sie said: > > > > I noticed that the code around the IPSTATE_SIZE and IPSTATE_MAX constants > > in: > > src/contrib/ipfilter/ip_state.h > > src/sys/contrib/ipfilter/netinet/ip_state.h > > > > has changed and there was a line added to: > > src/contrib/ipfilter/HISTORY > > > > "allow state/nat table sizes to be externally influenced" > > > > I had suggested that a sysctl knob, or a kernel config file knob be added > > to control these. Does this mean that the knob exists?
I looked in the > > man page for sysctl and did not see anything, nor did I see anything in > > LINT about it. > > > > Am I looking in the wrong place, or was that change just a preparation for > > adding the knob? > > There's no knob at present because you really need to stop (ipf -D) ipfilter, > then change the values via sysctl, then start it (ipf -E). It's safer to > enforce this by requiring a reboot (at present). > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7aAYHv8Bofna59hYRA2U4AJ0ZrmDk+ONDwZ/+VDR1bmRvtPPpjACaArx/ 3sPtErdF7hjSrEopIXxqthg= =BUQI -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 6:41:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.microelectronics.com (www.microelectronics.com [4.18.26.20]) by hub.freebsd.org (Postfix) with ESMTP id 74EA737B401 for ; Wed, 1 Aug 2001 06:41:14 -0700 (PDT) (envelope-from abush@microcenter.com) Received: from zul.microcenter.com (zul.microcenter.com [4.18.26.10]) by www.microelectronics.com (Pro-8.9.3/Pro-8.9.3) with SMTP id JAA16455 for ; Wed, 1 Aug 2001 09:41:16 -0400 Received: from sysadm.microcenter.com by zul.microcenter.com via smtpd (for www.microelectronics.com [4.18.26.20]) with SMTP; 1 Aug 2001 13:38:31 UT Received: from mail.microcenter.com (anbhpc.microcenter.com [10.10.29.94]) by sysadm.microcenter.com (8.8.5/8.8.5) with ESMTP id JAA18761 for ; Wed, 1 Aug 2001 09:40:59 -0400 (EDT) Message-ID: <3B680AB7.6972CC43@mail.microcenter.com> Date: Wed, 01 Aug 2001 09:57:11 -0400 From: Aaron Bush X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.2-2 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: named exited on signal 6? 
Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
In my system messages I have the following entry:
Jul 28 12:37:30 tosh /kernel: pid 165 (named), uid 53: exited on signal 6
This box is running: 4.3-RELEASE FreeBSD 4.3-RELEASE #4: Fri May 18 14:27:31 EDT 2001
Name server is:
# named -v
named 8.2.3-REL Sat Apr 21 08:32:02 GMT 2001 jkh@narf.osd.bsdi.com:/usr/obj/usr/src/usr.sbin/named
My dmesg output also appears to be a little messed up (or is this normal):
# dmesg|head -1
ntroller> port 0x2480-0x249f irq 15 at device 12.2 on pci0
It appears that the first line of the dmesg is truncated. Is this the normal behavior? Also, the "security check output" emails to root show that the problem in dmesg is adjusting more and more every day. Examples:
<-snip- day 1> kernel log messages: > el 82371AB PCI to ISA bridge> at device 12.0 on pci0
<-snip- day 2> kernel log messages: > on isab0
<-snip- day 3> kernel log messages: > irq 14 on atapci0
I have never seen this type of kernel log message _until_ the day the DNS died. After the DNS died several messages were written like this:
> Limiting icmp unreach response from 211 to 200 packets per second
> Limiting icmp unreach response from 211 to 200 packets per second
which was caused when an IP to hostname script ran without a DNS server being available. I am assuming that this message is normal, but the continuing kernel log messages showing the truncated lines from the head of dmesg are not? Or are they? A major concern of mine is the security of named and why it died.
ps shows: /usr/sbin/named -u bind -g bind -t /etc/namedb/sandbox /etc/rc.conf has: named_enable="YES" named_flags="-u bind -g bind -t /etc/namedb/sandbox" /etc/namedb/sandbox/etc/namedb/named.conf has this: Forwarders IP's have been replaced (is the "directory" option wrong?). options { directory "/etc/namedb"; forward only; forwarders { x.x.x.1; x.x.x.2; x.x.x.3; }; listen-on { 127.0.0.1; }; }; zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; }; zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" { type master; file "localhost.rev"; }; Thanks, -ab To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 6:56:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 0312E37B406 for ; Wed, 1 Aug 2001 06:56:03 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id XAA19649; Wed, 1 Aug 2001 23:55:55 +1000 (EST) From: Darren Reed Message-Id: <200108011355.XAA19649@cairo.anu.edu.au> Subject: Re: ipfilter state tables To: rsimmons@wlcg.com (Rob Simmons) Date: Wed, 1 Aug 2001 23:55:55 +1000 (Australia/NSW) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20010801093420.K41564-100000@mail.wlcg.com> from "Rob Simmons" at Aug 01, 2001 09:37:01 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Rob Simmons, sie said: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Maybe adding a kernel option: > > options IPSTATE_SIZE xxxxx > options IPSTATE_MAX xxxxx > > and apropriate options for IPNAT 
constants? that is the intention of the #ifdef'ing, yes. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 7:24:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx5.port.ru (mx5.port.ru [194.67.57.15]) by hub.freebsd.org (Postfix) with ESMTP id A38B537B403 for ; Wed, 1 Aug 2001 07:24:45 -0700 (PDT) (envelope-from m-a-x-i-m-u-m@mail.ru) Received: from f4.int ([10.0.0.51] helo=f4.mail.ru) by mx5.port.ru with esmtp (Exim 3.14 #1) id 15RwvG-000K0p-00 for freebsd-security@freebsd.org; Wed, 01 Aug 2001 18:24:30 +0400 Received: from mail by f4.mail.ru with local (Exim 3.14 #1) id 15Rwv3-0000Ag-00 for freebsd-security@freebsd.org; Wed, 01 Aug 2001 18:24:17 +0400 Received: from [195.201.78.235] by win.mail.port.ru with HTTP; Wed, 01 Aug 2001 14:24:17 +0000 (GMT) From: "Maximum" To: freebsd-security@freebsd.org Subject: Trojan injected in my Freebsd 4.1-RELEASE Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: [195.201.78.235] Reply-To: "Maximum" Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: Date: Wed, 01 Aug 2001 18:24:17 +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Hi everybody, today I got a security report from my FreeBSD box that some suid files changed. Those were /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote. Using the chkproc program from Nelson Murilo, found at pangeia.com.br, I found one stealth process. Running a clean ps command I found an sshd daemon named 'swapper' in the process list. This daemon is attached to port 50505. Also I found a directory with the hacker's other scripts, and one of them contained a full list of the changed binaries, which was: ps, ls, netstat, fstat, ldconfig and telnetd. Examining the logs I have not found any records of the hacker's visit. Wtmp was cleared 5 hours before the time the hacker's scripts were created. I am going not only to remove this trojan from my box, but to find from where the attack was made and the way the attack was made. Now I have written a small script that will run a clean netstat and grep from its output any connections to port 50505 and the telnet port. This script I have included in my crontab and cron runs it every minute. This way I hope to find from where that man connects to me. Do you have any other suggestions to help me find how the hacker injected the trojan? In one of the shell scripts I'm talking about I found the copyright mark "nrfbsdrk v0.1 by gREMLiNs". Thank you. Maxim Sorokin
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 7:49: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 1FD2B37B403 for ; Wed, 1 Aug 2001 07:48:58 -0700 (PDT) (envelope-from Yonatan@xpert.com) Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.20 #1) id 15RwJ5-0008Q5-00; Wed, 01 Aug 2001 16:45:03 +0300 Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Wed, 1 Aug 2001 17:48:40 +0300 Message-ID: From: Yonatan Bokovza To: 'Maximum' , freebsd-security@freebsd.org Subject: RE: Trojan injected in my Freebsd 4.1-RELEASE Date: Wed, 1 Aug 2001 17:48:39 +0300 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="koi8-r" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Hi > Examining the logs I have not found any records of the hacker's visit. > Wtmp was cleared 5 hours before the time the hacker's scripts were created.
> > I'm going not only to remove this trojan from my box, but to find > from where the attack was made and the way the attack was made. > In one of the shell scripts I'm talking about I found the copyright > mark "nrfbsdrk v0.1 by gREMLiNs".
This will translate to "NRF BSD RootKit" in human-speak. I can't trivially find any information about it, so I'll be happy if you'll send me a tarball of this offline, for deeper analysis. It seems from your mail that you don't have any important information on this server and don't care about its being hacked; you just want to learn about the hacker. Having noted that, I won't lead you through the usual path of "newfs this machine and reinstall from backup". It _is_, however, important to understand that this machine might pose a threat to the rest of your network. Use ifconfig to see if the interfaces are in promiscuous mode, meaning your attacker is probably sniffing for more username/password combos. Dig around /var/log and see if any program exited with weird signals, or any other weird behavior that occurred around 5 hours ago (per the deletion of your wtmp). There are several very good tools that can help you in identifying your attacker. Installing ntop from the ports tree will give you a cool measurement of who is accessing what IP/ports on your segment. You could use that to learn what IPs access your port 50505. Now is probably the time to mention you could use log_in_vain="YES" in your /etc/rc.conf to have invalid access to closed ports reported to syslog. As for security-oriented programs you could use snort to look for malicious network activity, but that's a bit late. What could really be of interest is something like tripwire to see what files are accessed by your attacker.
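Three of the checks Yonatan recommends (promiscuous interfaces, the listener on 50505, and file integrity), as an added POSIX shell example that is not part of this thread and is not the poster's cron script. The functions take captured command output as arguments so that they can be fed output from binaries kept on a clean, read-only medium rather than from the trojaned netstat and ps on the box; the ifconfig and netstat samples embedded below are constructed in FreeBSD 4.x output format, not captures from the compromised host. The manifest check uses cksum(1) because it is POSIX and present on both FreeBSD and Linux; cksum is a CRC, so it catches the kind of replacement described here but is not a substitute for a cryptographic hash database stored off-host, which is what tripwire-style tools provide.

```shell
#!/bin/sh
# Added example (not from the thread): incident triage helpers that work on
# captured command output. Run the capturing commands from a known-clean
# toolset; the trojaned /usr/bin/netstat and ps on the box cannot be trusted.

# Constructed samples in FreeBSD 4.x output format (not from the poster's box).
SAMPLE_IFCONFIG='rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.22          198.51.100.7.41022     ESTABLISHED
tcp4       0      0  *.50505                *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.23                   *.*                    LISTEN
udp4       0      0  *.53                   *.*'

# promisc_ifaces IFCONFIG_OUTPUT
# Prints the name of every interface whose flags field carries PROMISC, the
# sign that a sniffer is collecting usernames and passwords off the segment.
promisc_ifaces() {
    printf '%s\n' "$1" |
        sed -n 's/^\([a-z][a-z0-9]*\): flags=[0-9a-f]*<[^>]*PROMISC[^>]*>.*/\1/p'
}

# unexpected_listeners NETSTAT_OUTPUT "port port ..."
# Prints each TCP port in LISTEN state that is not on the allow-list, once.
# The rootkit's sshd on 50505 shows up here as long as the netstat output
# came from a clean binary (or the listener was seen from another host).
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*\./, "", port)          # "*.50505" -> "50505"
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# verify_manifest MANIFEST_FILE
# MANIFEST_FILE holds "crc size path" lines written by cksum(1) on a clean
# system. Prints CHANGED for files whose checksum or size differs and MISSING
# for files that are gone; returns 1 if anything was reported.
verify_manifest() {
    manifest=$1
    status=0
    while read -r crc size path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        set -- $(cksum "$path")          # fields: crc size path
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# triage IFCONFIG_OUTPUT NETSTAT_OUTPUT "allowed ports" MANIFEST_FILE
# One report line per finding; empty output means nothing was found.
triage() {
    for i in $(promisc_ifaces "$1"); do echo "PROMISC $i"; done
    for p in $(unexpected_listeners "$2" "$3"); do echo "LISTENER $p"; done
    verify_manifest "$4" || true
}
```

The manifest is only worth anything if it was written before the compromise and kept where the attacker could not rewrite it (the CD-R Nickolay suggests below would do), and the allow-list should be the ports the box is meant to serve, so that a port like 23 shows up when telnetd was not supposed to be running.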
Best Regards, Yonatan Bokovza IT Security Consultant Xpert Systems To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 8:17:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from sunny.fishnet.com (sunny.fishnet.com [209.150.200.6]) by hub.freebsd.org (Postfix) with ESMTP id A2E6F37B401 for ; Wed, 1 Aug 2001 08:17:49 -0700 (PDT) (envelope-from mschlosser@eschelon.com) Received: from walleye.corp.fishnet.com (209.150.197.205) by sunny.fishnet.com (5.0.048) id 3B66D63D00011F4B; Wed, 1 Aug 2001 10:17:45 -0500 Received: by walleye.corp.fishnet.com with Internet Mail Service (5.5.2653.19) id ; Wed, 1 Aug 2001 10:21:02 -0500 Message-ID: <2FA3BA0C7551724CA6DDF4E345360505049EF1@walleye.corp.fishnet.com> From: "Schlosser, Matt D." To: 'Maximum' , "'freebsd-security@freebsd.org'" Subject: RE: Trojan injected in my Freebsd 4.1-RELEASE Date: Wed, 1 Aug 2001 10:21:01 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="koi8-r" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
If all you want to do is play with the hacker and not boot them, the best thing you can do is take careful steps in making sure they don't know you know. Don't do anything out of the ordinary that the other person might notice; do things quietly and secretly. Stick the machine on a hub with another machine and have that machine sniff for traffic on that port. Then the person will not see you looking for them. With luck, you can build a sandbox around them without their knowledge. Could be a fun project. "nrfbsdrk v0.1 by gREMLiNs" means rootkit. This person doesn't seem very good since your security report told you they were there. Probably script kiddie turned dorm rat.
-----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Maximum Sent: Wednesday, August 01, 2001 9:24 AM To: freebsd-security@freebsd.org Subject: Trojan injected in my Freebsd 4.1-RELEASE Hi everybody, today I've got security report from my FreeBSD box that some suid files changed. That was /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote. Using chkproc programm from Nelson Murilo found at pangeia.com.br I found one stealth process. Running clean ps command i found ssh daemon sshd daemon named 'swapper' in process list. This daemon is attached to 50505 port. Also i found directory with other hacker's scripts and one of them contained full list of changed binaries that was : ps,ls,netstat,fstat,ldconfig and telnetd Examining logs I had not found any records about visit of hacker. Wtmp was cleared 5 hours back from time of created hackers scripts. I'm going not only remove this trojan from my box, but find from where attack was made and the way attack was made. Now I wrote small script that will run clean netstat and grep from output any connections to 50505 port and telnet port. This scripth I had included in my crontab and cron runs it every minute. This way I hope to find from where that man connects to me. Do you have any other suggestions to help me find how hacker injected trojan ? In one of shell script I'm talking about i found copyright mark "nrfbsdrk v0.1 by gREMLiNs". Thank you. 
Maxim Sorokin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 8:59:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 61E1637B405 for ; Wed, 1 Aug 2001 08:59:26 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id TAA60499; Wed, 1 Aug 2001 19:59:21 +0400 (MSD) Date: Wed, 1 Aug 2001 19:58:53 +0400 From: "Nickolay A.Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A.Kritsky" Organization: IHelp X-Priority: 3 (Normal) Message-ID: <172110747676.20010801195853@internethelp.ru> To: "Maximum" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Maximum, Wednesday, August 01, 2001, 6:24:17 PM, you wrote: M> Hi everybody, M> today I've got security report from my FreeBSD box that some suid files changed. That was /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote. M> Using chkproc programm from Nelson Murilo found at pangeia.com.br I found one stealth process. Running clean ps command i found ssh daemon sshd daemon named 'swapper' in process list. This daemon M> is attached to 50505 port. Also i found directory with other hacker's scripts and one of them contained full list of changed binaries M> that was : ps,ls,netstat,fstat,ldconfig and telnetd Looks strange to me. 
The list of changed setuid binaries is not the same as in your security report. You should check this out. How do you know that ps wasn't trojaned when you ran it? I suggest you write a CD-R with the clean binaries you may need in your work, mount it as ~/trash and add ~/trash to your $PATH variable.

M> Examining logs I had not found any records about visit of hacker. Wtmp was cleared 5 hours back from time of created hackers scripts.
M> I'm going not only remove this trojan from my box, but find from where attack was made and the way attack was made.
M> Now I wrote small script that will run clean netstat and grep from output any connections to 50505 port and telnet port. This script I had included in my crontab and cron runs it every minute.
M> This way I hope to find from where that man connects to me.
M> Do you have any other suggestions to help me find how hacker injected trojan ?

If the traffic to this box is not very large I would place a sniffer between the Internet and the vulnerable box. Logging all packets can help.

M> In one of shell script I'm talking about i found copyright mark "nrfbsdrk v0.1 by gREMLiNs".

Try running chkrootkit on it ( /usr/ports/security/chkrootkit ).

M> Thank you.
M> Maxim Sorokin

Good luck

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Wed Aug 1 9:01:45 2001
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
Date: Wed, 1 Aug 2001 18:01:55 +0200
To: Mike Silbersack
Cc: "Nickolay A.Kritsky", security@FreeBSD.ORG
Subject: Re: accounting with ipfw (gid, uid riles)
Message-ID: <20010801180155.A24106@mail.webmonster.de>
In-Reply-To: <20010731175236.A58983-100000@achilles.silby.com>
References: <20010731180828.I92506@mail.webmonster.de> <20010731175236.A58983-100000@achilles.silby.com>

Mike Silbersack(silby@silby.com)@2001.07.31 17:54:18 +0000:
>
> On Tue, 31 Jul 2001, Karsten W. Rohrbach wrote:
>
> > > If squid runs the listen as root, all sockets created from that listen
> > > socket will also be accounted to root. Same problem as the above. I do
> > > not know how natd would affect connections in terms of uid accounting.
> >
> > squid's standard ports are higher than 1024, so it should not be a
> > problem to start it with a uid wrapper (setuidgid from daemontools
> > or similar), shouldn't it? then the socket belongs to the squid user
> > i think...
> >
> > /k
>
> I'm not familiar with how squid acts, but your idea sounds good to me.
> Tell us how it works. :)

eh?

AFAIK the entity that creates the socket owns it.
to bind ports <1024 this entity has to be root. therefore the daemon gets started as root, does the socket magic and suids to whatever. the bound socket is still owned by root, right?
this magic has been implemented to bind to ports <1024 but it is not necessary for binding unprivileged ports (squid's standard is 3128 i think for binding the tcp port, the icp port should be 3130/udp).

so here's what i would do:

cd /usr/ports/sysutils/daemontools && make install clean
cd /usr/ports/www/squidXX && make install clean
vipw           # add users 'squid', 'log'
vi /etc/group  # add groups 'squid', 'log'
mkdir -p /var/service/squid
cat >/var/service/squid/run <<EOF
#!/bin/sh
exec 2>&1
exec setuidgid squid /where/ever/squid -YN
EOF
chmod 0700 /var/service/squid
mkdir -p /var/service/squid/log/squid
cat >/var/service/squid/log/run <<EOF
...
EOF
cat >/usr/local/etc/rc.d/svscan.sh <<EOF
... <1024 etc...
EOF
cd /service
ln -s /var/service/squid

DO NOT CUT & PASTE, it could kill your cat, i just typed this in ;-)

squid should now run, bind to 3128 as the uid it was started with from setuidgid squid (uid=squid, gid=squid).

did i miss something?

have fun
/k

>
> Mike "Silby" Silbersack
>

--
> Q: What do you get when you cross Dracula with a used car dealer?
> A: autoexec.bat
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
From owner-freebsd-security Wed Aug 1 9:16:55 2001
From: "Maximum" <m-a-x-i-m-u-m@mail.ru>
Date: Wed, 01 Aug 2001 20:16:50 +0400
To: mschlosser@eschelon.com
Cc: freebsd-security@freebsd.org
Subject: RE: Trojan injected in my Freebsd 4.1-RELEASE

>If all you want to do is play with the hacker

I want to find the way the hacker injected the trojan and close that backdoor. Simply restoring clean binaries will not help me understand that.

>the other person might notice, do things quietly secretly. Stick
>the machine on a hub with another machine and have that machine
>sniff for traffic on that port. Then the person will not see you
>looking for them. With luck, you can build a sandbox around them
>without their knowledge. Could be a fun project.

The problem is that my box is a colocated server, far away from me in another country, and I have no physical access to the computer. So the only thing I can do is run my own watching programs.

>nrfbsdrk v0.1 by gREMLiNs means rootkit. This person doesn't seem
>very good since your security report told you they were there.
>Probably script kiddie turned dorm rat.

I hope you're right, because I can't afford to lose this server. Also I hope hackers are not subscribed to this mailing list :)

Maxim Sorokin

From owner-freebsd-security Wed Aug 1 9:55:58 2001
From: Peter Pentchev <roam@orbitel.bg>
Date: Wed, 1 Aug 2001 19:54:40 +0300
To: "Nickolay A.Kritsky"
Cc: Maximum, freebsd-security@FreeBSD.ORG
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-ID: <20010801195440.B4274@ringworld.oblivion.bg>
In-Reply-To: <172110747676.20010801195853@internethelp.ru>

On Wed, Aug 01, 2001 at 07:58:53PM +0400, Nickolay A.Kritsky wrote:
> Hello Maximum,
>
> Wednesday, August 01, 2001, 6:24:17 PM, you wrote:
>
>
> M> Hi everybody,
>
> M> today I've got security report from my FreeBSD box that some suid files changed. That was /usr/bin/netstat, /usr/bin/fstat and /usr/bin/quote.
>
> M> Using chkproc program from Nelson Murilo found at pangeia.com.br I found one stealth process. Running clean ps command i found sshd daemon named 'swapper' in process list. This daemon
> M> is attached to 50505 port. Also i found directory with other hacker's scripts and one of them contained full list of changed binaries
> M> that was : ps,ls,netstat,fstat,ldconfig and telnetd
>
> Looks strange to me. The list of changed setuid binaries is not the
> same as in your security report. You should check this out.

This is normal, and easily explained: of the listed changed binaries, only netstat and fstat are setgid. None of the others is either setuid or setgid, so they wouldn't be listed in the security report.

G'luck,
Peter

--
You have, of course, just begun reading the sentence that you have just finished reading.
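Two things in this thread are worth having as working code: the one-minute cron watcher Maxim describes (a trusted netstat, grep for the backdoor and telnet ports) and the gap Peter points out, namely that the daily security report only diffs setuid/setgid files, so a trojaned ps, ls, ldconfig or telnetd never shows up in it. The script below is an added example, not code from anyone in the thread. It assumes a clean netstat copied to /cdrom/bin (Nickolay's CD-R idea), a baseline checksum manifest at /root/baseline.md5 taken before the box went online, FreeBSD's netstat -an layout (dot-separated port, state in the last column), and FreeBSD 4.x install paths for the six binaries the rootkit's own list names; all of those are assumptions. It generalizes Maxim's grep slightly by taking a list of ports rather than two fixed ones. The text-processing functions can be run on captured output from any box; only watch_once touches the live system.

```shell
#!/bin/sh
# Added example (not from the thread): the cron watcher Maxim describes plus
# a checksum comparison that covers more than the setuid/setgid files the
# daily security report looks at. Paths below are assumptions for illustration.

CLEAN_BIN=${CLEAN_BIN:-/cdrom/bin}            # hypothetical: netstat from a read-only CD-R
WATCH_PORTS=${WATCH_PORTS:-"50505 23"}       # rootkit sshd port and telnet
LOG=${LOG:-/var/log/rk-watch.log}
BASELINE=${BASELINE:-/root/baseline.md5}      # hypothetical manifest taken before compromise
# Assumed FreeBSD 4.x locations of the binaries named in the rootkit's list.
WATCH_FILES="/bin/ps /bin/ls /usr/bin/netstat /usr/bin/fstat /sbin/ldconfig /usr/libexec/telnetd"

# Read 'netstat -an' output (FreeBSD format: local/foreign address as
# host.port, state in the last column) on stdin and print "remote-host local-port"
# for every ESTABLISHED TCP connection whose local port is in $1.
suspicious_peers() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            ln = split($4, l, "."); lport = l[ln]
            if (!(lport in want)) next
            fn = split($5, f, "."); host = f[1]
            for (i = 2; i < fn; i++) host = host "." f[i]   # strip the trailing .port
            print host, lport
        }'
}

# Emit a "hash path" manifest for the given files: md5sum where present,
# otherwise FreeBSD md5 -r, which prints the same "hash path" layout.
digest_files() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$@" | awk '{ print $1, $2 }'
    else
        md5 -r "$@"
    fi
}

# Compare a baseline manifest ($1) with a current one ($2); print
# "changed|new|missing path", sorted. Unlike /etc/security this is not
# limited to setuid/setgid files, so non-privileged binaries are covered too.
compare_manifests() {
    awk 'NR == FNR { base[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in base)) print "new", $2
             else if (base[$2] != $1) print "changed", $2
         }
         END { for (p in base) if (!(p in seen)) print "missing", p }' "$1" "$2" | sort
}

# One cron pass: log who is connected to the watched ports and any drift in
# the watched binaries. Runs only the trusted netstat, never the on-disk one.
watch_once() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    "$CLEAN_BIN/netstat" -an | suspicious_peers "$WATCH_PORTS" |
        while read -r host port; do
            echo "$stamp peer $host -> local port $port" >>"$LOG"
        done
    # shellcheck disable=SC2086  # intentional word splitting of the file list
    digest_files $WATCH_FILES >/tmp/current.md5
    compare_manifests "$BASELINE" /tmp/current.md5 |
        while read -r what path; do
            echo "$stamp $what $path" >>"$LOG"
        done
}

case "${1:-}" in
    run) watch_once ;;   # crontab: * * * * * /root/rk-watch.sh run
esac
```

Keep the baseline manifest and this script somewhere the attacker cannot rewrite (the same CD-R, or off the box entirely); a manifest stored on a compromised filesystem is only as trustworthy as the rootkit lets it be.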
From owner-freebsd-security Wed Aug 1 10:55:45 2001
From: Brett Glass <brett@lariat.org>
Date: Wed, 01 Aug 2001 11:55:15 -0600
To: "Maximum", freebsd-security@FreeBSD.ORG
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-Id: <4.3.2.7.2.20010801115333.0476d100@localhost>

At 08:24 AM 8/1/2001, Maximum wrote:

>In one of shell script I'm talking about i found copyright mark "nrfbsdrk v0.1 by gREMLiNs".

The final letters of "nrfbsdrk" almost certainly stand for "FreeBSD rootkit." I'd be interested in knowing what was exploited to install it. Could be BIND or telnetd.
--Brett

From owner-freebsd-security Wed Aug 1 11:21:21 2001
From: "Thomas T. Veldhouse" <veldy@veldy.net>
Date: Wed, 1 Aug 2001 13:19:30 -0500
To: "Maximum", freebsd-security@FreeBSD.ORG, "Brett Glass"
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-ID: <00fb01c11ab6$829c83b0$3028680a@tgt.com>
References: <4.3.2.7.2.20010801115333.0476d100@localhost>

Somebody keeps trying to install something through my FTPd when it is set up to allow anonymous users (no directories available for upload either). I opened up the FTP ports on Sunday night and I had somebody hack into my system before Monday morning. Lucky for me, they ran out of space on /var before they were able to do any damage. Seems there is a security hole in the installed ftpd. I usually use proftpd, which has always been secure for me. The only reason I switched back was that I needed a quick way to increase the timeout for ftp to my server (Dreamweaver likes a long timeout).
Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Brett Glass"
To: "Maximum"; freebsd-security@FreeBSD.ORG
Sent: Wednesday, August 01, 2001 12:55 PM
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE

> At 08:24 AM 8/1/2001, Maximum wrote:
>
> >In one of shell script I'm talking about i found copyright mark "nrfbsdrk v0.1 by gREMLiNs".
>
> The final letters of "nrfbsdrk" almost certainly stand for "FreeBSD rootkit."
> I'd be interested in knowing what was exploited to install it. Could be BIND
> or telnetd.
>
> --Brett

From owner-freebsd-security Wed Aug 1 11:42:38 2001
From: Brett Glass <brett@lariat.org>
Date: Wed, 01 Aug 2001 12:42:04 -0600
To: "Thomas T. Veldhouse", "Maximum", freebsd-security@FreeBSD.ORG
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-Id: <4.3.2.7.2.20010801123827.046907f0@localhost>
In-Reply-To: <00fb01c11ab6$829c83b0$3028680a@tgt.com>
References: <4.3.2.7.2.20010801115333.0476d100@localhost>

At 12:19 PM 8/1/2001, Thomas T. Veldhouse wrote:

>Somebody keeps trying to install something through my FTPd when it is setup
>to allow anonymous users (no directories available for upload either).

Ah, that's it. There was a local buffer overflow exploit in the BSD FTPd that could be exploited by the "anonymous" user. This was fixed between 4.2-RELEASE and 4.3-RELEASE, IIRC.

--Brett

From owner-freebsd-security Wed Aug 1 11:46:14 2001
From: "Thomas T. Veldhouse" <veldy@veldy.net>
Date: Wed, 1 Aug 2001 13:44:25 -0500
To: "Maximum", freebsd-security@FreeBSD.ORG, "Brett Glass"
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Message-ID: <012401c11ab9$fde2dda0$3028680a@tgt.com>
References: <4.3.2.7.2.20010801115333.0476d100@localhost> <4.3.2.7.2.20010801123827.046907f0@localhost>

I have been running 4.3-STABLE (as of 7-1-2001). Still exploitable then, apparently.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Brett Glass"
To: "Thomas T. Veldhouse"; "Maximum"; freebsd-security@FreeBSD.ORG
Sent: Wednesday, August 01, 2001 1:42 PM
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE

> At 12:19 PM 8/1/2001, Thomas T. Veldhouse wrote:
>
> >Somebody keeps trying to install something through my FTPd when it is setup
> >to allow anonymous users (no directories available for upload either).
>
> Ah, that's it. There was a local buffer overflow exploit in the BSD FTPd
> that could be exploited by the "anonymous" user. This was fixed between
> 4.2-RELEASE and 4.3-RELEASE, IIRC.
>
> --Brett

From owner-freebsd-security Wed Aug 1 14:00:34 2001
From: Nuno Teixeira <nuno.mailinglists@pt-quorum.com>
Date: Wed, 01 Aug 2001 22:01:41 +0100
To: freebsd-security@freebsd.org
Subject: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ...
Message-id: <20010801220141.C2354@gateway.bogus>
X-Operating-System: FreeBSD 4.3-STABLE

Hello to all,

Today I updated my online server, RELEASE 4.3, with the RELENG_4_3 (SECURITY) tag.
I don't have console access (to get into single-user mode), so I did everything in multiuser mode via SSH:

--
make buildworld
make buildkernel KERNCONF=KERNNAME
make installkernel KERNCONF=KERNNAME
make installworld
mergemaster -svia
mergemaster -svir
reboot
--

And everything went right.

My question is: what is the real danger of doing `installworld` in multiuser mode? I have done a lot of tests on other machines tracking STABLE and I have had no problems so far.

I chose RELENG_4_3 for my server because I think it is the best way to apply the security fixes, am I right?

Thanks very much,

--
Nuno Teixeira
Dir. Técnico pt-quorum.com
--
PGP Public Key: http://www.pt-quorum.com/pgp/nunoteixeira.asc
Key fingerprint: 8C2C B364 D4DC 0C92 56F5 CE6F 8F07 720A 63A0 4FC7
--

From owner-freebsd-security Wed Aug 1 14:31:26 2001
From: Mark.Andrews@nominum.com
Date: Thu, 02 Aug 2001 07:31:08 +1000
To: Aaron Bush
Cc: freebsd-security@freebsd.org
Subject: Re: named exited on signal 6?
Message-Id: <200108012131.f71LV8u28535@drugs.dv.isc.org>
In-reply-to: Your message of "Wed, 01 Aug 2001 09:57:11 -0400." <3B680AB7.6972CC43@mail.microcenter.com>

> In my system messages i have the following entry:
> Jul 28 12:37:30 tosh /kernel: pid 165 (named), uid 53: exited on signal
> 6

Signal 6 is ABRT, which means named killed itself. There should be a log message associated with the action.

Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: Mark.Andrews@nominum.com

From owner-freebsd-security Wed Aug 1 15:55:24 2001
From: Josef Karthauser <joe@tao.org.uk>
Date: Wed, 1 Aug 2001 23:55:15 +0100
To: Nuno Teixeira
Cc: freebsd-security@freebsd.org
Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ...
Message-ID: <20010801235514.D1443@tao.org.uk>
In-Reply-To: <20010801220141.C2354@gateway.bogus>

On Wed, Aug 01, 2001 at 10:01:41PM +0100, Nuno Teixeira wrote:
> My question is: what is the real danger of doing `installworld` in
> multiuser mode? I have done a lot of tests on other machines tracking
> STABLE and I have had no problems so far.

I've _always_ done installworld in multiuser on many servers. That doesn't mean that it's the safest way, but it was safe enough for me.
Joe

From owner-freebsd-security Wed Aug 1 16:02:43 2001
From: Brian Nelson <bnelson@paypal.com>
Date: Wed, 01 Aug 2001 16:02:31 -0700
To: Josef Karthauser
Cc: Nuno Teixeira, freebsd-security@FreeBSD.ORG
Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ...
Message-ID: <3B688A87.90407@paypal.com>
References: <20010801235514.D1443@tao.org.uk>

Josef Karthauser wrote:
> On Wed, Aug 01, 2001 at 10:01:41PM +0100, Nuno Teixeira wrote:
>
> > My question is: what is the real danger of doing `installworld` in
> > multiuser mode? I have done a lot of tests on other machines tracking
> > STABLE and I have had no problems so far.
>
> I've _always_ done installworld in multiuser on many servers. That
> doesn't mean that it's the safest way, but it was safe enough for me.
>
> Joe
>

I usually stop all non-system-essential running processes (mail servers, web servers, inetd, etc.) and make it so the system isn't running more than sshd and init when I do the installworld/kernel install process. But that's just me. I don't think I have ever run into a problem thus far, running since 2.2.8 - 4.3-STABLE.

From owner-freebsd-security Wed Aug 1 16:06:52 2001
From: Josef Karthauser <joe@tao.org.uk>
Date: Thu, 2 Aug 2001 00:06:18 +0100
To: Brian Nelson
Cc: Nuno Teixeira, freebsd-security@FreeBSD.ORG
Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ...
Message-ID: <20010802000616.E1443@tao.org.uk>
In-Reply-To: <3B688A87.90407@paypal.com>
References: <20010801235514.D1443@tao.org.uk> <3B688A87.90407@paypal.com>

On Wed, Aug 01, 2001 at 04:02:31PM -0700, Brian Nelson wrote:
> Josef Karthauser wrote:
>
> > On Wed, Aug 01, 2001 at 10:01:41PM +0100, Nuno Teixeira wrote:
> >
> > > My question is: what is the real danger of doing `installworld` in
> > > multiuser mode? I have done a lot of tests on other machines tracking
> > > STABLE and I have had no problems so far.
> >
> > I've _always_ done installworld in multiuser on many servers. That
> > doesn't mean that it's the safest way, but it was safe enough for me.
> >
> > Joe
> >
>
> I usually stop all non-system-essential running processes (mail servers,
> web servers, inetd, etc.) and make it so the system isn't running more
> than sshd and init when I do the installworld/kernel install process.
> But that's just me. I don't think I have ever run into a problem thus
> far, running since 2.2.8 - 4.3-STABLE
>

Me neither, from 2.1.5 through to 4.1.
Joe --r7U+bLA8boMOj+mD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjtoi2cACgkQXVIcjOaxUBZgCQCgzJTrz7m+XMMeUyipEjvGRjpq 7qgAoOmS7M+cHUeGpipXmn9gdEkWWPdq =M8+u -----END PGP SIGNATURE----- --r7U+bLA8boMOj+mD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 16:10: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id A231137B403 for ; Wed, 1 Aug 2001 16:09:56 -0700 (PDT) (envelope-from bart@xs4nobody.nl) Received: (qmail 9902 invoked by uid 1000); 1 Aug 2001 23:09:46 -0000 Date: Thu, 2 Aug 2001 01:09:46 +0200 From: Bart Matthaei To: Nuno Teixeira Cc: freebsd-security@freebsd.org Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... Message-ID: <20010802010946.A9880@heresy.xs4nobody.nl> References: <20010801220141.C2354@gateway.bogus> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010801220141.C2354@gateway.bogus>; from nuno.mailinglists@pt-quorum.com on Wed, Aug 01, 2001 at 10:01:41PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Aug 01, 2001 at 10:01:41PM +0100, Nuno Teixeira wrote: > My question is: what is the real danger of doing `installworld` in > multiuser mode? I have doing a lot of tests in other machines tracking > STABLE and I have no problems so far. They advice you to run singleuser, because of the securelevel. If your securlevel is set to 3, for instance, you (no, not even root) wont be able to overwrite files that have the schg flags set (system immutable flag).. 
So things like rcp (which is schg by default) wont be installed properly. Also, singleuser makes sure processes like sshd are shut down. (this is my theory.. correct me if im wrong) With regards, Bart Matthaei -- Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042 Cysonet Managed Hosting | bart@cysonet.com ------------------------------------------------- /* It's always funny until someone gets hurt.. * (and then it's just hilarious) */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 1 16:46:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id E0CD337B403 for ; Wed, 1 Aug 2001 16:46:17 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 63966 invoked by uid 1000); 1 Aug 2001 23:46:15 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Aug 2001 23:46:15 -0000 Date: Wed, 1 Aug 2001 18:46:15 -0500 (CDT) From: Mike Silbersack To: "Karsten W. Rohrbach" Cc: "Nickolay A.Kritsky" , Subject: Re: accounting with ipfw (gid, uid riles) In-Reply-To: <20010801180155.A24106@mail.webmonster.de> Message-ID: <20010801184239.I63961-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 1 Aug 2001, Karsten W. Rohrbach wrote: > Mike Silbersack(silby@silby.com)@2001.07.31 17:54:18 +0000: > > I'm not familiar with how squid acts, but your idea sounds good to me. > > Tell us how it works. :) > > eh? > > AFAIK the entity that creates the socket owns it. > to bind ports <1024 this entity has to be root. Heh, by "tell us how it works", I meant "test it out and tell us how well it works in practice." 
:) I guess we'll have to wait to hear back from Nickolay.

Mike "Silby" Silbersack

From owner-freebsd-security Wed Aug 1 16:48:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from dns.yahoo.co.jp (dns.yahoo.co.jp [210.140.200.2]) by hub.freebsd.org (Postfix) with ESMTP id B5E0D37B403 for ; Wed, 1 Aug 2001 16:48:32 -0700 (PDT) (envelope-from kkawamot@mail.yahoo.co.jp) Received: from kkawamot (kawamoto.yahoo.co.jp [210.152.237.79]) by dns.yahoo.co.jp (8.9.3+3.2W/3.7W/MGATE-1.1) with SMTP id IAA00268 for ; Thu, 2 Aug 2001 08:48:31 +0900 (JST) Date: Thu, 02 Aug 2001 08:48:40 +0900 From: "Koushi Kawamoto" To: freebsd-security@FreeBSD.ORG Message-Id: <3B6895583A1.5D4AKKAWAMOT@mailgate.yahoo.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver 1.26.03 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

auth ede523c8 unsubscribe freebsd-security kkawamot@mail.yahoo.co.jp

From owner-freebsd-security Wed Aug 1 16:49:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id C7B1B37B405 for ; Wed, 1 Aug 2001 16:49:05 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 63985 invoked by uid 1000); 1 Aug 2001 23:49:05 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Aug 2001 23:49:05 -0000 Date: Wed, 1 Aug 2001 18:49:05 -0500 (CDT) From: Mike Silbersack To: "Nickolay A.Kritsky" Cc: "Karsten W.
Rohrbach" , Subject: Re[2]: accounting with ipfw (gid, uid rules) In-Reply-To: <79100794374.20010801171300@internethelp.ru> Message-ID: <20010801184745.M63961-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 1 Aug 2001, Nickolay A.Kritsky wrote:
> ;------------------------------------------------------------------
> # TAG: cache_effective_user
> # TAG: cache_effective_group
> #
> # If the cache is run as root, it will change its effective/real
> # UID/GID to the UID/GID specified below. The default is to
> # change to UID to nobody and GID to nogroup.
> #
> # If Squid is not started as root, the default is to keep the
> # current UID/GID. Note that if Squid is not started as root then
> # you cannot set http_port to a value lower than 1024.
> #
> #cache_effective_user nobody
> #cache_effective_group nogroup

This looks commented out to me, are you sure that it's actually changing to nobody? Also, you'll have to check to make sure that the listen is after the uid change for the accounting to work.
Mike "Silby" Silbersack

From owner-freebsd-security Wed Aug 1 17:05:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 9E07337B405 for ; Wed, 1 Aug 2001 17:05:12 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f7205As06531; Thu, 2 Aug 2001 01:05:10 +0100 (BST) (envelope-from brian@lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f7205A811423; Thu, 2 Aug 2001 01:05:10 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200108020005.f7205A811423@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: Bart Matthaei Cc: Nuno Teixeira , freebsd-security@FreeBSD.ORG, brian@freebsd-services.com Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... In-Reply-To: Message from Bart Matthaei of "Thu, 02 Aug 2001 01:09:46 +0200." <20010802010946.A9880@heresy.xs4nobody.nl> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <11416.996710709.1@hak.lan.Awfulhak.org> Date: Thu, 02 Aug 2001 01:05:10 +0100 From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> On Wed, Aug 01, 2001 at 10:01:41PM +0100, Nuno Teixeira wrote:
>
> > My question is: what is the real danger of doing `installworld` in
> > multiuser mode? I have done a lot of tests in other machines tracking
> > STABLE and I have no problems so far.
>
> They advise you to run singleuser, because of the securelevel.
> If your securelevel is set to 3, for instance, you (no, not even root) won't be
> able to overwrite files that have the schg flags set (system immutable
> flag).. So things like rcp (which is schg by default) won't be installed
> properly.

$ ls -lo /bin/* /usr/bin/* /sbin/* /usr/sbin/* /usr/libexec/* | fgrep -w schg
-r-sr-xr-x 1 root wheel schg 348908 Aug 1 07:58 /bin/rcp
-r-x------ 1 root wheel schg 382188 Aug 1 08:10 /sbin/init
-r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chfn
-r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chpass
-r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chsh
-r-sr-xr-x 1 root wheel schg 24936 Jul 26 11:23 /usr/bin/crontab
-r-sr-xr-x 1 root wheel schg 21668 Aug 1 08:15 /usr/bin/login
-r-sr-xr-x 1 man wheel schg 29040 Jul 16 09:07 /usr/bin/man
-r-sr-xr-x 1 root wheel schg 4064 Jul 16 09:15 /usr/bin/opieinfo
-r-sr-xr-x 1 root wheel schg 10692 Jul 16 09:15 /usr/bin/opiepasswd
-r-sr-xr-x 2 root wheel schg 26900 Aug 1 08:16 /usr/bin/passwd
-r-sr-xr-x 1 root wheel schg 10296 Jul 16 09:15 /usr/bin/rlogin
-r-sr-xr-x 1 root wheel schg 7660 Aug 1 08:16 /usr/bin/rsh
-r-sr-xr-x 1 root wheel schg 10456 Aug 1 08:16 /usr/bin/su
-r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchfn
-r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchpass
-r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchsh
-r-sr-xr-x 2 root wheel schg 26900 Aug 1 08:16 /usr/bin/yppasswd
-r-xr-xr-x 1 root wheel schg 85120 Aug 1 08:09 /usr/libexec/ld-elf.so.1
-r-sr-x--- 1 root network schg 11256 Jul 16 09:17 /usr/sbin/sliplogin

This just blows my mind.
Not only because I can't see (for example) why rsh has schg and rshd does not, but also because

$ ls -lod / /bin /usr/bin /sbin /usr /usr/sbin /usr/libexec
drwxr-xr-x 21 root wheel - 512 Aug 1 14:07 /
drwxr-xr-x 2 root wheel - 1024 Aug 1 08:14 /bin
drwxr-xr-x 2 root wheel - 2048 Aug 1 08:11 /sbin
drwxr-xr-x 26 root wheel - 512 Aug 1 07:54 /usr
drwxr-xr-x 2 root wheel - 8192 Aug 1 08:21 /usr/bin
drwxr-xr-x 8 root wheel - 1536 Aug 1 08:21 /usr/libexec
drwxr-xr-x 2 root wheel - 4608 Aug 1 08:21 /usr/sbin

makes the whole thing a joke. Even at a high secure level, to replace /sbin/init for example, you can

# cd /
# cp -rp sbin sbin.new
# mv sbin sbin.old
# mv sbin.new sbin

If programs are going to be chflags'd at install time, then their parent directories should at least have sappnd on them -- or even more appropriately, schg so that nothing can be planted in root's path.

Of course the problem with doing that is it makes the installworld rather difficult, even with securelevel == -1.

> Also, singleuser makes sure processes like sshd are shut down.

I can't see why that would make a difference (assuming a reboot is done after the installworld).

> (this is my theory.. correct me if I'm wrong)
>
> With regards,
>
> Bart Matthaei

-- Brian http://www.freebsd-services.com/ Don't _EVER_ lose your sense of humour !
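The gap Brian describes above (schg on the binaries, nothing on the directories that hold them, so a copy-and-rename of the directory sidesteps the immutable flag) is easy to audit for. The script below is an added example and is not from this thread or from the FreeBSD source tree. It assumes only the column layout of FreeBSD `ls -lo` output as shown in Brian's listing (flags in the fifth column, `-` when none, path last); the sample listing in the block is constructed for the demonstration, with /sbin given sappnd to show a protected case. Because the check parses listing text rather than calling chflags(2), it runs on any system and can be fed real output on a FreeBSD box.

```sh
#!/bin/sh
# Added example, not from the thread: report schg-flagged files whose parent
# directory carries neither schg nor sappnd. Such a directory can be copied,
# renamed away and replaced even at a raised securelevel, so the immutable
# flag on the file protects nothing. Run it against a live FreeBSD system with:
#   audit_schg "$(ls -lo /bin/* /sbin/* /usr/bin/* /usr/sbin/* /usr/libexec/*)" \
#              "$(ls -lod / /bin /sbin /usr /usr/bin /usr/sbin /usr/libexec)"
# Remedy for anything reported: chflags sappnd (or schg) on the directory, and
# plan on clearing those flags at securelevel -1 before the next installworld.

audit_schg() {
    # $1: `ls -lo` lines for files, $2: `ls -lod` lines for their directories.
    # Directory lines are fed first so awk knows each directory's flags before
    # it sees the files; "---" is a separator that cannot occur in ls output.
    printf '%s\n' "$2" '---' "$1" | awk '
        $0 == "---"  { infiles = 1; next }
        !infiles     { dirflag[$NF] = $5; next }   # flags column, keyed by path
        $5 !~ /schg/ { next }                      # only immutable files matter
        {
            path = $NF
            dir = path
            sub(/\/[^\/]*$/, "", dir)              # strip the basename
            if (dir == "") dir = "/"
            f = (dir in dirflag) ? dirflag[dir] : "-"   # unlisted dir: assume bare
            if (f !~ /schg/ && f !~ /sappnd/)
                print path " (parent " dir " flags: " f ")"
        }'
}

# Constructed sample listing in the shape of the real `ls -lo` output above.
SAMPLE_FILES='-r-sr-xr-x 1 root wheel schg 348908 Aug 1 07:58 /bin/rcp
-r-x------ 1 root wheel schg 382188 Aug 1 08:10 /sbin/init
-r-sr-xr-x 1 root wheel - 10456 Aug 1 08:16 /usr/bin/su
-r-xr-xr-x 1 root wheel schg 85120 Aug 1 08:09 /usr/libexec/ld-elf.so.1'
SAMPLE_DIRS='drwxr-xr-x 21 root wheel - 512 Aug 1 14:07 /
drwxr-xr-x 2 root wheel - 1024 Aug 1 08:14 /bin
drwxr-xr-x 2 root wheel sappnd 2048 Aug 1 08:11 /sbin
drwxr-xr-x 2 root wheel - 8192 Aug 1 08:21 /usr/bin
drwxr-xr-x 8 root wheel - 1536 Aug 1 08:21 /usr/libexec'

# /sbin/init is skipped (parent has sappnd), /usr/bin/su is skipped (not schg);
# /bin/rcp and ld-elf.so.1 are reported because /bin and /usr/libexec are bare.
audit_schg "$SAMPLE_FILES" "$SAMPLE_DIRS"
```

Note that the same swap works against any schg file, not just setuid ones, so a clean report is only meaningful if every directory on root's path and every directory holding a flagged binary was included in the second argument.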
From owner-freebsd-security Wed Aug 1 17:10:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-80.dsl.lsan03.pacbell.net [63.207.60.80]) by hub.freebsd.org (Postfix) with ESMTP id 9B5EC37B401 for ; Wed, 1 Aug 2001 17:10:48 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 72B3766D16; Wed, 1 Aug 2001 17:10:47 -0700 (PDT) Date: Wed, 1 Aug 2001 17:10:47 -0700 From: Kris Kennaway To: Brian Somers Cc: Bart Matthaei , Nuno Teixeira , freebsd-security@FreeBSD.ORG, brian@freebsd-services.com Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... Message-ID: <20010801171046.A85330@xor.obsecurity.org> References: <200108020005.f7205A811423@hak.lan.Awfulhak.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="4Ckj6UjgE2iN1+kY" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200108020005.f7205A811423@hak.lan.Awfulhak.org>; from brian@Awfulhak.org on Thu, Aug 02, 2001 at 01:05:10AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--4Ckj6UjgE2iN1+kY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Aug 02, 2001 at 01:05:10AM +0100, Brian Somers wrote:
> This just blows my mind. Not only because I can't see (for example) why
> rsh has schg and rshd does not, but also because

It makes no sense as a security measure. It makes more sense as an anti-foot-shooting measure, to prevent accidental removal of critical binaries which are needed to get the system up and minimally running (init, /kernel, etc).
Of course, that argument only works for some on that list, and the rest should probably have the flag removed.

Kris

--4Ckj6UjgE2iN1+kY Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7aJqGWry0BWjoQKURAvS0AKCSRLvtlbUFdEIOzOgWwY61du1kbgCfSPkw mkovT2sV3CG5tnrUBmubvJI= =2gSX -----END PGP SIGNATURE----- --4Ckj6UjgE2iN1+kY--

From owner-freebsd-security Wed Aug 1 17:16:08 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id B456837B401 for ; Wed, 1 Aug 2001 17:16:03 -0700 (PDT) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f720Fws06594; Thu, 2 Aug 2001 01:15:58 +0100 (BST) (envelope-from brian@lan.Awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f720Fv811693; Thu, 2 Aug 2001 01:15:57 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <200108020015.f720Fv811693@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: Kris Kennaway Cc: Brian Somers , Bart Matthaei , Nuno Teixeira , freebsd-security@FreeBSD.ORG, brian@freebsd-services.com, brian@freebsd-services.com Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... In-Reply-To: Message from Kris Kennaway of "Wed, 01 Aug 2001 17:10:47 PDT."
<20010801171046.A85330@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 02 Aug 2001 01:15:57 +0100 From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> On Thu, Aug 02, 2001 at 01:05:10AM +0100, Brian Somers wrote:
>
> > This just blows my mind. Not only because I can't see (for example) why
> > rsh has schg and rshd does not, but also because
>
> It makes no sense as a security measure. It makes more sense as an
> anti-foot-shooting measure, to prevent accidental removal of critical
> binaries which are needed to get the system up and minimally running
> (init, /kernel, etc). Of course, that argument only works for some on
> that list, and the rest should probably have the flag removed.

Agreed. I'd definitely consider rshd more critical than rsh (for people that use these programs) for example. sshd may be a good candidate for anti-foot-shooting measures too (against it being accidentally removed, not noticed, and the box being rebooted).

> Kris

-- Brian http://www.freebsd-services.com/ Don't _EVER_ lose your sense of humour !
From owner-freebsd-security Wed Aug 1 17:29:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id 8099F37B401 for ; Wed, 1 Aug 2001 17:29:46 -0700 (PDT) (envelope-from dima@unixfreak.org) Received: by bazooka.unixfreak.org (Postfix, from userid 1000) id 327E73E28; Wed, 1 Aug 2001 17:29:35 -0700 (PDT) Received: from bazooka.unixfreak.org (localhost [127.0.0.1]) by bazooka.unixfreak.org (Postfix) with ESMTP id 287023C12B; Wed, 1 Aug 2001 17:29:35 -0700 (PDT) To: Brian Somers Cc: freebsd-security@FreeBSD.ORG Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... In-Reply-To: <200108020005.f7205A811423@hak.lan.Awfulhak.org>; from brian@Awfulhak.org on "Thu, 02 Aug 2001 01:05:10 +0100" Date: Wed, 01 Aug 2001 17:29:30 -0700 From: Dima Dorfman Message-Id: <20010802002935.327E73E28@bazooka.unixfreak.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Brian Somers writes:
> $ ls -lo /bin/* /usr/bin/* /sbin/* /usr/sbin/* /usr/libexec/* | fgrep -w schg
> -r-sr-xr-x 1 root wheel schg 348908 Aug 1 07:58 /bin/rcp
> -r-x------ 1 root wheel schg 382188 Aug 1 08:10 /sbin/init
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chfn
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chpass
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chsh
> -r-sr-xr-x 1 root wheel schg 24936 Jul 26 11:23 /usr/bin/crontab
> -r-sr-xr-x 1 root wheel schg 21668 Aug 1 08:15 /usr/bin/login
> -r-sr-xr-x 1 man wheel schg 29040 Jul 16 09:07 /usr/bin/man
> -r-sr-xr-x 1 root wheel schg 4064 Jul 16 09:15 /usr/bin/opieinfo
> -r-sr-xr-x 1 root wheel schg 10692 Jul 16 09:15 /usr/bin/opiepasswd
> -r-sr-xr-x 2 root wheel schg 26900 Aug 1 08:16 /usr/bin/passwd
> -r-sr-xr-x 1 root wheel schg 10296 Jul 16 09:15 /usr/bin/rlogin
> -r-sr-xr-x 1 root wheel schg 7660 Aug 1 08:16 /usr/bin/rsh
> -r-sr-xr-x 1 root wheel schg 10456 Aug 1 08:16 /usr/bin/su
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchfn
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchpass
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchsh
> -r-sr-xr-x 2 root wheel schg 26900 Aug 1 08:16 /usr/bin/yppasswd
> -r-xr-xr-x 1 root wheel schg 85120 Aug 1 08:09 /usr/libexec/ld-elf.so.1
> -r-sr-x--- 1 root network schg 11256 Jul 16 09:17 /usr/sbin/sliplogin
>
> This just blows my mind. Not only because I can't see (for example) why
> rsh has schg and rshd does not, but also because
>
> $ ls -lod / /bin /usr/bin /sbin /usr /usr/sbin /usr/libexec
> drwxr-xr-x 21 root wheel - 512 Aug 1 14:07 /
> drwxr-xr-x 2 root wheel - 1024 Aug 1 08:14 /bin
> drwxr-xr-x 2 root wheel - 2048 Aug 1 08:11 /sbin
> drwxr-xr-x 26 root wheel - 512 Aug 1 07:54 /usr
> drwxr-xr-x 2 root wheel - 8192 Aug 1 08:21 /usr/bin
> drwxr-xr-x 8 root wheel - 1536 Aug 1 08:21 /usr/libexec
> drwxr-xr-x 2 root wheel - 4608 Aug 1 08:21 /usr/sbin
>
> makes the whole thing a joke. Even at a high secure level, to
> replace /sbin/init for example, you can

All but two of the binaries you mentioned are setuid, so I think the point of schg in this case is to prevent somebody from doing `cat my_trojan > /bin/rcp` and having my_trojan automatically setuid. Of course to do that you already have to be root, so the point is kind of moot. As Kris said, at least it's an anti-foot-shooting measure.
From owner-freebsd-security Wed Aug 1 19:13:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1144537B403 for ; Wed, 1 Aug 2001 19:13:56 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f722DhS41220; Wed, 1 Aug 2001 22:13:43 -0400 (EDT) (envelope-from wollman) Date: Wed, 1 Aug 2001 22:13:43 -0400 (EDT) From: Garrett Wollman Message-Id: <200108020213.f722DhS41220@khavrinen.lcs.mit.edu> To: Kris Kennaway Cc: freebsd-security@FreeBSD.ORG Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... In-Reply-To: <20010801171046.A85330@xor.obsecurity.org> References: <200108020005.f7205A811423@hak.lan.Awfulhak.org> <20010801171046.A85330@xor.obsecurity.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

< said:
> It makes no sense as a security measure.

It doesn't make sense, but it was effective for quite a while against unprepared intruders who found that their usual techniques were not up to the task. Stipulated that it has probably now passed its ``best if used before'' date. Some of us actually notice when our machines reboot for no readily explained reason.
-GAWollman

From owner-freebsd-security Thu Aug 2 05:41:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id B5A7037B401 for ; Thu, 2 Aug 2001 05:41:22 -0700 (PDT) (envelope-from bart@xs4nobody.nl) Received: (qmail 11226 invoked by uid 1000); 2 Aug 2001 12:41:21 -0000 Date: Thu, 2 Aug 2001 14:41:21 +0200 From: Bart Matthaei To: Brian Somers Cc: freebsd-security@freebsd.org Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ... Message-ID: <20010802144121.A11210@heresy.xs4nobody.nl> References: <200108020005.f7205A811423@hak.lan.Awfulhak.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200108020005.f7205A811423@hak.lan.Awfulhak.org>; from brian@Awfulhak.org on Thu, Aug 02, 2001 at 01:05:10AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I didn't say that securelevels have any use. There are lots of ways you can get around it.

with regards,

Bart Matthaei

On Thu, Aug 02, 2001 at 01:05:10AM +0100, Brian Somers wrote:
> > On Wed, Aug 01, 2001 at 10:01:41PM +0100, Nuno Teixeira wrote:
> >
> > > My question is: what is the real danger of doing `installworld` in
> > > multiuser mode? I have done a lot of tests in other machines tracking
> > > STABLE and I have no problems so far.
> >
> > They advise you to run singleuser, because of the securelevel.
> > If your securelevel is set to 3, for instance, you (no, not even root) won't be
> > able to overwrite files that have the schg flags set (system immutable
> > flag).. So things like rcp (which is schg by default) won't be installed
> > properly.
>
> $ ls -lo /bin/* /usr/bin/* /sbin/* /usr/sbin/* /usr/libexec/* | fgrep -w schg
> -r-sr-xr-x 1 root wheel schg 348908 Aug 1 07:58 /bin/rcp
> -r-x------ 1 root wheel schg 382188 Aug 1 08:10 /sbin/init
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chfn
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chpass
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/chsh
> -r-sr-xr-x 1 root wheel schg 24936 Jul 26 11:23 /usr/bin/crontab
> -r-sr-xr-x 1 root wheel schg 21668 Aug 1 08:15 /usr/bin/login
> -r-sr-xr-x 1 man wheel schg 29040 Jul 16 09:07 /usr/bin/man
> -r-sr-xr-x 1 root wheel schg 4064 Jul 16 09:15 /usr/bin/opieinfo
> -r-sr-xr-x 1 root wheel schg 10692 Jul 16 09:15 /usr/bin/opiepasswd
> -r-sr-xr-x 2 root wheel schg 26900 Aug 1 08:16 /usr/bin/passwd
> -r-sr-xr-x 1 root wheel schg 10296 Jul 16 09:15 /usr/bin/rlogin
> -r-sr-xr-x 1 root wheel schg 7660 Aug 1 08:16 /usr/bin/rsh
> -r-sr-xr-x 1 root wheel schg 10456 Aug 1 08:16 /usr/bin/su
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchfn
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchpass
> -r-sr-xr-x 6 root wheel schg 32612 Aug 1 08:15 /usr/bin/ypchsh
> -r-sr-xr-x 2 root wheel schg 26900 Aug 1 08:16 /usr/bin/yppasswd
> -r-xr-xr-x 1 root wheel schg 85120 Aug 1 08:09 /usr/libexec/ld-elf.so.1
> -r-sr-x--- 1 root network schg 11256 Jul 16 09:17 /usr/sbin/sliplogin
>
> This just blows my mind. Not only because I can't see (for example) why
> rsh has schg and rshd does not, but also because
>
> $ ls -lod / /bin /usr/bin /sbin /usr /usr/sbin /usr/libexec
> drwxr-xr-x 21 root wheel - 512 Aug 1 14:07 /
> drwxr-xr-x 2 root wheel - 1024 Aug 1 08:14 /bin
> drwxr-xr-x 2 root wheel - 2048 Aug 1 08:11 /sbin
> drwxr-xr-x 26 root wheel - 512 Aug 1 07:54 /usr
> drwxr-xr-x 2 root wheel - 8192 Aug 1 08:21 /usr/bin
> drwxr-xr-x 8 root wheel - 1536 Aug 1 08:21 /usr/libexec
> drwxr-xr-x 2 root wheel - 4608 Aug 1 08:21 /usr/sbin
>
> makes the whole thing a joke.
> Even at a high secure level, to
> replace /sbin/init for example, you can
>
> # cd /
> # cp -rp sbin sbin.new
> # mv sbin sbin.old
> # mv sbin.new sbin
>
> If programs are going to be chflags'd at install time, then their
> parent directories should at least have sappnd on them -- or even
> more appropriately, schg so that nothing can be planted in root's
> path.
>
> Of course the problem with doing that is it makes the installworld
> rather difficult, even with securelevel == -1.
>
> > Also, singleuser makes sure processes like sshd are shut down.
>
> I can't see why that would make a difference (assuming a reboot is
> done after the installworld).
>
> > (this is my theory.. correct me if I'm wrong)
> >
> > With regards,
> >
> > Bart Matthaei
>
> --
> Brian
> http://www.freebsd-services.com/
> Don't _EVER_ lose your sense of humour !

-- Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042 Cysonet Managed Hosting | bart@cysonet.com ------------------------------------------------- /* It's always funny until someone gets hurt..
* (and then it's just hilarious) */

From owner-freebsd-security Thu Aug 2 06:39:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 0D40437B401 for ; Thu, 2 Aug 2001 06:39:30 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f72DdUC63060 for ; Thu, 2 Aug 2001 09:39:30 -0400 (EDT) (envelope-from rjh@mohawk.net) Date: Thu, 2 Aug 2001 09:39:30 -0400 (EDT) From: Ralph Huntington To: Subject: pam session failing In-Reply-To: <20010802144121.A11210@heresy.xs4nobody.nl> Message-ID: <20010802093505.Q61813-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

ssh connections to a particular box are failing, but used to work fine. The password is accepted, the user authenticated, but then the session setup fails. Here is the verbose sshd debug output (after authentication). I don't understand what permission is denied and the man pages don't seem to cover this. Can anyone point me toward the solution? Thanks!

-=r=-

...
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: PAM setting tty to "/dev/ttyp4"
debug1: do_pam_session: euid 0, uid 0
fatal: PAM session setup failed[6]: Permission denied <<=========
debug1: Calling cleanup 0x80547b4(0x807b920)
debug1: pty_cleanup_proc: /dev/ttyp4
debug1: Calling cleanup 0x8058330(0x0)
Cannot close PAM session[6]: Permission denied <<===========
debug1: Calling cleanup 0x805e72c(0x0)

From owner-freebsd-security Thu Aug 2 06:54:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id D5A3D37B401 for ; Thu, 2 Aug 2001 06:54:40 -0700 (PDT) (envelope-from sakane@kame.net) Received: from localhost ([3ffe:501:481d:e101::1]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f72E2UY92537; Thu, 2 Aug 2001 23:02:31 +0900 (JST) To: ewancarr@yahoo.com Cc: FreeBSD-Security@FreeBSD.Org Subject: Re: SPD on FreeBSD In-Reply-To: Your message of "Tue, 31 Jul 2001 11:29:18 +0100 (BST)" <20010731102918.95043.qmail@web13304.mail.yahoo.com> References: <20010731102918.95043.qmail@web13304.mail.yahoo.com> X-Mailer: Cue version 0.6 (010413-1707/sakane) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-Id: <20010802225359W.sakane@kame.net> Date: Thu, 02 Aug 2001 22:53:59 +0900 From: Shoichi Sakane X-Dispatcher: imput version 20000228(IM140) Lines: 7 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Do you know whether this is the case or whether
> a user-land API exists to access the SPD.

If you have the KAME tree, the sample code is kame/libipsec/test-policy.c, although there is no manual page. Note that you have to install the KAME snap kit if you want to use the full function of the sample code.
From owner-freebsd-security Thu Aug 2 07:01:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 39CE837B401 for ; Thu, 2 Aug 2001 07:01:21 -0700 (PDT) (envelope-from sakane@kame.net) Received: from localhost ([3ffe:501:481d:e101::1]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f72E33Y92542; Thu, 2 Aug 2001 23:03:04 +0900 (JST) To: ewancarr@yahoo.com Cc: FreeBSD-Security@FreeBSD.ORG Subject: Re: PFKEY/test-pfkey In-Reply-To: Your message of "Mon, 30 Jul 2001 17:30:22 +0100 (BST)" <20010730163022.96220.qmail@web13308.mail.yahoo.com> References: <20010730163022.96220.qmail@web13308.mail.yahoo.com> X-Mailer: Cue version 0.6 (010413-1707/sakane) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-Id: <20010802225410A.sakane@kame.net> Date: Thu, 02 Aug 2001 22:54:10 +0900 From: Shoichi Sakane X-Dispatcher: imput version 20000228(IM140) Lines: 19 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Is there any test code out there for playing with
> the PFKEY API. I'd like to be able to have my
> userland program send a PF_GET message to the
> "key engine" (I take this is just a fancy name for the
> SPD ?). I've found the file test-pfkey.c on the cvs
> tree at freebsd but...'scuse me for being a bit thick
> here but it seems to send the different types of PFKEY
> message types but I dont see where it handles the
> responses e.g. when sending the PF_GET where is the
> return message handled...any help/pointers appreciated

I'm not sure what the different types of PFKEY message types are.
Anyway, if you send a SADB_REGISTER message to the kernel and then send a SADB_GET message to it, you can get a response to the SADB_GET message from the kernel. test-pfkey.c calls recv() in order to get the response after sending the SADB_GET message to the kernel. You can get basic information from RFC 2367.

From owner-freebsd-security Thu Aug 2 07:25:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 112C437B401 for ; Thu, 2 Aug 2001 07:25:10 -0700 (PDT) (envelope-from bart@xs4nobody.nl) Received: (qmail 11493 invoked by uid 1000); 2 Aug 2001 14:25:08 -0000 Date: Thu, 2 Aug 2001 16:25:08 +0200 From: Bart Matthaei To: Ralph Huntington Cc: freebsd-security@freebsd.org Subject: Re: pam session failing Message-ID: <20010802162508.B11445@heresy.xs4nobody.nl> Reply-To: Bart Matthaei References: <20010802144121.A11210@heresy.xs4nobody.nl> <20010802093505.Q61813-100000@mohegan.mohawk.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010802093505.Q61813-100000@mohegan.mohawk.net>; from rjh@mohawk.net on Thu, Aug 02, 2001 at 09:39:30AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Did you look in /usr/src/UPDATING? There might be a few lines you wanna add to your pam.config for sshd. It's documented in /usr/src/UPDATING.

With regards,

Bart Matthaei

-- Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042 Cysonet Managed Hosting | bart@cysonet.com ------------------------------------------------- /* It's always funny until someone gets hurt..
* (and then it's just hilarious) */

From owner-freebsd-security Thu Aug 2 07:33:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 9C0EE37B401 for ; Thu, 2 Aug 2001 07:33:37 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id f72EXhR89803 for ; Thu, 2 Aug 2001 10:33:43 -0400 (EDT) Date: Thu, 2 Aug 2001 10:33:43 -0400 (EDT) From: Ralph Huntington To: Subject: Re: pam session failing In-Reply-To: <20010802093505.Q61813-100000@mohegan.mohawk.net> Message-ID: <20010802103228.H89488-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Responding to my own posting... Two people have pointed me to pam.conf and updating that file has cured the problem. I don't know why the original file no longer worked, since the system was not upgraded since installed, but okay, it works now. Thanks very much to those who replied.

On Thu, 2 Aug 2001, Ralph Huntington wrote:
> ssh connections to a particular box are failing, but used to work fine.
> The password is accepted, the user authenticated, but then the session
> setup fails. Here is the verbose sshd debug output (after authentication).
> I don't understand what permission is denied and the man pages don't seem
> to cover this. Can anyone point me toward the solution? Thanks! -=r=-
>
> ...
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: Allocating pty.
> debug1: PAM setting tty to "/dev/ttyp4" > debug1: do_pam_session: euid 0, uid 0 > fatal: PAM session setup failed[6]: Permission denied <<========= > debug1: Calling cleanup 0x80547b4(0x807b920) > debug1: pty_cleanup_proc: /dev/ttyp4 > debug1: Calling cleanup 0x8058330(0x0) > Cannot close PAM session[6]: Permission denied <<=========== > debug1: Calling cleanup 0x805e72c(0x0) > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 2 7:57:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 8B30E37B405 for ; Thu, 2 Aug 2001 07:56:48 -0700 (PDT) (envelope-from Yonatan@xpert.com) Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.20 #1) id 15SItJ-0004qO-00 for freebsd-security@freebsd.org; Thu, 02 Aug 2001 16:51:57 +0300 Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Thu, 2 Aug 2001 17:55:08 +0300 Message-ID: From: Yonatan Bokovza To: "'freebsd-security@freebsd.org'" Subject: [OT]: Phrack site Date: Thu, 2 Aug 2001 17:55:07 +0300 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="windows-1255" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, www.phrack.com doesn't resolve. Anyone knows of an up-to-date mirror? Regards, Yonatan. 
From owner-freebsd-security Thu Aug 2 8: 4:19 2001
From: jb13
To: freebsd-security@freebsd.org
Date: Thu, 2 Aug 2001 08:14:57 -0700
Subject: Re: [OT]: Phrack site
Message-ID: <20010802081457.A51336@startide.modernthings.net>

On Thu, Aug 02, 2001 at 05:55:07PM +0300, Yonatan Bokovza wrote:
> Hi,
> www.phrack.com doesn't resolve.
> Anyone knows of an up-to-date mirror?
>
> Regards,
> Yonatan.

www.phrack.org

From owner-freebsd-security Thu Aug 2 8: 7:34 2001
From: Peter Pentchev
To: Ralph Huntington
Cc: freebsd-security@FreeBSD.org
Date: Thu, 2 Aug 2001 17:39:39 +0300
Subject: Re: pam session failing
Message-ID: <20010802173939.B989@ringworld.oblivion.bg>
In-Reply-To: <20010802173820.A989@ringworld.oblivion.bg>

On Thu, Aug 02, 2001 at 05:38:20PM +0300, Peter Pentchev wrote:
> On Thu, Aug 02, 2001 at 09:39:30AM -0400, Ralph Huntington wrote:
> > ssh connections to a particular box are failing, but used to work fine.
> > The password is accepted, the user authenticated, but then the session
> > setup fails. Here is the verbose sshd debug output (after authentication).
> > I don't understand what permission is denied and the man pages don't seem
> > to cover this. Can anyone point me toward the solution? Thanks! -=r=-
>
> Did you at some time update to a newer version of -stable or -current?
> If so, did you run mergemaster, as both the Handbook and /usr/src/UPDATING
> clearly state you should? :)
>
> More to the point: What is the output of 'fgrep ssh /etc/pam.conf' ?

Or it might be something else: does your /etc/master.passwd file list passwords in DES or MD5 format?

G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

From owner-freebsd-security Thu Aug 2 8: 7:35 2001
From: Peter Pentchev
To: Ralph Huntington
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 2 Aug 2001 17:38:20 +0300
Subject: Re: pam session failing
Message-ID: <20010802173820.A989@ringworld.oblivion.bg>
In-Reply-To: <20010802093505.Q61813-100000@mohegan.mohawk.net>

On Thu, Aug 02, 2001 at 09:39:30AM -0400, Ralph Huntington wrote:
> ssh connections to a particular box are failing, but used to work fine.
> The password is accepted, the user authenticated, but then the session
> setup fails. Here is the verbose sshd debug output (after authentication).
> I don't understand what permission is denied and the man pages don't seem
> to cover this. Can anyone point me toward the solution? Thanks! -=r=-

Did you at some time update to a newer version of -stable or -current? If so, did you run mergemaster, as both the Handbook and /usr/src/UPDATING clearly state you should? :)

More to the point: What is the output of 'fgrep ssh /etc/pam.conf' ?

G'luck,
Peter

--
What would this sentence be like if pi were 3?

From owner-freebsd-security Thu Aug 2 8:34: 4 2001
From: Ralph Huntington
To: Peter Pentchev
Date: Thu, 2 Aug 2001 11:34:07 -0400 (EDT)
Subject: Re: pam session failing
Message-ID: <20010802112641.T89488-100000@mohegan.mohawk.net>
In-Reply-To: <20010802173939.B989@ringworld.oblivion.bg>

> > Did you at some time update to a newer version of -stable or -current?

No...

> > More to the point: What is the output of 'fgrep ssh /etc/pam.conf' ?

This proved interesting. All the sshd entries were missing from pam.conf. I cannot imagine how the heck that happened since the system (4.2) had not been upgraded since it was installed (telnet was disabled from the start) and ssh always worked fine.

> Or it might be something else: does your /etc/master.passwd file list
> passwords in DES or MD5 format?

Most are now MD5, but a few older ones are DES. When this system was reloaded with 4.2 (had been 3.x), the existing accounts were carried over with the DES passwords in place. That has not presented any problem to us. No, the sshd problem turned out to be the missing entries in pam.conf. Where they went, I do not know.

Ralph

From owner-freebsd-security Thu Aug 2 8:53:13 2001
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 2 Aug 2001 11:53:52 -0400 (EDT)
Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ...
In-Reply-To: <20010801220141.C2354@gateway.bogus>

> Someone wrote:
> My question is: what is the real danger of doing `installworld` in
> multiuser mode? I have doing a lot of tests in other machines tracking
> STABLE and I have no problems so far.

>> Someone else replied:
>> They advice you to run singleuser, because of the securelevel.

It's more than that I think... I *believe* that it is *theoretically* possible that a binary copy of a library could change in a way that makes it incompatible with running processes that link to it. (for instance, if the library changes the number of arguments a function expects)

Obviously this could cause "instability" in said processes, if not the kernel. That in turn could cause the failure of the install process. If things blew up badly enough, even a reboot wouldn't fix the problem and you'd be totally hosed. (the key here is to make sure the install process finishes cleanly- if it doesn't, all bets are off)

The only time I suspect this sort of thing would be a real problem is if you did an "in place" major-revision upgrade (from 2.x to 3.x etc.) because the libraries underwent major changes. But I'm not experienced enough to say that with any authority.

Any superior real-world experience or detailed technical knowledge to contradict or modify the above is of course welcome.

-=Jim=-

From owner-freebsd-security Thu Aug 2 8:56:30 2001
Message-ID: <3B697660.2B771FF5@mail.microcenter.com>
Date: Thu, 02 Aug 2001 11:48:48 -0400
From: Aaron Bush
To: freebsd-security@freebsd.org
Cc: Mark.Andrews@nominum.com
Subject: Re: named exited on signal 6?
References: <200108012131.f71LV8u28535@drugs.dv.isc.org>

Mark.Andrews@nominum.com wrote:
> > > In my system messages i have the following entry:
> > > Jul 28 12:37:30 tosh /kernel: pid 165 (named), uid 53: exited on signal 6
>
> Signal 6 is ABRT which means named killed itself. There should
> be a log message associated with the action.

The only log message was the one from above. Would named log messages to another location or facility when it is running in a sandbox?

-ab

From owner-freebsd-security Thu Aug 2 9:13:36 2001
From: "Karsten W. Rohrbach"
To: Mike Silbersack
Cc: "Nickolay A.Kritsky", security@FreeBSD.ORG
Date: Thu, 2 Aug 2001 18:13:38 +0200
Subject: Re: accounting with ipfw (gid, uid riles)
Message-ID: <20010802181338.A51621@mail.webmonster.de>
In-Reply-To: <20010801184239.I63961-100000@achilles.silby.com>

Mike Silbersack(silby@silby.com)@2001.08.01 18:46:15 +0000:
>
> On Wed, 1 Aug 2001, Karsten W. Rohrbach wrote:
>
> > Mike Silbersack(silby@silby.com)@2001.07.31 17:54:18 +0000:
>
> > > I'm not familiar with how squid acts, but your idea sounds good to me.
> > > Tell us how it works. :)
> >
> > eh?
> >
> > AFAIK the entity that creates the socket owns it.
> > to bind ports <1024 this entity has to be root.
>
> Heh, by "tell us how it works", I meant "test it out and tell us how well
> it works in practice." :)
>
> I guess we'll have to wait to hear back from Nickolay.

no ;-) read on...

root@WM:datasink[/usr/local/squid/logs]41# cat /opt/service/squid/run
#!/bin/sh
## run file for squid process
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/bin
export PATH
exec 2>&1
exec setuidgid squid /usr/local/sbin/squid -YN
root@WM:datasink[/usr/local/squid/logs]42# sockstat -l4| grep ^squid
squid    squid      64788   14 tcp4   *:3128    *:*
squid    squid      64788   15 udp4   *:3130    *:*

in other words: it fkn works
this is tested with daemontools-0.70 and squid-2.4STABLE1 (2.4_4 port)

*grin*
/k

>
> Mike "Silby" Silbersack

--
> Captain Hook died of jock itch.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Thu Aug 2 10:11:55 2001
From: Kirill Jezduke
Date: Thu, 2 Aug 2001 20:11:42 +0300 (EEST)
Subject: ipfw + QOS
Message-ID: <20010802195843.B10274-100000@mail.tavrida.net>
In-Reply-To: <3B697660.2B771FF5@mail.microcenter.com>

Hello
Excuse me for my English, please
Is it possible to define the minimal bandwidth for a user with commands such as
ipfw pipe ...
ipfw queue ...
For example, total bandwidth = 256Kb/sec. The user can always use a minimum of 128Kb/sec, but it is possible for him to use a maximum of 256Kb/sec. If this user uses less than 128Kb/sec, other users can use more than 128Kb/sec. That's why the channel is always totally in use.
kirill@tavrida.net

From owner-freebsd-security Thu Aug 2 10:56:51 2001
From: Peter Pentchev
To: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 2 Aug 2001 20:55:38 +0300
Subject: Re: RELEASE 4.3 -> RELENG_4_3: SUCCESSFULLY but ...
Message-ID: <20010802205538.B11105@ringworld.oblivion.bg>
References: <20010801220141.C2354@gateway.bogus>

On Thu, Aug 02, 2001 at 11:53:52AM -0400, Jim Sander wrote:
> > Someone wrote:
> > My question is: what is the real danger of doing `installworld` in
> > multiuser mode? I have doing a lot of tests in other machines tracking
> > STABLE and I have no problems so far.
>
> >> Someone else replied:
> >> They advice you to run singleuser, because of the securelevel.
>
> It's more than that I think...

It is, but mostly not in the way you think :)

> I *believe* that it is *theoretically* possible that a binary copy of a
> library could change in a way that makes it incompatible with running
> processes that link to it. (for instance, if the library changes the
> number of arguments a function expects)

It is possible - say you change the *type* of the first argument :)

However, both the situations you described - number of arguments changing - and the situation I described - type of arguments changing - fall into the case of changing functionality. With shared libraries, whenever the functionality of the 'important' functions is changed, the library version number is bumped. Thus, processes linked against the older version still get the older functionality, while newly linked processes, which have been compiled and linked against the new headers/library, know how to use the new calling conventions. So, this is not much of a problem.

The problem lies more in the fact that there are processes running at the very moment the library files are replaced. Although install(1) generally does a great job at atomically replacing files, sometimes I've noticed a couple of processes complain about being unable to access libraries, if the processes happen to call a library function at the precise moment the library is being overwritten. This may cause important processes to fail, possibly in a disastrous way, possibly going haywire and doing random disk writes.

This, I believe, is part of the reason that it is recommended that the installworld phase be performed in single user mode, so that there are no dynamically-linked background processes running, and the only dynamically-linked processes are the ones involved in the installation itself.

> Obviously this could cause "instability" in said processes, if not the
> kernel. That in turn could cause the failure of the install process. If
> things blew up badly enough, even a reboot wouldn't fix the problem and
> you'd be totally hosed. (the key here is to make sure the install process
> finishes cleanly- if it doesn't, all bets are off)
>
> The only time I suspect this sort of thing would be a real problem is
> if you did an "in place" major-revision upgrade (from 2.x to 3.x etc.)
> because the libraries underwent major changes. But I'm not experienced
> enough to say that with any authority.

As explained above, a glitch might happen during any normal update of a library :(

> Any superior real-world experience or detailed technical knowledge to
> contradict or modify the above is of course welcome.

I wouldn't really call my experiences 'superior' or 'technical' - I never really bothered to see just *why* was install(1) not atomically replacing my libs :)

G'luck,
Peter

--
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.

From owner-freebsd-security Thu Aug 2 11: 8: 2 2001
From: Shawn Lussier
To: Kirill Jezduke
Date: Thu, 2 Aug 2001 14:06:26 -0400 (EDT)
Subject: Re: ipfw + QOS
Message-ID: <20010802140504.O69351-100000@alpha.focalnetworks.net>
In-Reply-To: <20010802195843.B10274-100000@mail.tavrida.net>

On Thu, 2 Aug 2001, Kirill Jezduke wrote:
> Hello
> Excuse me for my English, please
> Is it possible to define the minimal bandwidth for a user with commands
> such as
> ipfw pipe ...
> ipfw queue ...
> For example, total bandwidth = 256Kb/sec. The user can always use a minimum
> of 128Kb/sec, but it is possible for him to use a maximum of 256Kb/sec. If
> this user uses less than 128Kb/sec, other users can use more than 128Kb/sec.
> That's why the channel is always totally in use.
>
> kirill@tavrida.net

Yes, it's possible. Suggested reading: 'man 4 dummynet' & 'man ipfw' (under the "Traffic Shaper Configuration" section).

Good luck.
-Shawn

From owner-freebsd-security Thu Aug 2 13:32: 6 2001
From: Holtor
To: security@freebsd.org
Date: Thu, 2 Aug 2001 13:32:03 -0700 (PDT)
Subject: md5?
Message-ID: <20010802203203.70517.qmail@web11605.mail.yahoo.com>

Hi All,

How do I make my system use MD5 by default when adding users? I had this in my /etc/make.conf
NODESCRYPTLINKS=true
But this no longer works after my last make world. So after reading the lists I put passwd_format=md5 into /etc/login.conf and rebuilt that and still no luck.

adduser still adds users with a DES password which only gets swapped to MD5 if they change the password after they login.

I assume I could just fix the symlinks in /usr/lib manually but that doesn't seem like the correct solution.

Any suggestions on a solution for this? I hate DES.

Holt G.

From owner-freebsd-security Thu Aug 2 13:41:17 2001
From: Vlad
To: freebsd-security@freebsd.org
Date: Thu, 2 Aug 2001 16:41:10 -0400
Subject: weird packets.. anyone?
Message-ID: <20010802164110.A64693@tmd.df.ru>

I've got this today in my logs:

Aug 2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 IN
Aug 2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len 20 96

and connection to 138. each connection was followed by the following entries in the log:

Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53
Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1934 from 24.2.9.33:53
Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1940 from 24.2.9.33:53
Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1939 from 24.2.9.35:53
Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1942 from 24.2.9.33:53
Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1941 from 24.2.9.35:53
Aug 2 13:34:06 tmd /kernel: Connection attempt to UDP 24.43.202.10:1943 from 24.2.9.35:53
Aug 2 13:34:09 tmd /kernel: Connection attempt to UDP 24.43.202.10:1944 from 24.2.9.33:53
Aug 2 13:34:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1945 from 24.2.9.35:53
Aug 2 13:34:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1950 from 24.2.9.33:53
Aug 2 13:35:00 tmd /kernel: Connection attempt to UDP 24.43.202.10:1952 from 24.2.9.33:53
Aug 2 13:35:00 tmd /kernel: Connection attempt to UDP 24.43.202.10:1951 from 24.2.9.35:53
Aug 2 13:35:09 tmd /kernel: Connection attempt to UDP 24.43.202.10:1954 from 24.2.9.33:53
Aug 2 13:35:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1953 from 24.2.9.35:53
Aug 2 13:35:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1955 from 24.2.9.35:53
Aug 2 13:35:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1956 from 24.2.9.33:53

and then repeated..

24.32.202.10 - my ip
24.2.9.33 - primary DNS of my ISP

does anyone have any idea what this is? please answer to e-mail if possible.. thanks!
From owner-freebsd-security Thu Aug 2 13:55:46 2001
From: "Schlosser, Matt D."
To: 'Vlad', 'freebsd-security@freebsd.org'
Date: Thu, 2 Aug 2001 15:58:38 -0500
Subject: RE: weird packets.. anyone?
Message-ID: <2FA3BA0C7551724CA6DDF4E345360505049F1E@walleye.corp.fishnet.com>

Looks like DNS is being blocked. DNS uses 53 for both UDP and TCP packets.
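As an added triage example (not code from the thread or from any of its authors), the script below parses the "Connection attempt to UDP" kernel lines Vlad posted, which FreeBSD emits when net.inet.udp.log_in_vain is set and a datagram arrives for a local UDP port with no socket bound to it. It labels answers from the host's own resolvers as late DNS replies to an already-closed client port, and flags port-53 traffic from any other source for review. The resolver set (Vlad named only 24.2.9.33), the host name and the two extra sample lines are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the kernel lines quoted in the
# thread. Lines 1-4 mirror the post (ISP resolvers replying from port 53 to
# ephemeral ports); lines 5-6 are invented to exercise the other labels.
SAMPLE_LOG = """\
Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53
Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1934 from 24.2.9.33:53
Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1939 from 24.2.9.35:53
Aug 2 13:34:09 tmd /kernel: Connection attempt to UDP 24.43.202.10:1944 from 24.2.9.33:53
Aug 2 13:36:00 tmd /kernel: Connection attempt to UDP 24.43.202.10:137 from 24.43.202.77:137
Aug 2 13:36:05 tmd /kernel: Connection attempt to UDP 24.43.202.10:1947 from 198.51.100.9:53
"""

# Assumption: the resolvers listed in the host's /etc/resolv.conf. Vlad named
# only .33 as his ISP's primary; .35 is assumed to be the secondary.
KNOWN_RESOLVERS = {"24.2.9.33", "24.2.9.35"}

# Shape of the log_in_vain message: "Connection attempt to UDP dst:dport from src:sport"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log_in_vain line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    return ev


def classify(ev, resolvers=KNOWN_RESOLVERS):
    """Label one event from the defender's side of the log."""
    if ev["sport"] == 53 and ev["src"] in resolvers and ev["dport"] >= 1024:
        # Our own resolver answering a client port that is no longer bound:
        # the stub resolver either timed out and closed the socket, or was
        # already satisfied by the other server. Noise, not an attack.
        return "late-dns-reply"
    if ev["sport"] == 53:
        # Port-53-sourced datagrams from a server we never queried. Review
        # rather than assume benign: a stateless filter that admits anything
        # from source port 53 would let these through as if they were DNS.
        return "dns-from-unknown-server"
    if ev["sport"] == 137 and ev["dport"] == 137:
        # NetBIOS name service chatter from a neighbour on the same segment.
        return "netbios-name-service"
    return "other-unsolicited-udp"


def summarize(log_text, resolvers=KNOWN_RESOLVERS):
    """Count events per label and per source address for a quick triage view."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    by_label = Counter(classify(ev, resolvers) for ev in events)
    by_source = defaultdict(Counter)
    for ev in events:
        by_source[ev["src"]][classify(ev, resolvers)] += 1
    return {
        "events": len(events),
        "labels": dict(by_label),
        "sources": {src: dict(c) for src, c in by_source.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, labels in sorted(report["sources"].items()):
        print(f"{src:16} {labels}")
```

Feed it the real /var/log/messages instead of SAMPLE_LOG and a source that keeps showing up under "dns-from-unknown-server" or "other-unsolicited-udp" is the one worth a closer look; the resolver replies are expected background noise on a host that logs in-vain datagrams.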
From owner-freebsd-security Thu Aug 2 13:57:45 2001
From: Erick Mechler
To: Holtor
Cc: security@FreeBSD.ORG
Subject: Re: md5?
Date: Thu, 2 Aug 2001 13:56:41 -0700
Message-ID: <20010802135641.A22660@techometer.net>
In-Reply-To: <20010802203203.70517.qmail@web11605.mail.yahoo.com>

See this page for information on how to make sure your libraries are all in order:

http://www.mostgraveconcern.com/freebsd/libcrypt.html

Cheers - Erick

At Thu, Aug 02, 2001 at 01:32:03PM -0700, Holtor said this:
:: Hi All,
::
:: How do I make my system use MD5 by default when
:: adding users? I had this in my /etc/make.conf
:: NODESCRYPTLINKS=true
:: But this no longer works after my last make world.
:: So after reading the lists I put
:: passwd_format=md5 into /etc/login.conf and rebuilt
:: that and still no luck.
::
:: adduser still adds users with a DES password which
:: only
:: gets swapped to MD5 if they change the password after
:: they login.
::
:: I assume I could just fix the symlinks in /usr/lib
:: manually but that doesn't seem like the correct
:: solution.
::
:: Any suggestions on a solution for this? I hate DES.
::
:: Holt G.
::
:: __________________________________________________
:: Do You Yahoo!?
:: Make international calls for as low as $.04/minute with Yahoo! Messenger
:: http://phonecard.yahoo.com/

From owner-freebsd-security Thu Aug 2 13:59:24 2001
From: Rob Simmons
To: Holtor
Subject: Re: md5?
Date: Thu, 2 Aug 2001 16:59:17 -0400 (EDT)
Message-ID: <20010802165449.F9551-100000@mail.wlcg.com>
In-Reply-To: <20010802203203.70517.qmail@web11605.mail.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Actually, bend the symlinks /usr/libcrypt* to point to their corresponding libscrypt libraries. That is the correct way to do it.
You also might want to look at the pw utility instead of adduser. One of the annoyances I've found with adduser is that it bonks your /etc/group file in the head and removes any comments including the RCS tag at the top. Once bonked, when you mergemaster after an installworld, it thinks that there has been a change and it asks you about the file, even though there are no changes to merge in.

pw does not do this, and it's much more powerful.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 2 Aug 2001, Holtor wrote:

> Hi All,
>
> How do I make my system use MD5 by default when
> adding users? I had this in my /etc/make.conf
> NODESCRYPTLINKS=true
> But this no longer works after my last make world.
> So after reading the lists I put
> passwd_format=md5 into /etc/login.conf and rebuilt
> that and still no luck.
>
> adduser still adds users with a DES password which
> only
> gets swapped to MD5 if they change the password after
> they login.
>
> I assume I could just fix the symlinks in /usr/lib
> manually but that doesn't seem like the correct
> solution.
>
> Any suggestions on a solution for this? I hate DES.
>
> Holt G.
>
> __________________________________________________
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7ab8pv8Bofna59hYRA5XwAJ9HfpqzB/GD9ZkOnQKyZfyYn6YlWgCfSaPe
vBcOQmxl7IJwxVmJgWVgr6U=
=Br+o
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Aug 2 14:07:58 2001
From: Kirill Jezduke
Subject: Re: ipfw + QOS
Date: Fri, 3 Aug 2001 00:07:48 +0300 (EEST)
Message-ID: <20010803000550.V42633-100000@mail.tavrida.net>

On Thu, 2 Aug 2001, Shawn Lussier wrote:

> > > ipfw pipe ...
> > ipfw queue ...
> >
> Yes, it's possible. Suggested reading: 'man 4 dummynet' & 'man
> ipfw' (under the "Traffic Shaper Configuration" section). Good luck.

Excuse me, but I don't understand how to determine the minimum bandwidth for a user.

Example: total bandwidth = 256Kb/sec. Interface ed0.
IP (10.0.0.1) - minimum 128Kb/sec, maximum 256Kb/sec.
IP (All others) - minimum 0Kb/sec, maximum 256Kb/sec

Can you show me ipfw rules to do this?
> > -Shawn

Best regards,
kirill@tavrida.net

From owner-freebsd-security Thu Aug 2 14:24:37 2001
From: Holtor
To: security@freebsd.org
Subject: Re: md5?
Date: Thu, 2 Aug 2001 14:24:32 -0700 (PDT)
Message-ID: <20010802212432.81118.qmail@web11602.mail.yahoo.com>
In-Reply-To: <20010802165449.F9551-100000@mail.wlcg.com>

You guys seem to miss my point.. This is what I did back several months ago. And I had:

NODESCRYPTLINKS=true

in /etc/make.conf so when make world went through it didn't demolish my links. Now it appears as if that option does nothing. After looking in /usr/lib there are not any symlinks at all anymore. They are actual libraries in place of where links to libscrypt and libdescrypt could go. That's what's confused me, something recently - within the past week perhaps has changed.

Holt.

--- Rob Simmons wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Actually, bend the symlinks /usr/libcrypt*
>
> to point to their corresponding libscrypt libraries
>
> That is the correct way to do it.
>
> You also might want to look at the pw utility
> instead of adduser. One of
> the annoyances I've found with adduser is that it
> bonks your /etc/group
> file in the head and removes any comments including
> the RCS tag at the
> top.
> Once bonked, when you mergemaster after a
> installworld, it thinks
> that there has been a change and it asks you about
> the file, even though
> there are no changes to merge in.
>
> pw does not do this, and its much more powerful.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Thu, 2 Aug 2001, Holtor wrote:
>
> > Hi All,
> >
> > How do I make my system use MD5 by default when
> > adding users? I had this in my /etc/make.conf
> > NODESCRYPTLINKS=true
> > But this no longer works after my last make world.
> > So after reading the lists I put
> > passwd_format=md5 into /etc/login.conf and rebuilt
> > that and still no luck.
> >
> > adduser still adds users with a DES password which
> > only
> > gets swapped to MD5 if they change the password
> after
> > they login.
> >
> > I assume I could just fix the symlinks in /usr/lib
> > manually but that doesn't seem like the correct
> > solution.
> >
> > Any suggestions on a solution for this? I hate
> DES.
> >
> > Holt G.
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Make international calls for as low as $.04/minute
> with Yahoo! Messenger
> > http://phonecard.yahoo.com/
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7ab8pv8Bofna59hYRA5XwAJ9HfpqzB/GD9ZkOnQKyZfyYn6YlWgCfSaPe
> vBcOQmxl7IJwxVmJgWVgr6U=
> =Br+o
> -----END PGP SIGNATURE-----
>

__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

From owner-freebsd-security Thu Aug 2 14:37:09 2001
From: "Hank Wethington"
To: "Kris Kennaway"
Subject: RE: OpenSSL patch applied and now locked out of machine.
Date: Thu, 2 Aug 2001 14:34:58 -0700
In-Reply-To: <20010730183039.A65218@xor.obsecurity.org>

I wanted to follow up on the solution and problem I encountered for anyone else following the thread.

First I want to say that this is the reason to have a test box... Please always use on a test box before performing on a production server. This will save many headaches.

Since I applied the patch then compiled in the wrong directory I changed the way BSD handled the DES passwords, as Kris pointed out. After driving the 3 hours to get to the box, I found I could log in locally as root, but not as the admin user I have set up. I thought this weird, anyone care to explain? This was good as I don't have a floppy or cd installed and single user log in is locked out.
After getting into the machine, I redownloaded the crypto libs and a few other lib files from /stand/sysinstall, rebooted the machine and voila, it all worked. People started getting mail again and my logins worked again. I reapplied the patch (correctly this time) and all was well.

So with that said, the machine is working again, but I am curious why I could log in locally as root after the crypto change. Is the local login different than the SSH login?

Thanks for everyone's help.

Hank Wethington
================================================
Information Logistics
www.GoInfoLogistics.com
mailto:info.at.GoInfoLogistics.com
================================================

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Kris Kennaway
Sent: Monday, July 30, 2001 6:31 PM
To: Hank Wethington
Cc: Kris Kennaway; security-officer@freebsd.org; security@FreeBSD.org
Subject: Re: OpenSSL patch applied and now locked out of machine.

On Mon, Jul 30, 2001 at 06:25:07PM -0700, Hank Wethington wrote:
> As I can't see the error OpenSSH is giving (at least until I get to the
> machine tonight), I can only say I'm getting an invalid password response
> from my attempts to SSH into the machine. Also, vpopmail gives an invalid
> password response as well. I will hopefully post more after I've seen the
> machine.
>
> To give a tad more info, the initial release of the update stated that the
> directory was /usr/src/lib/libcrypto/ however the true directory was
> /usr/src/secure/lib/libcrypto/
>
> As is the case with another user, I initially did the make depend && make
> all install in the /usr/src/lib/libcrypt/ dir. Since the other user is
> having a similar issue, perhaps they are related. I won't be to the machine
> until 10p PDT, so I won't have any more info.

Aha..if you did this, you installed a libcrypt which can't handle DES passwords.
The DES-capable library (under 4.3 and earlier, this has been changed in 4.3-STABLE) is under secure/lib/libcrypt.

Kris

From owner-freebsd-security Thu Aug 2 15:11:17 2001
From: Krzysztof Zaraska
To: Vlad
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: weird packets.. anyone?
Date: Thu, 2 Aug 2001 23:48:39 +0200 (CEST)
In-Reply-To: <20010802164110.A64693@tmd.df.ru>

On Thu, 2 Aug 2001, Vlad wrote:
> I've got this today in my logs:
>
> Aug 2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 IN
> Aug 2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len
> 20 96
>
> and connection to 138.
>
> each of connection was followed by the following entries in the log:
>
> Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53

I had almost the same signature today.
Weird packets attempted to leave the internal network having a spoofed IP source address but were dropped by the firewall, so no DNS-related traffic was triggered. Anyhow my logs show:

first series of
0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
(looks like BOOTP)

then
169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
alternating, then a long series of
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
(please note same subnet numbers as in the letter above!)

once immediately after BOOTP-like packets I got:
169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
(multicast ?!)

First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 - 13:29, second series at 13:31, third at 13:35.

That looks like a DDOS attempt but I don't like two things:
1 - too few packets to 169.254.255.255
2 - I don't know what could have triggered it since no traffic is allowed inside the network (stateful firewalling).

169.254.0.0 is assigned to IANA according to ARIN WHOIS.

From owner-freebsd-security Thu Aug 2 16:02:34 2001
From: Greg White
To: FreeBSD Security
Subject: Re: weird packets.. anyone?
Date: Thu, 2 Aug 2001 16:03:30 -0700
Message-ID: <20010802160330.R19198@greg.cex.ca>
In-Reply-To: <20010802164110.A64693@tmd.df.ru>

On Thu, Aug 02, 2001 at 04:41:10PM -0400, Vlad wrote:
> I've got this today in my logs:
>
> Aug 2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 IN
> Aug 2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len
> 20 96

Looks like totally normal broadcasty traffic for a cable modem setup (and based on your supplied addresses, that's what you have, right?). The first looks like a normal host-broadcast request for DHCP/BOOTP -- you'll see a lot of this if your local cable segment is busy. See below for how I handle this on my cable connection. The second appears to be a broadcast NetBIOS-NS request from a DHCP client who did not receive an address. 169.254.0.0/16 is reserved for clients in that state. It has an RFC associated with it, ISTR, but can't recall which one at this point.

>
> and connection to 138.

You mean your machine accepted a connection on NetBIOS-dgm? That's odd. :) Or do you mean attempts? I simply drop all tcp and udp >134 <140 and ignore them. Windows machines generate this crap all day long.
>
> each of connection was followed by the following entries in the log:
>
> Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53
> Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1934 from 24.2.9.33:53
> Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1940 from 24.2.9.33:53
> Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1939 from 24.2.9.35:53
> Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1942 from 24.2.9.33:53
> Aug 2 13:33:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1941 from 24.2.9.35:53
> Aug 2 13:34:06 tmd /kernel: Connection attempt to UDP 24.43.202.10:1943 from 24.2.9.35:53
> Aug 2 13:34:09 tmd /kernel: Connection attempt to UDP 24.43.202.10:1944 from 24.2.9.33:53
> Aug 2 13:34:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1945 from 24.2.9.35:53
> Aug 2 13:34:52 tmd /kernel: Connection attempt to UDP 24.43.202.10:1950 from 24.2.9.33:53
> Aug 2 13:35:00 tmd /kernel: Connection attempt to UDP 24.43.202.10:1952 from 24.2.9.33:53
> Aug 2 13:35:00 tmd /kernel: Connection attempt to UDP 24.43.202.10:1951 from 24.2.9.35:53
> Aug 2 13:35:09 tmd /kernel: Connection attempt to UDP 24.43.202.10:1954 from 24.2.9.33:53
> Aug 2 13:35:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1953 from 24.2.9.35:53
> Aug 2 13:35:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1955 from 24.2.9.35:53
> Aug 2 13:35:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1956 from 24.2.9.33:53
>
> and then repeated..
>
> 24.32.202.10 - my ip
> 24.2.9.33 - primary DNS of my ISP

If you meant 24.2.9.35 right above this, then that does look just like normal DNS traffic to me -- either keep state on all your outbound DNS requests, or allow this server to talk to you from UDP 53 - UDP ephemeral (>1024). If you meant .33, then it seems likely that someone is attempting to spoof UDP traffic through your packet filters.

My recommendations:

1. Drop all traffic not destined to your IP (or subnet, if you have one) as soon as possible. If you need DHCP, set specific rules to allow only your provider's DHCP in -- if necessary, drop filters and sniff a session, or log everything for a little bit to find out which. You'll need to rewrite your filter rules if your provider changes DHCP servers, but IMHO it's more secure that way. Then, make a rule that drops everything not headed directly for you into the bitbucket.

2. Ignore _any and all_ NetBIOS traffic. See above for ports, etc.

3. Use stateful filtering whenever possible. If you're feeling adventurous, and have time on your hands, control the traffic as it leaves your network, rather than trying to filter the replies, and just keep state on everything you allow. If you're _sure_ that any traffic you generate must be legit, just keep state on outbound UDP and TCP SYNs.

4. Now you should be able to log everything else, with some exceptions. Many cable providers try to stuff routing information down your throat, and you may have some twit constantly poking a service you don't run, like RPC/Portmap. Deny this kind of crap and don't log it.

5. Log everything else.

Hope this helps,
GW
--
Greg White

From owner-freebsd-security Thu Aug 2 16:04:54 2001
From: "Jeroen Massar"
To: "'Krzysztof Zaraska'", "'Vlad'"
Subject: RE: weird packets.. anyone?
Date: Fri, 3 Aug 2001 01:04:05 +0200
Organization: Unfix
Message-ID: <003c01c11ba7$6de9ece0$420d640a@HELL>

Krzysztof Zaraska wrote:
> On Thu, 2 Aug 2001, Vlad wrote:
>
> > I've got this today in my logs:
>
> first series of
> 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328
> (looks like BOOTP)
>
> then
> 169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
> 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
> alternating, then a long series of
> 169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78
> (please note same subnet numbers as in the letter above!)
>
> once immediately after BOOTP-like packets I got:
> 169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0
> (multicast ?!)
>
> First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 -
> 13:29, second series at 13:31, third at 13:35.
>
> That looks like a DDOS attempt but I don't like two things:
> 1 - too few packets to 169.254.255.255
> 2 - I don't know what could have triggered it since no
> traffic is allowed
> inside the network (stateful firewalling).
>
> 169.254.0.0 is assigned to IANA according to ARIN WHOIS.

And is also used by Windows 9x and 2k when they can't get an IP from a dhcp server (that's your BOOTP alike thingy). And the tries to broadcast together with port 138/137 indicate samba....

There you go, at least...
With a 99% probability factor

Greets,
Jeroen

From owner-freebsd-security Thu Aug 2 16:42:51 2001
From: Fre nights for you.
Subject: You have WON your FREE nights!!!
Date: Thu, 2 Aug 2001 18:41:26 +0100
Message-Id: <200108021825.23w9r9A@www.elrancho.com.mx>

=0D=0A=20=20=20= =20=20=20=20=20=20=20Es=0D=0A=20=20=20=20=20=20=20=20=20=20en=20serio=20!!=

=0D=0A=20=20=20=20=20=20=20=20=20=20Paga=0D=0A=20=20=20=20=20=20=20=20=20=201=20noche=20y=20te=20llev= as=20otra=20totalmente=20GRATIS!!

=0D=0A=20=20=20=20=20=20= =20=20=20=20Esta=0D=0A=20=20=20=20=20=20=20=20=20=20oportunidad=20se=20da=20= s=F3lo=20a=20personas=20muy=20selectas,=20asi=20que=20aproveche=0D=0A=20= =20=20=20=20=20=20=20=20=20esta=20=FAnica=20oferta.  =20Jam=E1= s=20vera=20una=20oferta=20igual=20en=20lo=20que=0D=0A=20=20=20=20=20=20= =20=20=20=20a=20alojamiento=20se=20refiere. =20Sus=20pr=F3ximas=20= vacaciones=20por=20la=20mitad=0D=0A=20=20=20=20=20=20=20=20=20=20de=20p= recio!!

=0D=0A=20=20=20=20=20=20=20=20=20=20Por=0D=0A=20=20=20=20=20= =20=20=20=20=20qu=E9=20no=20tomar=20un=20descansito=20en=20las=20maravi= llosas=20playas=20de=20Mazatl=E1n,=0D=0A=20=20=20=20=20=20=20=20=20=20M= =E9xico. =20Esta=20es=20su=20oportunidad. =20H=E1gala=20posib= le=20por=20usted.

=0D=0A=20=20=20=20=20=20=20=20=20=20 

=0D=0A=20=20=20=20=20=20=20=20= =20=20Es=0D=0A=20=20=20=20=20=20=20=20=20=20m=E1s,=20si=20usted=20hace=20u= so=20de=20esta=20incre=EDble=20oportunidad,=20adem=E1s=20le=0D=0A=20=20= =20=20=20=20=20=20=20=20regalo=20un=2020%=20de=20descuento=20en=20al= imentos=20y=20bebidas=20en=20nuestro=0D=0A=20=20=20=20=20=20=20=20=20= =20restaurante. =20Los=20sabores=20delicios=20que=20probara=20ah=ED= ,=20ser=E1n=0D=0A=20=20=20=20=20=20=20=20=20=20inolvidables,=20cr=E9ame= !

=0D=0A=20=20=20=20=20=20=20=20=20=20 

=0D=0A=20=20=20=20=20=20=20=20=20=20Para=0D=0A=20=20= =20=20=20=20=20=20=20=20m=E1s=20informaci=F3n,=20le=20mando=20nuestras=20= direcciones=20electr=F3nicas,=20s=F3lo=0D=0A=20=20=20=20=20=20=20=20=20= =20en=20el=20caso=20de=20que=20se=20interese=20por=20la=20oferta=20que=20= le=20he=20hecho.

=0D=0A=20=20=20=20=20=20=20=20=20=20 

=0D=0A=20=20=20=20=20=20=20=20= =20=20Si=0D=0A=20=20=20=20=20=20=20=20=20=20quiere=20usar=20el=20beneficio= ,=20por=20favor=20indique=20el=20codigo=20que=20sigue=20para=0D=0A=20=20= =20=20=20=20=20=20=20=20hacer=20v=E1lida=20esta=20oferta:

=0D= =0A=20=20=20=20=20=20=20=20=20=20<= font=20=0D=0Asize=3D"2">fRpromo0802

=0D=0A=20=20=20=20=0D=0A=20=20=20=20=20=20=20=20Vigencia=20de=20la=20promoci=F3n:=20de=20Agosto=0D=0A=20=20=20=20=20= =20=20=2015=20a=20Diciembre=2015=20del=202001;=20se=20excluye=20la=20se= mana=20de=20Thanksgiving=20(Festividad=0D=0A=20=20=20=20=20=20=20=20en=20= EE.UU.)

=0D=0A=20=20=20=20=20=20
=0D=0A=20=20=20=20= =20=20=20=20=20=20Web=20Sites:
=0D=0A=20=20=20=20=20=20=20=20=20=20ww= w.elrancho.com.mx

=0D=0A=20=20=20=20=20=20=20=20=20= =20www.elranchovillas.com<= /p>=0D=0A=20=20=20=20=20=20=20=20=20=20e-mail:
=0D=0A=20=20=20=20=20= =20=20=20=20=20info@elrancho.com.mx=0D=0A=20=20=20= =20=20=20=20=20= =0D=0A=20=20=20=20=20=20=20=20=20=20=0D=0A=20=20=20=20=20=20=20=20=20=20= =0D=0A=20=20=20=20=20=20=20=20=20= =20=0D=0A=20=20=20=20=20=20=20=20= =20=20=0D=0A=20=20=20=20=0D=0A=20=20=20=20=20=20=20=20=20=20Reservaciones:
=0D=0A=20=20=20=20=20= =20=20=20=20=20Tel:=20(1)716-0606
=0D=0A=20=20=20=20=20=20=20=20=20=20= Fax: =20(1)716-9777
=0D=0A=20=20=20=20=20=20=20=20=20=20= =0D=0A=20=20=20=20=20=20=20=20=20=20M=E9xico:
=0D=0A=20=20=20=20=20=20=20=20= =20=2001-800-717-1991
=0D=0A=20=20=20=20=20=20=20=20=20=20=0D= =0A=20=20=20=20=20=20=20=20=20=20US=20&=20Canada:
=0D=0A=20=20=20=20=20=20=20= =20=20=20
1-888-596-5760=0D=0A=20=20=20=20=20=20=0D= =0A=20=20=20=20=20=20=0D=0A=20=20=20=20<= font=20size=3D"1">Para=20ser=20removido=20de=20nuestra=20lista=20de=0D=0A= =20=20=20=20correo,=20por=20favor=20env=EDenos=20un=20email=20en=20blan= co=20a=20la=20siguiente=20direcci=F3n=0D=0A=20=20=20=20electr=F3nica=20= :=20promo@elrancho.com.mx,=0D=0A=20=20=20=20con=20la=20palabra=20REMOVE=20en=20la=20linea=20de=20= Asunto=20(subject).

From owner-freebsd-security Thu Aug 2 19:13:17 2001
From: Shawn Lussier
To: Kirill Jezduke
Subject: Re: ipfw + QOS
Date: Thu, 2 Aug 2001 22:11:47 -0400 (EDT)
Message-ID: <20010802220354.M81192-100000@alpha.focalnetworks.net>
In-Reply-To: <20010803000550.V42633-100000@mail.tavrida.net>

On Fri, 3 Aug 2001, Kirill Jezduke wrote:

> Excuse me, but I don't understand how to determine the minimum bandwidth
> for user.
>
> Example:
> total bandwidth = 256Kb/sec. Interface ed0.
> IP (10.0.0.1) - minimum 128Kb/sec, maximum 256Kb/sec.
> IP (All others) - minimum 0Kb/sec, maximum 256Kb/sec
>
> Can you show me a ipfw-rules to do this?

While I haven't setup something similar to this scenario, I am fairly
certain that it is possible. You can use weighted queueing to give traffic
priority to 10.0.0.1 before 'all others' (I hope :)). From the 'ipfw'
manpage:

    weight weight
        Specifies the weight to be used for flows matching this queue.
        The weight must be in the range 1..100, and defaults to 1.
Again, I've never setup minimums and weighted queueing using ipfw, so I
can't say for certain whether it is possible, nor give concrete examples of
how it might be implemented.

-Shawn

From owner-freebsd-security Thu Aug 2 19:31:05 2001
From: Mark.Andrews@nominum.com
To: Aaron Bush
Cc: freebsd-security@freebsd.org
Subject: Re: named exited on signal 6?
Date: Fri, 03 Aug 2001 12:30:46 +1000
Message-Id: <200108030230.f732Uku45820@drugs.dv.isc.org>
In-reply-to: Your message of "Thu, 02 Aug 2001 11:48:48 -0400." <3B697660.2B771FF5@mail.microcenter.com>

> Mark.Andrews@nominum.com wrote:
> >
> > > In my system messages i have the following entry:
> > > Jul 28 12:37:30 tosh /kernel: pid 165 (named), uid 53: exited on signal
> > > 6
> >
> > Signal 6 is ABRT which means named killed itself. There should
> > be a log message associated with the action.
>
> The only log message was the one from above.
> Would named log messages to another location or facility when it is
> running in a sandbox?
>
> -ab

Named will log where you tell it to. By default it will use syslog,
however you can configure it to write the logs to files. Whether those
syslog messages get through depends upon how syslogd is set up, which
really is a bug in the syslog system.
Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: Mark.Andrews@nominum.com

From owner-freebsd-security Thu Aug 2 21:00:29 2001
From: Kris Kennaway
To: Holtor
Cc: security@FreeBSD.ORG
Subject: Re: md5?
Date: Thu, 2 Aug 2001 21:00:23 -0700
Message-ID: <20010802210023.A10332@citusc17.usc.edu>
References: <20010802165449.F9551-100000@mail.wlcg.com> <20010802212432.81118.qmail@web11602.mail.yahoo.com>
In-Reply-To: <20010802212432.81118.qmail@web11602.mail.yahoo.com>; from holtor@yahoo.com on Thu, Aug 02, 2001 at 02:24:32PM -0700

On Thu, Aug 02, 2001 at 02:24:32PM -0700, Holtor wrote:
> You guys seem to miss my point.. This is what I did
> back several months ago. And I had:
> NODESCRYPTLINKS=true in /etc/make.conf so when make
> world went through it didn't demolish my links. Now it
> appears as if that option does nothing. After looking
> in /usr/lib there are not any symlinks at all anymore.
> They are actual libraries in place of where links to
> libscrypt and libdescrypt could go.
> That's what's
> confused me, something recently - within the past week
> perhaps has changed.

Yes, there are no longer two separate libraries. You control which of MD5
or DES passwords you get via the login.conf capability, and whether or not
you install the crypto sources (or binaries built from them). i.e. you
still need to install the crypto code to get DES passwords, but whether or
not you do you still get only one libcrypt, not a symlink pointing to one
of two locations.

The ability to select MD5/DES in login.conf was added in 4.2 or 4.3 -- you
no longer need to play games with symlinks and any documentation which
tells you to do so is out of date.

Kris

From owner-freebsd-security Thu Aug 2 21:01:59 2001
From: Kris Kennaway
To: Hank Wethington
Cc: Kris Kennaway, security-officer@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: OpenSSL patch applied and now locked out of machine.
Date: Thu, 2 Aug 2001 21:01:37 -0700
Message-ID: <20010802210137.B10332@citusc17.usc.edu>
References: <20010730183039.A65218@xor.obsecurity.org>
In-Reply-To: from bsd@info-logix.com on Thu, Aug 02, 2001 at 02:34:58PM -0700

On Thu, Aug 02, 2001 at 02:34:58PM -0700, Hank Wethington wrote:
> After driving the 3 hours to get to the box, I found I could log in
> locally as root, but not as the admin user I have set up.

Presumably your root user has an MD5 password (something like
"$1$sdflj$khasjkldfh") which doesn't need DES libs present to
authenticate.

Kris

From owner-freebsd-security Thu Aug 2 21:13:29 2001
From: Holtor
Subject: Re: md5?
Date: Thu, 2 Aug 2001 21:13:24 -0700 (PDT)
Message-ID: <20010803041324.48700.qmail@web11601.mail.yahoo.com>
To: Kris Kennaway
Cc: security@FreeBSD.ORG
In-Reply-To: <20010802210023.A10332@citusc17.usc.edu>

Kris,

So how does one make adduser generate a MD5 password instead of DES? I've
got passwd_format=md5 in my login.conf and ran that cap_mkdb command on it
and it still generates DES. This seems to be the only issue I see -- a
problem with adduser perhaps?

Holt

--- Kris Kennaway wrote:
> On Thu, Aug 02, 2001 at 02:24:32PM -0700, Holtor wrote:
> > You guys seem to miss my point.. This is what I did
> > back several months ago. And I had:
> > NODESCRYPTLINKS=true in /etc/make.conf so when make
> > world went through it didn't demolish my links. Now it
> > appears as if that option does nothing. After looking
> > in /usr/lib there are not any symlinks at all anymore.
> > They are actual libraries in place of where links to
> > libscrypt and libdescrypt could go. That's what's
> > confused me, something recently - within the past week
> > perhaps has changed.
>
> Yes, there are no longer two separate libraries. You control which of
> MD5 or DES passwords you get via the login.conf capability, and
> whether or not you install the crypto sources (or binaries built from
> them). i.e. you still need to install the crypto code to get DES
> passwords, but whether or not you do you still get only one libcrypt,
> not a symlink pointing to one of two locations.
>
> The ability to select MD5/DES in login.conf was added in 4.2 or 4.3 --
> you no longer need to play games with symlinks and any documentation
> which tells you to do so is out of date.
>
> Kris
>
> ATTACHMENT part 2 application/pgp-signature
From owner-freebsd-security Fri Aug 3 0:42:17 2001
From: "ouyang kai"
Subject: Howto manage the cvs users
Date: Fri, 3 Aug 2001 15:28:51 +0800

Hi, Everybody,

I setup a CVS Server for the programmers. Now, I have a question about how
to manage the programmers' privilege. Such as John and Mike could read each
other's source code. But, John couldn't modify Mike's code, the same as
Mike. How can I do this?

Thanks!
From owner-freebsd-security Fri Aug 3 1:10:18 2001
From: Vadim Gelesev
To: Holtor
Cc: security@FreeBSD.ORG
Subject: Re: md5?
Date: Fri, 3 Aug 2001 11:10:05 +0300
Message-ID: <20010803111005.K376@fire.gu.net>
In-Reply-To: <20010802203203.70517.qmail@web11605.mail.yahoo.com>

Hi Holtor!

> Hi All,
>
> How do I make my system use MD5 by default when
> adding users? I had this in my /etc/make.conf
> NODESCRYPTLINKS=true

Sorry for my English.... It's quite simple! I have FreeBSD release 4.3.
I've written a small patch for /usr/sbin/adduser which changes the
behaviour of password generation from des to md5. Here it is!

--- /usr/sbin/adduser.orig Wed May 23 14:36:43 2001
+++ /usr/sbin/adduser Wed May 23 14:24:14 2001
@@ -791,7 +791,8 @@ $salt .= $itoa64[$rand & $#itoa64]; } warn "Salt is: $salt\n" if $verbose > 1; - + $salt = "\$1\$$salt\$"; + return $salt; }

--
Vadim Gelesev
VAG25-RIPE VAG1-UANIC
ISP Global Ukraine

From owner-freebsd-security Fri Aug 3 7:41:27 2001
Date: Fri, 3 Aug 2001 10:41:19 -0400 (EDT)
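Review bot: the hunk unconditionally rewrites the salt as "$1$<salt>$", so adduser always produces MD5 hashes regardless of the passwd_format capability in login.conf that Kris Kennaway's reply earlier in this thread names as the supported selector on 4.2/4.3; prefixing only when md5 is configured would keep the two in agreement, and as a local edit to /usr/sbin/adduser the change is also lost on the next installworld. The added `return $salt;` makes the sub's return value explicit where the original simply fell off the end after the `warn`; confirm that every caller takes the salt from that return value rather than from $salt directly, or the "$1$" prefix will not reach them.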
From: Matt Piechota
To: ouyang kai
Subject: Re: Howto manage the cvs users
Message-ID: <20010803103812.W13517-100000@cithaeron.argolis.org>

On Fri, 3 Aug 2001, ouyang kai wrote:

> Hi,
> Everybody, I setup a CVS Server for the programmers.
> Now, I have a question about how to manage the programmers'
> privilege. Such as John and Mike could read each other's source code.
> But, John couldn't modify Mike's code, the same as Mike. How can I do this?
> Thanks!

CVS obeys the standard UNIX permissions, so as long as John and Mike are in
the same group (or if the source directory is world readable), they can
read each other's code. Unless you make the stuff group (or world)
writable, neither can modify the other's directory.

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Fri Aug 3 8:19:02 2001
Message-ID: <004101c11c2f$9ee4cd00$2801010a@fdma.com>
From: "Michael Scheidell"
References: <20010802144121.A11210@heresy.xs4nobody.nl> <20010802093505.Q61813-100000@mohegan.mohawk.net> <20010802162508.B11445@heresy.xs4nobody.nl>
Subject: Re: pam session failing
Date: Fri, 3 Aug 2001 11:18:59 -0400
Organization: Florida Datamation, Inc.

----- Original Message -----
From: "Bart Matthaei"
Newsgroups: local.freebsd.security
Sent: Thursday, August 02, 2001 2:20 PM
Subject: Re: pam session failing

> Did you look in /usr/src/UPDATING ? There might be a few lines you wanna
> add to your pam.config for sshd.
> It's documented in /usr/src/UPDATING.

I was having the same problem with rlogin on 4.3-stable. Looked in
UPDATING, copied over the sample file as suggested, same thing.

Found a LARGER version of pam_unix.so in /usr/src/obj (somewhere), copied
it over and no more problems (don't know why update/install didn't do it
for me, but then again, lots of things don't do it for me).

From owner-freebsd-security Fri Aug 3 19:30:10 2001
Date: Sat, 4 Aug 2001 10:30:12 +0800
From: Igor Podlesny
Organization: Morning Network
Message-ID: <15963958557.20010804103012@morning.ru>
To: Kris Kennaway
Cc: Paulo Fragoso, security@FreeBSD.ORG
Subject: Re[2]: SSHD in JAIL
In-Reply-To: <20010731183530.A40773@xor.obsecurity.org>
References: <20010731141613.A37314@xor.obsecurity.org> <20010731183006.T5827-100000@mirage.nlink.com.br> <20010731183530.A40773@xor.obsecurity.org>

> On Tue, Jul 31, 2001 at 06:35:28PM -0300, Paulo Fragoso wrote:
>> On Tue, 31 Jul 2001, Kris Kennaway wrote:
>>
>> > On Tue, Jul 31, 2001 at 05:53:21PM -0300, Paulo Fragoso wrote:
>> > > Hi,
>> > >
>> > > We are making a jail using FBSD 4.3-RELEASE but in the jail sshd can't
>> > > start:
>> > >
>> > > ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
>> > >
>> > > How can we buildworld with RSA support in libssl or libcrypto?
>> >
>> > The error message really means "I can't find /dev/urandom" :-)
>>
>> How can we start sshd in the jail using a jail directory mounted with nodev?

Let me ask what is the purpose of nodev in your situation?

I suggest using devfs(5) mounted inside your jail dir (not sure, though,
how about urandom there, but think it should be okay)... seems it will
solve the problem. At least there is a hope there ;)

> You can't: it needs /dev/urandom.
> Kris

--
Igor
mailto:poige@morning.ru
http://www.morning.ru/~poige

From owner-freebsd-security Sat Aug 4 0:07:51 2001
Date: Sat, 4 Aug 2001 09:07:37 +0200
From: Clemens Hermann
To: FreeBSD security ML
Subject: harden FreeBSD
Message-ID: <20010804090737.A1037@homer.local>
X-Mailer: Mutt 1.2.5i (FreeBSD 4.3-RELEASE i386)
Organization: Linuxlupe InternetSolutions

Hi,

for a bastion host I want to harden FreeBSD 4.3. I got some hints like
disabling gcc, mounting filesystems RO etc. Are there any docs available
that deal with the subject?

tia

/ch
--
"Contrary to popular belief, Unix is user friendly. It just happens to be
selective about who it makes friends with."

From owner-freebsd-security Sat Aug 4 2:36:34 2001
From: Douglas Carmichael
Message-Id: <200108040928.f749SH400571@nightfly.ourservers.net>
Subject: Can't access the Internet from behind a 192.168.1.x net using natd
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Date: Sat, 4 Aug 2001 04:28:17 -0500 (CDT)
Reply-To: dcarmich@ourservers.net

Version: 4.3-RELEASE

Scenario:

tun0 - user-PPP based connection via a modem, IP: 205.253.153.129
xl0 - local Ethernet, IP: 192.168.1.1 (client IP: 192.168.1.2)

I bring up the PPP interface with ppp -auto xnet (my system name in
/etc/ppp/ppp.conf) and I can access the net both locally from the FreeBSD
system and from my Ethernet-attached client after a 'nat enable yes'
command.

However, even if I dial from the ppp command prompt and _then_ start natd
(i.e. 'natd -dynamic -interface tun0 -unregistered_only'), no packets go
across the external interface.

Here's one set of firewall rules I tried:

# Simple stateful network firewall rules for IPFW with NAT v. 1.01
# See bottom of file for instructions and description of rules
# Created 20001206206 by Peter Brezny, pbrezny@purplecat.net (with a great
# deal of help from freebsd-security@freebsd.org). Specific questions
# about the use of ipfw should be directed to freebsd-ipfw@freebsd.org or
# more general security questions to freebsd-security@freebsd.org.
# Use this script at your own risk.
#
# if you don't know the a.b.c.0/xx notation for ip networks the ipsubnet
# calculator can help you.
# /usr/ports/net/ipsc-0.4.2
#
###########################
#
# Brief Installation instructions
#
# Name this script /etc/rc.firewall.current
# Edit /etc/rc.conf to include
# gateway_enable="YES"
# firewall_enable="YES"
# firewall_script="/etc/rc.firewall.current"
# natd_enable="YES"
# natd_interface="***" #replace with your external ifX
# natd_flags="-dynamic"
# Make sure your kernel is configured to handle ipfw and natd
# See the FreeBSD handbook on how to do this.
#
############################
#
# Define your variables
#
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="tun0" #set to outside interface name
oip="205.253.153.129" #set to outside ip address
iif="xl0" #set to internal interface name
inwr="192.168.1.0/24" #set to internal network range
iip="192.168.1.1" #set to internal ip address
ns1="198.147.221.34" #set to primary name server best if = oif
#ntp="i.j.k.l" #set to ip of NTP server or leave as is
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif # # Stop draft-manning-dsua-01.txt nets on the outside interface $fwcmd add deny all from 0.0.0.0/8 to any in via $oif $fwcmd add deny all from 169.254.0.0/16 to any in via $oif $fwcmd add deny all from 192.0.2.0/24 to any in via $oif $fwcmd add deny all from 224.0.0.0/4 to any in via $oif $fwcmd add deny all from 240.0.0.0/4 to any in via $oif $fwcmd add deny all from any to 0.0.0.0/8 in via $oif $fwcmd add deny all from any to 169.254.0.0/16 in via $oif $fwcmd add deny all from any to 192.0.2.0/24 in via $oif $fwcmd add deny all from any to 224.0.0.0/4 in via $oif $fwcmd add deny all from any to 240.0.0.0/4 in via $oif # # Divert all packets through natd $fwcmd add divert natd all from any to any via $oif # # Allow all established connections to persist (setup required # for new connections). $fwcmd add allow tcp from any to any established # # Allow incoming requests to reach the following services: # To allow multiple services you may list them separated # by a coma, for example ...to $oip 22,25,110,80 setup $fwcmd add allow tcp from any to $oip 22 setup # # NOTE: you may have to change your client to passive or active mode # to get ftp to work once enabled, only ssh enabled by default. # 21:ftp # 22:ssh enabled by default # 23:telnet # 25:smtp # 110:pop # 143:imap # 80:http # 443:ssl # # Allow icmp packets for diagnostic purposes (ping traceroute) # you may wish to leave commented out. # $fwcmd add allow icmp from any to any # # Allow required ICMP $fwcmd add allow icmp from any to any icmptypes 3,4,11,12 # # Allow DNS traffic from internet to query your DNS (for reverse # lookups etc). 
$fwcmd add allow udp from any 53 to $ns1 53 # # Allow time update traffic # $fwcmd add allow udp from $ntp 123 to $oip 123 # # Checks packets against dynamic rule set below. $fwcmd add check-state # # Allow any traffic from firewall ip to any going out the # external interface $fwcmd add allow ip from $oip to any keep-state out via $oif # # Allow any traffic from local network to any passing through the # internal interface $fwcmd add allow ip from $inwr to any keep-state via $iif # # Deny everything else $fwcmd add 65435 deny log ip from any to any # ##################################################### # # End firewall script. I also tried the 'client' set of rules from the default /etc/rc.firewall: ############ # This is a prototype setup that will protect your system somewhat # against people from outside your own network. ############ # set these to your network and netmask and ip net="192.168.1.0" mask="255.255.255.0" ip="192.168.1.1" # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} ${fwcmd} add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag # Allow setup of incoming email ${fwcmd} add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only ${fwcmd} add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world ${fwcmd} add pass udp from ${ip} to any 53 keep-state # Allow NTP queries out in the world ${fwcmd} add pass udp from ${ip} to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. ;; None of them worked. What could be the problem? Any comments are welcome. 
PS: When I tried just using 'nat enable yes' and doing packet filtering with the 'set filter' commands, the filtering did not have any effect. (i.e. I could still telnet out even after filtering TCP port 23.) Any ideas? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Aug 4 2:41: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from dialup.ptt.ru (dialup.ptt.ru [195.34.0.100]) by hub.freebsd.org (Postfix) with SMTP id 3D17F37B403 for ; Sat, 4 Aug 2001 02:41:06 -0700 (PDT) (envelope-from void@void.ru) Received: (qmail 52589 invoked from network); 4 Aug 2001 09:49:40 -0000 Received: from unknown (HELO DUKE?NOTER) (195.42.77.50) by 0 with SMTP; 4 Aug 2001 09:49:40 -0000 Date: Sat, 4 Aug 2001 13:31:13 +0400 
From: void@void.ru
Message-ID: <14023265198.20010804133113@void.ru>
To: Douglas Carmichael
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Can't access the Internet from behind a 192.168.1.x net using natd
In-Reply-To: <200108040928.f749SH400571@nightfly.ourservers.net>

sysctl -w net.inet.ip.forwarding=1

.d

From owner-freebsd-security Sat Aug 4 04:21:00 2001
Message-ID: <010f01c11cd7$72db3700$231fa8c0@kruijff>
From: "Alfatrion"
References: <200108040928.f749SH400571@nightfly.ourservers.net>
Subject: Re: Can't access the Internet from behind a 192.168.1.x net using natd
Date: Sat, 4 Aug 2001 13:20:15 +0200

Try solving your problem in a couple of small steps instead of one large one.

1) Just focus on the connection to the internet from your FreeBSD (router)
   computer without a firewall.
2) If that works, focus on the computer behind your router.
3) Focus on your firewall.

This way it's much easier to spot the problem.

It would also help to get two network cards instead of one. It simplifies
the whole.

Alex

P.S. I don't fully understand your problem and have

----- Original Message -----
> From: "Douglas Carmichael"
> Sent: Saturday, August 04, 2001 11:28 AM
> Subject: Can't access the Internet from behind a 192.168.1.x net using natd
>
> Version: 4.3-RELEASE
> Scenario:
>
> tun0 - user-PPP based connection via a modem, IP: 205.253.153.129
> xl0 - local Ethernet, IP: 192.168.1.1 (client IP: 192.168.1.2)
>
> I bring up the PPP interface with ppp -auto xnet (my system name in
> /etc/ppp/ppp.conf) and I can access the net both locally from the FreeBSD
> system and from my Ethernet-attached client after a 'nat enable yes'
> command. However, even if I dial from the ppp command prompt and _then_
> start natd (i.e. 'natd -dynamic -interface tun0 -unregistered_only'), no
> packets go across the external interface.
>
> Here's one set of firewall rules I tried:
> [...]
>
> I also tried the 'client' set of rules from the default /etc/rc.firewall:
> [...]
>
> None of them worked.
>
> What could be the problem? Any comments are welcome.
>
> PS: When I tried just using 'nat enable yes' and doing packet filtering
> with the 'set filter' commands, the filtering did not have any effect.
> (i.e. I could still telnet out even after filtering TCP port 23.)
> Any ideas?

From owner-freebsd-security Sat Aug 4 04:38:33 2001
Message-ID: <20010804113830.8139.qmail@web4504.mail.yahoo.com>
Date: Sat, 4 Aug 2001 04:38:30 -0700 (PDT)
From: Jon
Reply-To: cykyc@yahoo.com
Subject: Re: harden FreeBSD
To: FreeBSD security ML
In-Reply-To: <20010804090737.A1037@homer.local>

Matt Dillon and Aeon Flux (I thought her show got cancelled :) both have
security-centric articles on Daemon News. Here they are respectively:

http://www.daemonnews.org/200108/security_overview.html
http://www.daemonnews.org/200108/security-howto.html

The FreeBSD home page also obviously has some good stuff (archived mailing
lists for one), and they do reference many other resources.

Jon

--- Clemens Hermann wrote:
> Hi,
>
> for a bastion host I want to harden FreeBSD 4.3. I got some hints
> like disabling gcc, mounting filesystems RO etc. Are there any docs
> available that deal with the subject?
>
> tia
>
> /ch
>
> --
> "Contrary to popular belief, Unix is user friendly.
> It just happens to be selective about who it makes friends with."

From owner-freebsd-security Sat Aug 4 06:43:04 2001
Date: Sat, 4 Aug 2001 16:41:34 +0300
From: Peter Pentchev
To: Michael Scheidell
Cc: freebsd-security@freebsd.org
Subject: Re: pam session failing
Message-ID: <20010804164134.A2162@ringworld.oblivion.bg>
References: <20010802144121.A11210@heresy.xs4nobody.nl> <20010802093505.Q61813-100000@mohegan.mohawk.net> <20010802162508.B11445@heresy.xs4nobody.nl> <004101c11c2f$9ee4cd00$2801010a@fdma.com>
In-Reply-To: <004101c11c2f$9ee4cd00$2801010a@fdma.com>; from scheidell@fdma.com on Fri, Aug 03, 2001 at 11:18:59AM -0400

On Fri, Aug 03, 2001 at 11:18:59AM -0400, Michael Scheidell wrote:
>
> ----- Original Message -----
> From: "Bart Matthaei"
> Newsgroups: local.freebsd.security
> Sent: Thursday, August 02, 2001 2:20 PM
> Subject: Re: pam session failing
>
> > Did you look in /usr/src/UPDATING ? There might be a few lines you wanna
> add to your pam.config for sshd.
>
> It's documented in /usr/src/UPDATING.
>
> I was having the same problem with rlogin on 4.3-stable.
> Looked in UPDATING, copied over the sample file as suggested, same thing.
>
> Found a LARGER version of pam_unix.so in /usr/src/obj (somewhere), copied it
> over and no more problems.
> (don't know why update/install didn't do it for me, but then again, lots of
> things don't do it for me)

Does /usr/src/UPDATING not suggest running 'mergemaster', not blindly
copying files?  Have you tried running mergemaster?

G'luck,
Peter

--
This sentence contains exactly threee erors.

From owner-freebsd-security Sat Aug 4 09:13:56 2001
Date: Sat, 4 Aug 2001 12:15:14 -0400
From: Anthony Schneider
To: Clemens Hermann
Cc: FreeBSD security ML
Subject: Re: harden FreeBSD
Message-ID: <20010804121514.A60497@mail.slc.edu>
In-Reply-To: <20010804090737.A1037@homer.local>; from haribeau@gmx.de on Sat, Aug 04, 2001 at 09:07:37AM +0200

Go to oreilly.com and get "Practical UNIX and Internet Security". (or
"...Internet and UNIX...", whichever)

-Anthony.

On Sat, Aug 04, 2001 at 09:07:37AM +0200, Clemens Hermann wrote:
> Hi,
>
> for a bastion host I want to harden FreeBSD 4.3. I got some hints like
> disabling gcc, mounting filesystems RO etc. Are there any docs
> available that deal with the subject?
>
> tia
>
> /ch
>
> --
> "Contrary to popular belief, Unix is user friendly.
> It just happens to be selective about who it makes friends with."

From owner-freebsd-security Sat Aug 4 11:02:37 2001
Date: Sat, 4 Aug 2001 20:03:17 +0200
From: Artur Meski
To: freebsd-security@freebsd.org
Subject: PAM - pam_chauthtok - 'Password expiry..'
Message-ID: <20010804200317.A89175@rapid.black.pl>

When sshd is forcing a password change (after password expiry time) it floods
my logs with the following messages:

sshd[87757]: no modules loaded for `sshd' service
sshd[87757]: PAM pam_chauthtok failed[6]: Permission denied

I'm using login.conf to set the expiry time.

I don't know what to do with this bug of (my?) configuration.

Turning off password expiry time is the only workaround for me.

--
Artur Meski -> [erph@freebsd.net.pl] [http://erph.black.pl/]
[ftp://black.pl/users/erph] [info,pgp: finger erph@black.pl]
[PGP fingerprint: A66017E41F68260E3496E7466646FF455FD1B329]

From owner-freebsd-security Sat Aug 4 11:35:21 2001
Date: Sat, 4 Aug 2001 21:34:02 +0300
From: Peter Pentchev
To: Artur Meski
Cc: freebsd-security@freebsd.org
Subject: Re: PAM - pam_chauthtok - 'Password expiry..'
Message-ID: <20010804213402.A565@ringworld.oblivion.bg>
In-Reply-To: <20010804200317.A89175@rapid.black.pl>; from erph@freebsd.net.pl on Sat, Aug 04, 2001 at 08:03:17PM +0200

On Sat, Aug 04, 2001 at 08:03:17PM +0200, Artur Meski wrote:
>
> When sshd is forcing a password change (after password expiry time) it floods
> my logs with the following messages:
>
> sshd[87757]: no modules loaded for `sshd' service
> sshd[87757]: PAM pam_chauthtok failed[6]: Permission denied
>
> I'm using login.conf to set the expiry time.
>
> I don't know what to do with this bug of (my?) configuration.
>
> Turning off password expiry time is the only workaround for me.

What is the output of 'fgrep sshd /etc/pam.conf'?

G'luck,
Peter

--
What would this sentence be like if it weren't self-referential?

From owner-freebsd-security Sat Aug 4 11:38:18 2001
Date: Sat, 4 Aug 2001 20:38:53 +0200
From: Artur Meski
To: freebsd-security@freebsd.org
Subject: Re: PAM - pam_chauthtok - 'Password expiry..'
Message-ID: <20010804203853.A89377@rapid.black.pl>
In-Reply-To: <20010804213402.A565@ringworld.oblivion.bg>; from roam@ringlet.net on Sat, Aug 04, 2001 at 09:34:02PM +0300

> What is the output of 'fgrep sshd /etc/pam.conf'?

sshd    auth        sufficient  pam_skey.so
#sshd   auth        sufficient  pam_kerberosIV.so   try_first_pass
sshd    auth        required    pam_unix.so         try_first_pass
sshd    session     required    pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd   auth        required    pam_skey.so

--
Artur Meski

From owner-freebsd-security Sat Aug 4 11:53:09 2001
Date: Sat, 4 Aug 2001 21:51:36 +0300
From: Peter Pentchev
To: Artur Meski
Cc: freebsd-security@freebsd.org
Subject: Re: PAM - pam_chauthtok - 'Password expiry..'
Message-ID: <20010804215136.B565@ringworld.oblivion.bg>
In-Reply-To: <20010804203853.A89377@rapid.black.pl>; from erph@freebsd.net.pl on Sat, Aug 04, 2001 at 08:38:53PM +0200

On Sat, Aug 04, 2001 at 08:38:53PM +0200, Artur Meski wrote:
> > What is the output of 'fgrep sshd /etc/pam.conf'?
>
> sshd    auth        sufficient  pam_skey.so
> #sshd   auth        sufficient  pam_kerberosIV.so   try_first_pass
> sshd    auth        required    pam_unix.so         try_first_pass
> sshd    session     required    pam_permit.so
> # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
> csshd   auth        required    pam_skey.so

OK; can you try adding a line saying:

sshd    password    required    pam_permit.so

..and see if it works?  If it still gives the same error message, try
replacing 'password' with 'account'.  If it *still* doesn't work, that
would be weird.

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.
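The check Peter walks through above (which facilities does pam.conf define for sshd, and is the one pam_chauthtok needs among them) can be scripted. What follows is an added example written for this edit, not code from the thread or from FreeBSD: a POSIX sh/awk script that parses a 4.x-style single-file pam.conf (columns: service, facility, control, module, arguments), lists the facilities each service defines, and reports every service that has an auth stack but no password (or account) stack, which is the gap the "no modules loaded for `sshd' service" line points at. The sample pam.conf is constructed from the excerpt Artur posted, plus a hypothetical, fully populated login service for contrast. One caveat to keep in mind with the suggested fix: pam_permit.so succeeds unconditionally, so a stack consisting only of it can never reject; pam_has_permit flags such stacks so they can be reviewed deliberately.

```shell
#!/bin/sh
# Added example: inspect a 4.x-style single-file pam.conf.  Not from the
# thread; written for this edit.  Line format is
#   service  facility  control  module  [arguments]
# The sample is constructed from the excerpt posted above plus a
# hypothetical, fully populated "login" service for contrast.

SAMPLE_PAM_CONF='sshd    auth      sufficient  pam_skey.so
#sshd   auth      sufficient  pam_kerberosIV.so  try_first_pass
sshd    auth      required    pam_unix.so        try_first_pass
sshd    session   required    pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd   auth      required    pam_skey.so
login   auth      required    pam_unix.so
login   account   required    pam_unix.so
login   password  required    pam_unix.so
login   session   required    pam_permit.so'

# pam_facilities SERVICE < pam.conf : the distinct facilities configured
# for SERVICE, sorted, on one line (e.g. "auth session"); empty if none.
pam_facilities() {
    awk -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }        # comment, blank or malformed
        $1 == svc { seen[$2] = 1 }
        END { for (f in seen) print f }
    ' | sort | tr '\n' ' ' | sed 's/ $//'
}

# pam_missing FACILITY < pam.conf : every service that has an auth stack
# but no FACILITY stack, one per line, in order of first appearance.
# Empty output means nothing is missing.
pam_missing() {
    awk -v want="$1" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == "auth" && !($1 in order) { order[$1] = ++n; svc[n] = $1 }
        $2 == want { has[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (!(svc[i] in has)) print svc[i] }
    '
}

# pam_has_permit SERVICE FACILITY < pam.conf : true when SERVICE uses the
# always-succeeding pam_permit.so in FACILITY.  Such a stack never rejects,
# which is fine for "session" and worth a second look for "auth"/"account".
pam_has_permit() {
    awk -v svc="$1" -v fac="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == svc && $2 == fac && $4 == "pam_permit.so" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone demo: which services have no "password" stack and would
# therefore fail a pam_chauthtok() call?
printf '%s\n' "$SAMPLE_PAM_CONF" | pam_missing password
```

Run it against the real file with `pam_missing password < /etc/pam.conf`; on the sample it names sshd and csshd, exactly the two services the posted excerpt leaves without a password stack.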
From owner-freebsd-security Sat Aug 4 13:05:48 2001
Date: Sat, 4 Aug 2001 22:06:31 +0200
From: Artur Meski
To: freebsd-security@freebsd.org
Subject: Re: PAM - pam_chauthtok - 'Password expiry..'
Message-ID: <20010804220631.A89647@rapid.black.pl>
In-Reply-To: <20010804215136.B565@ringworld.oblivion.bg>; from roam@ringlet.net on Sat, Aug 04, 2001 at 09:51:36PM +0300

> OK; can you try adding a line saying:
> sshd    password    required    pam_permit.so

Ok, it worked, but it's the default pam.conf from src/etc/pam.conf and it
should work correctly, so it should be changed in the CVS repository I think. :)

--
Artur Meski

From owner-freebsd-security Sat Aug 4 17:11:51 2001
From: Douglas Carmichael
Message-Id: <200108050003.f7503dM00486@nightfly.ourservers.net>
Subject: natd doesn't start on boot even when added to /etc/rc.conf
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Date: Sat, 4 Aug 2001 19:03:38 -0500 (CDT)
Reply-To: dcarmich@ourservers.net

After following the instructions in the dialup firewall tutorial on
freebsd.org, I have successfully gotten my Linux system on the local
Ethernet (192.168.1.x range) to talk to the Internet through the FreeBSD
gateway. However, I have two problems:

1) natd does not start up upon rebooting the system, even though I put it
   in /etc/rc.conf.

2) With PPP enabled, I can not connect to the gateway from other systems on
   the local Ethernet (i.e. a telnet connection is successfully set up, but
   I do not see a login prompt.) However, I am running a caching DNS server
   on the machine and that can be successfully accessed from the local
   Ethernet. And, I can connect to the PPP control port (i.e. port 3000)
   successfully.

Here are my firewall rules (stored in /etc/rc.firewall.current and
executed successfully on boot):

# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Define the inside and outside interfaces
inside_if="xl0"
outside_if="tun0"

# Define the TCP ports that you wish to allow access to from the outside
outside_tcp_ports=""

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via $outside_if

# Allow all data from my network card and localhost.  Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via $inside_if

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit $outside_if setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via $outside_if established

# Open the TCP ports listed in outside_tcp_ports (above) to the outside.
if [ "$outside_tcp_ports" != "" ]; then
    for i in $outside_tcp_ports; do
        $fwcmd add allow tcp from any to any $i setup
    done
fi

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv $outside_if

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 198.147.221.34 53 out xmit $outside_if

# Allow them back in with the answers... :)
$fwcmd add allow udp from 198.147.221.34 53 to any in recv $outside_if

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

Here's my /etc/rc.conf:

# -- sysinstall generated deltas -- #
# Created: Sun Aug  5 01:45:35 2001
# Enable network daemons for user convenience.
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.current"
hostname="gateway.dcarmich.net"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0"
# User ppp configuration.
ppp_enable="YES"        # Start user-ppp (or NO).
ppp_mode="auto"         # Choice of "auto", "ddial", "direct" or "dedicated".
                        # For details see man page for ppp(8). Default is auto.
ppp_nat="NO"            # Use PPP's internal network address translation or NO.
ppp_profile="xnet"      # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root"         # Which user to run ppp as
# NAT configuration.
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
# named configuration.
named_enable="YES"
named_flags="-u bind -g bind"
inetd_enable="YES"
kern_securelevel_enable="NO"
portmap_enable="NO"
moused_enable="NO"
moused_type="NO"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"

Here's my /etc/natd.conf:

dynamic
interface tun0
use_sockets
same_ports
unregistered_only
log_denied

What could be the problem? Any comments welcome.
