From owner-freebsd-security Sun Dec 16 0: 8: 7 2001
Date: Sun, 16 Dec 2001 10:07:55 +0200
From: Paulius Bulotas
To: freebsd-security@freebsd.org
Subject: Re: okay now I am worried
Message-ID: <20011216080755.GA60984@noname>
References: <000001c184f6$133d72e0$fa01a8c0@rjstech.com> <20011214175310.D3473@blossom.cjclark.org> <20011215105636.B338@Picasso.Zahemszky.HU>
In-Reply-To: <20011215105636.B338@Picasso.Zahemszky.HU>

Hi,

On 01 12 15, Zahemszky Gábor wrote:
> 1) (from sendmail manual): uncomment the biff port in /etc/services
>    (if you didn't install any other MTA)
> 2) edit /etc/mail/sendmail.cf, and change in the Mlocal part:

in my case that was procmail, which by default compiles with COMSAT
enabled... if this is the case, just reinstall port disabling COMSAT
(cd work/procmail... and grep -ir COMSAT * and figure out correct
#define ;)

Regards,
Paulius

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 16 14:47:45 2001
Message-ID: <3C1D23FC.2010207@skynet.be>
Date: Sun, 16 Dec 2001 23:45:16 +0100
From: Raf Schietekat
Reply-To: Raf_Schietekat@ieee.org
To: Matt Piechota
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: kdm grants ordinary users root access on 4.4-R
References: <20011215132828.P59641-100000@cithaeron.argolis.org> <3C1BCE3B.4010102@skynet.be>

Raf Schietekat wrote:

> Matt Piechota wrote:
>
>> [...]
>> Strange. My kde2 (or are we talking kde1?) doesn't show this behavior.

That's probably because you configured it correctly. As I have written,
I had used xdm's Xsession for kdm's Xstartup (there was no error message
for Xsession at that point, and xdm didn't have an Xstartup, so I just
guessed... wrong, and it only seemed to work). Now I've moved it back to
Xsession and put some proper echo "#!/bin/sh" contents in Xreset and in
a new Xstartup. After that, the problem disappeared. I have reported
this on bugs.kde.org. Now I have to see about some proper documentation
about this for FreeBSD (if it exists, I missed it).

>
> >[...]

--
Raf Schietekat

From owner-freebsd-security Sun Dec 16 23:31: 8 2001
Date: Mon, 17 Dec 2001 09:31:03 +0200
From: Paulius Bulotas
To: freebsd-security@freebsd.org
Subject: options TCP_DROP_SYNFIN
Message-ID: <20011217073102.GA94480@noname>

Hello,

in LINT there is a comment for ^ option:

# TCP_DROP_SYNFIN adds support for ignoring TCP packets with
# SYN+FIN. This prevents nmap et al. from identifying the
# TCP/IP stack, but breaks support for RFC1644 extensions
# and is not recommended for web servers.

So, what's wrong, if it will be included/enabled on web server?
I've read rfc quickly, but haven't found anything that would be useful
for web servers (or that's only intended for future use?) and was really
used at this time widely.
Anyone can explain, why enabling this option is wrong on web server?

Regards,
Paulius

From owner-freebsd-security Mon Dec 17 0: 5:19 2001
Date: Mon, 17 Dec 2001 18:54:56 +1100
From: "Tim J. Robbins"
To: freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
Message-ID: <20011217185456.A34365@raven.robbins.dropbear.id.au>
References: <20011217073102.GA94480@noname>
In-Reply-To: <20011217073102.GA94480@noname>; from paulius@kaktusas.org on Mon, Dec 17, 2001 at 09:31:03AM +0200

On Mon, Dec 17, 2001 at 09:31:03AM +0200, Paulius Bulotas wrote:
> Anyone can explain, why enabling this option is wrong on web server?

T/TCP (RFC 1644) speeds up transactions by not using the standard
three-way handshake. I gather that it's more efficient if you have lots
of quick connects and disconnects as you do with HTTP when not using the
keepalive features.

Tim

From owner-freebsd-security Mon Dec 17 0:34:38 2001
Date: Mon, 17 Dec 2001 10:34:32 +0200
From: Paulius Bulotas
To: freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
Message-ID: <20011217083432.GA96883@noname>
References: <20011217073102.GA94480@noname> <20011217185456.A34365@raven.robbins.dropbear.id.au>
In-Reply-To: <20011217185456.A34365@raven.robbins.dropbear.id.au>

On 01 12 17, Tim J. Robbins wrote:
> > Anyone can explain, why enabling this option is wrong on web server?
> way handshake. I gather that it's more efficient if you have lots of
> quick connects and disconnects as you do with HTTP when not using the
> keepalive features.

Ok, so I should disable keep alive in Apache and enable SYN+FIN (disable
option ;), then I'll get faster connects.?. but how many clients (OSes)
use this rfc? None? or they should be enabled somehow?

Paulius

From owner-freebsd-security Mon Dec 17 1: 8: 6 2001
Date: Mon, 17 Dec 2001 19:54:06 +1100
From: "Tim J. Robbins"
To: freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
Message-ID: <20011217195406.A34425@raven.robbins.dropbear.id.au>
References: <20011217073102.GA94480@noname> <20011217185456.A34365@raven.robbins.dropbear.id.au> <20011217083432.GA96883@noname>
In-Reply-To: <20011217083432.GA96883@noname>; from paulius@kaktusas.org on Mon, Dec 17, 2001 at 10:34:32AM +0200

On Mon, Dec 17, 2001 at 10:34:32AM +0200, Paulius Bulotas wrote:
> Ok, so I should disable keep alive in Apache and enable SYN+FIN (disable
> option ;), then I'll get faster connects.?. but how many clients (OSes) use
> this rfc? None? or they should be enabled somehow?

There's no point changing these settings from the defaults on a web
server. Leaving HTTP keepalives enabled and T/TCP un-broken should be
more efficient than any other combination. I don't know of any clients
other than FreeBSD that have T/TCP support; to enable it,
sysctl -w net.inet.tcp.rfc1644=1 .

Tim

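Added example, not part of the thread above and not FreeBSD source: a user-space C model of the flag test the LINT comment describes, run over three constructed segments, showing that a filter keyed only on SYN+FIN cannot tell a bare flag probe from an RFC 1644 transaction that carries SYN, data and FIN in one segment. The function names, the sample bytes and the use of the CC option (kinds 11 to 13) to recognise T/TCP are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, byte 13 of the TCP header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02

enum verdict { V_MALFORMED = -1, V_PASS = 0, V_DROP_SYNFIN = 1 };

struct seg_info {
    uint16_t dport;
    uint8_t  flags;
    size_t   hdr_len, payload_len;
    int      has_cc;   /* RFC 1644 CC, CC.NEW or CC.ECHO option present */
};

/* Constructed sample segments (TCP header + payload, checksums left zero). */
static const uint8_t seg_syn[] = {      /* ordinary SYN to port 80 */
    0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const uint8_t seg_synfin[] = {   /* bare SYN+FIN, no data, no options */
    0xc0,0x01, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x03, 0xff,0xff, 0,0, 0,0 };
static const uint8_t seg_ttcp[] = {     /* T/TCP style: SYN+FIN+PSH, CC, request */
    0xc0,0x02, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x70,0x0b, 0xff,0xff, 0,0, 0,0,
    0x01,0x01, 0x0b,0x06,0,0,0,0x2a,    /* NOP NOP CC(kind 11, len 6) = 42 */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n','\r','\n' };

/* Walk the option area and report whether a T/TCP connection-count
 * option (kind 11, 12 or 13, length 6) is present. */
static int find_cc_option(const uint8_t *buf, size_t hdr_len)
{
    size_t i = 20;
    while (i < hdr_len) {
        uint8_t kind = buf[i];
        if (kind == 0) break;                  /* end of option list */
        if (kind == 1) { i++; continue; }      /* NOP padding */
        if (i + 1 >= hdr_len) break;           /* truncated option */
        uint8_t olen = buf[i + 1];
        if (olen < 2 || i + olen > hdr_len) break;
        if (kind >= 11 && kind <= 13 && olen == 6) return 1;
        i += olen;
    }
    return 0;
}

/* Parse a raw TCP segment; returns 0 on success, -1 if it is truncated
 * or its data offset is inconsistent with the buffer length. */
int parse_tcp(const uint8_t *buf, size_t len, struct seg_info *out)
{
    if (buf == NULL || len < 20) return -1;
    size_t hlen = (size_t)(buf[12] >> 4) * 4;
    if (hlen < 20 || hlen > len) return -1;
    out->dport = (uint16_t)((buf[2] << 8) | buf[3]);
    out->flags = buf[13] & 0x3f;
    out->hdr_len = hlen;
    out->payload_len = len - hlen;
    out->has_cc = find_cc_option(buf, hlen);
    return 0;
}

/* The policy from the LINT comment: ignore anything with SYN and FIN set.
 * Nothing but the two flag bits is consulted. */
enum verdict synfin_filter(const uint8_t *buf, size_t len)
{
    struct seg_info s;
    if (parse_tcp(buf, len, &s) != 0) return V_MALFORMED;
    if ((s.flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN))
        return V_DROP_SYNFIN;
    return V_PASS;
}

/* True when a segment has the shape of an RFC 1644 transaction:
 * SYN+FIN, a CC-family option and request data in the same segment. */
int is_ttcp_style(const uint8_t *buf, size_t len)
{
    struct seg_info s;
    if (parse_tcp(buf, len, &s) != 0) return 0;
    return (s.flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)
        && s.has_cc && s.payload_len > 0;
}

int main(void)
{
    static const struct { const char *name; const uint8_t *p; size_t n; } s[] = {
        { "plain SYN",     seg_syn,    sizeof seg_syn },
        { "bare SYN+FIN",  seg_synfin, sizeof seg_synfin },
        { "T/TCP request", seg_ttcp,   sizeof seg_ttcp },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-14s verdict=%d ttcp_style=%d\n", s[i].name,
               synfin_filter(s[i].p, s[i].n), is_ttcp_style(s[i].p, s[i].n));
    return 0;
}
```

Both SYN+FIN segments get the same verdict, which is the trade-off the LINT comment warns about: the fingerprinting probe is ignored, and so is the single-segment T/TCP request.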


From owner-freebsd-security Mon Dec 17 5:37:53 2001
Message-ID: <002a01c186fe$5af22b80$1506810a@asgidavid>
From: "David Rhodus"
To: "David Xu" , "Christopher Schulte"
Cc: "Landon Stewart" ,
References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn>
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Date: Mon, 17 Dec 2001 08:25:54 -0500

#!/bin/sh
# Simple shell script for md5
# Stored format - Filename MD5HASH suidbit/sgidbit
# Uses GNU md5sum; on FreeBSD, "md5 -r" prints the same hash-then-name layout.

umask 077
echo ""

errormsg()
{
    echo "Incorrect parameters!"
    echo "Please use $0 create [hashfile] to create/update a table of checksums or"
    echo "$0 check [hashfile] [current] to compare checksums."
    echo ""
    exit 1
}

# Read NUL-separated file names on stdin and print one line per file:
# name, MD5 hash, and characters 4 and 7 of the mode string (suid/sgid bits).
# File names are passed as arguments, never pasted into a shell command line.
hashfiles()
{
    xargs -0 md5sum | while read -r sum file; do
        printf '%s %s %s\n' "$file" "$sum" "`ls -ld "$file" | cut -c 4,7`"
    done
}

# Hash every suid/sgid file on the system plus the top level of ~, /bin,
# /sbin and /usr/sbin, and print the sorted, de-duplicated table.
snapshot()
{
    {
        find / \( -perm -4000 -o -perm -2000 \) -type f -print0 | hashfiles
        find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f -print0 | hashfiles
    } | sort -u
}

if [ -z "$1" ] || [ -z "$2" ]; then
    errormsg
fi

# Work files live in unpredictable temporary names, not in the current directory.
tmpf=`mktemp /tmp/md5check.XXXXXX` || exit 1
report=`mktemp /tmp/md5check.XXXXXX` || exit 1
trap 'rm -f "$tmpf" "$report"' EXIT

if [ "$1" = "create" ]; then
    echo "Creating table of sums..."
    snapshot > "$tmpf"
    cp "$tmpf" "$2"
    chmod 600 "$2"
    echo ""
    echo "Finished compiling list."
    echo "Hashed a total of" `wc -l < "$2"` "files!"
elif [ "$1" = "check" ]; then
    echo "Building current settings..."
    snapshot > "$tmpf"
    echo "Comparing settings..."
    echo "*-- Checksum report --*" > "$report"
    if [ `wc -l < "$tmpf"` -ne `wc -l < "$2"` ]; then
        echo "Number of files do not match!" | tee -a "$report"
    fi
    if [ `awk '{print $3}' "$tmpf" | grep -c '[sS]'` -ne `awk '{print $3}' "$2" | grep -c '[sS]'` ]; then
        echo "Number of suid/sgid files do not match!" | tee -a "$report"
    fi
    if diff "$tmpf" "$2" > /dev/null; then
        echo "No differences found!"
        exit
    fi
    echo "Differences encountered! Outputting to stdout and mailing user..."
    echo "" | tee -a "$report"
    diff "$tmpf" "$2" | tee -a "$report"
    mail `whoami`@`hostname` < "$report"
else
    errormsg
fi

----- Original Message -----
From: "David Xu"
To: "Christopher Schulte"
Cc: "Landon Stewart" ;
Sent: Wednesday, December 12, 2001 1:56 AM
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...

> Could we add a 'sockstat -l' command to /etc/security to check
> listening port,
> this can prevent some backdoor from be installed.
> --
> David Xu
>
> Christopher Schulte wrote:
>
> > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> >
> >> They could have done who knows what to whatever system(s) they wanted
> >> to. Without someone saying "reformat the machines or reinstall"
> >> because thats the obvious answer, is there a way to check which files
> >> differ from the size they should be and have the correct MD5 sum than
> >> they should or is this asking too much?
> >
> >
> > With no point of reference on 'good state', there's not a lot that can
> > be done. Your previous admins may have legitimately patched things,
> > installed non-standard binaries, or otherwise altered the system from
> > what you'd be able to use as a reference.
> >
> > Even if you could match md5sums, there's many other ways by which a
> > person could install a back door. For example, something as simple as
> > an entry in inetd.conf which serves a root shell upon tcp port
> > connection would not show up in a binary-only md5 scan.
> >
> > Install tripwire (or some custom checksum monitoring system) from the
> > beginning of the OS install for best results. I know, not too much
> > help now. :-(
> >
> > --
> > Christopher Schulte
> > christopher@schulte.org
> > http://noc.schulte.org/

From owner-freebsd-security Mon Dec 17 7:11:52 2001
From: "Carlos Andrade"
Subject: RE: okay now I am worried
Date: Mon, 17 Dec 2001 08:08:11 -0700
Message-ID: <000301c1870c$a535ac40$fa01a8c0@rjstech.com>

Thanks for all the info...

No MTA on the machine in question, sendmail is turned off in rc.conf; so
er right I am um have no clue what to do next. Inetd is also turned off,
which then leads me to the idea that I have some bad binary or ????. I
guess re-installing 4.2 (or going to 4.4 finally) fresh would more than
likely "fix" this confusion but possibly add a whole new level of pain
and or suffering.

Thanks for all the ideas,

Carlos Andrade

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-security Mon Dec 17 9:10:22 2001
Date: Mon, 17 Dec 2001 18:10:09 +0100
From: Marco Walraven
To: freebsd-security@freebsd.org
Subject: isakmpd & ssh sentinel
Message-ID: <20011217181009.A62958@enigma.whacky.net>

Hi,

I'm trying to set up a VPN connection between isakmpd and a few road
warriors who run ssh sentinel. I installed isakmpd and tried some of the
configuration files. Every time I start isakmpd with 'isakmpd -d -DA=99'
I get these messages (see below). It also chokes up the CPU.
Furthermore, if I try to connect from a ssh sentinel client, it does not
accept a connection which should be normal if this was indeed an error
(which I think it is).

The kernel I use has IPSEC compiled in it and the system also forwards
packets, which are needed to run isakmpd.

However, does anyone recognize these problems or know how to fix them,
and has anyone successfully established a VPN (with pre-shared keys)
between isakmpd and ssh sentinel?
I know there are some issues between the two, but is it possible in the first place, or should someone try racoon instead ?. Regards, Marco Walraven isakmpd -d -DA=99 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 175249.982570 Trpt 70 transport_add: adding 0x8076080 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 references 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 references 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 references 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 referen ces Which keeps on going. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 17 9:15:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from hale.inty.net (hale.inty.net [195.92.21.144]) by hub.freebsd.org (Postfix) with ESMTP id 118B537B419 for ; Mon, 17 Dec 2001 09:15:30 -0800 (PST) Received: from inty.hq.inty.net (inty.hq.inty.net [213.38.150.150]) by hale.inty.net (8.11.3/8.11.3) with ESMTP id fBHHFJ428466; Mon, 17 Dec 2001 17:15:19 GMT Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.12.1/8.9.3) with SMTP id fBHHFIgD012078; Mon, 17 Dec 2001 17:15:18 GMT From: "Tariq Rashid" To: "Marco Walraven" , Subject: RE: isakmpd & ssh sentinel Date: Mon, 17 Dec 2001 17:18:34 -0000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20011217181009.A62958@enigma.whacky.net> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal 
X-suppress-rcpt-virus-notify: yes
X-Skip-Virus-Check: yes
X-Virus-Checked: 53782

get the latest isakmpd to fix the cpu problem.
in fact the nice people at openbsd have made the latest isakmpd sources
compile with no extra patches reqd for freebsd.

how are you using sentinel? in aggressive mode? with identification by ip
address or ufqd or certs?

tariq

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven
Sent: 17 December 2001 17:10
To: freebsd-security@freebsd.org
Subject: isakmpd & ssh sentinel


Hi,

I'm trying to set up a VPN connection between isakmpd and a few road warriors
who run ssh sentinel. I installed isakmpd and tried some of the configuration
files. Every time I start isakmpd with 'isakmpd -d -DA=99' I get these
messages (see below). It also chokes up the CPU. Furthermore, if I try
to connect from a ssh sentinel client, it does not accept a connection
which should be normal if this was indeed an error (which I think it is).

The kernel I use has IPSEC compiled in it and the system also forwards
packets, which are needed to run isakmpd.

However, does anyone recognize these problems or know how to fix ehm and
has anyone successfully established a VPN (with pre shared keys) between isakmpd
and ssh sentinel? I know there are some issues between the two, but is
it possible in the first place, or should someone try racoon instead?

Regards,

Marco Walraven


isakmpd -d -DA=99

175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
175249.982570 Trpt 70 transport_add: adding 0x8076080
175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 references
175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 references
175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 references
175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 referen
ces

Which keeps on going.

intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net)

From owner-freebsd-security Mon Dec 17 9:37:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from enigma.whacky.net (enigma.whacky.net [194.109.204.120]) by hub.freebsd.org (Postfix) with ESMTP id B675037B405 for ; Mon, 17 Dec 2001 09:37:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by enigma.whacky.net (Postfix) with ESMTP id 70A8A21538; Mon, 17 Dec 2001 18:37:04 +0100 (CET)
Received: by enigma.whacky.net (Postfix, from userid 1009) id 4043821544; Mon, 17 Dec 2001 18:37:02 +0100 (CET)
Date: Mon, 17 Dec 2001 18:37:02 +0100
From: Marco Walraven
To: Tariq Rashid
Cc: freebsd-security@freebsd.org
Subject: Re: isakmpd & ssh sentinel
Message-ID: <20011217183701.B62958@enigma.whacky.net>
References: <20011217181009.A62958@enigma.whacky.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from tariq@inty.net on Mon, Dec 17, 2001 at 05:18:34PM -0000
Organization: FearLabs | Unix Consultancy

On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote:
>
> get the latest isakmpd to fix the cpu problem.
> in fact the nice people at openbsd have made the latest isakmpd sources
> compile with no extra patches reqd for freebsd.

Hey great, I'll try that.

> how are you using sentinel? in aggressive mode? with identification by ip
> address or ufqd or certs?

In aggressive mode, 3DES, with pre shared authentication key. sentinel runs
on laptops which connect to the internet from different locations.
Are certs possible? I read that there were some issues in the way sentinel
handles x.509v3 certs and its CN?

Marco

> tariq
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven
> Sent: 17 December 2001 17:10
> To: freebsd-security@freebsd.org
> Subject: isakmpd & ssh sentinel
>
>
> Hi,
>
> I'm trying to set up a VPN connection between isakmpd and a few road warriors
> who run ssh sentinel. I installed isakmpd and tried some of the
> configuration
> files. Every time I start isakmpd with 'isakmpd -d -DA=99' I get these
> messages (see below). It also chokes up the CPU. Furthermore, if I try
> to connect from a ssh sentinel client, it does not accept a connection
> which should be normal if this was indeed an error (which I think it is).
>
> The kernel I use has IPSEC compiled in it and the system also forwards
> packets, which are needed to run isakmpd.
>
> However, does anyone recognize these problems or know how to fix ehm and
> has anyone successfully established a VPN (with pre shared keys) between
> isakmpd
> and ssh sentinel? I know there are some issues between the two, but is
> it possible in the first place, or should someone try racoon instead?
>
> Regards,
>
> Marco Walraven
>
>
> isakmpd -d -DA=99
>
> 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175249.982570 Trpt 70 transport_add: adding 0x8076080
> 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1
> references
> 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2
> references
> 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2
> references
> 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2
> referen
> ces
>
> Which keeps on going.
>
> intY has automatically scanned this email with Sophos Anti-Virus
> (www.inty.net)

--
| FearLabs | Unix Consultancy | info@fearlabs.com

From owner-freebsd-security Mon Dec 17 10: 3:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 8A47E37B417 for ; Mon, 17 Dec 2001 10:03:57 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id fBHI3kA35513; Mon, 17 Dec 2001 13:03:46 -0500 (EST) (envelope-from wollman)
Date: Mon, 17 Dec 2001 13:03:46 -0500 (EST)
From: Garrett Wollman
Message-Id: <200112171803.fBHI3kA35513@khavrinen.lcs.mit.edu>
To: "Tim J. Robbins"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: options TCP_DROP_SYNFIN
In-Reply-To: <20011217185456.A34365@raven.robbins.dropbear.id.au>
References: <20011217073102.GA94480@noname> <20011217185456.A34365@raven.robbins.dropbear.id.au>

< said:

> T/TCP (RFC 1644) speeds up transactions by not using the standard three-
> way handshake. I gather that it's more efficient if you have lots of
> quick connects and disconnects as you do with HTTP when not using the
> keepalive features.

However, it's almost entirely irrelevant to this discussion, since the
only Web client which ever used T/TCP was FreeBSD 3.0's `fetch'
program. Transaction TCP turned out to be a bad idea, for a few
fundamental reasons, but might make a comeback some day in a world
with stronger security for TCP connections (e.g., host identity
payload). DES and I have discussed a more appropriate behavior for this
option which does not violate the TCP standard.

-GAWollman

From owner-freebsd-security Mon Dec 17 10:19:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 02D3C37B41B; Mon, 17 Dec 2001 10:19:14 -0800 (PST)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id fBHIJEt62775; Mon, 17 Dec 2001 10:19:14 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Mon, 17 Dec 2001 10:19:14 -0800 (PST)
Message-Id: <200112171819.fBHIJEt62775@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:67.htdig
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:67                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          htdig configuration file vulnerability

Category:       ports
Module:         htdig
Announced:      2001-12-17
Credits:        Rafal Wojtczuk
Affects:        Ports collection prior to the correction date
Corrected:      2001-09-25 07:08:47 2001 UTC
FreeBSD only:   NO

I.   Background

htsearch is a part of htdig. The htdig system is a complete World Wide
Web indexing and searching system.

II.  Problem Description

htsearch can be run either remotely as a CGI or from the command line.
htsearch supports several options for use from the command line, such
as an option specifying a configuration file that it should use.
However, these options are not limited to use via the command line.
When run as a CGI script, htsearch still honors these options, which
may be passed as part of the URL. As a result, a remote attacker can
request that htsearch use any file that the webserver has sufficient
privilege to read as a configuration file.

The htsearch port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A remote attacker may use htsearch as a kind of denial-of-service
attack by causing it to read a never-ending special file such as
`/dev/null'.

More seriously, if the attacker has a local account or can otherwise
create a file on the target system (such as via anonymous FTP upload
or Samba), then he can remotely read any file on the target system
for which the webserver has sufficient privilege.

IV.  Workaround

1) Deinstall the htdig port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the htdig port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/textproc/htdig-3.1.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/textproc/htdig-3.1.5_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the htdig port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/textproc/htdig/Makefile                                        1.20
ports/textproc/htdig/file/patch-htsearch_cc                           1.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp

iQCVAwUBPB4x3FUuHi5z0oilAQHsFgP/XYz0xj2mb7RjsKxkrM0Ymtur3CJAWjc/
2lNGjTWMCg46PFX+wlLkd5O37Ryr6wPALamLJu30WmYNgIMPU64vlTrqXVzgPgwv
ZZP3xv8qKTNrZwo40QYxTgeWF2dxIHAztrcD25CEUvrgPTAs0ZjwLKoVxM3sCqyl
Fr2A/AN+JWw=
=oZgk
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Dec 17 10:19:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 179E237B426; Mon, 17 Dec 2001 10:19:21 -0800 (PST)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id fBHIJK862848; Mon, 17 Dec 2001 10:19:20 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Mon, 17 Dec 2001 10:19:20 -0800 (PST)
Message-Id: <200112171819.fBHIJK862848@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:68.xsane
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:68                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          xsane port uses insecure temporary file handling

Category:       ports
Module:         xsane
Announced:      2001-12-17
Credits:        Tim Waugh , michal@harddata.com
Affects:        Ports collection prior to the correction date
Corrected:      2001-12-14 01:58:36 UTC
FreeBSD only:   NO

I.   Background

The XSane application is a gtk based X11 front-end to the SANE
(Scanner Access Now Easy) library used to interface with scanners.
XSane will acquire images using devices such as scanners and cameras.

II.  Problem Description

XSane creates temporary files in /tmp during the process of scanning
images and to communicate with SANE (the back-end application which
actually performs the scans) during image preview and save. However
XSane creates temporary files using mktemp(3), which can be easily
predicted (see the BUGS section of the mktemp(3) man page). This
makes XSane vulnerable to exploit, opening the opportunity for a
user's files to be overwritten through a race condition.

The xsane port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A local user may be able to cause xsane (run by another user) to
overwrite any file for which the latter user has sufficient privilege.
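
The race described in section II above, as an added example that is not part of the advisory or of XSane's source: a name fixed in advance (as mktemp(3) produces) and then opened without O_EXCL writes through whatever already sits at that name, while O_CREAT|O_EXCL or mkstemp(3) refuses. The scratch directory, the file names and the pre-placed symlink are constructed for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp, mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: the name was chosen earlier (as
 * mktemp(3) does) and is opened without O_EXCL, so anything placed at
 * that name in the meantime, a symlink included, is opened and truncated. */
static int open_after_mktemp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open for a caller-chosen name: succeed only if this call
 * creates the file, and never follow a symlink in the last component. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Create or replace a small text file; 0 on success. */
static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario inside a private scratch directory: "victim"
 * stands for a file owned by the user running the scanner front-end,
 * "preview.tmp" for the predictable temporary name, already occupied by
 * a symlink to the victim. Returns 1 if writing through `opener`
 * changed the victim, 0 if it is intact, -1 on setup failure. */
int victim_clobbered_by(int (*opener)(const char *))
{
    char dir[] = "/tmp/mktemp-demo-XXXXXX";
    char victim[64], tmpname[64], buf[16] = "";
    int fd, result = -1;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/preview.tmp", dir);
    if (write_file(victim, "keep") == 0 && symlink(victim, tmpname) == 0) {
        fd = opener(tmpname);
        if (fd >= 0) {
            ssize_t n = write(fd, "scan", 4);   /* the "temporary" data */
            (void)n;
            close(fd);
        }
        f = fopen(victim, "r");
        if (f != NULL) {
            if (fgets(buf, sizeof buf, f) == NULL)
                buf[0] = '\0';
            fclose(f);
            result = strcmp(buf, "keep") != 0;
        }
    }
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return result;
}

/* mkstemp(3) chooses the name and creates the file in one step, so no
 * window exists between naming and opening. Returns 1 if the result is
 * a new, empty regular file with mode 0600, 0 otherwise, -1 on failure. */
int mkstemp_is_private(void)
{
    char path[] = "/tmp/xsane-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(path), ok;

    if (fd < 0)
        return -1;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
         (st.st_mode & 0777) == 0600 && st.st_size == 0;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("open without O_EXCL:       victim clobbered = %d\n",
           victim_clobbered_by(open_after_mktemp));
    printf("open with O_EXCL|NOFOLLOW: victim clobbered = %d\n",
           victim_clobbered_by(open_exclusive));
    printf("mkstemp file new and private = %d\n", mkstemp_is_private());
    return 0;
}
```
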
While it is advisable to run XSane with a non-privileged user account,
many users run it using the root account, increasing the risk.

IV.  Workaround

1) Deinstall the xsane port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/graphics/xsane-0.82.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/xsane-0.82.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.

3) Download a new port skeleton for the xsane port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/graphics/xsane/Makefile                                        1.30
ports/graphics/xsane/distinfo                                        1.20
ports/graphics/xsane/pkg-plist                                       1.18
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp

iQCVAwUBPB4x0lUuHi5z0oilAQGbNwP+NZpON4EgH8X/5Jzqr9ITnB4R3ljyka52
lf1fuHrVgX1JJAi5SCFcNaJWcLC44Y24+Yzs4b3zsGszMS+dkG8GrkO+wD2nsTjq
KTEGy8o+3Wyon/gcGQkU1AyhLdfticZhVSTubkcfg8AZUvkQV7zPuvLVronOcYGb
QKpTRN0MDJo=
=qr4R
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Dec 17 11:38:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id CBCC037B419 for ; Mon, 17 Dec 2001 11:38:21 -0800 (PST)
Received: from savvyd (c3-1a119.neo.rr.com [24.93.230.119]) by lily.ezo.net (8.11.3/8.11.3) with SMTP id fBHJkiN08787; Mon, 17 Dec 2001 14:46:44 -0500 (EST)
Message-ID: <003d01c18732$9003b080$22b197ce@ezo.net>
From: "Jim Flowers"
To: "David Rhodus"
Cc:
References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn> <002a01c186fe$5af22b80$1506810a@asgidavid>
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Date: Mon, 17 Dec 2001 14:39:35 -0500
Organization: EZNets, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I've been looking for something like this to implement over ipsec and NFS
but am currently choking on the script. I suspect it is because the
`md5sum' xargs utility returns the arguments that the awk program expects
and my attempt to use /sbin/md5 does not.

Can you confirm and will you share md5sum, as well?

Thanks

----- Original Message -----
From: "David Rhodus"
To: "David Xu" ; "Christopher Schulte"
Cc: "Landon Stewart" ;
Sent: Monday, December 17, 2001 8:25 AM
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...


> # Simple shell script for md5
> # Stored format - Filename MD5HASH suidbit/sgidbit
>
> echo "";
>
> errormsg()
> {
>     echo "Incorrect parameters!";
>     echo "Please use" $0 "create [hashfile] to create/update a table of
> checksums or";
>     echo $0 "check [hashfile] [current] to compare checksums.";
>     echo "";
>     exit
> }
>
> if [ -z $1 ]; then
>     errormsg;
>
> elif [ $1 = "create" ]; then
>     if [ -z $2 ]; then
>         errormsg;
>     fi
>     echo "Creating table of sums...";
>     find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum |
> awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >
> .tmp123;
>     find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk
> '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >>
> .tmp123;
>     cat .tmp123 | sort | uniq > $2;
>     rm .tmp123;
>     chmod 600 $2;
>     echo "";
>     echo "Finished compiling list.";
>     echo "Hashed a total of"`cat $2 | wc --lines` "files!";
>
> elif [ $1 = "check" ]; then
>     if [ -z $2 ]; then
>         errormsg;
>     fi
>     echo "Building current settings..."
>     find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum |
> awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >
> .tmp123;
>     find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum | awk
> '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >>
> .tmp123;
>     cat .tmp123 | sort | uniq > .tmpf;
>     rm .tmp123;
>     echo "Comparing settings..."
>     echo "*-- Checksum report --*" > .errreport;
>     if [ `cat .tmpf | wc -l` -ne `cat $2 | wc -l` ]; then
>         echo "Number of files do not match!" | tee --append
> .errreport;
>     fi
>     if [ `cat .tmpf | awk '// {print $3}' | egrep "s|S" | wc -l` -ne
> `cat $2 | awk '// {print $3}' | egrep "s|S" | wc -l` ]; then
>         echo "Number of suid/sgid files do not match!" | tee --a
> .errreport;
>     fi
>     # temp=`diff .tmpf $2`;
>     if (diff .tmpf $2 > /dev/null) then
>         echo "No differences found!";
>         rm .tmpf .errreport;
>         exit;
>     fi;
>     echo "Differences encountered! Outputting to stdout and mailing
> user...";
>     echo "" | tee -a .errreport;
>     diff .tmpf $2 | tee -a .errreport;
>     mail `whoami`@`hostname` < .errreport;
>     rm .tmpf .errreport;
>
> elif [ -n $1 ]; then
>     errormsg;
> fi;
> ----- Original Message -----
> From: "David Xu"
> To: "Christopher Schulte"
> Cc: "Landon Stewart" ;
> Sent: Wednesday, December 12, 2001 1:56 AM
> Subject: Re: MD5 sum checking for installed binaries to check for intrusion
> or root kits...
>
>
> > Could we add a 'sockstat -l' command to /etc/security to check
> > listening port,
> > this can prevent some backdoor from being installed.
> > --
> > David Xu
> >
> > Christopher Schulte wrote:
> >
> > > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> > >
> > >> They could have done who knows what to whatever system(s) they wanted
> > >> to. Without someone saying "reformat the machines or reinstall"
> > >> because that's the obvious answer, is there a way to check which files
> > >> differ from the size they should be and have the correct MD5 sum than
> > >> they should or is this asking too much?
> > >
> > >
> > > With no point of reference on 'good state', there's not a lot that can
> > > be done. Your previous admins may have legitimately patched things,
> > > installed non-standard binaries, or otherwise altered the system from
> > > what you'd be able to use as a reference.
> > >
> > > Even if you could match md5sums, there's many other ways by which a
> > > person could install a back door. For example, something as simple as
> > > an entry in inetd.conf which serves a root shell upon tcp port
> > > connection would not show up in a binary-only md5 scan.
> > >
> > > Install tripwire (or some custom checksum monitoring system) from the
> > > beginning of the OS install for best results. I know, not too much
> > > help now. :-(
> > >
> > > --
> > > Christopher Schulte
> > > christopher@schulte.org
> > > http://noc.schulte.org/

From owner-freebsd-security Mon Dec 17 11:48:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 7309B37B417 for ; Mon, 17 Dec 2001 11:48:16 -0800 (PST)
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by wrath.cs.utah.edu (8.11.6/8.11.6) with ESMTP id fBHJmEX03778; Mon, 17 Dec 2001 12:48:15 -0700 (MST)
From: David G Andersen
Received: (from danderse@localhost) by faith.cs.utah.edu (8.11.1/8.11.1) id fBHJmEc26259; Mon, 17 Dec 2001 12:48:14 -0700 (MST)
Message-Id: <200112171948.fBHJmEc26259@faith.cs.utah.edu>
Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
To: jflowers@ezo.net (Jim Flowers)
Date: Mon, 17 Dec 2001 12:48:14 -0700 (MST)
Cc: sdrhodus@sekurity.net (David Rhodus), security@FreeBSD.ORG
In-Reply-To: <003d01c18732$9003b080$22b197ce@ezo.net> from "Jim Flowers" at Dec 17, 2001 02:39:35 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

md5sum is simply the linux version of the utility.
Use 'md5 -r' to get output identical to that of md5sum.

  -Dave

Lo and behold, Jim Flowers once said:
>
> I've been looking for something like this to implement over ipsec and NFS
> but am currently choking on the script. I suspect it is because the
> `md5sum' xargs utility returns the arguments that the awk program expects
> and my attempt to use /sbin/md5 does not.
>
> Can you confirm and will you share md5sum, as well?
>
> Thanks
>
> ----- Original Message -----
> From: "David Rhodus"
> To: "David Xu" ; "Christopher Schulte"
> Cc: "Landon Stewart" ;
> Sent: Monday, December 17, 2001 8:25 AM
> Subject: Re: MD5 sum checking for installed binaries to check for intrusion
> or root kits...
>
>
> > # Simple shell script for md5
> > # Stored format - Filename MD5HASH suidbit/sgidbit
> >
> > echo "";
> >
> > errormsg()
> > {
> >     echo "Incorrect parameters!";
> >     echo "Please use" $0 "create [hashfile] to create/update a table of checksums or";
> >     echo $0 "check [hashfile] [current] to compare checksums.";
> >     echo "";
> >     exit
> > }
> >
> > if [ -z $1 ]; then
> >     errormsg;
> >
> > elif [ $1 = "create" ]; then
> >     if [ -z $2 ]; then
> >         errormsg;
> >     fi
> >     echo "Creating table of sums...";
> >     find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum |
> >         awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123;
> >     find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum |
> >         awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123;
> >     cat .tmp123 | sort | uniq > $2;
> >     rm .tmp123;
> >     chmod 600 $2;
> >     echo "";
> >     echo "Finished compiling list.";
> >     echo "Hashed a total of"`cat $2 | wc --lines` "files!";
> >
> > elif [ $1 = "check" ]; then
> >     if [ -z $2 ]; then
> >         errormsg;
> >     fi
> >     echo "Building current settings..."
> >     find / -name '*' -perm +4000 -o -perm +2000 -type f | xargs md5sum |
> >         awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' > .tmp123;
> >     find ~ /bin /sbin /usr/sbin -maxdepth 1 -type f | xargs md5sum |
> >         awk '// {printf($2 " " $1 " "); system("ls -la " $2 " | cut -c 4,7")};' >> .tmp123;
> >     cat .tmp123 | sort | uniq > .tmpf;
> >     rm .tmp123;
> >     echo "Comparing settings..."
> >     echo "*-- Checksum report --*" > .errreport;
> >     if [ `cat .tmpf | wc -l` -ne `cat $2 | wc -l` ]; then
> >         echo "Number of files do not match!" | tee --append .errreport;
> >     fi
> >     if [ `cat .tmpf | awk '// {print $3}' | egrep "s|S" | wc -l` -ne `cat $2 | awk '// {print $3}' | egrep "s|S" | wc -l` ]; then
> >         echo "Number of suid/sgid files do not match!" | tee --a .errreport;
> >     fi
> >     # temp=`diff .tmpf $2`;
> >     if (diff .tmpf $2 > /dev/null) then
> >         echo "No differences found!";
> >         rm .tmpf .errreport;
> >         exit;
> >     fi;
> >     echo "Differences encountered! Outputting to stdout and mailing user...";
> >     echo "" | tee -a .errreport;
> >     diff .tmpf $2 | tee -a .errreport;
> >     mail `whoami`@`hostname` < .errreport;
> >     rm .tmpf .errreport;
> >
> > elif [ -n $1 ]; then
> >     errormsg;
> > fi;
> >
> > ----- Original Message -----
> > From: "David Xu"
> > To: "Christopher Schulte"
> > Cc: "Landon Stewart" ;
> > Sent: Wednesday, December 12, 2001 1:56 AM
> > Subject: Re: MD5 sum checking for installed binaries to check for intrusion
> > or root kits...
> >
> >
> > > Could we add a 'sockstat -l' command to /etc/security to check
> > > listening port,
> > > this can prevent some backdoor from being installed.
> > > --
> > > David Xu
> > >
> > > Christopher Schulte wrote:
> > >
> > > > At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
> > > >
> > > >> They could have done who knows what to whatever system(s) they wanted
> > > >> to. Without someone saying "reformat the machines or reinstall"
> > > >> because that's the obvious answer, is there a way to check which files
> > > >> differ from the size they should be and have the correct MD5 sum than
> > > >> they should or is this asking too much?
> > > >
> > > >
> > > > With no point of reference on 'good state', there's not a lot that can
> > > > be done. Your previous admins may have legitimately patched things,
> > > > installed non-standard binaries, or otherwise altered the system from
> > > > what you'd be able to use as a reference.
> > > >
> > > > Even if you could match md5sums, there's many other ways by which a
> > > > person could install a back door. For example, something as simple as
> > > > an entry in inetd.conf which serves a root shell upon tcp port
> > > > connection would not show up in a binary-only md5 scan.
> > > >
> > > > Install tripwire (or some custom checksum monitoring system) from the
> > > > beginning of the OS install for best results. I know, not too much
> > > > help now.
:-( > > > > > > > > -- > > > > Christopher Schulte > > > > christopher@schulte.org > > > > http://noc.schulte.org/ > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 17 15: 4: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts20-srv.bellnexxia.net (tomts20.bellnexxia.net [209.226.175.74]) by hub.freebsd.org (Postfix) with ESMTP id 7FE7537B61C for ; Mon, 17 Dec 2001 15:03:51 -0800 (PST) Received: from khan.anarcat.dyndns.org ([65.94.189.35]) by tomts20-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011217230350.QAAK14593.tomts20-srv.bellnexxia.net@khan.anarcat.dyndns.org> for ; Mon, 17 Dec 2001 18:03:50 -0500 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id E35431A49 for ; Mon, 17 Dec 2001 18:03:44 -0500 (EST) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 2341220ACB; Mon, 17 Dec 2001 18:03:36 -0500 (EST) Date: Mon, 17 Dec 2001 18:03:36 -0500 From: The Anarcat To: FreeBSD Security Subject: Invalid self-signature (was: Re: FreeBSD Ports Security Advisory FreeBSD-SA-01:67.htdig) Message-ID: <20011217230335.GB658@shall.anarcat.dyndns.org> References: 
<200112171819.fBHIJEt62775@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IiVenqGWf+H9Y6IX" Content-Disposition: inline In-Reply-To: <200112171819.fBHIJEt62775@freefall.freebsd.org> User-Agent: Mutt/1.3.24i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--IiVenqGWf+H9Y6IX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Is it me or is there something wrong with the signer keys on the
keyservers?

Mutt tells me this:

[-- PGP output follows (current time: Mon Dec 17 18:01:10 2001) --]
gpg: Warning: using insecure memory!
gpg: Signature made Mon Dec 17 12:56:44 2001 EST using RSA key ID 73D288A5
gpg: requesting key 73D288A5 from horowitz.surfnet.nl ...
gpg: key 73D288A5: invalid self-signature
gpg: key 73D288A5: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: Can't check signature: public key not found
[-- End of PGP output --]

thanks..

a.
--IiVenqGWf+H9Y6IX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjweecYACgkQttcWHAnWiGfq7ACgj/tKmkCR7M86id72KSRVVqBo RTcAoJ2f198LWkCbbVxeiefcv5/wCsfQ =kT1A -----END PGP SIGNATURE----- --IiVenqGWf+H9Y6IX-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 17 17: 4:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from scaup.prod.itd.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by hub.freebsd.org (Postfix) with ESMTP id AF56537B41A for ; Mon, 17 Dec 2001 17:04:52 -0800 (PST) Received: from dialup-209.247.139.120.dial1.sanjose1.level3.net ([209.247.139.120] helo=blossom.cjclark.org) by scaup.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16G8gX-0006Pk-00; Mon, 17 Dec 2001 17:04:45 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBI14cO20740; Mon, 17 Dec 2001 17:04:38 -0800 (PST) (envelope-from cjc) Date: Mon, 17 Dec 2001 17:04:38 -0800 From: "Crist J . Clark" To: David Rhodus Cc: David Xu , Christopher Schulte , Landon Stewart , security@FreeBSD.ORG Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... 
Message-ID: <20011217170438.D19170@blossom.cjclark.org> References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> <3C16FF8A.1050001@viasoft.com.cn> <002a01c186fe$5af22b80$1506810a@asgidavid> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <002a01c186fe$5af22b80$1506810a@asgidavid>; from sdrhodus@sekurity.net on Mon, Dec 17, 2001 at 08:25:54AM -0500 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Dec 17, 2001 at 08:25:54AM -0500, David Rhodus wrote:

[snip]

mtree(8) has the capability to do a lot of this on its own.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Dec 17 17:14:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from avocet.prod.itd.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50]) by hub.freebsd.org (Postfix) with ESMTP id B136D37B405 for ; Mon, 17 Dec 2001 17:14:56 -0800 (PST) Received: from dialup-209.247.139.120.dial1.sanjose1.level3.net ([209.247.139.120] helo=blossom.cjclark.org) by avocet.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16G8qN-0005eS-00; Mon, 17 Dec 2001 17:14:55 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBI1Erf20837; Mon, 17 Dec 2001 17:14:53 -0800 (PST) (envelope-from cjc) Date: Mon, 17 Dec 2001 17:14:53 -0800 From: "Crist J . 
Clark" To: Carlos Andrade Cc: security@FreeBSD.ORG Subject: Re: okay now I am worried Message-ID: <20011217171453.E19170@blossom.cjclark.org> References: <000301c1870c$a535ac40$fa01a8c0@rjstech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000301c1870c$a535ac40$fa01a8c0@rjstech.com>; from carlos@rjstech.com on Mon, Dec 17, 2001 at 08:08:11AM -0700 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Dec 17, 2001 at 08:08:11AM -0700, Carlos Andrade wrote:
> Thanks for all the info...
> No MTA on the machine in question, sendmail is turned off in rc.conf; so er
> right I am um
> have no clue what to do next. Inetd is also turned off, which then leads me
> to the idea that I have some bad binary or ????. I guess re-installing 4.2
> (or going to 4.4 finally) fresh would more than likely "fix" this confusion
> but possibly add a whole new level of pain and or suffering.

Does any mail get _delivered_ on this machine? That is, does anyone's
mailspool in /var/mail ever get appended to? If so, this is
expected. It has nothing to do with running sendmail(8) or another
MTA. It has nothing to do with inetd(8). It is not a bug. I am not
sure what you are trying to "fix."

If you really will feel better without seeing those in your logs,
comment out the 'biff' line from /etc/services (see mail.local(8)).
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 17 17:43:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from scaup.prod.itd.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by hub.freebsd.org (Postfix) with ESMTP id B1AA237B405 for ; Mon, 17 Dec 2001 17:43:18 -0800 (PST) Received: from dialup-209.247.139.120.dial1.sanjose1.level3.net ([209.247.139.120] helo=blossom.cjclark.org) by scaup.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16G9Ho-0003Dm-00; Mon, 17 Dec 2001 17:43:16 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBI1hEB20964; Mon, 17 Dec 2001 17:43:14 -0800 (PST) (envelope-from cjc) Date: Mon, 17 Dec 2001 17:43:14 -0800 From: "Crist J . Clark" To: endrju Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw+syn Message-ID: <20011217174314.G19170@blossom.cjclark.org> References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu> <016001c18402$bd795110$8241949f@TRDC> <001601c18403$373ff030$5e3bad86@boredom> <005d01c184a4$a6aeefb0$8241949f@TRDC> <20011214144153.A3473@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011214144153.A3473@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Fri, Dec 14, 2001 at 02:41:53PM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Dec 14, 2001 at 02:41:53PM -0800, Crist J . 
Clark wrote:
> On Fri, Dec 14, 2001 at 03:38:44PM +0200, endrju wrote:
> > ...# ipfw -a list
> > 00100 0 0 allow ip from any to any frag
> > 00200 419 44610 allow ip from any to any
> > 65535 884 92423 deny ip from any to any
> >
> > but anyway:
> >
> > su-2.04# nmap -sS -f aaa.bbb.ccc.ddd
> > Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ )
> > sendto in send_syn_fragz: Permission denied
>
> It's clear that ipfw(8) is blocking these. Your command line will work
> fine on a FreeBSD machine without ipfw(8) running. I'll see if I can
> figure out exactly where it is dropping these.

The problem here is that ipfw(8) will treat these packets as
"bogusfrags." One of the first things that the firewall does is try to
pullup the packet's IP and TCP header. The IP fragments that nmap(1)
produces with the -f option do not contain the full TCP header in the
initial packet. This causes the pullup to fail.

Dropping packets like this is desired and valid. There is really no
use for them, but trying to evade firewalls. I can't think of a
legitimate reason for their existence. I believe the bug is that this
behavior is not documented or logged. ipfw(8) talks about rule -1 and
what happens to packets with an offset of 1. These packets have an
offset of 2, but are dropped for similar reasons. The logging needs to
be fixed for these.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 17 20:52:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from warez.scriptkiddie.org (uswest-dsl-142-38.cortland.com [209.162.142.38]) by hub.freebsd.org (Postfix) with ESMTP id 23B3C37B405 for ; Mon, 17 Dec 2001 20:52:51 -0800 (PST) Received: from [192.168.69.11] (unknown [192.168.69.11]) by warez.scriptkiddie.org (Postfix) with ESMTP id BBD3D62D01; Mon, 17 Dec 2001 20:52:45 -0800 (PST) Date: Mon, 17 Dec 2001 20:53:21 -0800 (PST) From: Lamont Granquist To: Garrett Wollman Cc: "Tim J. Robbins" , Subject: Re: options TCP_DROP_SYNFIN In-Reply-To: <200112171803.fBHI3kA35513@khavrinen.lcs.mit.edu> Message-ID: <20011217203955.K4651-100000@coredump.scriptkiddie.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 17 Dec 2001, Garrett Wollman wrote: > > T/TCP (RFC 1644) speeds up transactions by not using the standard three- > > way handshake. I gather that it's more efficient if you have lots of > > quick connects and disconnects as you do with HTTP when not using the > > keepalive features. > > However, it's almost entirely irrelevant to this discussion, since the > only Web client which ever used T/TCP was FreeBSD 3.0's `fetch' > program. Transaction TCP turned out to be a bad idea, for a few > fundamental reasons, but might make a comeback some day in a world > with stronger security for TCP connections (e.g., host identity > payload). DES and I have discussed a more appropriate behavior for > this option which does not violate the TCP standard. What about using T/TCP for back-end data center traffic? 
Put it into an environment where you basically trust your host identities? (of course most of the time in this kind of environment you can just use a persistent TCP connection...)

Anyway, more to the point of the original poster, if you're turning on TCP_DROP_SYNFIN in order to block nmap host identification, you really have too much free time on your hands. Most attackers are driven not by which hosts they want to exploit but which exploits they have to use. They tend to scan large blocks of addresses with automated attack tools which don't bother to do any osdetection and just look for the service, attempt to exploit it and return if the exploit was successful or not. And if your threat model includes people who are going to target you specifically and who are very skilled then you have to include the possibility that they'll know enough to do host identification even in the presence of TCP_DROP_SYNFIN. Hence, for either threat model (scriptkiddie or determined attacker) you gain nothing from this option while you break your RFC compliance.
(and i'm not religiously against security-through-obscurity, i just think that this isn't a good application of it) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 17 21:50:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 8AB2237B41B for ; Mon, 17 Dec 2001 21:50:21 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.6/8.11.4) id fBI5oFV80776; Mon, 17 Dec 2001 21:50:15 -0800 (PST) (envelope-from kris) Date: Mon, 17 Dec 2001 21:50:14 -0800 From: Kris Kennaway To: The Anarcat Cc: FreeBSD Security Subject: Re: Invalid self-signature (was: Re: FreeBSD Ports Security Advisory FreeBSD-SA-01:67.htdig) Message-ID: <20011217215014.A80723@citusc17.usc.edu> References: <200112171819.fBHIJEt62775@freefall.freebsd.org> <20011217230335.GB658@shall.anarcat.dyndns.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011217230335.GB658@shall.anarcat.dyndns.org>; from anarcat@anarcat.dyndns.org on Mon, Dec 17, 2001 at 06:03:36PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --jI8keyz6grp/JLjh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Dec 17, 2001 at 06:03:36PM -0500, The Anarcat wrote: > Is it me or is there something wrong with the signer keys on the > keyservers? Seems like that copy of the key is somehow corrupted. Fetch it from another keyserver or from the ftp site. 
Kris --jI8keyz6grp/JLjh Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8HtkVWry0BWjoQKURAhoLAKCj4iB+A6BJVzM5+Q0XQublU0mxAACgqA9t +a+NpLbg/GXDZ8htJN6X1BM= =FMT3 -----END PGP SIGNATURE----- --jI8keyz6grp/JLjh-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 1:34: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from jane.inty.net (jane.inty.net [195.224.93.242]) by hub.freebsd.org (Postfix) with ESMTP id 8B1E837B417 for ; Tue, 18 Dec 2001 01:33:49 -0800 (PST) Received: from inty.hq.inty.net (inty.hq.inty.net [213.38.150.150]) by jane.inty.net (8.11.3/8.11.3) with ESMTP id fBI9XiM65914; Tue, 18 Dec 2001 09:33:44 GMT Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.12.1/8.9.3) with SMTP id fBI9XdGw036062; Tue, 18 Dec 2001 09:33:40 GMT From: "Tariq Rashid" To: "Marco Walraven" Cc: Subject: RE: isakmpd & ssh sentinel Date: Tue, 18 Dec 2001 09:37:00 -0000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20011217183701.B62958@enigma.whacky.net> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal X-suppress-rcpt-virus-notify: yes X-Skip-Virus-Check: yes X-Virus-Checked: 48592 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org add the following to the Makefile... # following by TR ... 
CFLAGS+= -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE

this sets isakmpd to allow aggressive mode and also to send the config to
the laptops
(like a kind of dhcp where the isakmpd server tells the laptop its ip,
gateway, nameserver, wins server etc...)
... have a look at:

--------------------------------------------------------

# aggressive users ...

[user-b@inty.net]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= secret-B
Flags= Stayalive

[user-a@inty.net]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= secret-A
Flags= Stayalive

[user-win2k@inty.net]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= secret-win2k
Flags= Stayalive

[ufqdn/user-win2k@inty.net]
Address= 10.10.7.33
Netmask= 255.255.0.0
Nameserver= 993.99.99.99
Wins-server= somethineg else...

-------------------------------------------

which i use for pgpnet.... the first two "users" are remote isakmpd gateways
which are on dynamic ips (dialup) ... the last user is a pgpnet laptop user
... pgpnet has an option "acquire virtual identity" which lets it get the
ip,gq,ns and wins ips... there may be something similar for Sentinel.

good luck!

tariq

-----Original Message-----
From: Marco Walraven [mailto:walraven@fearlabs.com]
Sent: 17 December 2001 17:37
To: Tariq Rashid
Cc: freebsd-security@freebsd.org
Subject: Re: isakmpd & ssh sentinel

On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote:
>
> get the latest isakmpd to fix the cpu problem.
> in fact the nice people at openbsd have made the latest isakmpd sources
> compile with no extra patches reqd for freebsd.

Hey great, i'll try that.

> how are you using sentinel? in aggressive mode? with identification by ip
> address or ufqd or certs?

In aggressive mode, 3DES, with pre shared authentication key. sentinel
runs on laptops which connect to the internet from different locations.

Are certs possible ? 
I read that there were some issues in the way sentinel
handles x.509v3 certs and its CN. ?

Marco

> tariq
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven
> Sent: 17 December 2001 17:10
> To: freebsd-security@freebsd.org
> Subject: isakmpd & ssh sentinel
>
>
> Hi,
>
> I'm trying to setup a VPN connection between isakmpd and a few road warriors
> who run ssh sentinel. I installed isakmpd and tried some of the
> configuration
> files. Everytime I start isakmpd with 'isakmpd -d -DA=99' i get these
> messages(see below). It also chokes up the CPU. Furthermore, if I try
> to connect from a ssh sentinel client, it does not accept a connection
> which should be normal if this was indeed an error (which I think it is).
>
> The kernel I use has, IPSEC compiled in it and the system also forwards
> packets, which are needed to run isakmpd.
>
> However, does anyone recognize these problems or know how to fix them and
> has anyone successfully established a VPN(with pre shared keys) between
> isakmpd
> and ssh sentinel ? I know there are some issues between the two, but is
> it possible in the first place, or should someone try racoon instead ?.
> > Regards, > > Marco Walraven > > > isakmpd -d -DA=99 > > 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > 175249.982570 Trpt 70 transport_add: adding 0x8076080 > 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 > references > 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 > references > 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 > references > 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 > referen > ces > > Which keeps on going. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- | FearLabs | Unix Consultancy | info@fearlabs.com intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 4: 7:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from enigma.whacky.net (enigma.whacky.net [194.109.204.120]) by hub.freebsd.org (Postfix) with ESMTP id BFADD37B417 for ; Tue, 18 Dec 2001 04:07:14 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by enigma.whacky.net (Postfix) with ESMTP id AD0C321569; Tue, 18 Dec 2001 13:07:11 +0100 (CET) Received: by enigma.whacky.net (Postfix, from userid 1009) id 
8271F21599; Tue, 18 Dec 2001 13:07:09 +0100 (CET) Date: Tue, 18 Dec 2001 13:07:09 +0100 From: Marco Walraven To: Tariq Rashid Cc: Marco Walraven , freebsd-security@freebsd.org Subject: Re: isakmpd & ssh sentinel Message-ID: <20011218130709.A80059@enigma.whacky.net> References: <20011217183701.B62958@enigma.whacky.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from tariq@inty.net on Tue, Dec 18, 2001 at 09:37:00AM -0000 Organization: FearLabs | Unix Consultancy Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I downloaded the isakmpd sources from ftp.openbsd.org (/pub/src/sbin/isakmp)
changed the Makefile (OS = freebsd) and added the CFLAGS options.

However, on both FreeBSD 4.3 and 4.4 I get this error message, when
starting my compile with make obj && make depend && make

In file included from /usr/home/marco/test/isakmpd/sysdep/freebsd/sysdep.c:53:
/usr/home/marco/test/isakmpd/pf_key_v2.h:51: syntax error before `u_int8_t'
/usr/home/marco/test/isakmpd/pf_key_v2.h:51: warning: function declaration isn't a prototype
*** Error code 1

Any ideas ?

On Tue, Dec 18, 2001 at 09:37:00AM -0000, Tariq Rashid wrote:
>
>
> add the following to the Makefile...
>
>
> # following by TR ...
> CFLAGS+= -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE
>
>
> this sets isakmpd to allow aggressive mode and also to send the config to
> the laptops
> (like a kind of dhcp where the isakmpd server tells the laptop its ip,
> gateway, nameserver, wins server etc...)
> ... have a look at:
>
> --------------------------------------------------------
>
> # aggressive users ...
> > [user-b@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-B > Flags= Stayalive > > [user-a@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-A > Flags= Stayalive > > [user-win2k@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-win2k > Flags= Stayalive > > [ufqdn/user-win2k@inty.net] > Address= 10.10.7.33 > Netmask= 255.255.0.0 > Nameserver= 993.99.99.99 > Wins-server= somethineg else... > > > ------------------------------------------- > > which i use for pgpnet.... the first two "users" are remote isakmpd gateways > whicvh are on dynamic ips (dialup) ... the last user is a pgpnet laptop user > ... pgpnet has an option "acquore virtual identity" which lets it get the > ip,gq,ns and wins ips... there may be something similar for Sentinel. > > good luck! > > tariq > > -----Original Message----- > From: Marco Walraven [mailto:walraven@fearlabs.com] > Sent: 17 December 2001 17:37 > To: Tariq Rashid > Cc: freebsd-security@freebsd.org > Subject: Re: isakmpd & ssh sentinel > > > On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote: > > > > get the latest isakmpd to fix the cup problem. > > in fact the nice people at openbsd have made the latest isakmpd sources > > compile with no extra patches reqd for freebsd. > > Hey great, i'll try that. > > > how are you using sentinel? in aggressive mode? with identification by ip > > address or ufqd or certs? > > In aggressive mode, 3DES, with pre shared authentication key. sentinel > run's on laptops which connect to the internet from different locations. > > Are certs possible ? I read that there were some issues in the way sentinel > handles x.509v3 certs and it's CN. ? 
> > Marco > > > tariq > > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven > > Sent: 17 December 2001 17:10 > > To: freebsd-security@freebsd.org > > Subject: isakmpd & ssh sentinel > > > > > > Hi, > > > > I'm trying to setup a VPN connection between isakmpd and a few road > warriors > > who run ssh sentinel. I installed isamkpd and tried some of the > > configuration > > files. Everytime I start isakmpd with 'isakmpd -d -DA=99' i get these > > messages(see below). It also chokes up the CPU. Furthermore, if I try > > to connect from a ssh sentinel client, it does not accept a connection > > which should be normal if this was indeed an error (which I think it is). > > > > The kernel I use has, IPSEC compiled in it and the system also forwards > > packets, which are needed to run isakmpd. > > > > However, does anyone recognize these problems or know how to fix ehm and > > has anyone successfully established a VPN(with pre shared keys) between > > isakmpd > > and ssh sentinel ? I know there are some issues between the two, but is > > it possible in the first place, or should someone try racoon instead ?. 
> > > > Regards, > > > > Marco Walraven > > > > > > isakmpd -d -DA=99 > > > > 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982570 Trpt 70 transport_add: adding 0x8076080 > > 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 > > references > > 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 > > references > > 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 > > references > > 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 > > referen > > ces > > > > Which keeps on going. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > intY has automatically scanned this email with Sophos Anti-Virus > > (www.inty.net) > > > > > > > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > | FearLabs | Unix Consultancy | info@fearlabs.com > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) > -- | FearLabs | Unix Consultancy | info@fearlabs.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 5: 9:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from hale.inty.net (hale.inty.net [195.92.21.144]) by hub.freebsd.org (Postfix) with ESMTP id 52F2137B41C for ; Tue, 18 Dec 2001 05:09:08 -0800 (PST) Received: from inty.hq.inty.net (inty.hq.inty.net [213.38.150.150]) by 
hale.inty.net (8.11.3/8.11.3) with ESMTP id fBID90m42518; Tue, 18 Dec 2001 13:09:00 GMT Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.12.1/8.9.3) with SMTP id fBID8xG1033543; Tue, 18 Dec 2001 13:08:59 GMT From: "Tariq Rashid" To: "Marco Walraven" Cc: Subject: RE: isakmpd & ssh sentinel Date: Tue, 18 Dec 2001 13:12:21 -0000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20011218130709.A80059@enigma.whacky.net> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal X-suppress-rcpt-virus-notify: yes X-Skip-Virus-Check: yes X-Virus-Checked: 2858 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org oops - the only other change i made is to add a file (isakmp_cfg.c) to a source list in the makefile: you error doesn't seem related though... give this a go and see if that helps... if not get back to me/us! ------------------------------------------------------ *************** *** 66,72 **** ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \ ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c \ key.c libcrypto.c log.c message.c math_2n.c math_group.c \ ! prf.c sa.c sysdep.c timer.c transport.c udp.c ui.c util.c GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ isakmp_num.h --- 66,72 ---- ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \ ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c \ key.c libcrypto.c log.c message.c math_2n.c math_group.c \ ! 
prf.c sa.c sysdep.c timer.c transport.c udp.c ui.c util.c isakmp_cfg.c GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ isakmp_num.h *************** ----------------------------------------------------- i also changed my bindir to /usr/local/sbin from /sbin... but that shouldn't matter tariq -----Original Message----- From: Marco Walraven [mailto:walraven@fearlabs.com] Sent: 18 December 2001 12:07 To: Tariq Rashid Cc: Marco Walraven; freebsd-security@freebsd.org Subject: Re: isakmpd & ssh sentinel I downloaded the isakmpd sources from ftp.openbsd.org (/pub/src/sbin/isakmp) changed the Makefile (OS = freebsd) and added the CFLAGS options. However, on both FreeBSD 4.3 and 4.4 I get this error message, when starting my compile with make obj && make depend && make In file included from /usr/home/marco/test/isakmpd/sysdep/freebsd/sysdep.c:53: /usr/home/marco/test/isakmpd/pf_key_v2.h:51: syntax error before `u_int8_t' /usr/home/marco/test/isakmpd/pf_key_v2.h:51: warning: function declaration isn't a prototype *** Error code 1 Any ideas ? On Tue, Dec 18, 2001 at 09:37:00AM -0000, Tariq Rashid wrote: > > > add the following to the Makefile... > > > # following by TR ... > CFLAGS+= -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE > > > this sets isakmpd to allow aggressive mode and also to send the config to > the laptops > (like a kind of dhcp where the isakmpd server tells the laptop its ip, > gateway, nameserver, wins server etc...) > ... have a look at: > > -------------------------------------------------------- > > # aggressive users ... 
> > [user-b@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-B > Flags= Stayalive > > [user-a@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-A > Flags= Stayalive > > [user-win2k@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-win2k > Flags= Stayalive > > [ufqdn/user-win2k@inty.net] > Address= 10.10.7.33 > Netmask= 255.255.0.0 > Nameserver= 993.99.99.99 > Wins-server= somethineg else... > > > ------------------------------------------- > > which i use for pgpnet.... the first two "users" are remote isakmpd gateways > whicvh are on dynamic ips (dialup) ... the last user is a pgpnet laptop user > ... pgpnet has an option "acquore virtual identity" which lets it get the > ip,gq,ns and wins ips... there may be something similar for Sentinel. > > good luck! > > tariq > > -----Original Message----- > From: Marco Walraven [mailto:walraven@fearlabs.com] > Sent: 17 December 2001 17:37 > To: Tariq Rashid > Cc: freebsd-security@freebsd.org > Subject: Re: isakmpd & ssh sentinel > > > On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote: > > > > get the latest isakmpd to fix the cup problem. > > in fact the nice people at openbsd have made the latest isakmpd sources > > compile with no extra patches reqd for freebsd. > > Hey great, i'll try that. > > > how are you using sentinel? in aggressive mode? with identification by ip > > address or ufqd or certs? > > In aggressive mode, 3DES, with pre shared authentication key. sentinel > run's on laptops which connect to the internet from different locations. > > Are certs possible ? I read that there were some issues in the way sentinel > handles x.509v3 certs and it's CN. ? 
> > Marco > > > tariq > > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven > > Sent: 17 December 2001 17:10 > > To: freebsd-security@freebsd.org > > Subject: isakmpd & ssh sentinel > > > > > > Hi, > > > > I'm trying to setup a VPN connection between isakmpd and a few road > warriors > > who run ssh sentinel. I installed isamkpd and tried some of the > > configuration > > files. Everytime I start isakmpd with 'isakmpd -d -DA=99' i get these > > messages(see below). It also chokes up the CPU. Furthermore, if I try > > to connect from a ssh sentinel client, it does not accept a connection > > which should be normal if this was indeed an error (which I think it is). > > > > The kernel I use has, IPSEC compiled in it and the system also forwards > > packets, which are needed to run isakmpd. > > > > However, does anyone recognize these problems or know how to fix ehm and > > has anyone successfully established a VPN(with pre shared keys) between > > isakmpd > > and ssh sentinel ? I know there are some issues between the two, but is > > it possible in the first place, or should someone try racoon instead ?. 
> > > > Regards, > > > > Marco Walraven > > > > > > isakmpd -d -DA=99 > > > > 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982570 Trpt 70 transport_add: adding 0x8076080 > > 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 > > references > > 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 > > references > > 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 > > references > > 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 > > referen > > ces > > > > Which keeps on going. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > intY has automatically scanned this email with Sophos Anti-Virus > > (www.inty.net) > > > > > > > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > | FearLabs | Unix Consultancy | info@fearlabs.com > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) > -- | FearLabs | Unix Consultancy | info@fearlabs.com intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 5:38:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from stargate.nol.co.za (nol.co.za [196.33.45.2]) by 
hub.freebsd.org (Postfix) with ESMTP id 91A2037B405 for ; Tue, 18 Dec 2001 05:38:41 -0800 (PST) Received: from sun.sz.co.za ([196.33.45.209] helo=netgod.nol.co.za) by stargate.nol.co.za with esmtp (Exim 3.33 #1) id 16GKVm-0000A5-00 for security@freebsd.org; Tue, 18 Dec 2001 15:42:26 +0200 Message-Id: <5.0.2.1.2.20011218152322.00babb40@nol.co.za> X-Sender: tim@nol.co.za X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Tue, 18 Dec 2001 15:30:51 +0200 To: security@freebsd.org From: "Timothy S. Bowers" Subject: kernel security? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I'm running FreeBSD 4.4Stable Can anyone tell me what is happening to my system ? The following appears on the console and then the PC reboots. This happens about once a day. I'd appreciate it if anyone could send me in the right direction. ---------------------------------------------> snip --------------------- Fatal trap 12: page fault in kernel mode fault virtual address = 0xc0ba991f fault code = supervisor write, page not present instruction pointer = 0x8:0xc017ac83 stack pointer = 0x10:0xd3515e30 frame pointer = 0x10:0xd3515e54 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL=0 current process = 588 (httpd) interrupt mask = net tty trap number = 12 pannic: page fault Automatic reboot in 15 seconds. 
----------------------------------------> snip ------------------------ Thanks, Timothy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 5:54:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id AB8E037B41C for ; Tue, 18 Dec 2001 05:54:40 -0800 (PST) Received: (from mwlucas@localhost) by blackhelicopters.org (8.11.6/8.11.6) id fBIDsNd79983; Tue, 18 Dec 2001 08:54:23 -0500 (EST) (envelope-from mwlucas) Date: Tue, 18 Dec 2001 08:54:23 -0500 From: Michael Lucas To: "Timothy S. Bowers" Cc: security@FreeBSD.ORG Subject: Re: kernel security? Message-ID: <20011218085423.A79923@blackhelicopters.org> References: <5.0.2.1.2.20011218152322.00babb40@nol.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.0.2.1.2.20011218152322.00babb40@nol.co.za>; from tim@nol.co.za on Tue, Dec 18, 2001 at 03:30:51PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, This isn't really a security issue; please address future questions to FreeBSD-questions@FreeBSD.org. We really cannot tell what's happening from this information. Please check the Handbook for full details on how to prepare a debugging crash dump. Get the information, and send it on to FreeBSD-questions. On Tue, Dec 18, 2001 at 03:30:51PM +0200, Timothy S. Bowers wrote: > Hi, > > I'm running FreeBSD 4.4Stable > Can anyone tell me what is happening to my system ? > > The following appears on the console and then the PC reboots. This happens about once a day. > I'd appreciate it if anyone could send me in the right direction. 
> > ---------------------------------------------> snip --------------------- > Fatal trap 12: page fault in kernel mode > fault virtual address = 0xc0ba991f > fault code = supervisor write, page not present > instruction pointer = 0x8:0xc017ac83 > stack pointer = 0x10:0xd3515e30 > frame pointer = 0x10:0xd3515e54 > code segment = base 0x0, limit 0xfffff, type 0x1b > = DPL 0, pres 1, def32 1, gran 1 > processor eflags = interrupt enabled, resume, IOPL=0 > current process = 588 (httpd) > interrupt mask = net tty > trap number = 12 > pannic: page fault > > Automatic reboot in 15 seconds. > ----------------------------------------> snip ------------------------ > > > Thanks, > Timothy > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons http://www.blackhelicopters.org/~mwlucas/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 8:45:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from iaces.com (horton.iaces.com [204.147.87.98]) by hub.freebsd.org (Postfix) with ESMTP id 82A0037B419 for ; Tue, 18 Dec 2001 08:45:36 -0800 (PST) Received: from iaces.com (ptroot.iaces.com [204.147.87.124]) by iaces.com (8.11.6/8.11.6) with ESMTP id fBIGjZJ24474 for ; Tue, 18 Dec 2001 10:45:35 -0600 (CST) (envelope-from proot@iaces.com) Message-ID: <3C1F72AE.4A6115C8@iaces.com> Date: Tue, 18 Dec 2001 10:45:34 -0600 From: Paul Root X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: multiple pgp secret keys Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) 
List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is it possible to have your own secret key and also a group secret key in pgp? We're using pgp2. We have setup a IPv6 support list (ok just an alias) that we want to be able to sign/encrypt to. Ideas? Thanks, Paul. -- Paul T. Root E/Mail: proot@iaces.com 600 Stinson Blvd, Fl 1S PAG: +1 (877) 693-7155 Minneapolis, MN 55413 WRK: +1 (612) 664-3385 NIC: PTR FAX: +1 (612) 664-4779 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 9: 2:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 0336137B417 for ; Tue, 18 Dec 2001 09:02:32 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fBIH2Rp16947; Tue, 18 Dec 2001 18:02:27 +0100 (CET) Message-ID: <00b701c187e5$c5fbd240$0a00000a@atkielski.com> From: "Anthony Atkielski" To: "Paul Root" , References: <3C1F72AE.4A6115C8@iaces.com> Subject: Re: multiple pgp secret keys Date: Tue, 18 Dec 2001 18:02:23 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You can have multiple private keys on your private keyring. The keyring is protected by a single passphrase, however. ----- Original Message ----- From: "Paul Root" To: Sent: Tuesday, December 18, 2001 17:45 Subject: multiple pgp secret keys > Is it possible to have your own secret key and also > a group secret key in pgp? We're using pgp2. 
We have > setup a IPv6 support list (ok just an alias) that we want > to be able to sign/encrypt to. > > Ideas? > > Thanks, > Paul. > > -- > Paul T. Root E/Mail: proot@iaces.com > 600 Stinson Blvd, Fl 1S PAG: +1 (877) 693-7155 > Minneapolis, MN 55413 WRK: +1 (612) 664-3385 > NIC: PTR FAX: +1 (612) 664-4779 > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 12:21: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id A0D2437B419; Tue, 18 Dec 2001 12:20:58 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA06127; Tue, 18 Dec 2001 12:20:56 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda06124; Tue Dec 18 12:20:43 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id fBIKKOD31470; Tue, 18 Dec 2001 12:20:24 -0800 (PST) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdD31459; Tue Dec 18 12:19:46 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id fBIKJj223508; Tue, 18 Dec 2001 12:19:45 -0800 (PST) Message-Id: <200112182019.fBIKJj223508@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdB23503; Tue Dec 18 12:19:12 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: "Crist J . 
Clark" Cc: David Rhodus , David Xu , Christopher Schulte , Landon Stewart , security@FreeBSD.ORG Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... In-reply-to: Your message of "Mon, 17 Dec 2001 17:04:38 PST." <20011217170438.D19170@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 18 Dec 2001 12:19:12 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20011217170438.D19170@blossom.cjclark.org>, "Crist J . Clark" write s: > On Mon, Dec 17, 2001 at 08:25:54AM -0500, David Rhodus wrote: > [snip] > > mtree(8) has the capability to do a lot of this on its won. .. and of course if you want to get fancy, there are the tripwire and aide ports. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC FreeBSD UNIX: cy@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 12:24:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155]) by hub.freebsd.org (Postfix) with ESMTP id 45CD937B419 for ; Tue, 18 Dec 2001 12:24:15 -0800 (PST) Received: from win ([61.144.141.191]) (authenticated) by www.suntop-cn.com (8.11.3/8.11.3) with ESMTP id fBIKOBr80876 for ; Wed, 19 Dec 2001 04:24:12 +0800 (CST) (envelope-from slack@suntop-cn.com) From: slack@suntop-cn.com To: freebsd-security@FreeBSD.ORG Date: Wed, 19 Dec 2001 04:25:22 +0800 MIME-Version: 1.0 Subject: can I use ipfw reassemble fragment packet ? 
Message-ID: <3C2016B2.16111.5C1455@localhost> In-reply-to: <20011217174314.G19170@blossom.cjclark.org> References: <20011214144153.A3473@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Fri, Dec 14, 2001 at 02:41:53PM -0800 X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Can I use ipfw to reassemble fragmented packets before letting them into the intranet? I can't find a way to do it.

edwin chen

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Dec 18 12:43:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155]) by hub.freebsd.org (Postfix) with ESMTP id C5A0237B416 for ; Tue, 18 Dec 2001 12:43:35 -0800 (PST) Received: from win ([61.144.141.191]) (authenticated) by www.suntop-cn.com (8.11.3/8.11.3) with ESMTP id fBIKhSr81657 for ; Wed, 19 Dec 2001 04:43:28 +0800 (CST) (envelope-from slack@suntop-cn.com) From: slack@suntop-cn.com To: freebsd-security@FreeBSD.ORG Date: Wed, 19 Dec 2001 04:44:40 +0800 MIME-Version: 1.0 Subject: about ipfw Message-ID: <3C201B38.28785.6DBD8F@localhost> X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

1. Can ipfw do a TCP keep-state?
2. How does keep-state combine with "via interface"?
3. These ipfw rules don't work: why?

ipfw add pass all any to any via lo
ipfw add pass all any to any via ${iif}
ipfw add divert natd all from any to any via ${oif}
# Allow TCP through if setup succeeded
ipfw add check-state
${fwcmd} add deny tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add deny all from any to any via ${oif} frag

# Allow icmp 0 3 8 11 pass
${fwcmd} add pass icmp from any to any via ${oif} icmptypes 0,3,8,11

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any out via ${oif} setup keep-state

# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 out via ${oif} keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 out via ${oif} keep-state

${fwcmd} add deny log all from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Dec 18 16:14:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from mel-rti20.wanadoo.fr (mel-rti20.wanadoo.fr [193.252.19.91]) by hub.freebsd.org (Postfix) with ESMTP id A5DA937B417 for ; Tue, 18 Dec 2001 16:14:54 -0800 (PST) Received: from mel-rta10.wanadoo.fr (193.252.19.193) by mel-rti20.wanadoo.fr; 19 Dec 2001 01:14:53 +0100 Received: from html (193.252.190.100) by mel-rta10.wanadoo.fr; 19 Dec 2001 01:14:51 +0100 Message-ID: <3c1fdbfd3c55dbfc@mel-rta10.wanadoo.fr> (added by mel-rta10.wanadoo.fr) From: bobinsman@msn.com To: adam@velocity2.com Subject: The Latest Web Technologies... Date: Wed, 9 Jan 2002 16:07:58 Mime-Version: 1.0 Content-Type: text/html; charset="DEFAULT" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

    To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 18 22: 1:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id DE51B37B405 for ; Tue, 18 Dec 2001 22:01:44 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.6/8.11.4) id fBJ61R682839; Tue, 18 Dec 2001 22:01:27 -0800 (PST) (envelope-from kris) Date: Tue, 18 Dec 2001 22:01:27 -0800 From: Kris Kennaway To: slack@suntop-cn.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: about ipfw Message-ID: <20011218220127.A82807@citusc17.usc.edu> References: <3C201B38.28785.6DBD8F@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3C201B38.28785.6DBD8F@localhost>; from slack@suntop-cn.com on Wed, Dec 19, 2001 at 04:44:40AM +0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Dec 19, 2001 at 04:44:40AM +0800, slack@suntop-cn.com wrote: > 1. can ipfw do a TCP keep-state ? > 2. how keep-state combine with "via interface" ? > 3. this ipfw rules don't work: why ? These questions are off-topic for freebsd-security since they don't deal with freebsd security issues. Please don't abuse the mailing lists by sending off-topic email, and direct your general support questions to the freebsd-questions@freebsd.org mailing list. Thanks. 
Kris --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8IC02Wry0BWjoQKURAmOtAJwOdGrTIYBkXfqWT0SYqtbzGhy+zACgn6TZ y8nQgfiUp9XcuJanDYZDxkM= =gDsp -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 19 5:21:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 84F9C37B405 for ; Wed, 19 Dec 2001 05:21:43 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBJDLBY41741; Wed, 19 Dec 2001 15:21:11 +0200 (EET) (envelope-from ru) Date: Wed, 19 Dec 2001 15:21:10 +0200 From: Ruslan Ermilov To: slack@suntop-cn.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: can I use ipfw reassemble fragment packet ? Message-ID: <20011219152110.C37899@sunbay.com> References: <20011214144153.A3473@blossom.cjclark.org>; <3C2016B2.16111.5C1455@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3C2016B2.16111.5C1455@localhost> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Dec 19, 2001 at 04:25:22AM +0800, slack@suntop-cn.com wrote: > can I use ipfw reassemble fragment packets before let them into intra-net ? I > can't found a way do it . > divert(4) has a property of reassembling IP packets. You can write a daemon which reads the packets from a divert socket, and writes them back. Take a look at ports/net/tcpmssd for a prototype divert daemon. 
Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 19 5:48: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.all.org (bdsl.66.12.117.154.gte.net [66.12.117.154]) by hub.freebsd.org (Postfix) with ESMTP id 500DA37B419 for ; Wed, 19 Dec 2001 05:47:59 -0800 (PST) Message-ID: <02a101c18893$bd5be1d0$0164010a@compops1> From: "Joseph" To: , References: <3C201B38.28785.6DBD8F@localhost> Subject: Re: about ipfw Date: Wed, 19 Dec 2001 08:47:45 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is certainly a FreeBSD-security question.

You are missing a "from". Also, try allow instead of pass.

ipfw add allow all from any to any via lo in
ipfw add allow all from any to any via lo out

----- Original Message -----
From:
To:
Sent: Tuesday, December 18, 2001 3:44 PM
Subject: about ipfw

> 1. can ipfw do a TCP keep-state ?
> 2. how keep-state combine with "via interface" ?
> 3. this ipfw rules don't work: why ?
> ipfw add pass all any to any via lo
> ipfw add pass all any to any via ${iif}
> ipfw add divert natd all from any to any via ${oif}
> # Allow TCP through if setup succeeded
> ipfw add check-state
> ${fwcmd} add deny tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add deny all from any to any via ${oif} frag
>
> # Allow icmp 0 3 8 11 pass
> ${fwcmd} add pass icmp from any to any via ${oif} icmptypes 0,3,8,11
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any out via ${oif} setup keep-state
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from ${oip} to any 53 out via ${oif} keep-state
>
> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from ${oip} to any 123 out via ${oif} keep-state
>
> ${fwcmd} add deny log all from any to any
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Dec 19 10:25:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from excalibur.skynet.be (excalibur.skynet.be [195.238.3.135]) by hub.freebsd.org (Postfix) with ESMTP id ABB0137B416 for ; Wed, 19 Dec 2001 10:25:14 -0800 (PST) Received: from skynet.be (dialup605.namur.skynet.be [195.238.28.29]) by excalibur.skynet.be (8.11.6/8.11.6/Skynet-OUT-2.16) with ESMTP id fBJIP8825975; Wed, 19 Dec 2001 19:25:08 +0100 (MET) (envelope-from ) Message-ID: <3C20DB75.5060902@skynet.be> Date: Wed, 19 Dec 2001 19:24:53 +0100 From: Raf Schietekat Reply-To: Raf_Schietekat@ieee.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2 X-Accept-Language: en-us MIME-Version: 1.0 To: FreeBSD-security@FreeBSD.ORG
Subject: Re: kdm grants ordinary users root access on 4.4-R References: <20011215132828.P59641-100000@cithaeron.argolis.org> <3C1BCE3B.4010102@skynet.be> <3C1D23FC.2010207@skynet.be> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Vladislav Timofeev <_vlad@magnitka.ru> sent me an unreadable message, and I received an error message when trying to reply to this address. Raf Schietekat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 19 19:45:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from kcisp1.kcisp.net (fw-2-kci.keycreations.com [208.222.40.24]) by hub.freebsd.org (Postfix) with ESMTP id AC94937B419 for ; Wed, 19 Dec 2001 19:45:12 -0800 (PST) Received: (from www-data@localhost) by kcisp1.kcisp.net (8.9.3/8.9.3/Debian 8.9.3-21) id WAA22529; Wed, 19 Dec 2001 22:43:40 -0600 Date: Wed, 19 Dec 2001 22:43:40 -0600 Message-Id: <200112200443.WAA22529@kcisp1.kcisp.net> To: security@freebsd.org, steve@cs.ucsb.edu, skatz@long-mcquade.com, lickwid_brayley@btinternet.com, smreeves7@hotmail.com From: Heather19x1@aol.com () Subject: heya Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Below is the result of your feedback form. It was submitted by (Heather19x1@aol.com) on Wednesday, December 19, 2001 at 22:43:40 --------------------------------------------------------------------------- message: Hi, my name is Heather and I am a 19 year old female from San Diego, California. Ever since my 14th birthday, I have been really sexually active, but I am still a virgin. 

From owner-freebsd-security Thu Dec 20 6: 8: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.colltech.com (ausproxy.colltech.com [65.115.223.19]) by hub.freebsd.org (Postfix) with ESMTP id B810137B416 for ; Thu, 20 Dec 2001 06:08:02 -0800 (PST)
Received: from mail2.colltech.com (mail2.colltech.com [65.115.223.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id IAA27541; Thu, 20 Dec 2001 08:08:00 -0600
Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by mail2.colltech.com (8.9.3/8.9.3/not) with SMTP id IAA32532; Thu, 20 Dec 2001 08:07:48 -0600
Message-ID: <3C21F20C.C9806F70@colltech.com>
Received: from [10.24.112.101] by portal.east.saic.com via smtpd (for mail2.colltech.com [65.115.223.41]) with SMTP; 20 Dec 2001 14:07:50 UT
Date: Thu, 20 Dec 2001 09:13:32 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Joseph
Cc: slack@suntop-cn.com, freebsd-security@FreeBSD.ORG
Subject: Re: about ipfw
References: <3C201B38.28785.6DBD8F@localhost> <02a101c18893$bd5be1d0$0164010a@compops1>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Joseph wrote:
> Also, try allow instead of pass.

pass is an alias for allow and should be functionally identical. If this
is not the case someone needs to either fix ipfw or fix the manpage.

Daniel

--
Consultant, Collective Technologies http://www.collectivetech.com/
Use PGP for confidential e-mail.
http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1 3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

From owner-freebsd-security Thu Dec 20 6:59:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 2B4FA37B41A for ; Thu, 20 Dec 2001 06:59:35 -0800 (PST)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id E9BDB1DA7; Thu, 20 Dec 2001 15:59:10 +0100 (CET)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fBKEwrC01027; Thu, 20 Dec 2001 15:58:53 +0100
Date: Thu, 20 Dec 2001 15:58:53 +0100
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: FYI: Re: heya
Message-Id: <20011220155853.09be0921.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <200112200443.WAA22529@kcisp1.kcisp.net>
References: <200112200443.WAA22529@kcisp1.kcisp.net>
Organization: University Of Mining And Metallurgy
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Just for your information:

> Below is the result of your feedback form. It was submitted by

This signature was described in bugtraq post on Dec 11:
http://www.securityfocus.com/archive/1/244909

And it was suggested that this line could be used to filter out this kind
of spam.
Regards,
Krzysztof

From owner-freebsd-security Thu Dec 20 7:32:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by hub.freebsd.org (Postfix) with ESMTP id 235F237B416 for ; Thu, 20 Dec 2001 07:32:38 -0800 (PST)
Received: from pc3-card4-0-cust122.cdf.cable.ntl.com ([62.254.251.122] helo=rhadamanth.private.submonkey.net ident=exim) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 16H5AS-0005OP-00; Thu, 20 Dec 2001 15:31:32 +0000
Received: from setantae by rhadamanth.private.submonkey.net with local (Exim 3.33 #1) id 16H58f-0000vu-00; Thu, 20 Dec 2001 15:29:41 +0000
Date: Thu, 20 Dec 2001 15:29:41 +0000
From: Ceri
To: Krzysztof Zaraska
Cc: freebsd-security@freebsd.org
Subject: Re: FYI: Re: heya
Message-ID: <20011220152941.GA3486@rhadamanth>
Mail-Followup-To: Ceri , Krzysztof Zaraska , freebsd-security@freebsd.org
References: <200112200443.WAA22529@kcisp1.kcisp.net> <20011220155853.09be0921.kzaraska@student.uci.agh.edu.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011220155853.09be0921.kzaraska@student.uci.agh.edu.pl>
User-Agent: Mutt/1.3.24i

On Thu, Dec 20, 2001 at 03:58:53PM +0100, Krzysztof Zaraska wrote:
> Just for your information:
>
> > Below is the result of your feedback form. It was submitted by
> This signature was described in bugtraq post on Dec 11:
> http://www.securityfocus.com/archive/1/244909
>
> And it was suggested that this line could be used to filter out this kind
> of spam.

These are generated by old versions (and maybe new) of formmail.pl from
Matt's Script Archive.
You could filter on that line if you wanted, but submitting details to any
website running those scripts (and I believe there are many) is going to
find you rejecting legitimate mail.

Ceri

--
keep a mild groove on

From owner-freebsd-security Fri Dec 21 10:10:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by hub.freebsd.org (Postfix) with ESMTP id 94BF437B405 for ; Fri, 21 Dec 2001 10:10:40 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id fBLIAXu71521 for security@freebsd.org; Fri, 21 Dec 2001 13:10:33 -0500 (EST) (envelope-from str)
Date: Fri, 21 Dec 2001 13:10:33 -0500 (EST)
From: Igor Roshchin
Message-Id: <200112211810.fBLIAXu71521@giganda.komkon.org>
To: security@freebsd.org
Subject: sshd logging

Hello!

I am somewhat confused about sshd writing messages to the syslog.
On 3.x systems with the sshd installed from ports
(e.g. sshd version 1.2.27 [i386--freebsd3.5.1] ),
I have much more verbose logging than on 4.x systems with the
"core" openssh (e.g. sshd version OpenSSH_2.3.0 ).

As an example, here are the excerpts from logs on the same type of
event for 3.x and 4.x systems:

3.x and sshd 1.2.27:

Dec 21 11:05:36 host3.x sshd[7623]: connect from 210.97.143.20
Dec 21 11:05:36 host3.x sshd[7623]: log: Connection from 210.97.143.20 port 1257
Dec 21 11:05:36 host3.x sshd[7623]: log: Could not reverse map address 210.97.143.20.
Dec 21 11:05:36 host3.x sshd[7624]: connect from 210.97.143.20
Dec 21 11:05:36 host3.x sshd[7624]: log: Connection from 210.97.143.20 port 1253
Dec 21 11:05:36 astra sshd[7624]: log: Could not reverse map address 210.97.143.20.
Dec 21 11:05:36 astra sshd[7623]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
Dec 21 11:05:36 astra sshd[7624]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.

4.x and OpenSSH_2.3.0:

Dec 21 11:05:26 host4.x sshd[67562]: Disconnecting: Your ssh version is too old and is no longer supported. Please install a newer version.
Dec 21 11:05:39 host4.x sshd[67565]: Disconnecting: Your ssh version is too old and is no longer supported. Please install a newer version.

I see that the priority of the messages changed between the versions.
However, even enabling "auth.*" logging does not show the "connect from .."
messages.
In both cases sshd is run as a standalone daemon.

Any ideas/suggestions as for how to enable this logging in OpenSSH ?
(Am I just overlooking something obvious ?)

Thanks,

Igor

From owner-freebsd-security Fri Dec 21 11:57:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107]) by hub.freebsd.org (Postfix) with ESMTP id 2EED337B417 for ; Fri, 21 Dec 2001 11:57:13 -0800 (PST)
Received: from DAVE ([192.168.0.56]) by chaos.evolve.za.net (8.11.6/1.1.3) with SMTP id fBLJuft21686; Fri, 21 Dec 2001 21:56:47 +0200 (SAST) (envelope-from dave@kill-9.za.net)
Message-ID: <002f01c18a59$50806a00$3800a8c0@DAVE>
From: "Dave Raven"
To: "Igor Roshchin" ,
References: <200112211810.fBLIAXu71521@giganda.komkon.org>
Subject: Re: sshd logging
Date: Fri, 21 Dec 2001 21:54:26 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

your default (/etc/ssh/) sshd_config file will have this:
LogLevel INFO
change that to
LogLevel DEBUG
and you're set.

----- Original Message -----
From: "Igor Roshchin"
To:
Sent: Friday, December 21, 2001 8:10 PM
Subject: sshd logging

>
> Hello!
>
>
> I am somewhat confused about sshd writing messages to the syslog.
> On 3.x systems with the sshd installed from ports
> (e.g. sshd version 1.2.27 [i386--freebsd3.5.1] ),
> I have much more verbose logging than on 4.x systems with the
> "core" openssh (e.g. sshd version OpenSSH_2.3.0 ).
>
> As an example, here are the excerpts from logs on the same type of
> event for 3.x and 4.x systems:
>
> 3.x and sshd 1.2.27:
>
> Dec 21 11:05:36 host3.x sshd[7623]: connect from 210.97.143.20
> Dec 21 11:05:36 host3.x sshd[7623]: log: Connection from 210.97.143.20 port 1257
> Dec 21 11:05:36 host3.x sshd[7623]: log: Could not reverse map address 210.97.143.20.
> Dec 21 11:05:36 host3.x sshd[7624]: connect from 210.97.143.20
> Dec 21 11:05:36 host3.x sshd[7624]: log: Connection from 210.97.143.20 port 1253
> Dec 21 11:05:36 astra sshd[7624]: log: Could not reverse map address 210.97.143.20.
> Dec 21 11:05:36 astra sshd[7623]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
> Dec 21 11:05:36 astra sshd[7624]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
>
>
> 4.x and OpenSSH_2.3.0:
>
> Dec 21 11:05:26 host4.x sshd[67562]: Disconnecting: Your ssh version is too old and is no longer supported. Please install a newer version.
> Dec 21 11:05:39 host4.x sshd[67565]: Disconnecting: Your ssh version is too old and is no longer supported. Please install a newer version.
>
>
> I see that the priority of the messages changed between the versions.
> However, even enabling "auth.*" logging does not show the "connect from .."
> messages.
> In both cases sshd is run as a standalone daemon.
>
> Any ideas/suggestions as for how to enable this logging in OpenSSH ?
> (Am I just overlooking something obvious ?)
>
> Thanks,
>
> Igor
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Dec 22 11:41:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta01-srv.alltel.net (mta01.alltel.net [166.102.165.143]) by hub.freebsd.org (Postfix) with ESMTP id ECCFC37B41D for ; Sat, 22 Dec 2001 11:41:09 -0800 (PST)
Received: from earthlink.net ([162.39.75.165]) by mta01-srv.alltel.net with ESMTP id <20011222194103.JBT20212.mta01-srv.alltel.net@earthlink.net>; Sat, 22 Dec 2001 13:41:03 -0600
Message-ID: <3C24E1D0.398CCF28@earthlink.net>
Date: Sat, 22 Dec 2001 19:41:04 +0000
From: William Clark
X-Mailer: Mozilla 4.7 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

unsubscribe freebsd-security
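
An added example, not part of any message in this archive, for the "sshd logging" thread above: it groups sshd syslog lines by host and PID and reports which rejected connections never logged a peer address, which is the gap the 4.x excerpt shows. The function names are hypothetical, and the sample lines are constructed from the excerpts in the thread with the 3.x hostname normalised.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the thread's two excerpts, with the 3.x
# hostname normalised to "host3.x" so each session has one (host, pid) key.
SAMPLE_LOG = """\
Dec 21 11:05:36 host3.x sshd[7623]: connect from 210.97.143.20
Dec 21 11:05:36 host3.x sshd[7623]: log: Connection from 210.97.143.20 port 1257
Dec 21 11:05:36 host3.x sshd[7623]: log: Could not reverse map address 210.97.143.20.
Dec 21 11:05:36 host3.x sshd[7623]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
Dec 21 11:05:26 host4.x sshd[67562]: Disconnecting: Your ssh version is too old and is no longer supported. Please install a newer version.
Dec 21 11:05:39 host4.x sshd[67565]: Disconnecting: Your ssh version is too old and is no longer supported. Please install a newer version.
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Matches both "connect from IP" and "Connection from IP port N".
PEER_RE = re.compile(
    r"(?:connect|Connection) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port (?P<port>\d+))?"
)
REJECT_RE = re.compile(r"ssh version is too old")


def summarize(log_text):
    """Group sshd syslog lines into sessions keyed by (host, pid)."""
    sessions = defaultdict(lambda: {"peer": None, "port": None, "rejected": False})
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an sshd line in the expected layout
        session = sessions[(m["host"], int(m["pid"]))]
        peer = PEER_RE.search(m["msg"])
        if peer:
            session["peer"] = peer["ip"]
            if peer["port"]:
                session["port"] = int(peer["port"])
        if REJECT_RE.search(m["msg"]):
            session["rejected"] = True
    return dict(sessions)


def unattributed_rejections(sessions):
    """Return keys of sessions that were rejected without a logged peer address."""
    return sorted(k for k, s in sessions.items() if s["rejected"] and s["peer"] is None)


if __name__ == "__main__":
    for key in unattributed_rejections(summarize(SAMPLE_LOG)):
        print("no source address logged for", key)
```

Run against a real auth log, a non-empty result means the current log level leaves those events without a source address to investigate.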