From owner-freebsd-security Sun Jul 7 0:33:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A76437B400 for ; Sun, 7 Jul 2002 00:33:46 -0700 (PDT)
Received: from kilgore.blindfaith.org (adsl-64-163-155-3.dsl.snfc21.pacbell.net [64.163.155.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A7AE43E3B for ; Sun, 7 Jul 2002 00:33:45 -0700 (PDT) (envelope-from blyon@blindfaith.org)
Received: from kilgore.blindfaith.org (localhost.blindfaith.org [127.0.0.1]) by kilgore.blindfaith.org (8.12.2/8.12.2) with ESMTP id g677XfHB004796; Sun, 7 Jul 2002 00:33:41 -0700 (PDT) (envelope-from blyon@blindfaith.org)
Received: from localhost (blyon@localhost) by kilgore.blindfaith.org (8.12.2/8.12.2/Submit) with ESMTP id g677XbWO004793; Sun, 7 Jul 2002 00:33:37 -0700 (PDT) (envelope-from blyon@blindfaith.org)
X-Authentication-Warning: kilgore.blindfaith.org: blyon owned process doing -bs
Date: Sun, 7 Jul 2002 00:33:37 -0700 (PDT)
From: Ben Lyon
To: "David G . Andersen"
Cc: Ross Wheeler , twig les , Brian Reichert , Kim Okasawa , _@r4k.net, freebsd-security@FreeBSD.ORG
Subject: Re: NTP security - (was Any security issues with root's cron job?)
In-Reply-To: <20020705224406.B23004@cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Ship over to truetime.com and have a look-see. Nice self-contained 1U GPS stratum 1 timeservers. Less than $2000 if I remember correctly..

--------------------------------------------------------------------
Ben Lyon blyon@blindfaith.org

On Fri, 5 Jul 2002, David G .
Andersen wrote:

> Ross Wheeler just mooed:
> >
> > Whip over to ebay, buy a cheap second-hand GPS and cable, stick it into
> > one of your servers and presto - instant "stratum 1" time reference for
>
> One thing to note with this approach is that you have to pick
> your GPS carefully. Hand-helds often have really terrible time output;
> a friend of mine used his PCMCIA GPS and was getting worse-than-NTP
> time from it. If you can find it, look for a model that's optimized
> for time synch. Trimble, UT+, etc. There's a good list of them in
> the NTP faq at http://www.ntp.org/
>
> > under a hundred bucks. Under your control (I can't see anyone taking over
> > or DoSing the whole of the GPS network any time soon, do you?)
>
> Certainly not to attack one internet site, at least. :)
>
> -Dave
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 7 11:50:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B1BA37B401 for ; Sun, 7 Jul 2002 11:50:26 -0700 (PDT)
Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E4DF43E09 for ; Sun, 7 Jul 2002 11:50:25 -0700 (PDT) (envelope-from klaus@kobold.compt.com)
Date: Sun, 7 Jul 2002 14:50:20 -0400
From: Klaus Steden
To: Randy Bush
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: signal 8 (fp execption) in pgp 5
Message-ID: <20020707145020.D95654@cthulu.compt.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: ; from randy@psg.com on Sat, Jul 06, 2002 at 10:54:12PM -0700
Sender:
owner-freebsd-security@FreeBSD.ORG

> yesterday's -stable and ports tree, rebuilt twice.
>
> % pgpk -l randy
> Type Bits KeyID Created Expires Algorithm Use
> sec+ 1024 0xB1331439 1994-04-04 ---------- RSA Sign & Encrypt
> uid Randy Bush
>
> 1 matching key found
>
> Received signal 8.
>
> anyone else see this or have a clue?

Yup. I tried PGP6, too, and found the same problem. Did some digging around in the source, and at least with PGP6, I discovered it's a bug in pgpRndUnix.c. Specifically, when loading a timer for use in an entropy function (I think), there's a call to clock_getres() - using the CLOCK_REALTIME clock, filling in a structure that gets returned to the caller as 0, which triggers the FPE.

I tried using CLOCK_VIRTUAL, which stopped the FPE, but returned an error and thus didn't generate any randomness.

Hopefully I've got my terms right - I'm no crypto expert by any stretch, but that's what I found to be a problem in PGP6. I suspect something similar may be at play in PGP5.
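The failure mode Klaus describes, as an added illustration that is not part of his message and not a quote of pgpRndUnix.c (which is not reproduced here): a tick rate derived from clock_getres() output and used as a divisor without checking it, next to a version that validates the result first. The function names and the assumption that the PGP code divides by the resolution it gets back are mine. The caveat worth keeping is the one his CLOCK_VIRTUAL experiment shows: making the crash go away while the collector silently yields no randomness is worse than the crash, so the hardened version reports an unusable timer instead of proceeding.

```c
/* Added example, not PGP source. Build: cc -std=c99 -Wall clockres.c */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 199309L   /* clock_getres(), clockid_t */
#endif
#include <stdio.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000L

/* The unchecked pattern (assumed, not quoted from PGP): the resolution goes
 * straight into a divisor. A zero resolution is an integer divide by zero,
 * which on FreeBSD/i386 arrives as SIGFPE, "signal 8". */
static long ticks_per_second_unchecked(const struct timespec *res)
{
    return NSEC_PER_SEC / (res->tv_sec * NSEC_PER_SEC + res->tv_nsec);
}

/* Hardened: validate what the kernel handed back before using it.
 * Returns 0 and stores the tick rate, or -1 for an unusable resolution. */
static int ticks_per_second_from_res(const struct timespec *res, long *out)
{
    if (res->tv_sec < 0 || res->tv_nsec < 0 || res->tv_nsec >= NSEC_PER_SEC)
        return -1;                    /* not a normalised timespec */
    if (res->tv_sec > 1)
        return -1;                    /* coarser than a second: useless as a timer */
    long ns = res->tv_sec * NSEC_PER_SEC + res->tv_nsec;
    if (ns == 0)
        return -1;                    /* the case that crashed pgpk */
    *out = NSEC_PER_SEC / ns;
    return 0;
}

/* Query a clock and derive its tick rate; -1 if clock_getres() fails
 * (EINVAL for a clock the kernel does not support) or the resolution is unusable. */
static int ticks_per_second(clockid_t clk, long *out)
{
    struct timespec res;
    if (clock_getres(clk, &res) != 0)
        return -1;
    return ticks_per_second_from_res(&res, out);
}

/* Wrapper so a given resolution can be checked directly: ticks or -1. */
static long ticks_or_minus1(long sec, long nsec)
{
    struct timespec res = { .tv_sec = sec, .tv_nsec = nsec };
    long ticks;
    return ticks_per_second_from_res(&res, &ticks) == 0 ? ticks : -1;
}

static int realtime_clock_usable(void)
{
    long ticks;
    return ticks_per_second(CLOCK_REALTIME, &ticks) == 0 && ticks > 0;
}

int main(void)
{
    struct timespec res;
    long ticks;
    if (clock_getres(CLOCK_REALTIME, &res) != 0 ||
        ticks_per_second_from_res(&res, &ticks) != 0) {
        /* An entropy source that cannot get a usable timer must say so and
         * stop; continuing with no randomness is the worse failure. */
        fputs("no usable timer resolution; refusing to collect entropy\n", stderr);
        return 1;
    }
    printf("CLOCK_REALTIME resolution %ld.%09ld s -> %ld ticks/s\n",
           (long)res.tv_sec, res.tv_nsec, ticks);
    /* Safe only because the check above proved the divisor non-zero. */
    printf("unchecked arithmetic agrees: %ld ticks/s\n", ticks_per_second_unchecked(&res));
    return 0;
}
```

On a system where the clock reports a sane resolution both paths agree; feed ticks_per_second_from_res a zero timespec and it returns -1 where the unchecked version would trap.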
HTH,
Klaus

From owner-freebsd-security Sun Jul 7 12: 2:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3748437B400 for ; Sun, 7 Jul 2002 12:02:38 -0700 (PDT)
Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id EBFB843E31 for ; Sun, 7 Jul 2002 12:02:37 -0700 (PDT) (envelope-from randy@psg.com)
Received: from localhost ([127.0.0.1] helo=rip.psg.com.psg.com) by rip.psg.com with esmtp (Exim 4.05) id 17RHIr-000GP6-00; Sun, 07 Jul 2002 12:02:37 -0700
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Klaus Steden
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: signal 8 (fp execption) in pgp 5
References: <20020707145020.D95654@cthulu.compt.com>
Message-Id:
Date: Sun, 07 Jul 2002 12:02:37 -0700

>> yesterday's -stable and ports tree, rebuilt twice.
>> % pgpk -l randy
>> Type Bits KeyID Created Expires Algorithm Use
>> sec+ 1024 0xB1331439 1994-04-04 ---------- RSA Sign & Encrypt
>> uid Randy Bush
>> 1 matching key found
>> Received signal 8.
> Yup. I tried PGP6, too, and found the same problem. Did some digging
> around in the source, and at least with PGP6, I discovered it's a bug in
> pgpRndUnix.c. Specifically, when loading a timer for use in an entropy
> function (I think), there's a call to clock_getres() - using the
> CLOCK_REALTIME clock, filling in a structure that gets returned to the
> caller as 0, which triggers the FPE.
>
> I tried using CLOCK_VIRTUAL, which stopped the FPE, but returned an error
> and thus didn't generate any randomness.

makes sense.
note that this just appeared on a system i built. my old system, same pgp port, works fine. so

  o it has to do with the install, order of install, etc. or
  o there is something that changed in the last week or two

randy

From owner-freebsd-security Sun Jul 7 13: 5: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F095637B400; Sun, 7 Jul 2002 13:04:51 -0700 (PDT)
Received: from hotmail.com (f94.law11.hotmail.com [64.4.17.94]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B29D43E54; Sun, 7 Jul 2002 13:04:21 -0700 (PDT) (envelope-from kimokasawa@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 7 Jul 2002 13:01:44 -0700
Received: from 68.49.49.165 by lw11fd.law11.hotmail.msn.com with HTTP; Sun, 07 Jul 2002 20:01:44 GMT
X-Originating-IP: [68.49.49.165]
From: "Kim Okasawa"
To: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Methods to detect Internet censorship.
Date: Mon, 08 Jul 2002 05:01:44 +0900
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 07 Jul 2002 20:01:44.0411 (UTC) FILETIME=[1E37BAB0:01C225F1]

Dear all,

First, I need to apologize because this question is not FreeBSD-specific, but I believe I may be able to find some good answers or insights from here.

Currently I'm working on a research project about Internet censorship in certain Asian and Middle Eastern countries. I need to find out which US websites have been blocked by those countries (e.g. CNN, NY Times, Wall Street Journal, etc.)
The problem I encountered is that I haven't found a good way to detect the blocking. Here is a brief description of what is going on.

In certain countries such as China, Singapore, and some Middle Eastern countries, governments do NOT want their people to have access to US websites and obtain 'sensitive' information. The most common way to achieve this is to build a national 'firewall' to drop all packets that come from certain foreign IP addresses (addresses that belong to websites such as CNN, etc.) Here's the diagram:

                          Censored country
             +--------------------------------------------+
             |                          +--- ...          |
             |                          |                 |
             |      +----------+        +--- ...          |
             |      | National |        |                 |
  Internet --+------+          +--------+-----+--- ...    hosts inside
   (world)   |      | Firewall |        |                 the country
             |      +----------+        +--- ...          |
             |                          |                 |
             |                          +--- ...          |
             +--------------------------------------------+

To detect which websites have been blocked by those national firewalls, I have two ways and each encounters a problem.

1. Buy shell or dial-up accounts from ISPs in such countries and remotely do an HTTP GET to see if the requested webpages come back.

   Problem: I cannot get shell or dial-up accounts from all regions in every country because some of them either don't accept credit cards or don't deal with foreigners.

2. Use loose source routing to fix a gateway inside such countries and send HTTP GET requests to US sites from my home. So ideally, the packet will travel from my home, pass a host inside the censored country, then come back to the US site that I specified. When the US site responds to the request, the packet will follow the same route to the censored country, then back to me. If the US site is being blocked by the country, then I will never receive the packet.

   Problem: Loose source routing is denied by many routers and *nix machines such as Linux, so this method is quite unreliable and can generate a lot of false results.

Are there other inexpensive ways to detect the censorship? I'm open to any possible methods.
Thank you all for the help.

Best Regards,
Kim

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. http://www.hotmail.com

From owner-freebsd-security Sun Jul 7 13:40:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4280537B401; Sun, 7 Jul 2002 13:40:27 -0700 (PDT)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id A8E9C43E54; Sun, 7 Jul 2002 13:40:26 -0700 (PDT) (envelope-from des@ofug.org)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 6E790534A; Sun, 7 Jul 2002 22:40:24 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Kim Okasawa"
Cc: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Methods to detect Internet censorship.
References:
From: Dag-Erling Smorgrav
Date: 07 Jul 2002 22:40:23 +0200
In-Reply-To:
Message-ID:
Lines: 15
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

"Kim Okasawa" writes:
> Are there other inexpensive ways to detect the censorship? I'm open
> to any possible methods.

Set up an open Squid proxy. Wait five minutes. Check the proxy logs and figure out what sites people access through your proxy, and from where.

OK, so it might take a little more than five minutes, but the principle is sound.
Great way to build up a huge collection of porn URLs and passwords, too :P

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jul 7 13:47:36 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD04937B401; Sun, 7 Jul 2002 13:47:32 -0700 (PDT)
Received: from hotmail.com (f118.law11.hotmail.com [64.4.17.118]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1790143E4A; Sun, 7 Jul 2002 13:47:32 -0700 (PDT) (envelope-from kimokasawa@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 7 Jul 2002 13:47:31 -0700
Received: from 68.49.49.165 by lw11fd.law11.hotmail.msn.com with HTTP; Sun, 07 Jul 2002 20:47:31 GMT
X-Originating-IP: [68.49.49.165]
From: "Kim Okasawa"
To: des@ofug.org
Cc: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Methods to detect Internet censorship.
Date: Mon, 08 Jul 2002 05:47:31 +0900
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 07 Jul 2002 20:47:31.0936 (UTC) FILETIME=[83DEC600:01C225F7]

>"Kim Okasawa" writes:
> > Are there other inexpensive ways to detect the censorship? I'm open
> > to any possible methods.
>
>Set up an open Squid proxy. Wait five minutes. Check the proxy logs
>and figure out what sites people access through your proxy, and from
>where.
>
>OK, so it might take a little more than five minutes, but the
>principle is sound. Great way to build up a huge collection of porn
>URLs and passwords, too :P
>
>DES
>--
>Dag-Erling Smorgrav - des@ofug.org

Well, I am not interested in fighting the censorship in such countries.
All I want is to find out what US sites are being blocked by their national firewalls.

Kim

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

From owner-freebsd-security Sun Jul 7 14:26:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 31C7737B401; Sun, 7 Jul 2002 14:26:53 -0700 (PDT)
Received: from hotmail.com (f85.law11.hotmail.com [64.4.17.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id C003643E4A; Sun, 7 Jul 2002 14:26:52 -0700 (PDT) (envelope-from kimokasawa@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 7 Jul 2002 14:26:52 -0700
Received: from 68.49.49.165 by lw11fd.law11.hotmail.msn.com with HTTP; Sun, 07 Jul 2002 21:26:52 GMT
X-Originating-IP: [68.49.49.165]
From: "Kim Okasawa"
To: brunner@nic-naa.net
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Methods to detect Internet censorship.
Date: Mon, 08 Jul 2002 06:26:52 +0900
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 07 Jul 2002 21:26:52.0707 (UTC) FILETIME=[02FFD730:01C225FD]

Hi Eric,

I'm neither for nor against Internet censorship. I am just working on a research project that needs information on which US sites are being blocked by certain countries. I don't want to get into the discussion of whether censorship is good or bad. All I want is to find out, technically, whether there is a good way for me to detect/monitor censorship remotely.

Thank you.
Best Regards,
Kim

----Original Message Follows----
From: Eric Brunner-Williams in Portland Maine
To: "Kim Okasawa"
CC: brunner@nic-naa.net
Subject: Re: Methods to detect Internet censorship.
Date: Sun, 07 Jul 2002 17:16:50 -0400

Oki Kim,

When I worked with the NIC for the PRC last year several classes of abuse caused concern for network operators. To give two examples, a common browser caused packet flow to North America, generating cash drain from the PRC to the US, adding functionally unnecessary "overseas bandwidth" cost to the network operators. The underlying cause was a bug in UTF-8 handling, and also a US-centered business model. These problems (bug and business model generated consumption of expensive trans-pacific network resources) existed concurrently for all Asian network operators.

The second example, specific to the PRC, was undertaken by an agency that is funded by the United States. Radio Free Republican Morons or something along those lines. They were hosting "political speech" (if you are for it) or "stuff that kills children" (if you are not), take your pick as to the better characterization of the content.

You know, all of the ccTLD NICs are on-line. They all get email, and most respond to reasonable requests, and asking if, what, even how they engineer crap (and I don't know how else to characterize the WSJ editorial page) out of the traffic they carry, is reasonable.

Now, could I interest you in some addictive non-smoking nicotine products targeted for Asian females ages 8 to 12? How about opiates on-line?

We live on an increasingly irresponsible internet. Anyone confusing access to some "news" product in the US with responsible operation is confused.

Kitakitamatsino,
Eric

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

From owner-freebsd-security Sun Jul 7 14:27:32 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6900F37B478 for ; Sun, 7 Jul 2002 14:27:14 -0700 (PDT)
Received: from rage.so36.net (rage.so36.net [212.84.245.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1490643E31 for ; Sun, 7 Jul 2002 14:27:13 -0700 (PDT) (envelope-from ths@katjusha.de)
Received: (qmail 6512 invoked from network); 7 Jul 2002 21:27:11 -0000
Received: from ths.so36.net (HELO jail.so36.net) (212.84.245.13) by rage.so36.net with DES-CBC3-SHA encrypted SMTP; 7 Jul 2002 21:27:11 -0000
Date: Sun, 7 Jul 2002 23:27:07 +0200 (CEST)
From: Thorsten Schroeder
X-X-Sender: ths@ths.so36.NET
To: freebsd-security@FreeBSD.ORG
Subject: fbsd Apache Worm / ddos
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

we have had a "nice" dos. today three of our apache webservers were compromised using the vulnerability found in the chunked encoding implementation of the Apache 1.3.24 and 2.0.36 and below servers. See CERT Advisory CA-2002-17 on http://www.cert.org

I noticed increasing traffic until no bandwidth was available. i tried to reconstruct/analyse this but it's totally unclear why this degenerates into a (distributed?) denial of service against one of our (compromised) servers.

please read http://dammit.lt/apache-worm/apache-worm.c and http://www.freebsd.org/cgi/getmsg.cgi?fetch=34552+54852+/usr/local/www/db/text/2002/freebsd-security/20020707.freebsd-security for a worm analysis.
The compromised system is a 4.5-STABLE FreeBSD 4.5-STABLE #0 running apache 1.3.22 (vulnerable).

The apache logfiles show:

[Sun Jul 7 13:47:19 2002] [error] [client 66.146.1.28] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

dmesg output as it appears in /var/log/messages:

Jul 7 13:47:25 foobar /kernel: pid 22639 (httpd), uid 80: exited on signal 11

on another apache server (also compromised) i have found the following output in /var/log/messages:

Jul 7 05:58:27 foobar /kernel: pid 25863 (.a), uid 65534: exited on signal 10

in the /tmp directories are the binary of the worm and its uuencoded form:

-rwxr-xr-x 1 nobody wheel 51594 Jul 7 13:47 .a
-rw-r--r-- 1 nobody wheel 71105 Jul 7 13:47 .uua

As described in David Endler's "Apache Worm Analysis" the exploit does something like

/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;

What i don't understand is the udp-flood after the exploitation. Thousands of different (spoofed) ip-addresses as source for udp-packets from port 2001 to the compromised system port 2001.
I captured some and they look like this:

16:18:14.616723 213.131.0.14.2001 > 212.xx.xxx.xx.2001: udp 40 [tos 0x20]
                         4520 0044 adfc 0000 2e11 3f98 d583 000e
                         d454 f50e 07d1 07d1 0030 e7f5 2600 0000
                         893a f36d 2800 0000 aea5 76b2 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.619078 209.81.10.51.2001 > 212.xx.xxx.xx.2001: udp 44
                         4500 0048 77c7 0000 2a11 73f6 d151 0a33
                         d454 f50e 07d1 07d1 0034 22fc 2600 0000
                         ea36 e44d 2c00 0000 f9cd bf8a 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 d30f 0112
16:18:14.620712 210.224.161.37.2001 > 212.xx.xxx.xx.2001: udp 40
                         4500 0044 00e9 0000 2611 5657 d2e0 a125
                         d454 f50e 07d1 07d1 0030 19c6 2600 0000
                         b44f 0566 2800 0000 e9e5 2e20 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000
16:18:14.622291 211.167.73.219.2001 > 212.xx.xxx.xx.2001: udp 44
                         4500 0048 ff8e 0000 2611 ae30 d3a7 49db
                         d454 f50e 07d1 07d1 0034 47d6 2600 0000
                         e846 4748 2c00 0000 4168 1e56 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 42d8 2301
16:18:14.623932 217.151.0.38.2001 > 212.xx.xxx.xx.2001: udp 44
                         4500 0048 1611 0000 3611 cb73 d997 0026
                         d454 f50e 07d1 07d1 0034 5d0b 2600 0000
                         61fa bb4a 2c00 0000 5eca 47e2 0500 0000
                         0000 0000 7100 0000 0000 0000 0400 0000
                         0000 0000 4373 1c52
16:18:14.625493 209.251.2.5.2001 > 212.xx.xxx.xx.2001: udp 40
                         4500 0044 038d 0000 3011 e9b8 d1fb 0205
                         d454 f50e 07d1 07d1 0030 e1ab 2600 0000
                         df1c b03c 2800 0000 96ea 8397 0500 0000
                         0000 0000 7400 0000 0000 0000 0000 0000
                         0000 0000

notice: there were so many udp-packets coming in, eating all of the bandwidth.

many ppl are talking about the "sloppy fashion" the worm was coded in, and that it is quite "harmless" because "it causes no damage"... What about the udp flood? Can anyone explain that?

The flooding went on for 3 hours until the routes to the ip addresses were dropped.

This is just FYI ... and if anyone has a clue about the flood... please contact me or discuss this on the list.
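To get more out of those captures than eyeballing them, decode them. The following is an added example, not code from Thorsten's post, from apache-worm.c or from any worm analysis: it turns tcpdump -x hex dumps (two of the packets above, copied verbatim) into IPv4/UDP fields, recomputes the RFC 791 header checksum, and applies a constructed signature (UDP 2001 to 2001, checksum verifies, payload opening 26 00 00 00 as every sample here does). The signature and all names are mine; what the payload bytes mean is not established in this thread and the code does not claim to know. One thing it makes visible is that the TTLs differ per packet (46 and 42 for the two samples), which is one of the fields to compare when judging whether a set of sources is spoofed from one host or genuinely spread out.

```c
/* Added example (not from the thread): decode tcpdump -x dumps into IPv4/UDP
 * fields and verify the IP header checksum. Build: cc -std=c99 -Wall decode.c */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two of the captured packets, copied from the post (IP header first). */
static const char *const SAMPLES[] = {
    "4520 0044 adfc 0000 2e11 3f98 d583 000e d454 f50e 07d1 07d1 0030 e7f5 "
    "2600 0000 893a f36d 2800 0000 aea5 76b2 0500 0000 0000 0000 7400 0000 "
    "0000 0000 0000 0000 0000 0000",
    "4500 0048 77c7 0000 2a11 73f6 d151 0a33 d454 f50e 07d1 07d1 0034 22fc "
    "2600 0000 ea36 e44d 2c00 0000 f9cd bf8a 0500 0000 0000 0000 7100 0000 "
    "0000 0000 0400 0000 0000 0000 d30f 0112",
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

struct pkt {
    unsigned total_len, ttl, proto, hdr_csum, calc_csum, sport, dport;
    char src[16];                 /* destination not decoded: the poster masked it */
    const uint8_t *payload;
    size_t payload_len;
};

/* Hex words -> bytes; returns the byte count, or 0 if the text is not clean hex. */
static size_t hex_to_bytes(const char *hex, uint8_t *out, size_t cap) {
    size_t n = 0; int hi = -1;
    for (; *hex; hex++) {
        unsigned char c = (unsigned char)*hex;
        if (isspace(c)) continue;
        if (!isxdigit(c)) return 0;
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n == cap) return 0;
        out[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? n : 0;        /* dangling nibble: malformed */
}

/* RFC 791 header checksum: one's-complement sum of the 16-bit words. */
static unsigned ip_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    if (len & 1) sum += (uint32_t)h[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return ~sum & 0xffff;
}

/* Parse an IPv4/UDP datagram; -1 if it is not one or the lengths disagree. */
static int decode_udp(const uint8_t *b, size_t len, struct pkt *p) {
    if (len < 28 || (b[0] >> 4) != 4) return -1;
    size_t ihl = (b[0] & 0xf) * 4u;
    if (ihl < 20 || len < ihl + 8) return -1;
    uint8_t hdr[60];              /* IHL is at most 15 words */
    memcpy(hdr, b, ihl);
    hdr[10] = hdr[11] = 0;        /* the checksum is computed over a zeroed field */
    p->total_len = (b[2] << 8) | b[3];
    p->ttl = b[8]; p->proto = b[9];
    p->hdr_csum = (b[10] << 8) | b[11];
    p->calc_csum = ip_checksum(hdr, ihl);
    snprintf(p->src, sizeof p->src, "%u.%u.%u.%u", b[12], b[13], b[14], b[15]);
    if (p->proto != 17 || p->total_len != len) return -1;
    const uint8_t *u = b + ihl;
    p->sport = (u[0] << 8) | u[1]; p->dport = (u[2] << 8) | u[3];
    unsigned udp_len = (u[4] << 8) | u[5];
    if (udp_len != len - ihl) return -1;
    p->payload = u + 8;
    p->payload_len = udp_len - 8;
    return 0;
}

/* Classify one dump: -1 not IPv4/UDP, 0 UDP but unlike the flood, 1 matches the
 * constructed signature. buf must outlive p (payload points into it). */
static int classify(const char *hex, struct pkt *p, uint8_t *buf, size_t cap) {
    static const uint8_t prefix[4] = { 0x26, 0x00, 0x00, 0x00 };
    size_t n = hex_to_bytes(hex, buf, cap);
    if (n == 0 || decode_udp(buf, n, p) != 0) return -1;
    return p->sport == 2001 && p->dport == 2001 && p->hdr_csum == p->calc_csum &&
           p->payload_len >= 4 && memcmp(p->payload, prefix, 4) == 0;
}

/* Does sample idx decode to these values with a checksum that verifies? */
static int sample_matches(size_t idx, const char *src, unsigned ttl, size_t plen) {
    uint8_t buf[128]; struct pkt p;
    if (idx >= NSAMPLES || classify(SAMPLES[idx], &p, buf, sizeof buf) < 0) return 0;
    return strcmp(p.src, src) == 0 && p.ttl == ttl && p.payload_len == plen &&
           p.hdr_csum == p.calc_csum;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++) {
        uint8_t buf[128]; struct pkt p;
        int cls = classify(SAMPLES[i], &p, buf, sizeof buf);
        if (cls < 0) { printf("sample %zu: not IPv4/UDP\n", i); continue; }
        printf("%s:%u -> :%u ttl=%u len=%u hdr-csum %s payload=%zu bytes%s\n",
               p.src, p.sport, p.dport, p.ttl, p.total_len,
               p.hdr_csum == p.calc_csum ? "ok" : "BAD", p.payload_len,
               cls ? " [flood signature]" : "");
    }
    return 0;
}
```

Both samples decode with a checksum that verifies (0x3f98 and 0x73f6 recomputed from the header words), UDP lengths that agree with the "udp 40" / "udp 44" tcpdump summaries, and the same payload prefix; a truncated or non-hex dump is rejected rather than partially decoded.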
Thanks & regards,
Thorsten Schroeder

From owner-freebsd-security Sun Jul 7 14:34:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9778A37B401; Sun, 7 Jul 2002 14:34:30 -0700 (PDT)
Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0DF343E58; Sun, 7 Jul 2002 14:34:29 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from FreeBSD.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g67LYIBu087992; Sun, 7 Jul 2002 14:34:19 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Message-ID: <3D28B3DA.E120A508@FreeBSD.org>
Date: Sun, 07 Jul 2002 14:34:18 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.5-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Kim Okasawa
Cc: freebsd-security@FreeBSD.org, freebsd-net@FreeBSD.org
Subject: Re: Methods to detect Internet censorship.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is not on topic for any freebsd-* lists, except -chat.

--
"We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory."
- George W. Bush, President of the United States
State of the Union, January 28, 2002

Do YOU Yahoo!?
From owner-freebsd-security Sun Jul 7 18: 6:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 494B337B400 for ; Sun, 7 Jul 2002 18:06:10 -0700 (PDT)
Received: from smtp.pekinnet.net (64-40-75-24.dsl.peknil.grics.net [64.40.75.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CF0043E09 for ; Sun, 7 Jul 2002 18:06:09 -0700 (PDT) (envelope-from freebsdlists@elitists.org)
Received: from [192.168.1.100] (unknown [64.40.88.202]) by smtp.pekinnet.net (Postfix) with ESMTP id 1DA2E6A2BF for ; Sun, 7 Jul 2002 20:56:44 -0400 (EDT)
User-Agent: Microsoft-Entourage/10.0.0.1331
Date: Sun, 07 Jul 2002 20:06:15 -0500
Subject: Re: Default ssh protocol in -STABLE [was:
From: "F. Even"
To:
Message-ID:
In-Reply-To:
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

Really? I seem to have noticed the introduction of a "periodic.conf" between 4.0 and 4.4. While it was pleasant to see it, it was still a change. This seems about the same....a small config change, except the default is a little different...and if people are blindly upgrading entire systems following the STABLE branch...well....

If I'm understanding right, this change is not going to be introduced into "RELENG_4_ver," just the STABLE branch. It would seem to me that you would know if you are upgrading your version of OpenSSH, the main way to connect to your machine remotely, and you should be familiar enough to know the defaults are different, and to either change it back or not. I mean....if you are taking the time to upgrade, a config file setting shouldn't be that big of a deal.
Frank

On 7/7/02 1:50 PM, "security-digest" wrote:

> Date: Sat, 06 Jul 2002 22:42:29 -0700
> From: Doug Barton
> Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP:
> FreeBSD-STABLE now has OpenSSH 3.4p1]
>
> Anthony Rubin wrote:
>>
>> In order for this change to affect a user they would have to run
>> mergemaster, see the change, and tell mergemaster to go ahead and merge
>> or overwrite their config file.
>
> Or, install a new box after wiping the old layout, or any number of
> scenarios. The point remains, we don't do changes like this within a
> -stable branch.

From owner-freebsd-security Sun Jul 7 18:30:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5986137B400 for ; Sun, 7 Jul 2002 18:30:32 -0700 (PDT)
Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id D29B143E4A for ; Sun, 7 Jul 2002 18:30:31 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from Master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g681UIBw089663; Sun, 7 Jul 2002 18:30:24 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from localhost (doug@localhost) by Master.gorean.org (8.12.5/8.12.5/Submit) with ESMTP id g681KT0u001864; Sun, 7 Jul 2002 18:20:30 -0700 (PDT)
X-Authentication-Warning: Master.gorean.org: doug owned process doing -bs
Date: Sun, 7 Jul 2002 18:20:29 -0700 (PDT)
From: Doug Barton
To: "F.
Even"
Cc: security@FreeBSD.org
Subject: Re: Default ssh protocol in -STABLE [was:
In-Reply-To:
Message-ID: <20020707181827.P679-100000@master.gorean.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 7 Jul 2002, F. Even wrote:

> Really? I seem to have noticed the introduction of a "periodic.conf"
> between 4.0 and 4.4. While it was pleasant to see it, it was still a
> change.

A) I'm still categorically opposed to /etc/defaults/anything... I think it's way too dangerous a toy to play with.

B) They actually did things fairly well with the periodic thing, in that the default configuration did *exactly* what the old, non-configurable scripts did.

In short, you're confusing "method of instituting policy" with "policy." It's sometimes ok to change one, it's never ok to change the other.

> If I'm understanding right, this change is not going to be introduced into
> "RELENG_4_ver,"

You are not understanding right.
From owner-freebsd-security Sun Jul 7 19:26:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1973B37B400 for ; Sun, 7 Jul 2002 19:26:41 -0700 (PDT)
Received: from mailserver.link.net.id (mailserver.link.net.id [202.137.3.96]) by mx1.FreeBSD.org (Postfix) with SMTP id 6D0E043E3B for ; Sun, 7 Jul 2002 19:26:20 -0700 (PDT) (envelope-from ruspeni@mti.itb.ac.id)
Received: (qmail 113252 invoked from network); 8 Jul 2002 02:23:25 -0000
Received: from ns1.mti.itb.ac.id (HELO asep) ([202.77.97.209]) (envelope-sender ) by mailserver.link.net.id (qmail-ldap-1.03) with SMTP for ; 8 Jul 2002 02:23:25 -0000
Message-ID: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
From: "Asep Ruspeni"
To:
Subject: hiding OS name
Date: Mon, 8 Jul 2002 09:32:09 +0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

I am a newbie in FreeBSD OS, but I have a lot of concern in securing systems.

I have questions like this:

- how can I set up FreeBSD so that when it is being scanned, it shows no operating system name + version.
- are there any articles I could read about securing FreeBSD such as the question I ask above.

thank you in advance.
-asep-

From owner-freebsd-security Sun Jul 7 20: 0:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8FE4437B401 for ; Sun, 7 Jul 2002 20:00:53 -0700 (PDT)
Received: from smtp21.singnet.com.sg (smtp21.singnet.com.sg [165.21.101.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C1A743E42 for ; Sun, 7 Jul 2002 20:00:52 -0700 (PDT) (envelope-from shanali@singapura.singnet.com.sg)
Received: from singapura.singnet.com.sg (singapura.singnet.com.sg [165.21.10.10]) by smtp21.singnet.com.sg (8.12.3/8.12.2) with ESMTP id g6830owu027291; Mon, 8 Jul 2002 11:00:50 +0800
Received: (from shanali@localhost) by singapura.singnet.com.sg (8.8.5/8.7.2) id LAA05697; Mon, 8 Jul 2002 11:00:50 +0800 (SST)
Date: Mon, 8 Jul 2002 11:00:49 +0800
From: S H A N
To: "Asep Ruspeni"
Cc:
Subject: Re: hiding OS name
Message-ID: <20020708030049.GB32275@singapura.singnet.com.sg>
Mail-Followup-To: "Asep Ruspeni" ,
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
User-Agent: Mutt/1.4i

hmm, why would you like to hide the operating system name + version? i would like you to share your thoughts on that before i can suggest you a solution.

however, for your second question :) go to

http://www.freebsd.org
http://www.freebsddiary.org

thks

On Mon, Jul 08, 2002 at 09:32:09AM +0700, Asep Ruspeni wrote:
> I am a newbie in FreeBSD OS, but I have a lot of concern in securing systems.
> 
> I have questions like this :
> 
> - how can i set-up FreeBSD, so when it being scanned, it's show no operating
> system name + version.
> - is there any articles i colud read about securing freeBSD such as the
> question i ask above.
> 
> thank you in advance.
> 
> -asep-

-- 
S H A N

From owner-freebsd-security Sun Jul 7 21:31:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A8C7137B400 for ; Sun, 7 Jul 2002 21:31:36 -0700 (PDT)
Received: from sub21-156.member.dsl-only.net (sub21-156.member.dsl-only.net [63.105.21.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id ED2C243E09 for ; Sun, 7 Jul 2002 21:31:35 -0700 (PDT) (envelope-from nkinkade@dsl-only.com)
Received: from sub21-156.member.dsl-only.net (freebsd.localhost.localdomain [127.0.0.1]) by sub21-156.member.dsl-only.net (8.12.4/8.12.4) with SMTP id g684TlnI008599; Sun, 7 Jul 2002 21:30:00 -0700 (PDT) (envelope-from nkinkade@dsl-only.com)
Date: Sun, 7 Jul 2002 21:29:42 -0700
From: Nathan Kinkade
To: "Asep Ruspeni"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hiding OS name
Message-Id: <20020707212942.027efd2e.nkinkade@dsl-only.com>
In-Reply-To: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
X-Mailer: Sylpheed version 0.7.8claws (GTK+ 1.2.10; i386-portbld-freebsd4.6)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Mon, 8 Jul 2002 09:32:09 +0700
"Asep Ruspeni" wrote:

> I am newbie in FreeBSD OS, but i have lot of concerned in securing
> system.
> 
> I have questions like this :
> 
> - how can i set-up FreeBSD, so when it being scanned, it's show no
> operating system name + version.
> - is there any articles i colud read about securing freeBSD such as
> the question i ask above.
> 
> thank you in advance.

What you are looking for is not really a function of FreeBSD, but rather of the various servers you may be running on FreeBSD such as Apache, FTP, Sendmail, and so on. If it's going to happen it will probably be something that you configure the daemon to do; however, I don't know which allow you to do something similar other than wu-ftpd, although I'd guess there are others.

Network scanning utilities - I'm thinking of nmap in particular - allow you to scan a host (or hosts) and attempt to determine the OS/version based on certain peculiarities in the response(s). One way to help minimize the impact of this would be to set the net.inet.tcp.blackhole and net.inet.udp.blackhole kernel parameters using the sysctl utility. For more information on this, check out the blackhole(4) manpage with `man 4 blackhole`.
Nathan

From owner-freebsd-security Sun Jul 7 22: 0:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF43737B401 for ; Sun, 7 Jul 2002 22:00:09 -0700 (PDT)
Received: from relay3.kornet.net (relay3.kornet.net [211.48.62.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id E604B43E3B for ; Sun, 7 Jul 2002 22:00:07 -0700 (PDT) (envelope-from leaders06@kornet.net)
Received: from ursxsearj57rfwb (61.73.152.26) by relay3.kornet.net; 8 Jul 2002 10:11:48 +0900
Message-ID: <3d28e6e03d548dcd@relay3.kornet.net> (added by relay3.kornet.net)
From: =?ks_c_5601-1987?B?x9Gw5riuxKG//sDMxay3tA==?=
To: freebsd-security@freebsd.org
Subject: =?ks_c_5601-1987?B?W7GksO1dIGZyZWVic2Qtc2VjdXJpdHm01CC+yLPnx8+9yrTPse4/IMbyu/21v77ILLTnvcXAuyC/1cC4t84guPC9yrTPtNkh?=
Date: Mon, 08 Jul 2002 10:11:45 +0900
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0107_01C0F11A.93A45C00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

This is a multi-part message in MIME format.
From owner-freebsd-security Sun Jul 7 22:53:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86D5437B400 for ; Sun, 7 Jul 2002 22:53:17 -0700 (PDT)
Received: from relay.sambolian.net.nz (203-79-83-205.cable.paradise.net.nz [203.79.83.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id AEA7F43E4A for ; Sun, 7 Jul 2002 22:53:15 -0700 (PDT) (envelope-from andy@sambolian.net.nz)
Received: from grace.sambolian.net.nz (grace.sambolian.net.nz [192.168.0.11]) by relay.sambolian.net.nz (Postfix) with ESMTP id 0A81D57316 for ; Mon, 8 Jul 2002 17:53:14 +1200 (NZST)
Received: by grace.sambolian.net.nz (Postfix, from userid 80) id 223F0FED7; Mon, 8 Jul 2002 17:54:22 +1200 (NZST)
Received: from 192.168.0.1 ( [192.168.0.1]) as user andy@imap.sambolian.net.nz by webmail.sambolian.net.nz with HTTP; Mon, 8 Jul 2002 17:54:22 +1200
Message-ID: <1026107662.3d29290e0c2cd@webmail.sambolian.net.nz>
Date: Mon, 8 Jul 2002 17:54:22 +1200
From: Andrew Thompson
To: Asep Ruspeni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hiding OS name
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
In-Reply-To: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.0
X-Originating-IP: 192.168.0.1

You should be proud of running FreeBSD ;-)

Quoting Asep Ruspeni :

> I am newbie in FreeBSD OS, but i have lot of concerned in securing system.
> 
> I have questions like this :
> 
> - how can i set-up FreeBSD, so when it being scanned, it's show no operating
> system name + version.
> - is there any articles i colud read about securing freeBSD such as the
> question i ask above.
> 
> thank you in advance.
> 
> -asep-

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From owner-freebsd-security Mon Jul 8 1: 3: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 946AF37B400 for ; Mon, 8 Jul 2002 01:03:00 -0700 (PDT)
Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15E4743E31 for ; Mon, 8 Jul 2002 01:02:59 -0700 (PDT) (envelope-from dmp@pantherdragon.org)
Received: from spark.techno.pagans (spark.techno.pagans [4.61.202.145]) by spork.pantherdragon.org (Postfix) with ESMTP id 0DEDD471DA; Mon, 8 Jul 2002 01:02:48 -0700 (PDT)
Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by spark.techno.pagans (Postfix) with ESMTP id 111FCFDA0; Mon, 8 Jul 2002 01:02:43 -0700 (PDT)
Message-ID: <3D294723.7022CD07@pantherdragon.org>
Date: Mon, 08 Jul 2002 01:02:43 -0700
From: Darren Pilgrim
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Asep Ruspeni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hiding OS name
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Asep Ruspeni wrote:
> 
> I am newbie in FreeBSD OS, but i have lot of concerned in securing system.
> 
> I have questions like this :
> 
> - how can i set-up FreeBSD, so when it being scanned, it's show no operating
> system name + version.
> - is there any articles i colud read about securing freeBSD such as the
> question i ask above.
> 
> thank you in advance.

Hiding your OS name and version will do nothing to increase security, because the majority of people who scan for vulnerable hosts just do bulk scanning, trying their trick on everything they find. They know (or just don't care) that you can't reliably determine the OS without shell access, and even then you can be tricked.

That said, what you're looking to do is change the banner on the daemons you're running. How you do this is specific to each daemon. As usual, RTWP, JTML, RTFM, RTSL, etc.
From owner-freebsd-security Mon Jul 8 2:22:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E252037B400; Mon, 8 Jul 2002 02:22:12 -0700 (PDT)
Received: from mail.musha.org (daemon.musha.org [218.44.187.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1D0D43E4A; Mon, 8 Jul 2002 02:22:11 -0700 (PDT) (envelope-from knu@iDaemons.org)
Received: from archon.local.idaemons.org (archon.local.idaemons.org [192.168.1.32]) by mail.musha.org (Postfix) with ESMTP id 8E40D4D801; Mon, 8 Jul 2002 18:22:09 +0900 (JST)
Date: Mon, 08 Jul 2002 18:22:10 +0900
Message-ID: <86r8iepoal.wl@archon.local.idaemons.org>
From: "Akinori MUSHA"
To: security-officer@FreeBSD.org
Cc: security@FreeBSD.org
Subject: Re: cvs commit: src/lib/libc/net gethostbydns.c getnetbydns.c name6.c
In-Reply-To: <86y9ctxipc.wl@daemon.musha.org>
References: <200206262143.g5QLhiPS063301@freefall.freebsd.org> <86y9ctxipc.wl@daemon.musha.org>
User-Agent: Wanderlust/2.9.13 (Unchained Melody) SEMI/1.14.4 (Hosorogi) LIMIT/1.14.7 (Fujiidera) APEL/10.3 Emacs/21.2 (i386--freebsd) MULE/5.0 (SAKAKI)
Organization: Associated I. Daemons
X-PGP-Public-Key: finger knu@FreeBSD.org
X-PGP-Fingerprint: 081D 099C 1705 861D 4B70 B04A 920B EFC7 9FD9 E1EE
MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi")
Content-Type: text/plain; charset=US-ASCII

At Wed, 03 Jul 2002 18:29:51 +0900, I wrote:
> At Wed, 26 Jun 2002 14:43:44 -0700 (PDT),
> Julian Elischer wrote:
> > julian      2002/06/26 14:43:44 PDT
> > 
> >   Modified files:        (Branch: RELENG_4_4)
> >     lib/libc/net         gethostbydns.c getnetbydns.c name6.c
> >   Log:
> >   Add the security fix FreeBSD-SA-02:28.resolv to the 4.4 branch
> >   This branch is the one that some really big security consious organisations
> >   are running.. It needs to be maintained.
> >   
> >   (already done: newvers.sh)
> >   
> >   Obtained from:  Other branches
> 
> I belive the compat{3x,2?} stuff (and probably compat4x too) in those
> branches also needs updating.  In order to update the compat stuff, we
> must MFC the fix also to RELENG_{3,2_?} and then find out someone in
> our developers who can rebuild libc on the old systems.
> 
> Security Officer/Team, would you give some consideration and organize
> the work?

Ping?

I don't believe we should ship 4.6.1-RELEASE and 5.0-DP2 with the hole in compat libraries left untreated, but we should at least document it in Release notes, sysinstall and ports/misc/compat*.

-- 
Akinori MUSHA aka knu @ iDaemons.org / and.or.jp
Akinori.org / MUSHA.org / FreeBSD.org / Ruby-lang.org

"When I leave I don't know what I'm hoping to find
 When I leave I don't know what I'm leaving behind.."
From owner-freebsd-security Mon Jul 8 7: 9:21 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9B5937B400 for ; Mon, 8 Jul 2002 07:09:15 -0700 (PDT)
Received: from mail.neoxchange.com (159.216-123-203-0.interbaun.com [216.123.203.159]) by mx1.FreeBSD.org (Postfix) with SMTP id 96E9243E09 for ; Mon, 8 Jul 2002 07:09:14 -0700 (PDT) (envelope-from laurence@fluxinc.com)
Received: (qmail 12162 invoked from network); 8 Jul 2002 14:11:12 -0000
Received: from unknown (HELO LBROCKMAN) ([207.229.1.162]) (envelope-sender ) by 159.216-123-203-0.interbaun.com (qmail-ldap-1.03) with SMTP for ; 8 Jul 2002 14:11:12 -0000
Message-ID: <001201c22689$6049a790$140115ac@BCDOMAIN01.COM>
From: "Laurence Brockman"
To: "Darren Pilgrim" , "Asep Ruspeni"
Cc:
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org>
Subject: Re: hiding OS name
Date: Mon, 8 Jul 2002 08:11:37 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I think that what the original poster was trying to get at was that when being scanned by something like nmap using the OS detection (or other tools), it would show no OS.

This would mean changing the way the networking layer responds to certain packets (ICMP, TCP sequencing, etc.), and I'm not sure if there is anything out there for FreeBSD (never bothered to look).
I know there are kernel patches for Linux that actually change the stack to emulate other OSes, thus fooling these OS detection tools.

Laurence

----- Original Message -----
From: "Darren Pilgrim"
To: "Asep Ruspeni"
Cc:
Sent: Monday, July 08, 2002 2:02 AM
Subject: Re: hiding OS name

> Asep Ruspeni wrote:
> >
> > I am newbie in FreeBSD OS, but i have lot of concerned in securing system.
> >
> > I have questions like this :
> >
> > - how can i set-up FreeBSD, so when it being scanned, it's show no operating
> > system name + version.
> > - is there any articles i colud read about securing freeBSD such as the
> > question i ask above.
> >
> > thank you in advance.
>
> Hiding your OS name and version will do nothing to increase security,
> because the majority of people who scan for vulnerable hosts just do
> bulk scanning, trying their trick on everything they find. They know
> (or just don't care) that you can't reliably determine the OS without
> shell access and even then you can be tricked.
>
> That said, what you're looking to do is change the banner on the
> daemons you're running. How you do this is specific to each daemon.
> As usual, RTWP, JTML, RTFM, RTSL, etc.
From owner-freebsd-security Mon Jul 8 7:16:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C90237B400 for ; Mon, 8 Jul 2002 07:16:31 -0700 (PDT)
Received: from empty1.ekahuna.com (empty1.ekahuna.com [198.144.200.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7CFF43E52 for ; Mon, 8 Jul 2002 07:16:30 -0700 (PDT) (envelope-from pjklist@ekahuna.com)
Received: from pc-02 (pc02.ekahuna.com [198.144.200.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com for ; Mon, 8 Jul 2002 07:16:30 -0700
From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 07:16:30 -0700
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Reply-To: pjklist@ekahuna.com
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.12c)
Message-ID: <20020708141630166.AAA962@empty1.ekahuna.com@pc02.ekahuna.com>

> Date: Sat, 06 Jul 2002 22:05:35 -0700
> From: Doug Barton
>
> Anthony Rubin wrote:
> >
> > Do people who depend on such things run mergemaster and blindly accept
> > all changes? Does everyone throw every new -RELEASE into production
> > without any testing?
>
> You've missed the point. This would be an architectural change. We do
> those between branches, not towards the end of life of a -stable branch.
>
> Those who want protocol 2 to be the default have a simple config change
> to make... users expecting the RELENG_4 branch to actually be -stable
> shouldn't have their expectations so violently disturbed.

Actually I'm not sure that history bears that out. Take a look at the fundamental changes in Sendmail functionality recently; granted it's a "contrib" package, but it is part of the base system and enabled by default. I'd say it comes pretty close to the current scenario with OpenSSH (although I'll admit ssh probably has more potential to mess up people's management scripts etc.).

-- 
Philip J. Koenig                                       pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

From owner-freebsd-security Mon Jul 8 7:26: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 263EF37B400 for ; Mon, 8 Jul 2002 07:25:53 -0700 (PDT)
Received: from amsfep12-int.chello.nl (amsfep12-int.chello.nl [213.46.243.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E2EA43E42 for ; Mon, 8 Jul 2002 07:25:52 -0700 (PDT) (envelope-from mcrosland@chello.nl)
Received: from [127.0.0.1] by amsfep12-int.chello.nl (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with SMTP id <20020708142551.MOXD28368.amsfep12-int.chello.nl@[127.0.0.1]> for ; Mon, 8 Jul 2002 16:25:51 +0200
From:
To: freebsd-security@freebsd.org
Subject: [Fwd: Fwd: Re: hiding OS name]
Date: Mon, 8 Jul 2002 16:25:51 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20020708142551.MOXD28368.amsfep12-int.chello.nl@[127.0.0.1]>

> 
> > From: Mike Crosland
> > Date: 2002/07/08 ma PM 04:21:38 GMT+02:00
> > To: mcrosland@chello.nl
> > Subject: Fwd: Re: hiding OS name
> > 
> > 
> > 
> > ---------- Forwarded Message ----------
> > 
> > Subject: Fwd: Re: hiding OS name
> > Date: Mon, 8 Jul 2002 16:13:04 +0200
> > From: Mike Crosland
> > To: freebsd-security@freebsd.org
> > 
> > ---------- Forwarded Message ----------
> > 
> > Subject: Fwd: Re: hiding OS name
> > Date: Mon, 8 Jul 2002 12:09:53 +0200
> > From: Mike Crosland
> > To: security@freebsd.org
> > 
> > ---------- Forwarded Message ----------
> > 
> > Subject: Re: hiding OS name
> > Date: Mon, 8 Jul 2002 11:18:17 +0200
> > From: Mike Crosland
> > To: Nathan Kinkade
> > 
> > On Monday 08 July 2002 06:29, Nathan Kinkade wrote:
> > > On Mon, 8 Jul 2002 09:32:09 +0700
> > >
> > > "Asep Ruspeni" wrote:
> > > > I am newbie in FreeBSD OS, but i have lot of concerned in securing
> > > > system.
> > > >
> > > > I have questions like this :
> > > >
> > > > - how can i set-up FreeBSD, so when it being scanned, it's show no
> > > > operating system name + version.
> > > > - is there any articles i colud read about securing freeBSD such as
> > > > the question i ask above.
> > > >
> > > > thank you in advance.
> > 
> > You could try re-compiling the kernel to drop packets with SYN+FIN, which
> > prevents fingerprinting the stack, but LINT carries a warning about this
> > not being good for web servers.
> > If you're not running a webserver though, the
> > option is
> > 
> > options TCP_DROP_SYNFIN
> > 
> > 
> > Michael Crosland
> > 
> > System Administrator
> > 
> > ---------------------------------------
> > HBH Automatisering BV +
> > Koningslaan 30 +
> > 1075 AD Amsterdam +
> > ---------------------------------------
> > 
> > -------------------------------------------------------
> > 
> > -- 
> > With kind regards,
> > 
> > 
> > Michael Crosland
> > 
> > System Administrator
> > 
> > ---------------------------------------
> > HBH Automatisering BV +
> > Koningslaan 30 +
> > 1075 AD Amsterdam +
> > Tel: 020-6624145 Ext: 808 +
> > Fax: 020-6764478
> > Mobile 0647 166305 +
> > ---------------------------------------
> > 
> > -------------------------------------------------------
> 

From owner-freebsd-security Mon Jul 8 7:34:25 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 954D437B400 for ; Mon, 8 Jul 2002 07:34:19 -0700 (PDT)
Received: from gull.mail.pas.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4424343E09 for ; Mon, 8 Jul 2002 07:34:19 -0700 (PDT) (envelope-from rgbrenner@myrealbox.com)
Received: from dialup-209.245.0.155.dial1.denver1.level3.net ([209.245.0.155] helo=localhost) by gull.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 17RZai-0001DG-00; Mon, 08 Jul 2002 10:34:17 -0400
Content-Type: text/plain; charset="iso-8859-1"
From: "Ramsey G. Brenner"
To: "Laurence Brockman"
Subject: Re: hiding OS name
Date: Mon, 8 Jul 2002 08:34:53 -0600
X-Mailer: KMail [version 1.4]
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM>
In-Reply-To: <001201c22689$6049a790$140115ac@BCDOMAIN01.COM>
Cc: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200207080834.53431.rgbrenner@myrealbox.com>

From /sys/i386/conf/LINT

#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN

Also don't forget to add tcp_drop_synfin="YES" to /etc/rc.conf

-- 
----------
Ramsey G. Brenner
rgbrenner@myrealbox.com
http://rgbrenner.cjb.net/

On Monday 08 July 2002 08:11 am, Laurence Brockman wrote:
> I think that what the original poster was trying to get at was when being
> scanned by something like nmap using the OS detection (Or other tools), it
> would show no OS.
>
> This would mean changing the way the networking layer responds to certain
> packets (ICMP, tcp sequencing, etc) and I'm not sure if there is anything
> out there for FreeBSD (Never bothered to look).
>
> I know there are kernel patches for linux that actually change the stack to
> emulate other OS's, thus fooling these OS detection tools.
>
> Laurence
>
> ----- Original Message -----
> From: "Darren Pilgrim"
> To: "Asep Ruspeni"
> Cc:
> Sent: Monday, July 08, 2002 2:02 AM
> Subject: Re: hiding OS name
>
> > Asep Ruspeni wrote:
> > > I am newbie in FreeBSD OS, but i have lot of concerned in securing
> > > system.
> > >
> > > I have questions like this :
> > >
> > > - how can i set-up FreeBSD, so when it being scanned, it's show no
> > > operating system name + version.
> > > - is there any articles i colud read about securing freeBSD such as the
> > > question i ask above.
> > >
> > > thank you in advance.
> >
> > Hiding your OS name and version will do nothing to increase security,
> > because the majority of people who scan for vulnerable hosts just do
> > bulk scanning, trying their trick on everything they find. They know
> > (or just don't care) that you can't reliably determine the OS without
> > shell access and even then you can be tricked.
> >
> > That said, what you're looking to do is change the banner on the
> > daemons you're running. How you do this is specific to each daemon.
> > As usual, RTWP, JTML, RTFM, RTSL, etc.
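Nathan Kinkade's blackhole sysctls and the TCP_DROP_SYNFIN option quoted from LINT above are two independent knobs, and the SYN+FIN one only takes effect when both the kernel option and the rc.conf setting are in place. The dry-run audit below is an added example for this thread, not code from any of the posters or from FreeBSD: the function names (audit_blackhole, audit_synfin, make_samples, demo), the sample files and the default/hardened values in them are constructed for the example, and the checks read saved sysctl(8) output and copies of the kernel config and /etc/rc.conf rather than querying the kernel, so they can be run on any host.

```shell
#!/bin/sh
# Added example (not from the list posts or from FreeBSD): a dry-run audit of
# the two anti-fingerprinting settings discussed in this thread.
#   1. net.inet.tcp.blackhole / net.inet.udp.blackhole  (blackhole(4); set
#      with sysctl(8), persisted in /etc/sysctl.conf)
#   2. options TCP_DROP_SYNFIN in the kernel config plus tcp_drop_synfin="YES"
#      in /etc/rc.conf (the LINT text quoted above)
# The functions read files instead of calling sysctl(8), so they run anywhere
# against the constructed samples below. On FreeBSD hand them the output of
# `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole`, the kernel config
# file and /etc/rc.conf.

# audit_blackhole FILE   (FILE holds "name: value" lines as sysctl(8) prints them)
# Exit status 0 only when tcp.blackhole is 1 or 2 and udp.blackhole is 1.
audit_blackhole() {
    awk '
        /^net\.inet\.tcp\.blackhole:/ { tcp = $2 }
        /^net\.inet\.udp\.blackhole:/ { udp = $2 }
        END {
            rc = 0
            if (tcp == "1" || tcp == "2") {
                print "OK   net.inet.tcp.blackhole=" tcp
            } else {
                v = (tcp == "") ? "unset" : tcp
                print "WARN net.inet.tcp.blackhole=" v " (closed TCP ports still answer with RST)"
                rc = 1
            }
            if (udp == "1") {
                print "OK   net.inet.udp.blackhole=1"
            } else {
                v = (udp == "") ? "unset" : udp
                print "WARN net.inet.udp.blackhole=" v " (closed UDP ports still answer with ICMP unreachable)"
                rc = 1
            }
            exit rc
        }' "$1"
}

# audit_synfin KERNCONF RCCONF
# Both halves are required: the option compiles the check into the stack and
# the rc.conf knob switches it on at boot. A commented-out "#options" line
# does not count.
audit_synfin() {
    rc=0
    if grep -Eq '^[[:space:]]*options[[:space:]]+TCP_DROP_SYNFIN([[:space:]]|#|$)' "$1"; then
        echo "OK   kernel config has options TCP_DROP_SYNFIN"
    else
        echo "WARN kernel config lacks options TCP_DROP_SYNFIN"; rc=1
    fi
    if grep -Eq '^[[:space:]]*tcp_drop_synfin="?YES"?([[:space:]]|#|$)' "$2"; then
        echo "OK   rc.conf sets tcp_drop_synfin=\"YES\""
    else
        echo "WARN rc.conf does not set tcp_drop_synfin=\"YES\""; rc=1
    fi
    return $rc
}

# Constructed samples: a stock host and a hardened one. Prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'net.inet.tcp.blackhole: 0\nnet.inet.udp.blackhole: 0\n' > "$d/sysctl.default"
    printf 'net.inet.tcp.blackhole: 2\nnet.inet.udp.blackhole: 1\n' > "$d/sysctl.hardened"
    printf 'ident\tGENERIC\n#options\tTCP_DROP_SYNFIN\t#drop TCP packets with SYN+FIN\n' > "$d/KERNEL.default"
    printf 'ident\tHARDENED\noptions\tTCP_DROP_SYNFIN\t#drop TCP packets with SYN+FIN\n' > "$d/KERNEL.hardened"
    printf 'sshd_enable="YES"\n' > "$d/rc.conf.default"
    printf 'sshd_enable="YES"\ntcp_drop_synfin="YES"\n' > "$d/rc.conf.hardened"
    echo "$d"
}

# Stand-alone run over both sample hosts.
demo() {
    d=$(make_samples)
    for host in default hardened; do
        echo "== $host =="
        audit_blackhole "$d/sysctl.$host" ||
            echo "     fix: sysctl net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1, then persist in /etc/sysctl.conf"
        audit_synfin "$d/KERNEL.$host" "$d/rc.conf.$host" ||
            echo "     fix: rebuild with the option and set the rc.conf knob; LINT: breaks RFC1644 (T/TCP), not for web servers"
    done
    rm -rf "$d"
}
demo
```

On a real host a default installation typically yields WARN on all four checks. Neither knob changes what the daemons themselves announce, which is Darren Pilgrim's point above, and the LINT caveat about RFC1644 and web servers should be weighed before enabling TCP_DROP_SYNFIN.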
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 7:41:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 786A137B400; Mon, 8 Jul 2002 07:41:54 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id DFC7943E42; Mon, 8 Jul 2002 07:41:53 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 0334861; Mon, 8 Jul 2002 09:41:53 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g68Efq0O023428; Mon, 8 Jul 2002 09:41:52 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g68EfqYJ023427; Mon, 8 Jul 2002 09:41:52 -0500 (CDT) Date: Mon, 8 Jul 2002 09:41:52 -0500 From: "Jacques A. 
Vidrine" To: Akinori MUSHA Cc: security-team@FreeBSD.org, security@FreeBSD.org Subject: Re: cvs commit: src/lib/libc/net gethostbydns.c getnetbydns.c name6.c Message-ID: <20020708144152.GB23377@madman.nectar.cc> References: <200206262143.g5QLhiPS063301@freefall.freebsd.org> <86y9ctxipc.wl@daemon.musha.org> <86r8iepoal.wl@archon.local.idaemons.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86r8iepoal.wl@archon.local.idaemons.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Jul 08, 2002 at 06:22:10PM +0900, Akinori MUSHA wrote:
> > I believe the compat{3x,2?} stuff (and probably compat4x too) in those
> > branches also needs updating. In order to update the compat stuff, we
> > must MFC the fix also to RELENG_{3,2_?} and then find someone among
> > our developers who can rebuild libc on the old systems.
> >
> > Security Officer/Team, would you give some consideration and organize
> > the work?
>
> Ping?
>
> I don't believe we should ship 4.6.1-RELEASE and 5.0-DP2 with the hole
> in compat libraries left untreated, but we should at least document it
> in Release notes, sysinstall and ports/misc/compat*.

I don't think anyone here has had time to look at this much. I believe I have tested RELENG_3 patches ready-to-commit --- I'll make sure they are not held up beyond today.

-- 
Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 7:46: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71DFF37B400 for ; Mon, 8 Jul 2002 07:46:01 -0700 (PDT) Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id E966843E31 for ; Mon, 8 Jul 2002 07:46:00 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org) Received: from mousie.catspoiler.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.5/8.12.5) with ESMTP id g68Ejowr000591; Mon, 8 Jul 2002 07:45:54 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org) Message-Id: <200207081445.g68Ejowr000591@gw.catspoiler.org> Date: Mon, 8 Jul 2002 07:45:50 -0700 (PDT) From: Don Lewis Subject: Re: hiding OS name To: rgbrenner@myrealbox.com Cc: laurence@fluxinc.com, freebsd-security@FreeBSD.ORG In-Reply-To: <200207080834.53431.rgbrenner@myrealbox.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 8 Jul, Ramsey G. Brenner wrote: > From /sys/i386/conf/LINT > # > # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This > # prevents nmap et al. from identifying the TCP/IP stack, but breaks support > # for RFC1644 extensions and is not recommended for web servers. Only until someone enhances nmap to detect this signature and identify the host as running FreeBSD with the TCP_DROP_SYNFIN option enabled. 
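Don's caveat cuts both ways: any change in observable behaviour is itself a signature, and a host built with TCP_DROP_SYNFIN still wants to know who is sending SYN+FIN, because the kernel drops those segments silently and no daemon ever logs them. The detector below is an added example, not code from this thread; it reads tcpdump-style TCP summary lines (the sample capture is constructed) and flags the SYN+FIN, bare-FIN and NULL combinations that never occur in a legitimate exchange.

```python
"""Spot TCP flag combinations used for stack fingerprinting in tcpdump output.

Added example, not code from the mailing-list thread. A host built with
TCP_DROP_SYNFIN discards SYN+FIN segments silently, so no daemon ever logs
them; a packet capture still shows who sent them. Input is tcpdump's default
TCP summary line (IPv4, numeric addresses as with -n); the capture below is
constructed for the example.
"""
import re
from collections import defaultdict

# "<HH:MM:SS.usec> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: a normal SSH handshake from one client, then SYN+FIN
# probes against three ports and a bare FIN probe, all from a second source.
SAMPLE_CAPTURE = """\
10:34:17.100 IP 198.51.100.7.51234 > 192.0.2.10.22: Flags [S], seq 1000, win 65535, length 0
10:34:17.101 IP 192.0.2.10.22 > 198.51.100.7.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:34:17.102 IP 198.51.100.7.51234 > 192.0.2.10.22: Flags [.], ack 1, win 65535, length 0
10:34:20.500 IP 203.0.113.9.40000 > 192.0.2.10.22: Flags [SF], seq 1, win 1024, length 0
10:34:20.501 IP 203.0.113.9.40001 > 192.0.2.10.80: Flags [SF], seq 1, win 1024, length 0
10:34:20.502 IP 203.0.113.9.40002 > 192.0.2.10.3: Flags [SF], seq 1, win 1024, length 0
10:34:20.503 IP 203.0.113.9.40003 > 192.0.2.10.22: Flags [F], seq 1, win 1024, length 0
"""


def parse_tcp_line(line):
    """Return the fields of one tcpdump TCP summary line, or None if it is not one."""
    m = TCP_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_flags(flags):
    """Label flag combinations that never occur in a legitimate TCP exchange.

    tcpdump spells ACK as '.' and an empty flag byte as 'none'. Normal
    segments (S, S., ., P., F., R ...) return None.
    """
    if flags == "none":
        return "NULL probe"
    bits = set(flags)
    if "S" in bits and "F" in bits:
        return "SYN+FIN probe"
    if bits == {"F"}:
        return "bare FIN probe"
    return None


def find_probes(capture_text):
    """All probe segments in a capture, each record carrying its label."""
    probes = []
    for line in capture_text.splitlines():
        rec = parse_tcp_line(line)
        if rec is None:
            continue
        label = classify_flags(rec["flags"])
        if label is not None:
            rec["label"] = label
            probes.append(rec)
    return probes


def probes_by_source(capture_text):
    """Map each probing source address to the sorted destination ports it touched."""
    ports = defaultdict(set)
    for p in find_probes(capture_text):
        ports[p["src"]].add(p["dport"])
    return {src: sorted(ps) for src, ps in ports.items()}


if __name__ == "__main__":
    for p in find_probes(SAMPLE_CAPTURE):
        print(f'{p["time"]} {p["label"]:14} {p["src"]} -> port {p["dport"]}')
    print(probes_by_source(SAMPLE_CAPTURE))
```

Feed it `tcpdump -n -l tcp` output on the host in question; a source that touches several ports with SYN+FIN in a burst is fingerprinting you whether or not the kernel answers.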
From owner-freebsd-security Mon Jul 8 10:11:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F14AE37B400 for ; Mon, 8 Jul 2002 10:11:36 -0700 (PDT) Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by mx1.FreeBSD.org (Postfix) with SMTP id 0C1D443E4A for ; Mon, 8 Jul 2002 10:11:36 -0700 (PDT) (envelope-from dowen@nexusxi.com) Received: (qmail 33508 invoked by uid 1000); 8 Jul 2002 17:11:22 -0000 Date: Mon, 8 Jul 2002 11:11:22 -0600 From: "Dalin S. Owen" To: Laurence Brockman Cc: security@freebsd.org Subject: Re: hiding OS name Message-ID: <20020708111122.A33379@nexusxi.com> References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <001201c22689$6049a790$140115ac@BCDOMAIN01.COM>; from laurence@fluxinc.com on Mon, Jul 08, 2002 at 08:11:37AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

A very easy way to fool nmap/queso:

add:

options RANDOM_IP_ID

in your kernel and then add:

net.inet.ip.ttl=68

to your /etc/sysctl.conf

queso reports a different OS each time, and Nmap has no clue at all. :)

Oh, one more thing, go into the source for sshd and rip the "FreeBSD" from the banner text and maybe lie about what version of OpenSSH you have.

I have found this really effective.

Enjoy.
On Mon, Jul 08, 2002 at 08:11:37AM -0600, Laurence Brockman wrote:
> I think that what the original poster was trying to get at was when being
> scanned by something like nmap using the OS detection (Or other tools), it
> would show no OS.
>
> This would mean changing the way the networking layer responds to certain
> packets (ICMP, tcp sequencing, etc) and I'm not sure if there is anything
> out there for FreeBSD (Never bothered to look).
>
> I know there are kernel patches for linux that actually change the stack to
> emulate other OS's, thus fooling these OS detection tools.
>
> Laurence
>
> ----- Original Message -----
> From: "Darren Pilgrim"
> To: "Asep Ruspeni"
> Cc:
> Sent: Monday, July 08, 2002 2:02 AM
> Subject: Re: hiding OS name
>
>
> > Asep Ruspeni wrote:
> > > I am a newbie in the FreeBSD OS, but I have a lot of concerns about securing the
> > > system.
> > >
> > > I have questions like this:
> > >
> > > - how can I set up FreeBSD so that when it is being scanned, it shows no operating
> > > system name + version.
> > > - are there any articles I could read about securing FreeBSD such as the
> > > question I ask above.
> > >
> > > thank you in advance.
> >
> > Hiding your OS name and version will do nothing to increase security,
> > because the majority of people who scan for vulnerable hosts just do
> > bulk scanning, trying their trick on everything they find. They know
> > (or just don't care) that you can't reliably determine the OS without
> > shell access and even then you can be tricked.
> >
> > That said, what you're looking to do is change the banner on the
> > daemons you're running. How you do this is specific to each daemon.
> > As usual, RTWP, JTML, RTFM, RTSL, etc.

-- 
Regards,

Dalin S. Owen
Nexus XI Corp.
Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ From owner-freebsd-security Mon Jul 8 10:41:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB29237B400 for ; Mon, 8 Jul 2002 10:41:43 -0700 (PDT) Received: from web10105.mail.yahoo.com (web10105.mail.yahoo.com [216.136.130.55]) by mx1.FreeBSD.org (Postfix) with SMTP id 8721D43E52 for ; Mon, 8 Jul 2002 10:41:43 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020708174143.31518.qmail@web10105.mail.yahoo.com> Received: from [68.5.49.41] by web10105.mail.yahoo.com via HTTP; Mon, 08 Jul 2002 10:41:43 PDT Date: Mon, 8 Jul 2002 10:41:43 -0700 (PDT) From: twig les Subject: Re: NTP security - (was Any security issues with root's cron job?) To: Ben Lyon , "David G . Andersen" Cc: Ross Wheeler , twig les , Brian Reichert , Kim Okasawa , _@r4k.net, freebsd-security@FreeBSD.ORG In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I should probably have mentioned that I work at a telco, which means:
1. we're in the process of leasing a line to an internal source, and
2. I have no control over anything (I'm just the one who knows how to do it) and
3. most decisions are not based on sound technical logic.

I will look at those solutions suggested though for myself and just for general curiosity. Thanks.

--- Ben Lyon wrote:
>
> Ship over to truetime.com and have a look-see. Nice self-contained 1U
> GPS stratum 1 timeservers. Less than $2000 if I remember correctly..
> > > -------------------------------------------------------------------- > Ben Lyon blyon@blindfaith.org > > > > On Fri, 5 Jul 2002, David G . Andersen wrote: > > > Ross Wheeler just mooed: > > > > > > Whip over to ebay, buy a cheap second-hand GPS > and cable, stick it into > > > one of your servers and presto - instant > "stratum 1" time reference for > > > > One thing to note with this approach is that you > have to pick > > your GPS carefully. Hand-helds often have really > terrible time output; > > a friend of mine used his PCMCIA GPS and was > getting worse-than-NTP > > time from it. If you can find it, look for a > model that's optimized > > for time synch. Trimble, UT+, etc. There's a > good list of them in > > the NTP faq at http://www.ntp.org/ > > > > > under a hundred bucks. Under your control (I > can't see anyone taking over > > > or DoSing the whole of the GPS network any time > soon, do you?) > > > > Certainly not to attack one internet site, at > least. :) > > > > -Dave > > > > -- > > work: dga@lcs.mit.edu me: > dga@pobox.com > > MIT Laboratory for Computer Science > http://www.angio.net/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > the message > > > ===== ----------------------------------------------------------- All warfare is based on deception. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! 
Dial - First Month Free http://sbc.yahoo.com From owner-freebsd-security Mon Jul 8 10:52:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C0FD137B400 for ; Mon, 8 Jul 2002 10:52:14 -0700 (PDT) Received: from web10104.mail.yahoo.com (web10104.mail.yahoo.com [216.136.130.54]) by mx1.FreeBSD.org (Postfix) with SMTP id 8549C43E09 for ; Mon, 8 Jul 2002 10:52:14 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020708175214.31781.qmail@web10104.mail.yahoo.com> Received: from [68.5.49.41] by web10104.mail.yahoo.com via HTTP; Mon, 08 Jul 2002 10:52:14 PDT Date: Mon, 8 Jul 2002 10:52:14 -0700 (PDT) From: twig les Subject: Re: hiding OS name To: "Dalin S. Owen" , Laurence Brockman Cc: security@freebsd.org In-Reply-To: <20020708111122.A33379@nexusxi.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Portsentry may help (/usr/ports/security/portsentry I believe). Won't hide the OS, but it may shut down scans before they get that far. , never tested it that way.

--- "Dalin S. Owen" wrote:
>
> A very easy way to fool nmap/queso:
>
> add:
>
> options RANDOM_IP_ID
>
> in your kernel and then add:
>
> net.inet.ip.ttl=68
>
> to your /etc/sysctl.conf
>
> queso reports a different OS each time, and Nmap has no clue at all. :)
>
> Oh, one more thing, go into the source for sshd and rip the "FreeBSD"
> from the banner text and maybe lie about what version of OpenSSH you have.
>
> I have found this really effective.
>
> Enjoy.
>
>
> On Mon, Jul 08, 2002 at 08:11:37AM -0600, Laurence Brockman wrote:
> > I think that what the original poster was trying to get at was when being
> > scanned by something like nmap using the OS detection (Or other tools), it
> > would show no OS.
> >
> > This would mean changing the way the networking layer responds to certain
> > packets (ICMP, tcp sequencing, etc) and I'm not sure if there is anything
> > out there for FreeBSD (Never bothered to look).
> >
> > I know there are kernel patches for linux that actually change the stack to
> > emulate other OS's, thus fooling these OS detection tools.
> >
> > Laurence
> >
> > ----- Original Message -----
> > From: "Darren Pilgrim"
> > To: "Asep Ruspeni"
> > Cc:
> > Sent: Monday, July 08, 2002 2:02 AM
> > Subject: Re: hiding OS name
> >
> >
> > > Asep Ruspeni wrote:
> > > > I am a newbie in the FreeBSD OS, but I have a lot of concerns about securing the
> > > > system.
> > > >
> > > > I have questions like this:
> > > >
> > > > - how can I set up FreeBSD so that when it is being scanned, it shows no operating
> > > > system name + version.
> > > > - are there any articles I could read about securing FreeBSD such as the
> > > > question I ask above.
> > > >
> > > > thank you in advance.
> > >
> > > Hiding your OS name and version will do nothing to increase security,
> > > because the majority of people who scan for vulnerable hosts just do
> > > bulk scanning, trying their trick on everything they find. They know
> > > (or just don't care) that you can't reliably determine the OS without
> > > shell access and even then you can be tricked.
> > >
> > > That said, what you're looking to do is change the banner on the
> > > daemons you're running. How you do this is specific to each daemon.
> > > As usual, RTWP, JTML, RTFM, RTSL, etc.
> > > > > > To Unsubscribe: send mail to > majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body > of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > the message > > -- > Regards, > > Dalin S. Owen > Nexus XI Corp. > > Email: dowen@nexusxi.com > Web: http://www.nexusxi.com/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- All warfare is based on deception. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 11: 2:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8BD0837B400 for ; Mon, 8 Jul 2002 11:02:26 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A8E643E31 for ; Mon, 8 Jul 2002 11:02:26 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g68I2QJU063763 for ; Mon, 8 Jul 2002 11:02:26 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g68I2PKh063760 for security@freebsd.org; Mon, 8 Jul 2002 11:02:25 -0700 (PDT) Date: Mon, 8 Jul 2002 11:02:25 -0700 (PDT) Message-Id: <200207081802.g68I2PKh063760@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: 
FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Current FreeBSD problem reports No matches to your query To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 11:13:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8DF137B400 for ; Mon, 8 Jul 2002 11:13:53 -0700 (PDT) Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18BB843E3B for ; Mon, 8 Jul 2002 11:13:53 -0700 (PDT) (envelope-from klaus@kobold.compt.com) Date: Mon, 8 Jul 2002 14:13:42 -0400 From: Klaus Steden To: twig les Cc: "Dalin S. Owen" , Laurence Brockman , security@FreeBSD.ORG Subject: Re: hiding OS name Message-ID: <20020708141342.G13139@cthulu.compt.com> References: <20020708111122.A33379@nexusxi.com> <20020708175214.31781.qmail@web10104.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020708175214.31781.qmail@web10104.mail.yahoo.com>; from twigles@yahoo.com on Mon, Jul 08, 2002 at 10:52:14AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Portsentry may help (/usr/ports/security/portsentry I > believe). Won't hide the OS, but it may shut down > scans before they get that far. , never tested > it that way. 
> A friend of mine runs portsentry configured to blackhole every IP that attempts to connect to a port where no server is running (in conjunction with a strict firewall); that can be done in FreeBSD without using portsentry, via the blackhole sysctl MIBs. See blackhole(4). It's not a bad means to keep people out of your machines. Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 11:37:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8DD7837B400 for ; Mon, 8 Jul 2002 11:37:27 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 293B143E42 for ; Mon, 8 Jul 2002 11:37:26 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 23341 invoked by uid 85); 8 Jul 2002 18:50:15 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 8 Jul 2002 18:50:13 -0000 Received: (qmail 20487 invoked by uid 1000); 8 Jul 2002 18:37:26 -0000 Date: Mon, 8 Jul 2002 21:37:26 +0300 From: Peter Pentchev To: Klaus Steden Cc: twig les , "Dalin S. Owen" , Laurence Brockman , security@FreeBSD.ORG Subject: Re: hiding OS name Message-ID: <20020708183726.GA363@straylight.oblivion.bg> Mail-Followup-To: Klaus Steden , twig les , "Dalin S. 
Owen" , Laurence Brockman , security@FreeBSD.ORG References: <20020708111122.A33379@nexusxi.com> <20020708175214.31781.qmail@web10104.mail.yahoo.com> <20020708141342.G13139@cthulu.compt.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="wac7ysb48OaltWcw" Content-Disposition: inline In-Reply-To: <20020708141342.G13139@cthulu.compt.com> User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus Steden wrote:
> > Portsentry may help (/usr/ports/security/portsentry I
> > believe). Won't hide the OS, but it may shut down
> > scans before they get that far. , never tested
> > it that way.
> >
> A friend of mine runs portsentry configured to blackhole every IP that
> attempts to connect to a port where no server is running (in conjunction with
> a strict firewall); that can be done in FreeBSD without using portsentry, via
> the blackhole sysctl MIBs. See blackhole(4).
>
> It's not a bad means to keep people out of your machines.

I know I'm going to regret posting in this thread, but so be it :)

Does your friend know that, unlikely as it is made by modern ingress and egress routing practices, IP spoofing is still not quite ruled out? Will your friend's portsentry setup happily blackhole e.g. his ISP's nameserver, or the root nameservers, or www.cnn.com's IP addresses, simply because somebody found a way to send a TCP SYN packet with a forged source address to e.g. your friend's machine's port 3?
:)

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Do you think anybody has ever had *precisely this thought* before?

From owner-freebsd-security Mon Jul 8 12:31: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBFE037B400 for ; Mon, 8 Jul 2002 12:31:05 -0700 (PDT) Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7899243E31 for ; Mon, 8 Jul 2002 12:31:05 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: from shell.i-sphere.com (fasty@localhost [127.0.0.1]) by I-Sphere.COM (8.12.3/8.12.3) with ESMTP id g68JVvHd094327; Mon, 8 Jul 2002 12:31:57 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: (from fasty@localhost) by shell.i-sphere.com (8.12.3/8.12.3/Submit) id g68JVvqC094326; Mon, 8 Jul 2002 12:31:57 -0700 (PDT) Date: Mon, 8 Jul 2002 12:31:57 -0700 From: faSty To: Klaus Steden Cc: freebsd-security@freebsd.org Subject: Re: hiding OS name Message-ID: <20020708193157.GA94197@i-sphere.com> Mail-Followup-To: faSty , Klaus Steden , freebsd-security@freebsd.org References: <20020708111122.A33379@nexusxi.com> <20020708175214.31781.qmail@web10104.mail.yahoo.com> <20020708141342.G13139@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To:
<20020708141342.G13139@cthulu.compt.com> User-Agent: Mutt/1.4i X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

The problem is that when you run portsentry, if someone spoofs packets to fool portsentry into triggering a block on your own IP, or does a denial of service by spoofing your IP, your portsentry will be useless, even though I had put a list of IPs to "ignore", i.e. portsentry.ignore. I have that experience from the past. No good.

-fasty

On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus Steden wrote:
> > Portsentry may help (/usr/ports/security/portsentry I
> > believe). Won't hide the OS, but it may shut down
> > scans before they get that far. , never tested
> > it that way.
> >
> A friend of mine runs portsentry configured to blackhole every IP that
> attempts to connect to a port where no server is running (in conjunction with
> a strict firewall); that can be done in FreeBSD without using portsentry, via
> the blackhole sysctl MIBs. See blackhole(4).
>
> It's not a bad means to keep people out of your machines.
> > Klaus > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 12:52:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ACDED37B400 for ; Mon, 8 Jul 2002 12:52:49 -0700 (PDT) Received: from web10107.mail.yahoo.com (web10107.mail.yahoo.com [216.136.130.57]) by mx1.FreeBSD.org (Postfix) with SMTP id 1A58443E31 for ; Mon, 8 Jul 2002 12:52:49 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020708195244.79411.qmail@web10107.mail.yahoo.com> Received: from [68.5.49.41] by web10107.mail.yahoo.com via HTTP; Mon, 08 Jul 2002 12:52:44 PDT Date: Mon, 8 Jul 2002 12:52:44 -0700 (PDT) From: twig les Subject: Re: hiding OS name To: Peter Pentchev , Klaus Steden Cc: twig les , "Dalin S. Owen" , Laurence Brockman , security@FreeBSD.ORG In-Reply-To: <20020708183726.GA363@straylight.oblivion.bg> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Nah, they have an ignore file of IPs to never block. rude but simple and effective. --- Peter Pentchev wrote: > On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus > Steden wrote: > > > Portsentry may help > (/usr/ports/security/portsentry I > > > believe). Won't hide the OS, but it may shut > down > > > scans before they get that far. , never > tested > > > it that way. 
> > > > > A friend of mine runs portsentry configured to > blackhole every IP that > > attempts to connect to a port where no server is > running (in conjunction with > > a strict firewall); that can be done in FreeBSD > without using portsentry, via > > the blackhole sysctl MIBs. See blackhole(4). > > > > It's not a bad means to keep people out of your > machines. > > I know I'm going to regret posting in this thread, > but so be it :) > > Does your friend know that, unlikely as it is made > by modern ingress and > egress routing practices, IP spoofing is still not > quite ruled out? > Will your friend's portsentry setup happily > blackhole e.g. his ISP's > nameserver, or the root nameservers, or > www.cnn.com's IP addresses, > simply because somebody found a way to send a TCP > SYN packet with a > forged source address to e.g. your friend's > machine's port 3? :) > > G'luck, > Peter > > -- > Peter Pentchev roam@ringlet.net roam@FreeBSD.org > PGP key: > http://people.FreeBSD.org/~roam/roam.key.asc > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 > B68D 1619 4553 > Do you think anybody has ever had *precisely this > thought* before? > > ATTACHMENT part 2 application/pgp-signature ===== ----------------------------------------------------------- All warfare is based on deception. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! 
Dial - First Month Free http://sbc.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 8 12:53:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB0C137B400 for ; Mon, 8 Jul 2002 12:53:48 -0700 (PDT) Received: from web10102.mail.yahoo.com (web10102.mail.yahoo.com [216.136.130.52]) by mx1.FreeBSD.org (Postfix) with SMTP id EB94443E42 for ; Mon, 8 Jul 2002 12:53:47 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020708195347.78627.qmail@web10102.mail.yahoo.com> Received: from [68.5.49.41] by web10102.mail.yahoo.com via HTTP; Mon, 08 Jul 2002 12:53:47 PDT Date: Mon, 8 Jul 2002 12:53:47 -0700 (PDT) From: twig les Subject: Re: hiding OS name To: security@FreeBSD.ORG In-Reply-To: <20020708195244.79411.qmail@web10107.mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org That was *Crude*, not rude. --- twig les wrote: > Nah, they have an ignore file of IPs to never block. > > rude but simple and effective. > > > --- Peter Pentchev wrote: > > On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus > > Steden wrote: > > > > Portsentry may help > > (/usr/ports/security/portsentry I > > > > believe). Won't hide the OS, but it may shut > > down > > > > scans before they get that far. , > never > > tested > > > > it that way. > > > > > > > A friend of mine runs portsentry configured to > > blackhole every IP that > > > attempts to connect to a port where no server is > > running (in conjunction with > > > a strict firewall); that can be done in FreeBSD > > without using portsentry, via > > > the blackhole sysctl MIBs. See blackhole(4). 
> > > > > > It's not a bad means to keep people out of your > > machines. > > > > I know I'm going to regret posting in this thread, > > but so be it :) > > > > Does your friend know that, unlikely as it is made > > by modern ingress and > > egress routing practices, IP spoofing is still not > > quite ruled out? > > Will your friend's portsentry setup happily > > blackhole e.g. his ISP's > > nameserver, or the root nameservers, or > > www.cnn.com's IP addresses, > > simply because somebody found a way to send a TCP > > SYN packet with a > > forged source address to e.g. your friend's > > machine's port 3? :) > > > > G'luck, > > Peter > > > > -- > > Peter Pentchev roam@ringlet.net roam@FreeBSD.org > > PGP key: > > http://people.FreeBSD.org/~roam/roam.key.asc > > Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E > ED18 > > B68D 1619 4553 > > Do you think anybody has ever had *precisely this > > thought* before? > > > > > ATTACHMENT part 2 application/pgp-signature > > > > ===== > ----------------------------------------------------------- > All warfare is based on deception. > ----------------------------------------------------------- > > __________________________________________________ > Do You Yahoo!? > Sign up for SBC Yahoo! Dial - First Month Free > http://sbc.yahoo.com ===== ----------------------------------------------------------- All warfare is based on deception. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! 
From owner-freebsd-security Mon Jul 8 13:02:09 2002
From: Peter Pentchev <roam@ringlet.net>
To: twig les
Cc: Klaus Steden, "Dalin S. Owen", Laurence Brockman, security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 23:02:03 +0300
Subject: Re: hiding OS name
Message-ID: <20020708200203.GB363@straylight.oblivion.bg>
In-Reply-To: <20020708195244.79411.qmail@web10107.mail.yahoo.com>

On Mon, Jul 08, 2002 at 12:52:44PM -0700, twig les wrote:
>
> --- Peter Pentchev wrote:
> > On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus Steden wrote:
> > > > Portsentry may help (/usr/ports/security/portsentry I believe). Won't hide the OS, but it may shut down scans before they get that far. Never tested it that way.
> > >
> > > A friend of mine runs portsentry configured to blackhole every IP that attempts to connect to a port where no server is running (in conjunction with a strict firewall); that can be done in FreeBSD without using portsentry, via the blackhole sysctl MIBs. See blackhole(4).
> > >
> > > It's not a bad means to keep people out of your machines.
> >
> > I know I'm going to regret posting in this thread, but so be it :)
> >
> > Does your friend know that, unlikely as it is made by modern ingress and egress routing practices, IP spoofing is still not quite ruled out? Will your friend's portsentry setup happily blackhole e.g. his ISP's nameserver, or the root nameservers, or www.cnn.com's IP addresses, simply because somebody found a way to send a TCP SYN packet with a forged source address to e.g. your friend's machine's port 3? :)
>
> Nah, they have an ignore file of IPs to never block.
> rude but simple and effective.

Uhm... ok... excuse me for a second, I have to start a little loop on several dozens of machines here; a simple loop, yeah, netblocks, that's right; well, I know it will not get too far, but I could probably get in a couple of thousand 'deny' rules into that firewall before they notice, can't I now? And if I start with the right netblocks, I could block half his favorite sites in a couple of minutes.. Oh, a reboot? Bother.. Okay, so I'll kill that in, say, a day, and start over again.. Oh hey, what's that badge that just fell outta yer pocket? Look, man, I gotta scramble, some cousin's probably having a baby right now or something.. :P

What, do you put half the Internet in that ignore file? :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
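A small model of the auto-blocking policy Peter is poking at, added here as an illustration and not part of the thread: the events and addresses are constructed (RFC 5737 documentation ranges), and the "only block on a completed handshake, and cap the rule count" policy is an assumed mitigation, not something any poster describes.

```python
"""Why an auto-blocker driven by bare SYNs can be turned against its owner.

A TCP SYN carries an unverified source address, so anyone who can forge
packets can make the blocker add a 'deny' rule for any address they like
(the ISP nameserver, a root server, a favourite web site). A completed
three-way handshake is different: the peer had to receive our SYN-ACK,
so it really is reachable at that address. Everything below is
constructed for the example; none of it is portsentry's own logic.
"""

# (source address, destination port, evidence kind)
#   'syn'         : a lone SYN arrived; the source address may be forged
#   'established' : the three-way handshake completed with that peer
CONSTRUCTED_EVENTS = [
    ("203.0.113.7", 3, "syn"),          # a real scanner probes an unused port...
    ("203.0.113.7", 3, "established"),  # ...and completes the handshake
    ("192.0.2.53", 3, "syn"),           # forged SYN claiming to be the ISP nameserver
    ("198.51.100.10", 3, "syn"),        # forged SYN claiming to be a root nameserver
]

# The "ignore file of IPs to never block" from the thread (constructed).
NEVER_BLOCK = {"192.0.2.53"}


def naive_blocker(events, ignore):
    """portsentry-style policy: deny every source that touches a watched
    port, unless it is listed in the ignore file. Returns the deny list."""
    blocked = []
    for src, _port, _kind in events:
        if src not in ignore and src not in blocked:
            blocked.append(src)
    return blocked


def handshake_blocker(events, ignore, max_rules=1000):
    """Assumed hardened policy: deny only sources that completed a handshake
    (so the address cannot have been forged), and cap the rule count so a
    flood cannot fill the firewall with thousands of deny rules."""
    blocked = []
    for src, _port, kind in events:
        if kind != "established" or src in ignore or src in blocked:
            continue
        if len(blocked) >= max_rules:
            break  # rule table full: stop adding, alert instead
        blocked.append(src)
    return blocked


def forged_flood(count):
    """Constructed flood of SYNs with forged sources (count up to 254), the
    'little loop on several dozens of machines' scenario from the thread."""
    return [("198.51.100.%d" % (i + 1), 3, "syn") for i in range(count)]


if __name__ == "__main__":
    print("naive     :", naive_blocker(CONSTRUCTED_EVENTS, NEVER_BLOCK))
    print("handshake :", handshake_blocker(CONSTRUCTED_EVENTS, NEVER_BLOCK))
    print("naive, 200 forged SYNs    :", len(naive_blocker(forged_flood(200), NEVER_BLOCK)), "rules")
    print("handshake, 200 forged SYNs:", len(handshake_blocker(forged_flood(200), NEVER_BLOCK)), "rules")
```

The naive policy denies the forged "root nameserver" address and turns 200 forged SYNs into 200 firewall rules; the handshake policy denies only the scanner that actually connected.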
From owner-freebsd-security Mon Jul 8 13:08:14 2002
From: faSty <fasty@shell.i-sphere.com>
To: twig les
Cc: freebsd-security@freebsd.org
Date: Mon, 8 Jul 2002 13:09:01 -0700
Subject: Re: hiding OS name
Message-ID: <20020708200901.GB94197@i-sphere.com>
In-Reply-To: <20020708195244.79411.qmail@web10107.mail.yahoo.com>

Yeah, I know.
But it's still a denial of service: with spoofing, portsentry gets hit hard.

-fasty

On Mon, Jul 08, 2002 at 12:52:44PM -0700, twig les wrote:
> Nah, they have an ignore file of IPs to never block.
> rude but simple and effective.
>
> --- Peter Pentchev wrote:
> > On Mon, Jul 08, 2002 at 02:13:42PM -0400, Klaus Steden wrote:
> > [...]
> > Does your friend know that, unlikely as it is made by modern ingress and egress routing practices, IP spoofing is still not quite ruled out? Will your friend's portsentry setup happily blackhole e.g. his ISP's nameserver, or the root nameservers, or www.cnn.com's IP addresses, simply because somebody found a way to send a TCP SYN packet with a forged source address to e.g. your friend's machine's port 3? :)
> >
> > G'luck,
> > Peter
> [...]

--
Chicago law prohibits eating in a place that is on fire.

From owner-freebsd-security Mon Jul 8 13:11:27 2002
From: Clifton Royston <cliftonr@lava.net>
To: freebsd-security@FreeBSD.ORG
Cc: Asep Ruspeni, Laurence Brockman
Date: Mon, 8 Jul 2002 10:11:16 -1000
Subject: (Correction) Re: hiding OS name
Message-ID: <20020708101116.A22900@lava.net>

A correction to my earlier email response (which I also misdirected):

> From: Clifton Royston
...
> On Mon, Jul 08, 2002 at 07:42:00AM -0700, security-digest wrote:
> > Date: Mon, 8 Jul 2002 08:11:37 -0600
> > From: "Laurence Brockman"
> > Subject: Re: hiding OS name
> >
> > I think that what the original poster was trying to get at was when being scanned by something like nmap using the OS detection (Or other tools), it would show no OS.
> >
> > This would mean changing the way the networking layer responds to certain packets (ICMP, tcp sequencing, etc) and I'm not sure if there is anything out there for FreeBSD (Never bothered to look).
> >
> > I know there are kernel patches for linux that actually change the stack to emulate other OS's, thus fooling these OS detection tools.
> >
> > Laurence
>
> I believe some details of the TCP stack implementation were changed in 4.4 and above, which already makes the FreeBSD stack harder to identify. Rebuilding your 4-x kernel with the following flag out of the LINT file will make it much harder to identify (and also immune to TCP sequence number prediction.)

My comment was incorrect; TCP sequence prediction is a completely different issue and this is already dealt with correctly by the network stack. The following option, as it states, refers to the lower level IP ID generation.

> # RANDOM_IP_ID causes the ID field in IP packets to be randomized
> # instead of incremented by 1 with each packet generated.  This
> # option closes a minor information leak which allows remote
> # observers to determine the rate of packet generation on the
> # machine by watching the counter.
> options RANDOM_IP_ID
>
> Unlike the TCP_DROP_SYNFIN flag which will somewhat impair the operation of your server, this one provides some actual, if minor, benefits against certain types of man-in-the-middle attacks.

My comment there is incorrect; probably the only benefit is closing the information leak mentioned (of dubious value) and making it a little harder to ID your operating system.

> Here's sample output from a fairly recent nmap (2.54BETA31) against a recently rebuilt 4-STABLE server under my control:
>
> No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
> TCP/IP fingerprint:
> SInfo(V=2.54BETA31%P=i386-redhat-linux-gnu%D=7/8%Time=3D29DEDE%O=21%C=1)
> TSeq(Class=TR%IPID=RD%TS=100HZ)
> T1(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> T2(Resp=N)
> T3(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
>
> Uptime 5.050 days (since Wed Jul 3 07:38:10 2002)
> TCP Sequence Prediction: Class=truly random
>                          Difficulty=9999999 (Good luck!)
> IPID Sequence Generation: Randomized

On a different machine running 4.4-R patched but without this flag the OS is successfully identified:

Remote operating system guess: FreeBSD 4.3 - 4.4PRERELEASE
Uptime 7.868 days (since Sun Jun 30 13:04:36 2002)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

BTW, a valid reason for keeping people from knowing exactly what you're running is to make it more likely that they will try the wrong version of an OS-specific exploit like the recent "apache_scalp". It might not help that much, but it would be a *little* better to have people running a Linux-specific exploit than a FreeBSD-specific exploit against your FreeBSD box.

-- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
"What do we need to make our world come alive?
What does it take to make us sing?
While we're waiting for the next one to arrive..."
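To make the two fields Clifton points at (IPID class and TCP ISN class) easy to check across a set of hosts, here is a parser for that nmap fingerprint format, added as an example and not part of Clifton's post or of nmap itself; the sample block is constructed in the same format, and the meanings given for the IPID and Class codes are my reading of the nmap documentation of that era, stated as an assumption.

```python
"""Parse the TCP/IP fingerprint block printed by nmap 2.54-era releases and
report the hardening-relevant fields: the TSeq IPID class (randomized vs
incremental IP IDs, i.e. whether RANDOM_IP_ID is in effect) and the TCP
ISN class. Added example; the sample below is constructed, not captured."""
import re

# Constructed sample in the format of the output quoted in the thread.
CONSTRUCTED_FINGERPRINT = """\
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA31%P=i386-unknown-freebsd4.6%D=7/9%Time=3D2A0000%O=22%C=1)
TSeq(Class=TR%IPID=RD%TS=100HZ)
T1(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
"""

# Assumed meanings of the TSeq IPID codes (nmap docs of the time).
IPID_CLASSES = {"I": "incremental", "RD": "randomized", "C": "constant"}
# Assumed meanings of the TSeq Class codes for the TCP ISN generator.
ISN_CLASSES = {"TR": "truly random", "RI": "random increments",
               "TD": "time dependent", "C": "constant"}

# One fingerprint test per line: Name(key=value%key=value...)
TEST_LINE = re.compile(r"^([A-Za-z0-9]+)\((.*)\)$")


def parse_fingerprint(text):
    """Return {test_name: {field: value}} for every 'Name(k=v%k=v)' line.
    Prose lines in the output are skipped; empty values such as 'Ops='
    are kept as '' so a caller can tell 'absent' from 'empty'."""
    tests = {}
    for raw in text.splitlines():
        m = TEST_LINE.match(raw.strip())
        if not m:
            continue
        name, body = m.groups()
        fields = {}
        for item in body.split("%"):
            if item:
                key, _sep, value = item.partition("=")
                fields[key] = value
        tests[name] = fields
    return tests


def ipid_generation(tests):
    """Human-readable IP ID class, like nmap's 'IPID Sequence Generation' line."""
    code = tests.get("TSeq", {}).get("IPID")
    return IPID_CLASSES.get(code, "unknown (%r)" % (code,))


def ip_id_randomized(tests):
    """True when the IP ID field is randomized, the effect of RANDOM_IP_ID."""
    return tests.get("TSeq", {}).get("IPID") == "RD"


def isn_class(tests):
    """Human-readable TCP initial sequence number class from TSeq Class=."""
    code = tests.get("TSeq", {}).get("Class")
    return ISN_CLASSES.get(code, "unknown (%r)" % (code,))


if __name__ == "__main__":
    fp = parse_fingerprint(CONSTRUCTED_FINGERPRINT)
    print("tests parsed      :", sorted(fp))
    print("IP ID generation  :", ipid_generation(fp))
    print("TCP ISN class     :", isn_class(fp))
```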
- Sisters of Mercy

From owner-freebsd-security Mon Jul 8 13:26:14 2002
From: twig les <twigles@yahoo.com>
To: Peter Pentchev
Cc: Klaus Steden, "Dalin S. Owen", Laurence Brockman, security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 13:26:10 -0700 (PDT)
Subject: Re: hiding OS name
Message-ID: <20020708202610.85145.qmail@web10107.mail.yahoo.com>
In-Reply-To: <20020708200203.GB363@straylight.oblivion.bg>

> What, do you put half the Internet in that ignore file? :)
>
> G'luck,
> Peter

No, I wouldn't. If the solution doesn't fit don't use it. For some people this tool will work, but it *is* good that they will now know the pitfalls too.

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
From owner-freebsd-security Mon Jul 8 14:22:59 2002
From: Klaus Steden <klaus@kobold.compt.com>
To: Peter Pentchev
Cc: twig les, "Dalin S. Owen", Laurence Brockman, security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 17:22:51 -0400
Subject: Re: hiding OS name
Message-ID: <20020708172251.K13139@cthulu.compt.com>
References: <20020708111122.A33379@nexusxi.com> <20020708175214.31781.qmail@web10104.mail.yahoo.com> <20020708141342.G13139@cthulu.compt.com> <20020708183726.GA363@straylight.oblivion.bg>
In-Reply-To: <20020708183726.GA363@straylight.oblivion.bg>

> I know I'm going to regret posting in this thread, but so be it :)
>
> Does your friend know that, unlikely as it is made by modern ingress and egress routing practices, IP spoofing is still not quite ruled out? Will your friend's portsentry setup happily blackhole e.g. his ISP's nameserver, or the root nameservers, or www.cnn.com's IP addresses, simply because somebody found a way to send a TCP SYN packet with a forged source address to e.g. your friend's machine's port 3? :)
>
That's his problem, though, not mine.
:>

Klaus

From owner-freebsd-security Mon Jul 8 15:11:05 2002
From: Jeremy Suo-Anttila <jps@funeralexchange.com>
Delivered-To: freebsd-security@freebsd.org
Date: Mon, 8 Jul 2002 17:11:35 -0500 (CDT)
Subject: Re: (Correction) Re: hiding OS name
Message-ID: <3803.66.171.47.250.1026166295.squirrel@webmail.allneo.com>
In-Reply-To: <20020708101116.A22900@lava.net>

I don't know if anyone has mentioned this yet, but I came across this in ;login from May 2002:

Xprobe is a tool automating the X logic. X is a logic developed from the various Active Operating System Fingerprinting methods discovered during the "ICMP Usage In Scanning" research project.
WWW: http://www.sys-security.com/html/projects/X.html

It fingerprints your OS by ICMP datagrams instead of TCP and only needs up to four packets to do its job. Anyone know how to hide yourself from this besides blocking all ICMP traffic?

Also off topic: can anyone suggest a good way to do remote logging via an ssh tunnel? I have looked at syslog-ng, but I would like to use the base tools that come with FreeBSD (i.e. OpenSSH and syslogd).

Thanks
Jeremy Suo-Anttila
jps@funeralexchange.com

> A correction to my earlier email response (which I also misdirected):
> [...]
> My comment was incorrect; TCP sequence prediction is a completely different issue and this is already dealt with correctly by the network stack. The following option, as it states, refers to the lower level IP ID generation.
> [...]
> My comment there is incorrect; probably the only benefit is closing the information leak mentioned (of dubious value) and making it a little harder to ID your operating system.
> [...]
> BTW, a valid reason for keeping people from knowing exactly what you're running is to make it more likely that they will try the wrong version of an OS-specific exploit like the recent "apache_scalp". It might not help that much, but it would be a *little* better to have people running a Linux-specific exploit than a FreeBSD-specific exploit against your FreeBSD box.
>
> -- Clifton

From owner-freebsd-security Mon Jul 8 15:25:05 2002
From: Doug Barton <DougB@FreeBSD.org>
To: "Philip J. Koenig"
Cc: security@FreeBSD.org
Date: Mon, 8 Jul 2002 15:24:55 -0700 (PDT)
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020708152038.D84324-100000@zoot.corp.yahoo.com>
In-Reply-To: <20020708141630166.AAA962@empty1.ekahuna.com@pc02.ekahuna.com>

On Mon, 8 Jul 2002, Philip J. Koenig wrote:

> Actually I'm not sure that history bears that out. Take a look at the fundamental changes in Sendmail functionality recently,

I disagree strongly with the direction that much of the sendmail stuff has taken in both -current and -stable. However, the upgrades were "necessary," for a fairly good definition of "necessary." We gain very little by changing the default, and we run the risk of causing tremendous trouble to our users. You can of course add an obligatory argument about two wrongs don't make a right here...

Indeed, there are already at least two threads in -stable, and god knows how many in -questions on this very topic. That's because the default in the ssh binary seems to have been shifted to "Protocol 2,1" which is causing all kinds of problems for users who don't understand that. This has nothing to do with users carelessly mergemaster'ing, or any of the other aspersions that other contributors to this thread have made.

Also, as you pointed out, wonky mail configurations are a problem I can fix, because I can log into the box. Not being able to log into the box is a whole other can of worms.

--
"We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory."
- George W. Bush, President of the United States
State of the Union, January 28, 2002

Do YOU Yahoo!?

From owner-freebsd-security Mon Jul 8 16:10:44 2002
From: "Philip J. Koenig" <pjklist@ekahuna.com>
Organization: The Electric Kahuna Organization
To: security@FreeBSD.ORG
Cc: dougb@freebsd.org
Date: Mon, 8 Jul 2002 16:10:39 -0700
Subject: Re: Default ssh protocol in -STABLE [was:
Message-ID: <20020708231039684.AAA987@empty1.ekahuna.com@pc02.ekahuna.com>

Date: Sun, 7 Jul 2002 18:20:29 -0700 (PDT)
From: Doug Barton

> > If I'm understanding right, this change is not going to be introduced into "RELENG_4_ver,"
>
> You are not understanding right.

Didn't des or Jacques say that there were no plans to replace openssh 2.9 in RELENG_4_6, or in RELENG_4_anything?

--
Philip J.
Koenig pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

From owner-freebsd-security Mon Jul 8 16:18:14 2002
From: "Philip J. Koenig" <pjklist@ekahuna.com>
Organization: The Electric Kahuna Organization
To: security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 16:18:08 -0700
Subject: Re: hiding OS name
Message-ID: <20020708231809505.AAA981@empty1.ekahuna.com@pc02.ekahuna.com>

> Date: Sun, 7 Jul 2002 21:29:42 -0700
> From: Nathan Kinkade
>
> On Mon, 8 Jul 2002 09:32:09 +0700 "Asep Ruspeni" wrote:
>
> > I am a newbie in FreeBSD OS, but I have a lot of concern about securing systems.
> >
> > I have questions like this:
> >
> > - how can I set up FreeBSD so that, when it is being scanned, it shows no operating system name + version.
> > - are there any articles I could read about securing FreeBSD, such as for the question I asked above.
> >
> > thank you in advance.
>
> What you are looking for is not really a function of FreeBSD, but rather of the various servers you may be running on FreeBSD such as Apache, FTP, Sendmail, and so on. If it's going to happen it will probably be something that you configure the daemon to do, however I don't know which allow you to do something similar other than wu-ftpd, although I'd guess there are others. Network scanning utilities - I'm thinking of nmap in particular - allow you to scan a host(s) and attempt to determine the OS/version based on certain peculiarities in the response(s). One way to help minimize the impact of this would be to set the net.inet.tcp.blackhole and net.inet.udp.blackhole kernel parameters using the sysctl utility. For more information on this checkout the "blackhole(4)" manpage with `man 4 blackhole`.
>
> Nathan

Another option is to put the box behind a firewall. Very often if something like nmap is looking for peculiarities in the IP stack implementation to ascertain what OS is on a box, if there is a firewall in front of it it will be id'ing the firewall's IP implementation rather than the target host's.

--
Philip J.
Koenig pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

From owner-freebsd-security Mon Jul 8 20:21:57 2002
From: Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To: security@FreeBSD.ORG
Date: Mon, 8 Jul 2002 23:21:47 -0400
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020708232147.A22605@dali.cs.wm.edu>
References: <20020708141630166.AAA962@empty1.ekahuna.com@pc02.ekahuna.com> <20020708152038.D84324-100000@zoot.corp.yahoo.com>
In-Reply-To: <20020708152038.D84324-100000@zoot.corp.yahoo.com>

On Mon, Jul 08, 2002 at 03:24:55PM -0700, Doug Barton wrote:
> On Mon, 8 Jul 2002, Philip J. Koenig wrote:
>
> Also, as you pointed out, wonky mail configurations are a problem I can fix, because I can log into the box. Not being able to log into the box is a whole other can of worms.
>

OK, we buy into your reasons of release engineering for keeping v1 the default. But please, do not exaggerate. Making v2 default wouldn't make a login to a box impossible. That's a ridiculous claim. It would just ignore your authorized ssh1 key and ask you for the password. That is bad for scripts if a sysadmin is too lazy to run

    echo " Protocol 1,2" >>/etc/ssh/ssh_config

over all machines that use those scripts. I understand your wish to keep life easy for such people. But I do not understand or approve the exaggeration in order to market your opinion better.

Let me repeat: Making v2 the default in the config file (it is already the default in the binary) would break only the scripts relying on the authorized ssh1 keys, _nothing_ else. You'd certainly be able to log into your box and fix the things.

You think it's better to keep v1 the default in 4.x? Fine with me. But don't make oversimplified and misleading claims, please.
--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Tue Jul 9 1:50:18 2002
From: "Biing Jong Lin" bjlin@stic.gov.tw
To: "Darren Pilgrim"
Cc: "Asep Ruspeni"
Date: Tue, 9 Jul 2002 16:49:51 +0800
Subject: Re: hiding OS name

----- Original Message -----
From: "Darren Pilgrim"
To: "Asep Ruspeni"
Sent: Monday, July 08, 2002 4:02 PM
Subject: Re: hiding OS name

> Hiding your OS name and version will do nothing to increase security,
> because the majority of people who scan for vulnerable hosts just do
> bulk scanning, trying their trick on everything they find. They know
> (or just don't care) that you can't reliably determine the OS without
> shell access and even then you can be tricked.
>
> That said, what you're looking to do is change the banner on the
> daemons you're running. How you do this is specific to each daemon.
> As usual, RTWP, JTML, RTFM, RTSL, etc.

I think hiding your OS name and version still helps: not to increase the
level of security, just to confuse the intruder and force them to make
decisions, and hopefully they will make a mistake.

We are talking about malicious hacking activities against a specified
target. If you can 'survive' these attacks, you can stop those script
kiddies too. A cracker would be confused, and may pick the wrong
tools/shellcodes when they launch an attack without the correct OS name
and version.

As for those who are using automatic tools, they are just trying their
luck. At least I am not worried when people attack my FreeBSD box with
IIS tools.

Information hiding is just trying to confuse/stall intruders. The most
efficient way to improve your security is to read advisories, and patch
your system regularly.

From owner-freebsd-security Tue Jul 9 6:52:34 2002
From: Alex freebsd-reply@akruijff.dds.nl
Cc: security@FreeBSD.ORG
Date: Tue, 9 Jul 2002 15:52:14 +0200
Subject: Re[2]: hiding OS name

Hello/Beste Philip,

Tuesday, July 09, 2002, 1:18:08 AM, you wrote:

>> Date: Sun, 7 Jul 2002 21:29:42 -0700
>> From: Nathan Kinkade
>>
>> On Mon, 8 Jul 2002 09:32:09 +0700
>> "Asep Ruspeni" wrote:
>>
>> > I am a newbie in the FreeBSD OS, but I have a lot of concern about
>> > securing the system.
>> >
>> > I have questions like this:
>> >
>> > - how can I set up FreeBSD so that when it is being scanned, it shows no
>> > operating system name + version.
>> > - are there any articles I could read about securing FreeBSD such as
>> > the question I ask above.
>> >
>> > thank you in advance.
>>
>> [Nathan's reply, quoted in full in Philip's message above, snipped]
>>
>> Nathan

PJK> Another option is to put the box behind a firewall. Very often if
PJK> something like nmap is looking for peculiarities in the IP stack
PJK> implementation to ascertain what OS is on a box, if there is a
PJK> firewall in front of it it will be id'ing the firewall's IP
PJK> implementation rather than the target host's.

You can have OpenBSD on that system to look very, very secure.

--
Best regards/Met vriendelijke groet,
Alex

From owner-freebsd-security Tue Jul 9 7:45:39 2002
From: "B.K. DeLong" bkdelong@pobox.com
To: security@FreeBSD.ORG
Date: Tue, 09 Jul 2002 10:44:50 -0400
Subject: Black Hat Briefings Keynotes Include NSA Director and Special Advis. to Bush

FYI - I thought this may be of interest to several list members since a
few of the topics (namely the Apache "vulnerabilities") are related to
discussions at the show. Look me up if you're going.
----------------------------------------------------------------

For Immediate Release

Contacts
B.K. DeLong
press@blackhat.com
+1.617.877.3271

BLACK HAT BRIEFINGS 2002 KEYNOTES INCLUDE NSA DIRECTOR AND SPECIAL ADVISOR
TO THE PRESIDENT

NSA Security Evaluations Group Technical Director Richard George & Richard
Clarke - Special Advisor to the President for Cyberspace Security

http://www.blackhat.com/ -- Black Hat Inc. today announced the keynote
speakers for this summer's Black Hat Briefings and Training 2002, the
annual conference and workshop designed to help computer professionals
better understand the security risks to their computer and information
infrastructures by potential threats.

This year's show will focus on 8 tracks of hot topics including Wireless,
Firewalls, Access Control, PKI & Single Signon, Routing and
Infrastructure, Application Security, Intrusion Detection, Incident
Response & Computer Forensics, Privacy & Anonymity, Web, Mail and Other
Related Servers, and Deep Knowledge.

The event is being held 31 July through 1 August 2002 at the Caesars
Palace Hotel and Casino in the heart of Las Vegas. Top-notch speakers
will deliver to the conference's core audience of IT & network security
experts, consultants and administrators the newest developments on the
vital security issues facing organizations using large networks with a
mix of operating systems.

"Black Hat USA 2002 will be unlike any other security conference in the
world - we will be showcasing the work of over 45 of the most
knowledgeable and renowned security professionals, hosting a gala
reception with an unrivaled book signing event that will run concurrent
with the never-before-seen Hacker Court," says Jeff Moss, founder of
Black Hat Inc. "Black Hat USA 2002 promises to offer an unparalleled
networking opportunity in the security arena."

The keynote speakers for this year's Black Hat Briefings include:

-- Richard George joined the National Security Agency as a mathematician
in 1970 and has worked in the Information Assurance Directorate (or its
predecessor organizations) for 32 years as a cryptomathematician. He
currently serves as the Technical Director of the Security Evaluations
Group which is responsible for evaluating security solutions used by the
Department of Defense and Intelligence Community.

-- Richard Clarke, Special Advisor to the President for Cyberspace
Security. Clarke has served in several senior national security posts.
Most recently he served as National Coordinator for Security,
Infrastructure Protection, and Counter-terrorism on the National Security
Council. As National Coordinator, he led the U.S. government's efforts on
counter-terrorism, cyber security, continuity of government operations,
domestic preparedness for weapons of mass destruction, and international
organized crime. In 1992, General Scowcroft appointed Mr. Clarke to the
National Security Council staff. He continued as a member of the NSC
staff throughout the Clinton Administration.

This year's Luncheon Speaker will be Jeff Jonas, President and founder of
Systems Research & Development (SRD). Jonas will be talking about
Non-Obvious Relationship Awareness (NORA) technology, how this technology
is used to catch gaming cheats in the nearby casinos, and how it is being
used to catch terrorists these days.

Other Black Hat Briefings 2002 speakers include:

-- Thomas Akin, Founding Director, Southeast Cybercrime Institute. Akin is
a Certified Information Systems Security Professional (CISSP) who has
worked in Information Security for almost a decade. He is the founding
director of the Southeast Cybercrime Institute where he also serves as
chairman for the Institute's Board of Advisors. He is an active member of
the Georgia Cybercrime Task Force where he heads up the Task Force's
Education committee. Thomas also works with Atlanta's ISSA, InfraGard,
and HTCIA professional organizations.

-- Don Cavender, Senior Special Agent, FBI Academy. SSA Cavender has
twelve years experience as an FBI Agent. The past seven years he has been
involved in high technology investigations and digital forensics. He is
presently responsible for instruction in Internet and Network
Investigations for FBI, Federal, State and Local Law Enforcement
Investigators, case support and consultation and research.

-- Sean Convery, Network Architect, Cisco. Convery is a network architect
in Cisco's VPN and security business unit. Sean works primarily on the
SAFE blueprint, and is an author of several of its whitepapers. Prior to
his four years at Cisco, Sean held various positions in both IT and
security consulting during his 11 years in networking.

-- Mark Eckenwiler, Senior Counsel in the Computer Crime & Intellectual
Property Section, Criminal Division, U.S. Department of Justice.
Eckenwiler is Senior Counsel in the Computer Crime and Intellectual
Property Section, Criminal Division, U.S. Department of Justice. His
areas of responsibility include federal wiretap law, computer search and
seizure, and online investigations. An Internet veteran for almost two
decades, Mark has written and spoken widely on such issues as anonymity
and free speech, e-mail stalking laws, Internet jurisdiction, electronic
privacy, and the Fifth Amendment implications of cryptographic keys.

-- Carole Fennelly, Partner, Wizard's Keys Corporation. With 20 years as
a Unix systems administrator and security consultant, Carole has a wealth
of experience in both technical and managerial procedure. Her rather
caustic articles, both technical and editorial, have been widely
published and she has been quoted in numerous trade publications.

-- Halvar Flake, Reverse Engineer, Black Hat Consulting. Originating in
the fields of copy protection and digital rights management, he
gravitated more and more towards network security over time as he
realized that constructive copy protection is more or less fighting
windmills. After writing his first few exploits he was hooked and
realized that reverse engineering experience is a very handy asset when
dealing with COTS software. With extensive experience in reverse
engineering, network security, penetration testing and exploit
development he recently joined BlackHat as their primary reverse
engineer.

-- Dr. Ian Goldberg is internationally recognized as one of the world's
leading cryptographers and cypherpunks. Dr. Goldberg is a founder of
Berkeley's Internet Security, Applications, Authentication and
Cryptography group. In addition to developing many of the leading network
software titles for the Palm Pilot, he is known for his part in cracking
the first RSA Secret Key Challenge in three and a half hours; breaking
Netscape's implementation of the encryption system SSL; and breaking the
cryptography in the GSM cellular phone standard. In November 1998, Wired
magazine selected Dr. Goldberg as one of the "Wired 25" - the twenty-five
people who in 1998 are "about to change the rules all over again." In
December 2000 he obtained his Ph.D. from UC Berkeley for his thesis "A
Pseudonymous Communications Infrastructure for the Internet," which
examined the technical and social issues involved in designing the
Freedom Network.

-- Jesse Kornblum, Chief, Research and Development, Air Force Office of
Special Investigations. SA Kornblum is the Chief of Research and
Development for the Air Force Office of Special Investigations Computer
Investigations and Operations Branch. A graduate of the Massachusetts
Institute of Technology, he has experience running intrusion
investigations and supporting other agents in more traditional
investigations. He is currently responsible for developing tools and
techniques to allow agents to conduct investigations.

-- David Litchfield, Managing Director & Co-Founder, Next Generation
Security Software. Litchfield is a world-renowned security expert
specializing in Windows NT and Internet security. His discovery and
remediation of over 100 major vulnerabilities in products such as
Microsoft's Internet Information Server and Oracle's Application Server
have led to the tightening of sites around the world. David Litchfield is
also the author of Cerberus' Internet Scanner (previously NTInfoscan),
one of the world's most popular free vulnerability scanners. In addition
to CIS, David has written many other utilities to help identify and fix
security holes. David is the author of many technical documents on
security issues including his tutorial on Exploiting Windows NT Buffer
Overruns referenced in the book "Hacking Exposed".

A limited number of books will be available for purchase from our
official on-site bookseller, Breakpoint, during the USA 2002 Briefings.
Meet and speak with the authors:

* Thomas Akin, author of "Hardening Cisco Routers"
* Stuart McClure, author of "Web Hacking: Attacks and Defense" ^
* Paul Proctor, author of "The Secured Enterprise: Protecting Your
  Information Assets" and "The Practical Intrusion Detection Handbook"
* Honeynet Project on their book "Know Your Enemy: Revealing the Security
  Tools, Tactics, and Motives of the Blackhat"
* Ryan Russell and Dan Kaminsky, best-selling authors of "Hack Proofing
  Your Network, Second Edition"
* Debra Littlejohn Shinder, best-selling author of "Scene of the
  Cybercrime: Computer Forensics Handbook" ^
* Dr. Thomas W. Shinder, bestselling author of "Configuring ISA Server
  2000" and the forthcoming "InfoWar for MCSEs: Defending Your Microsoft
  Enterprise Network"
* Robert Shimonski, author of "Sniffer Network Optimization and
  Troubleshooting Handbook"
* Rick Smith, author of "Authentication: From Passwords to Public Keys"
* Mike Schiffman, "Hacker's Challenge: Test Your Incident Response Skills
  Using 20 Scenarios"

^ Denotes a NEW BOOK - be one of the first to get a copy BEFORE it hits
the bookstores!

All paid Briefings attendees will receive free admission to the DEF CON
conference (http://www.defcon.org), being held August 2, 3, and 4th at
the Alexis Park Hotel. Conference-goers also get a free book: "Hack
Proofing Your Ecommerce Site" by Ryan Russell, compliments of our
official book sponsor, Syngress Publishing. There will also be access to
a wireless network during the show; for those without wireless cards, we
will be selling them on-site from the BlackHat Store.

To register for BlackHat Briefings, visit the Web site at
http://www.blackhat.com or register at the conference. Direct any
conference-related questions to info@blackhat.com. For press
registration, contact B.K. DeLong at +1.617.877.3271 or via email at
press@blackhat.com. (For the DEF CON conference, ALL PRESS MUST
PRE-REGISTER or pay the $75 entrance fee on-site. For more details
regarding media passes to DEF CON, please read this page:
http://www.defcon.org/dcx-press.html)

About Black Hat Inc.

Black Hat Inc. was originally founded in 1997 by Jeff Moss to fill the
need for computer security professionals to better understand the
security risks and potential threats to their information
infrastructures and computer systems. Black Hat accomplishes this by
assembling a group of vendor-neutral security professionals and having
them speak candidly about the problems businesses face and their
solutions to those problems. Black Hat Inc. produces 5 briefing &
training events a year on 3 different continents. Speakers and attendees
travel from all over the world to meet and share in the latest advances
in computer security. For more information, visit their Web site at
http://www.blackhat.com

###

--
B.K. DeLong
bkdelong@pobox.com
617.877.3271
http://www.brain-stream.com Play.
http://www.the-leaky-cauldron.org Potter.
http://www.attrition.org Security.
http://www.artemisiabotanicals.com Herb.

From owner-freebsd-security Tue Jul 9 8:46:13 2002
From: "Jeremy Suo-Anttila" jps@funeralexchange.com
To: "Alex"
Cc: security@FreeBSD.ORG
Date: Tue, 9 Jul 2002 10:52:43 -0500
Subject: RE: : hiding OS name

Just because the firewall is OpenBSD does NOT make it any more secure
than a well tuned and hardened FreeBSD box. The box is only as secure as
the administrator maintaining it.

One way to hide your OS that I can see, after you have found a way to
hide it from all the services you run on the servers, would be to place
a bridged ipf/ipfw firewall in front of them all and then run a black
hole on it and drop all spoofed packets along with a half dozen other
known types of scans. This way if your firewall is scanned the packets
will be silently dropped to the floor and left for dead and the machines
behind it should not have ever been touched by it.

Also one final note: the FreeBSD packet switching fairies work much
faster for less pay and they are also very easily annoyed.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/funnies.html

Thanks
Jeremy Suo-Anttila
jps@funeralexchange.com

Sent: Tuesday, July 09, 2002 8:52 AM
Cc: security@FreeBSD.ORG
Subject: Re[2]: hiding OS name

> [Alex's message of Tuesday, July 09, 2002 8:52 AM, quoted in full; it
> appears in its entirety above, snipped here]

From owner-freebsd-security Tue Jul 9 8:58: 6 2002
From: Alex freebsd-reply@akruijff.dds.nl
To: "Jeremy Suo-Anttila"
Cc: "Alex", security@FreeBSD.ORG
Date: Tue, 9 Jul 2002 17:57:44 +0200
Subject: Re[2]: : hiding OS name

Hello/Beste Jeremy,

Tuesday, July 09, 2002, 5:52:43 PM, you wrote:

JSA> Just because the firewall is OpenBSD do NOT make it anymore secure then a
JSA> well tuned and hardened FreeBSD box. The box is only as secure as the
JSA> administrator maintaining it.

OpenBSD has earned its reputation on security. It scores a little better
than FreeBSD on this topic. At the very least you have less possibility
of an insecure system. OpenBSD would be the best general choice for a
firewall and FreeBSD would be the best choice for any other Intel based
computer. NetBSD would cover anything that is not supported. The
different versions of BSD exist for a reason.

The principle behind the original suggestion is to have a firewall with
a different OS on it.

--
Best regards/Met vriendelijke groet,
Alex

From owner-freebsd-security Tue Jul 9 9:24:52 2002
From: twig les twigles@yahoo.com
To: security@FreeBSD.ORG
Date: Tue, 9 Jul 2002 09:24:39 -0700 (PDT)
Subject: Dear god not another *BSD debate (was - hiding OS name)

The subject is self-explanatory.

--- Alex wrote:
> [Alex's reply to Jeremy of Tuesday, July 09, 2002, 5:57 PM, quoted in
> full; it appears in its entirety above, snipped here]

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

From owner-freebsd-security Tue Jul 9 12:16:54 2002
From: Ozol Andrew Albert andrew-ozol@hotmail.ru
To: freebsd-security@FreeBSD.ORG
Date: Tue, 09 Jul 2002 23:16:39 +0400
Subject: Crypto default after "make world"
Hello ALL!

I have FreeBSD 4.4, installed last year. Now I have applied the resolv
patch and done "make world" and "make installworld" on the 4.4 source
downloaded back then; I did not do a CVSup. Reboot and oops - it does
not let me in on my own login, but does as root. Investigation has shown
that passwords in DES do not work; moreover, all new passwords are
created in shadow.passwd in MD5 format. Because of this the perl scripts
using the crypt function have also stopped working, as the old passwords
in the scripts' base are in DES and the new ones are already created in
MD5.

Studying UPDATING and the readme in /usr/src, and updating auth.conf and
login.conf, gave no result. All passwords are MD5 only, and that's all!
It was possible to restore DES enciphering only by "substituting"
libcrypto with libdescrypto in /usr/lib; then all passwords became DES
:-). Reading the mailing list, it became clear that up to version 4.4
the choice of crypto algorithm was determined by the libraries, and with
4.4 a universal library supporting MD5 and DES seems to have appeared.

Once again: passwd_format des registered in auth.conf and login.conf
does not work. With des in login.conf passwd also refuses to work:

    passwd: cannot set password cipher: Undefined error: 0

cap_mkdb was applied. It seems that DES has disappeared as a class.

And so a question to the dear community - how, all the same, to set the
default crypto algorithm, for the crypt function for example? And for
newly created logins? And how is MD5 or DES determined for a daemon
started as nobody with

    nobody:*:65534:65534::0:0

in shadow.passwd - in that same place the type of the password is
obviously not specified?

--
Best regards,
Andrew A. Ozol
Sysadmin
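The last question above has a concrete answer: the scheme is not configured per account, it is encoded in the stored password field itself ("$1$" prefix for MD5, 13 bare characters for DES, "*" for an account with no usable hash). The following added example (mine, not the poster's or FreeBSD's) classifies each entry of a master.passwd-style file and derives the salt a crypt()-based script must pass to verify against that entry; the sample lines are constructed, not taken from any real system.

```python
"""Classify FreeBSD master.passwd password fields by crypt(3) scheme.

Added example; the sample file below is constructed for illustration.
"""
import re
from typing import Dict, Optional

# Output alphabet shared by the traditional DES and the MD5 crypt schemes.
_CRYPT_ALPHABET = "./0-9A-Za-z"
# Traditional DES: 2 salt chars + 11 hash chars, no prefix.
_DES_RE = re.compile(r"^[%s]{13}$" % _CRYPT_ALPHABET)
# MD5 ("$1$"): up to 8 salt chars, then "$", then 22 hash chars.
_MD5_RE = re.compile(r"^\$1\$([^$]{1,8})\$[%s]{22}$" % _CRYPT_ALPHABET)


def hash_format(field: str) -> str:
    """Name the scheme of one password field.

    A leading "*" can never equal any crypt() output, so such an account
    (e.g. nobody:*:...) cannot be logged into with a password at all;
    no scheme choice applies to it.
    """
    if field == "":
        return "empty"            # no password required
    if field.startswith("*"):
        return "locked"           # "*" or a "*LOCKED*"-style prefix
    if _MD5_RE.match(field):
        return "md5"
    if _DES_RE.match(field):
        return "des"
    if field.startswith("$"):
        return "other-modular"    # some other "$id$" scheme
    return "unknown"


def crypt_salt(field: str) -> Optional[str]:
    """Return the salt a script must hand to crypt(3) to re-check a
    password against this stored field.

    Scripts that always take the first two characters (the DES habit)
    break on MD5 entries: a two-character salt makes crypt() produce a
    DES hash, which can never equal the stored "$1$..." string.
    """
    fmt = hash_format(field)
    if fmt == "des":
        return field[:2]
    if fmt == "md5":
        return "$1$" + _MD5_RE.match(field).group(1) + "$"
    return None   # nothing verifiable: locked, empty or unknown scheme


def parse_master_passwd(text: str) -> Dict[str, str]:
    """Map user name -> password field.

    master.passwd has ten colon-separated fields:
    name:password:uid:gid:class:change:expire:gecos:home:shell
    """
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        entries[fields[0]] = fields[1]
    return entries


def audit(text: str) -> Dict[str, str]:
    """Map user name -> scheme, so a file left with a mix of DES and MD5
    entries after an upgrade is visible at a glance."""
    return {name: hash_format(pw) for name, pw in parse_master_passwd(text).items()}


# Constructed sample; hashes are placeholders, not real password hashes.
SAMPLE_MASTER_PASSWD = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:0:0::0:0:Charlie &:/root:/bin/csh
alice:ab/cdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
toor::0:0::0:0:Bourne-again Superuser:/root:
"""

if __name__ == "__main__":
    for name, fmt in audit(SAMPLE_MASTER_PASSWD).items():
        print(f"{name:8s} {fmt:14s} salt={crypt_salt(parse_master_passwd(SAMPLE_MASTER_PASSWD)[name])}")
```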
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 9 16:13:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5996337B400 for ; Tue, 9 Jul 2002 16:13:31 -0700 (PDT) Received: from fep3.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id C29A643E42 for ; Tue, 9 Jul 2002 16:13:30 -0700 (PDT) (envelope-from dlavigne6@cogeco.ca) Received: from d226-33-213.home.cgocable.net (d226-33-213.home.cgocable.net [24.226.33.213]) by fep3.cogeco.net (Postfix) with ESMTP id 18F902A59 for ; Tue, 9 Jul 2002 19:13:29 -0400 (EDT) Date: Tue, 9 Jul 2002 19:18:04 -0400 (EDT) From: Dru X-X-Sender: dlavigne6@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca To: security@freebsd.org Subject: no phase2 handle found (fwd) Message-ID: <20020709190806.J143-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

No one willing to give a stab at this? :(

I've tried enabling/disabling every feature combination possible in racoon.conf, I've tried transport and tunnel modes, I've read the RFCs and scoured the Net (and learned more about IPSEC than a person should be allowed to know), I've created a bazillion phase one SAs, but nothing I've tried gets me past that "unknown notify message" in phase 2. I'd give my hen's teeth to see a phase 2 SA....

The bit of code the error message refers to deals with a potential DoS attack, so it looks like racoon is the one that's bailing out and deleting the phase 1 SA. I'm not good enough with C to want to try mucking with the source code. Anyone willing to reply to me off list?
I'll buy you a beer if you ever come to Canada :)

Dru

---------- Forwarded message ----------
Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
From: Dru
To: security@freebsd.org
Subject: no phase2 handle found

Didn't get any response from questions, so I'll try here.

Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using the latest racoon. Phase 1 is successful and an ethereal analysis shows that both are negotiating the same policy parameters. However, Phase 2 repeats endlessly with this message in /var/log/racoon.conf:

ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.

The Phase 2 parameters on the PIX:

crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600 kilobytes 4608000

and in racoon:

pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate;

I can only guess that negotiations are failing because of the compression algorithm; from what I can gather PIX only supports lzs but I'm unsure if compression is enabled or disabled by default. There are no (documented) knobs in the PIX IOS to enable/disable compression in the transform set.

I haven't had any luck getting setkey to use lzs and a google search shows one mailing list query which never received an answer. If I try:

add bsd_ip pix_ip 666 -C lzs;

I get a syntax error.

I've been able to set the SPD to accept this as part of the policy

ipcomp/tunnel/pix_ip-bsd_ip/require;

but that still doesn't tell it to use lzs.

racoon.conf accepts the lzs keyword but that didn't help either.

Any suggestions on where to go from here?

Also, the manpage for tcpdump has a -E option that works if tcpdump was compiled with cryptography enabled. How do I do this?
TIA,

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 9 17:39: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A5B137B400; Tue, 9 Jul 2002 17:37:36 -0700 (PDT) Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id E9D6D43E4A; Tue, 9 Jul 2002 17:37:35 -0700 (PDT) (envelope-from eldercare@earthlink.net) Received: from pool-63.52.66.209.cmbr.grid.net ([63.52.66.209] helo=earthlink.net) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 17S5OQ-0005gf-00; Tue, 09 Jul 2002 17:31:43 -0700 Message-ID: <3D2B7F36.1B3C2762@earthlink.net> Date: Tue, 09 Jul 2002 20:26:30 -0400 From: Joseph Jackson X-Mailer: Mozilla 4.75 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 Subject: Financing Long-Term Care Content-Type: multipart/alternative; boundary="------------E04DD6E5583E5CC4196DBBAB" To: undisclosed-recipients: ; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

LONG TERM CARE MANAGEMENT REQUIRES A TEAM. SO DID THE BOOK THAT TEACHES IT. [Health Care Without Medicare] NEW FROM SOLARIAN PRESS An important new book for financial planners serving frail elders, the chronically ill and those with physical disabilities. HEALTH CARE WITHOUT MEDICARE: A New Practice Manual for Community-Based Care Management The care-management skills and knowledge you need to help your clients achieve their most often-stated goals — to stay well and independent, and to preserve their savings. by Joseph A. 
Jackson, LICSW, CCM To learn more about the book, click here ------------------------------------------------------------------------ High Praise from the Professional Community for- HEALTH CARE WITHOUT MEDICARE ------------------------------------------------------------------------ "An enormously useful resource. Jackson and his associates present both an optimistic vision of community care and richly detailed guidelines for achieving it." William J. Reid, Ph.D., Distinguished Professor School of Social Welfare, State University of New York at Albany ------------------------------------------------------------------------ "In Health Care Without Medicare our stewardship of frail elders, the chronically ill and the physically disabled is made possible by an all-star group of contributors." Karen Zander, RN, MS, CMAC, FAAN, Principal, The Center for Case Management ------------------------------------------------------------------------ "A should-read for every serious student of our health care system and where we are going in the next 10 — 20 years." Marcie Parker, Ph.D., CFLE ------------------------------------------------------------------------ "This outstanding guide offers unique training and will ensure the highest quality service by professionals who play a key role in serving the elderly." Peter J. Strauss, Esq. , Author The Elder Law Handbook ------------------------------------------------------------------------ "Indispensable advice... a clear path through the maze of medical, legal, and financial challenges of aging." Donald J. Parker, MSW, VP of Business Development AtlantiCare Health Systems ------------------------------------------------------------------------ Health care is moving to the community. Learn to set the trend as we move ... From Health Care to LifeCare in America. Click here to learn more about the book. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 9 21:23: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3FA5B37B4D1 for ; Tue, 9 Jul 2002 21:22:52 -0700 (PDT) Received: from mail.npubs.com (npubs.com [207.111.208.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3ADE43E3B for ; Tue, 9 Jul 2002 21:22:51 -0700 (PDT) (envelope-from nielsen@memberwebs.com) From: "Nielsen" To: "Dru" , References: <20020709190806.J143-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca> Subject: Re: no phase2 handle found (fwd) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020710042347.9CCE043B9FA@mail.npubs.com> Date: Wed, 10 Jul 2002 04:23:47 +0000 (GMT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

To be honest (and this is difficult to admit) I gave up on racoon recently. I have a bit of an arcane setup as well. I had it working perfectly with FreeBSD 4.3 but for some reason with 4.5 I couldn't for the life of me get it running. Will try again in the future. My sympathies all the way. I use static SADs now.
I guess you would have tried that if it was a viable option.

Nate Nielsen

----- Original Message -----
From: "Dru"
To:
Sent: Tuesday, July 09, 2002 17:15
Subject: no phase2 handle found (fwd)

>
> No one willing to give a stab at this? :(
>
> I've tried enabling/disabling every feature combination possible in racoon.conf, I've tried transport and tunnel modes, I've read the RFCs and scoured the Net (and learned more about IPSEC than a person should be allowed to know), I've created a bazillion phase one SAs, but nothing I've tried gets me past that "unknown notify message" in phase 2. I'd give my hen's teeth to see a phase 2 SA....
>
> The bit of code the error message refers to deals with a potential DoS attack so it looks like racoon is the one that's bailing out and deleting the phase 1 SA. I'm not good enough with C to want to try mucking with the source code. Anyone willing to reply to me off list? I'll buy you a beer if you ever come to Canada :)
>
> Dru
>
> ---------- Forwarded message ----------
> Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
> From: Dru
> To: security@freebsd.org
> Subject: no phase2 handle found
>
> Didn't get any response from questions, so I'll try here.
>
> Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using the latest racoon. Phase 1 is successful and an ethereal analysis shows that both are negotiating the same policy parameters. However, Phase 2 repeats endlessly with this message in /var/log/racoon.conf:
>
> ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
>
> The Phase 2 parameters on the PIX:
>
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> crypto dynamic-map bsd 100 set transform-set vpn
> crypto dynamic-map bsd 100 set pfs group2
> crypto dynamic-map bsd 100 set security-association lifetime seconds 3600 kilobytes 4608000
>
> and in racoon:
>
> pfs_group 2;
> lifetime time 3600 sec;
> encryption_algorithm des ;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
>
> I can only guess that negotiations are failing because of the compression algorithm; from what I can gather PIX only supports lzs but I'm unsure if compression is enabled or disabled by default. There are no (documented) knobs in the PIX IOS to enable/disable compression in the transform set.
>
> I haven't had any luck getting setkey to use lzs and a google search shows one mailing list query which never received an answer. If I try:
>
> add bsd_ip pix_ip 666 -C lzs;
>
> I get a syntax error.
>
> I've been able to set the SPD to accept this as part of the policy
>
> ipcomp/tunnel/pix_ip-bsd_ip/require;
>
> but that still doesn't tell it to use lzs.
>
> racoon.conf accepts the lzs keyword but that didn't help either.
>
> Any suggestions on where to go from here?
>
> Also, the manpage for tcpdump has a -E option that works if tcpdump was compiled with cryptography enabled. How do I do this?
>
> TIA,
>
> Dru
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 0:10:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DCD337B400 for ; Wed, 10 Jul 2002 00:10:30 -0700 (PDT) Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5655D43E52 for ; Wed, 10 Jul 2002 00:10:29 -0700 (PDT) (envelope-from campbell@neotext.ca) Received: from neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with SMTP id g6A7ATA01011; Wed, 10 Jul 2002 01:10:30 -0600 (MDT) (envelope-from campbell@neotext.ca) Message-Id: <200207100710.g6A7ATA01011@localhost.neotext.ca> Date: Wed, 10 Jul 2002 07:10:29 -0000 To: Subject: FYI report: Reflected Distributed Denial of Service Attack From: "Duncan Patton a Campbell" X-Mailer: TWIG 2.6.2 Disposition-Notification-To: "Duncan Patton a Campbell" Cc: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a report, FYI, on an ongoing Reflected Distributed Denial of Service attack directed against the domain indx.ca since June 30/02.

Background. The system (a website) consists of three FreeBSD 4.3 servers providing a GIS goods and services locator function to the net. Indx.ca is located in Burnaby B.C. on an ADSL link supplied by a Telus reseller, Infoserve.net (cypherkey/aka aebc.com). Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user front-end with a third box (mail.indx.ca) providing support functions.
The system is supported remotely from babayaga.neotext.ca (aka ww0.indx.ca), a
FreeBSD 4.5 box located in Edmonton, Alberta.

History.

The attack appears to have gradually ramped up over the weekend of June 29/30 but
was first noticed by a squid proxy user as an inability to access the web at about
9:30pm Sunday. Nothing special was noted until July 02, when it was realised that an
attack was under way -- it was initially thought that a Windows trojan was
responsible for the failure, and our initial efforts were directed that way (we are
still not certain that the Windows trojan we have on ice isn't one of the zombies
used to instigate the attack).

By the early am of July 02, responses between ww0 and the rest of the servers in BC
were degraded to performance that resembled a Telebit PEP link: 1300 to 1700
millisecond responses to pings and a packet loss rate of > 70%.

By the afternoon of July 02 we had become convinced that we were under the gun of a
reflected DDOS attack similar to that described by Steve Gibson on grc.com. Mail to
these guys provoked a peculiarly blasé response, but, oh well.

That's when the fun began. At this point verio (aka NTT) apparently blocked our
addresses from going to grc.com. At the same time, Telus blocked communication
between neotext.ca and indx.ca (yes, we have traceroutes), so I was forced to use a
tertiary server to talk thru.

Initially we attempted to contact our immediate service provider by telephone and
were met with a "sh!t deflection" response that called into question our competence
and sanity. We "clearly" had a malfunctioning server that was causing the problem.

By July 03, we had convinced ourselves that it didn't matter what OS was plugged in,
and that if anything was plugged into the mail.indx.ca address it would start a
storm that would take several hours to die down. We changed all three servers' IP
addresses and reconfigured our VPN (arghh).
Arps from the Telus routers serving us (209.53.196.02 and 209.53.196.03) to our
defunct mail address (209.53.196.69) continued regardless, as they continue even
now.

By July 06 we had finally received some non-committal nonsense from aebc.com's
technical guy telling us that there were a lot of older servers in Asia and that
maybe we should turn off named mapping on the 209.53.196.69. Bilge. 209.53.196.69
had not existed for days, and the port names in the tcpdump trace we had supplied
are from inetd services, not named. As well, many of the servers/routers involved
in the attack were North American in origin.

At this point the arps continue to come in and I am sure that plugging a machine
into the address would invoke a storm.

Maybe I'm being paranoid, but this is not a technical problem at all. Our addresses
were blocked by the Telcos in a peculiarly useless and blatant manner, like the
folks who did it were operating under really stupid or malicious orders that didn't
make sense anyway. As well, our site is seen as stealing much bread from the
telcos' management/sales: it is a highly innovative prototype entirely based on
GNU/GPL software and systems that maps goods and services available on the
internet to real locations where people can go buy these goods/services from other
people. And it does this better than anything the Telco management could dream up.

So, given the financially stressed nature of the Telcos and the blind rapacity of
their management (Telus is currently re-orging again, and blaming their poor $$
performance on unions and over-paid workers, again -- no, I'm not in the union, and
have never worked for Telus and after this letter probably never will ;-), it seems
to me very likely that some people without too much technical know-how have got a
hold of a tool that sets off a reflective DDOS attack and are using it as a weapon
to beat down anyone whose business they don't like or want to "absorb".

Warning, Warning, Will Robinson!
--
Duncan (Dubh) Campbell ;-)

From owner-freebsd-security Wed Jul 10 2:43:47 2002
Date: Wed, 10 Jul 2002 09:43:38 -0000
From: "Duncan Patton a Campbell"
Subject: racoon/FreeBSD 4.5 problems & observations
Message-Id: <200207100943.g6A9hcA01547@localhost.neotext.ca>

Ok, so here are my observations wrt racoon and problems with FreeBSD.

I have a VPN with 3 nodes that is used for system maintenance and to transfer data
around a replicated MySQL database. Two of the nodes are 4.3. These are visible to
the net as www.indx.ca (ww1 and ww2, individually). The third node is ww0.indx.ca
and is used for system maintenance and development. Until recently ww0 was also a
4.3 node.

While all three nodes were running 4.3, I was able to run the VPN using the racoon
key server. Everything was hunky-dory. Then I upgraded (several months or so ago)
ww0 to run 4.5. On doing this I first found my /var/log/racoon.log would bloat and
overrun the filesystem (the 110% usage syndrome).
So I then linked /var/log/racoon.log to /dev/null and ran like that. No good. The
racoon task would bloat by 4k per packet transmitted across the VPN to the 4.5 node
and would quickly reach 2, 3 or 4 hundred megabytes in memory usage. Didn't matter
whether I was setting up for tunnel or transport. And it didn't matter which
version of the racoon task I was using: binaries from 4.3 behaved as badly on the
4.5 system as did the latest release. Same with binaries I compiled on both
systems.

What this implies is either

1. there is a flaw in racoon that is sensitive to 4.5 (and beyond???), or
2. there is a flaw in some library called by racoon on the 4.5 system, which may
   be in syslogd but does not evidence itself in the logging or behaviour of any
   other 4.5 system task.

Very queer. I sent my configs to Munechika Sumikawa and haven't heard anything
back, from which I must assume that he can't find anything wrong with them either.

So I have reverted to a static configuration using host<->host transport.
(Tunneled is a little more complicated and needs gif configuration...)

Here are my static configs (suitably edited) for your use/perusal.

To test that your encryption is in place (*not* testing for quality of encryption)
do:

    tcpdump -e -s1500 -w - | grep wheel

on one system and

    ls -l /usr/bin

on the other. If the pipe breaks, grep found "wheel" in the tcpdump and you aren't
set up right. You will see something like:

    babayaga# tcpdump -e -s1500 -w - | grep wheel
    tcpdump: listening on xl0
    Binary file (standard input) matches

if you aren't set up right.
In these shell scripts you need to do the following replacements:

    IPA_addr             -> Node A's IP address in dotted quad (WWW.XXX.YYY.ZZZ)
    IPD_addr             -> Node D's IP address in dotted quad (WWW.XXX.YYY.ZZZ)
    BFkey8ch             -> An 8 character key for Blowfish
    HMAC_SHA1_KEY_20char -> A 20 character key for the HMAC
    INT16A               -> an int16 for the D to A sequence start
    INT16B               -> an int16 for the A to D sequence start

Put the scripts somewhere they will get executed on boot, run chown root and
chmod 700 on them, and away you go...

Please do let me know of any flaws you see ;-)

Dhu

    #!/bin/sh
    # Node A script
    setkey -c << EOF
    spdflush ;
    flush ;

    # A <-> D : security policy, one entry per direction
    spdadd IPA_addr/32 IPD_addr/32 any -P out ipsec esp/transport/IPA_addr-IPD_addr/require;
    spdadd IPD_addr/32 IPA_addr/32 any -P in  ipsec esp/transport/IPD_addr-IPA_addr/require;

    # security associations; the number after "esp" is the SPI (INT16A: D -> A, INT16B: A -> D)
    add IPD_addr IPA_addr esp INT16A -m transport -E blowfish-cbc "BFkey8ch" -A hmac-sha1 "HMAC_SHA1_KEY_20char";
    add IPA_addr IPD_addr esp INT16B -m transport -E blowfish-cbc "BFkey8ch" -A hmac-sha1 "HMAC_SHA1_KEY_20char";
    EOF
    exit 0

    #!/bin/sh
    # Node D script
    setkey -c << EOF
    spdflush ;
    flush ;

    # D <-> A : same policy, with the in/out directions swapped
    spdadd IPA_addr/32 IPD_addr/32 any -P in  ipsec esp/transport/IPA_addr-IPD_addr/require;
    spdadd IPD_addr/32 IPA_addr/32 any -P out ipsec esp/transport/IPD_addr-IPA_addr/require;

    # the same two SAs as on node A; SPI, cipher and keys must match on both ends
    add IPD_addr IPA_addr esp INT16A -m transport -E blowfish-cbc "BFkey8ch" -A hmac-sha1 "HMAC_SHA1_KEY_20char";
    add IPA_addr IPD_addr esp INT16B -m transport -E blowfish-cbc "BFkey8ch" -A hmac-sha1 "HMAC_SHA1_KEY_20char";
    EOF
    exit 0

--
Duncan (Dubh) Campbell ;-)
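Added example, not from Duncan's post or from the FreeBSD tools: an offline version of the "tcpdump -e -s1500 -w - | grep wheel" check above. It walks a pcap capture and reports every packet between the two VPN nodes that is not ESP (IP protocol 50), i.e. traffic the SPD let through in the clear, and flags the ones carrying the "wheel" marker; the addresses 10.0.0.1/10.0.0.2 and the capture are constructed stand-ins for IPA_addr/IPD_addr.

```python
"""Offline "tcpdump | grep wheel": parse a pcap and report cleartext packets
between the two VPN peers. Everything below is constructed example code."""
import struct

ESP_PROTO = 50
ETHERTYPE_IPV4 = 0x0800


def iter_pcap_packets(data):
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":       # written little-endian
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":     # written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24                             # global header is 24 bytes
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_ipv4(frame):
    """Return (src, dst, proto, payload) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[9], ip[ihl:total_len]


def audit_vpn_capture(data, node_a, node_d, marker=b"wheel"):
    """Count ESP vs. cleartext packets between node_a and node_d; record every
    cleartext packet whose payload carries the marker (the 'grep wheel' hit)."""
    peers = frozenset((node_a, node_d))
    report = {"esp": 0, "cleartext": 0, "leaks": []}
    for frame in iter_pcap_packets(data):
        decoded = decode_ipv4(frame)
        if decoded is None:
            continue
        src, dst, proto, payload = decoded
        if frozenset((src, dst)) != peers:
            continue                        # some other peer, not the VPN pair
        if proto == ESP_PROTO:
            report["esp"] += 1
        else:
            report["cleartext"] += 1
            if marker in payload:
                report["leaks"].append((src, dst, proto))
    return report


# --- constructed test capture (no real traffic) -----------------------------
def _frame(src, dst, proto, payload):
    """Minimal Ethernet/IPv4 frame; the IP checksum is left zero on purpose."""
    def octets(addr):
        return bytes(int(o) for o in addr.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                     proto, 0, octets(src), octets(dst))
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)   # dummy MACs
    return eth + ip + payload


def build_pcap(frames):
    """Classic little-endian pcap with linktype 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


NODE_A, NODE_D = "10.0.0.1", "10.0.0.2"     # placeholders for IPA_addr / IPD_addr
SAMPLE_PCAP = build_pcap([
    _frame(NODE_A, NODE_D, ESP_PROTO, b"\x00\x00\x10\x01" + bytes(range(60))),
    _frame(NODE_D, NODE_A, ESP_PROTO, b"\x00\x00\x10\x02" + bytes(range(60))),
    # an 'ls -l /usr/bin' line travelling over plain TCP: the SPD is not applied
    _frame(NODE_A, NODE_D, 6, b"drwxr-xr-x  2 root  wheel  512 Jul 10 /usr/bin\n"),
    _frame(NODE_A, "10.0.0.9", 6, b"root wheel"),   # third host, outside the pair
])

if __name__ == "__main__":
    print(audit_vpn_capture(SAMPLE_PCAP, NODE_A, NODE_D))
    # -> {'esp': 2, 'cleartext': 1, 'leaks': [('10.0.0.1', '10.0.0.2', 6)]}
```

The check only proves that the pair's traffic is ESP-encapsulated, not that the cipher or key is adequate; the posted scripts use a 64-bit Blowfish key and fixed SPIs, which a current deployment would not accept.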
From owner-freebsd-security Wed Jul 10 4:13: 0 2002
Date: 10 Jul 2002 13:12:55 +0200
From: Dag-Erling Smorgrav
To: Alex
Cc: "Jeremy Suo-Anttila", security@FreeBSD.ORG
Subject: Re: Re[2]: : hiding OS name
References: <19624177455.20020709175744@dds.nl>
In-Reply-To: <19624177455.20020709175744@dds.nl>

Alex writes:
> The different versions of BSD exist for a reason.

Absolutely, but I don't think you know what that reason is.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Jul 10 5:24:35 2002
Date: Wed, 10 Jul 2002 08:24:30 -0400
From: Michael Lucas
To: Andrew McNaughton
Cc: "Matthew N. Dodd", security@FreeBSD.ORG
Subject: Re: Time to look put more resources into FreeSSH ?
Message-ID: <20020710082430.A73733@blackhelicopters.org>
References: <20020625035702.F95270-100000@sasami.jurai.net> <20020625200524.O69343-100000@a2>
In-Reply-To: <20020625200524.O69343-100000@a2>

On Tue, Jun 25, 2002 at 08:10:54PM +1200, Andrew McNaughton wrote:
> system, I like having the /usr/local/etc/rc.d scripts on hand. Why
> doesn't FreeBSD make these scripts exist in a stand alone form for things
> that get installed with the system?
> Is there a philosophy behind it, or
> is it just historical?

The problem is that many system daemons have dependencies on other daemons. It's
not that easy.

This is coming with RCng, in FreeBSD 5.x (NetBSD import). You'll be able to do,
basically:

    cd /etc/rc.d/
    ./sshd stop && ./sshd start

==ml

--
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
Absolute BSD: http://www.nostarch.com/abs_bsd.htm

From owner-freebsd-security Wed Jul 10 6:48:52 2002
Date: Wed, 10 Jul 2002 17:48:37 +0400
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A. Kritsky"
To: freebsd-security@freebsd.org
Subject: resolv patch for 3.x systems
Message-ID: <3189959965.20020710174837@internethelp.ru>

Hello, all.
Has anyone developed a patch for the recent resolv bug for 3.x systems? I can help
as a tester, and maybe as a programmer. If no one has tried this task, maybe some
gurus will give me some advice on moving the patch from SA-02:28 to 3.x systems? I
have never done this.

Any help is very good.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Wed Jul 10 7:12:21 2002
Date: Wed, 10 Jul 2002 10:12:09 -0400
From: Chris Faulhaber
To: "Nickolay A. Kritsky"
Cc: freebsd-security@freebsd.org
Subject: Re: resolv patch for 3.x systems
Message-ID: <20020710141209.GA72950@peitho.fxp.org>
References: <3189959965.20020710174837@internethelp.ru>
In-Reply-To: <3189959965.20020710174837@internethelp.ru>

On Wed, Jul 10, 2002 at 05:48:37PM +0400, Nickolay A. Kritsky wrote:
> Hello, all.
>
> Has anyone developed a patch for the recent resolv bug for 3.x systems?
> I can help as a tester, and maybe as a programmer. If no one has tried
> this task, maybe some gurus will give me some advice on moving the patch
> from SA-02:28 to 3.x systems? I have never done this.
>
> Any help is very good.

Actually this was committed to RELENG_3 a few days ago:

  trevor      2002/07/08 15:17:52 PDT

    Modified files:      (Branch: RELENG_3)
      lib/libc/net       gethostbydns.c getnetbydns.c
    Log:
    MFC: fix buffer overflows described in FreeBSD-SA-02:28.resolv.
    Sergey A. Osokin and I tested this.

    Approved by:  security-officer

    Revision  Changes  Path
    1.23.2.4  +2 -1    src/lib/libc/net/gethostbydns.c
    1.12.2.2  +3 -1    src/lib/libc/net/getnetbydns.c

Since there are not as many people running 3.x anymore, please feel free to test
and let us know if you have any problems.

--
Chris D.
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Jul 10 7:59:53 2002
Date: Wed, 10 Jul 2002 18:59:45 +0400
From: "Sergey A. Osokin"
To: Chris Faulhaber
Cc: "Nickolay A.
Kritsky", freebsd-security@freebsd.org
Subject: Re: resolv patch for 3.x systems
Message-ID: <20020710145945.GB17578@freebsd.org.ru>
References: <3189959965.20020710174837@internethelp.ru> <20020710141209.GA72950@peitho.fxp.org>
In-Reply-To: <20020710141209.GA72950@peitho.fxp.org>

On Wed, Jul 10, 2002 at 10:12:09AM -0400, Chris Faulhaber wrote:
> On Wed, Jul 10, 2002 at 05:48:37PM +0400, Nickolay A. Kritsky wrote:
> > Hello, all.
> >
> > Has anyone developed a patch for the recent resolv bug for 3.x systems?
> > I can help as a tester, and maybe as a programmer. If no one has tried
> > this task, maybe some gurus will give me some advice on moving the patch
> > from SA-02:28 to 3.x systems? I have never done this.
> >
> > Any help is very good.
>
> Actually this was committed to RELENG_3 a few days ago:
>
>   trevor      2002/07/08 15:17:52 PDT
>
>     Modified files:      (Branch: RELENG_3)
>       lib/libc/net       gethostbydns.c getnetbydns.c
>     Log:
>     MFC: fix buffer overflows described in FreeBSD-SA-02:28.resolv.
>     Sergey A. Osokin and I tested this.
>
>     Approved by:  security-officer
>
>     Revision  Changes  Path
>     1.23.2.4  +2 -1    src/lib/libc/net/gethostbydns.c
>     1.12.2.2  +3 -1    src/lib/libc/net/getnetbydns.c
>
> Since there are not as many people running 3.x anymore, please
> feel free to test and let us know if you have any problems.

I really use RELENG_3. I patched/recompiled/reinstalled the new version of libc
back on 27 Jun. All works fine.
--
Rgdz,                     /"\  ASCII RIBBON CAMPAIGN
Sergey Osokin aka oZZ,    \ /  AGAINST HTML MAIL
http://ozz.pp.ru/          X   AND NEW
                          / \

From owner-freebsd-security Wed Jul 10 8:24:57 2002
Date: Wed, 10 Jul 2002 19:24:32 +0400
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A. Kritsky"
Message-ID: <595715191.20020710192432@internethelp.ru>
To: "Sergey A.
Osokin"
Cc: Chris Faulhaber, freebsd-security@FreeBSD.ORG
Subject: Re[2]: resolv patch for 3.x systems
In-reply-To: <20020710145945.GB17578@freebsd.org.ru>
References: <3189959965.20020710174837@internethelp.ru> <20020710141209.GA72950@peitho.fxp.org> <20020710145945.GB17578@freebsd.org.ru>

Hello Sergey,

Wednesday, July 10, 2002, 6:59:45 PM, you wrote:

SAO> On Wed, Jul 10, 2002 at 10:12:09AM -0400, Chris Faulhaber wrote:
>> On Wed, Jul 10, 2002 at 05:48:37PM +0400, Nickolay A. Kritsky wrote:
>> > Hello, all.
>> >
>> > Has anyone developed a patch for the recent resolv bug for 3.x systems?
>> > I can help as a tester, and maybe as a programmer. If no one has tried
>> > this task, maybe some gurus will give me some advice on moving the patch
>> > from SA-02:28 to 3.x systems? I have never done this.
>> >
>> > Any help is very good.
>>
>> Actually this was committed to RELENG_3 a few days ago:
>>
>>   trevor      2002/07/08 15:17:52 PDT
>>
>>     Modified files:      (Branch: RELENG_3)
>>       lib/libc/net       gethostbydns.c getnetbydns.c
>>     Log:
>>     MFC: fix buffer overflows described in FreeBSD-SA-02:28.resolv.
>>     Sergey A. Osokin and I tested this.
>>
>>     Approved by:  security-officer
>>
>>     Revision  Changes  Path
>>     1.23.2.4  +2 -1    src/lib/libc/net/gethostbydns.c
>>     1.12.2.2  +3 -1    src/lib/libc/net/getnetbydns.c
>>
>> Since there are not as many people running 3.x anymore, please
>> feel free to test and let us know if you have any problems.

SAO> I really use RELENG_3. I patched/recompiled/reinstalled the new version of libc
SAO> back on 27 Jun. All works fine.

Thanks to all of you. I will try that ASAP.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Wed Jul 10 11:19:12 2002
Date: Wed, 10 Jul 2002 18:19:02 -0000
From: "Duncan Patton a Campbell"
To: "Dan Busarow"
Subject: Re: FYI report: Reflected Distributed Denial of Service Attack
Message-Id: <200207101819.g6AIJ2403235@localhost.neotext.ca>

How does it affect a Windows 98 box, which is what we had plugged in, to trigger
the storm?

Dhu

Dan Busarow said:

> On Jul 10, Duncan Patton a Campbell wrote:
> > This is a report, FYI, on an ongoing Reflected Distributed Denial of Service attack
> > directed against the domain indx.ca since June 30/02.
> >
> > Background.
> >
> > The system (a website) consists of three FreeBSD 4.3 servers providing
> > a GIS goods and services locator function to the net. Indx.ca is
> > located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
> > Infoserve.net (cypherkey, aka aebc.com).
> >
> > Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
>
> java2:/usr/home/dan $ lynx -head -dump http://ww1.indx.ca
> HTTP/1.1 200 OK
> Date: Wed, 10 Jul 2002 16:45:41 GMT
> Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
> X-Powered-By: PHP/4.0.5
> Connection: close
> Content-Type: text/html
>
> Your real problem is more than likely that you have been hit by
> the Apache worm. See if you have a file /tmp/.a on the systems.
>
> You need to upgrade to Apache 1.3.26 or 2.0.39
>
> It happened to us too, on a box I had forgotten was running
> Apache. Even after cleaning it up and turning it off we had
> a full scale DOS that was bogging our router. We had to
> have our upstream filter the IP address that was being attacked
> on their end.
>
> Good luck!
>
> Dan
> --
> Dan Busarow                      949 443 4172
> Dana Point Communications, Inc.  dan@dpcsys.com
> Dana Point, California           83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

--
Duncan (Dubh) Campbell ;-)

From owner-freebsd-security Wed Jul 10 11:28:12 2002
Date: Wed, 10 Jul 2002 18:28:03 -0000
Message-Id: <200207101828.g6AIS3403268@localhost.neotext.ca>
To: "Duncan Patton a Campbell", "Dan Busarow"
Subject: Re: FYI report: Reflected Distributed Denial of
Service Attack
From: "Duncan Patton a Campbell"
In-Reply-To: <200207101819.g6AIJ2403235@localhost.neotext.ca>

This could be. But since I nuked /tmp... early on... The apache stuff says it does
Windows98, but we have no apache on Windows and ...

Duncan Patton a Campbell said:

> How does it affect a Windows 98 box, which is what we had plugged
> in, to trigger the storm?
>
> Dhu
>
> Dan Busarow said:
>
> > On Jul 10, Duncan Patton a Campbell wrote:
> > > This is a report, FYI, on an ongoing Reflected Distributed Denial of Service
> > > attack directed against the domain indx.ca since June 30/02.
> > >
> > > Background.
> > >
> > > The system (a website) consists of three FreeBSD 4.3 servers providing
> > > a GIS goods and services locator function to the net. Indx.ca is
> > > located in Burnaby B.C. on an ADSL link supplied by a Telus reseller,
> > > Infoserve.net (cypherkey, aka aebc.com).
> > >
> > > Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user
> >
> > java2:/usr/home/dan $ lynx -head -dump http://ww1.indx.ca
> > HTTP/1.1 200 OK
> > Date: Wed, 10 Jul 2002 16:45:41 GMT
> > Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a PHP/4.0.5
> > X-Powered-By: PHP/4.0.5
> > Connection: close
> > Content-Type: text/html
> >
> > Your real problem is more than likely that you have been hit by
> > the Apache worm. See if you have a file /tmp/.a on the systems.
> >
> > You need to upgrade to Apache 1.3.26 or 2.0.39
> >
> > It happened to us too, on a box I had forgotten was running
> > Apache. Even after cleaning it up and turning it off we had
> > a full scale DOS that was bogging our router. We had to
> > have our upstream filter the IP address that was being attacked
> > on their end.
> >
> > Good luck!
> >
> > Dan
> > --
> > Dan Busarow                      949 443 4172
> > Dana Point Communications, Inc.  dan@dpcsys.com
> > Dana Point, California           83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82
>
> --
> Duncan (Dubh) Campbell ;-)

--
Duncan (Dubh) Campbell ;-)

From owner-freebsd-security Wed Jul 10 11:41:12 2002
Date: Wed, 10 Jul 2002 11:40:07 -0700 (PDT)
From: Dan Busarow
To: Duncan Patton a Campbell
Cc: security@FreeBSD.ORG
Subject: Re: FYI report: Reflected Distributed Denial of Service Attack
In-Reply-To: <200207101828.g6AIS3403268@localhost.neotext.ca>

On Jul 10, Duncan Patton a Campbell wrote:
> This could be. But since I nuked /tmp... early on... The apache
> stuff says it does Windows98, but we have no apache on Windows and ...

The worm generates the DOS, possibly as a side effect of it trying to infect other
machines.
The DOS is directed at the IP address of the infected machine(s) and
continues even after removing the worm or unplugging the machine.
We had 2 T1's effectively shut down.

Or it could just be that the win98 box has any one of the many windows
viruses

Dan
--
Dan Busarow 949 443 4172
Dana Point Communications, Inc. dan@dpcsys.com
Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 12:56:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB45B37B416 for ; Wed, 10 Jul 2002 12:56:42 -0700 (PDT)
Received: from mail3.ksc.th.com (mail3.ksc.th.com [203.155.0.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4612643E54 for ; Wed, 10 Jul 2002 12:56:39 -0700 (PDT) (envelope-from easytoberich01@yahoo.com)
Received: from ksc.th.com ([203.156.15.36]) by mail3.ksc.th.com (8.12.1/8.12.0) with SMTP id g6AJjxHD022592 for ; Thu, 11 Jul 2002 02:56:36 +0700
Message-Id: <200207101956.g6AJjxHD022592@mail3.ksc.th.com>
Date: Thu, 11 Jul 2002 02:58:42
To: FreeBSD-security@FreeBSD.org
From: easytoberich01@yahoo.com (international e-business)
Subject: For those who want an opportunity to change their life
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

!!!!! Part-Time Job!!
For school students, university students and people with full-time jobs
Do you want a job like this...??
- Part-time work you can do from home, if you know how to use the Internet
- Work only 2-3 hours a day
- Income 5,000 - 15,000 baht
If you are someone with a full-time job or no job yet, a student who is still studying, unemployed, or someone who still has some free time outside a regular job, and have these basic qualifications:
1. A good attitude
2. A readiness to learn, since this is a new system and training will be given as appropriate
3. A desire to work seriously, to change your own financial standing, and to genuinely earn income from this work
Everything is possible at http://www.geocities.com/getchances2000/
Don't!............... just be someone who sits waiting for an opportunity

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 13:14: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE70437B400 for ; Wed, 10 Jul 2002 13:14:04 -0700 (PDT)
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4CE943E67 for ; Wed, 10 Jul 2002 13:14:02 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (patr364-a18.otenet.gr [195.167.109.50]) by mailsrv.otenet.gr (8.12.4/8.12.4) with ESMTP id g6AKDtHw003499; Wed, 10 Jul 2002 23:13:56 +0300 (EEST)
Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.5/8.12.5) with ESMTP id g6AKDY9N002685; Wed, 10 Jul 2002 23:13:53 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from charon@localhost) by hades.hell.gr (8.12.5/8.12.5/Submit) id g6AHwaH7001760; Wed, 10 Jul 2002 20:58:36 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Wed, 10 Jul 2002 20:58:36 +0300
From: Giorgos Keramidas
To: "Dalin S. Owen"
Cc: Laurence Brockman , security@FreeBSD.org
Subject: Re: hiding OS name
Message-ID: <20020710175836.GF1118@hades.hell.gr>
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM> <20020708111122.A33379@nexusxi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020708111122.A33379@nexusxi.com>
X-Operating-System: FreeBSD 5.0-CURRENT i386
X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6
X-Phone: +30-944-116520
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 2002-07-08 11:11 +0000, Dalin S. Owen wrote:
> Oh, one more thing, go in to the source for sshd and rip the "FreeBSD"
> from the bannertext and maybe lie about what version of OpenSSH you have.

That's not a good idea. Some of the parts of that banner line are
used AFAIK by the SSH client to determine what features the server
supports and what the protocol of the rest of the conversation is :/

I could be wrong though, so double check with the source code, before
doing something like this.
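The banner line the thread argues about has three fields, and the client reads each one differently. The following is an added example (not from any list poster and not OpenSSH code) that parses a constructed FreeBSD-style identification line: it shows that the "FreeBSD" string lives only in the comments field that VersionAddendum fills, while protoversion drives version negotiation and softwareversion is what the client's bug-compatibility matching reads (the two values `ssh -v` reports as remote protocol version and remote software version).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identification line per the SSH transport protocol (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# protoversion    : "2.0", or "1.99" for a server that also speaks 1.x
# softwareversion : e.g. "OpenSSH_3.4p1"; the client matches this against its
#                   bug-compatibility table, so lying here changes client behaviour
# comments        : optional; FreeBSD's sshd puts VersionAddendum here, and this
#                   is the only field where the "FreeBSD" string appears
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n$"
)


@dataclass
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(line: str) -> SshBanner:
    """Split an identification line into its three fields; ValueError if malformed."""
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification line: {line!r}")
    return SshBanner(m["proto"], m["sw"], m["comments"])


def negotiate_major(client_proto: str, server_proto: str) -> int:
    """Protocol generation both sides can use; '1.99' counts as 2.0-capable."""
    client_v2 = client_proto in ("2.0", "1.99")
    server_v2 = server_proto in ("2.0", "1.99")
    if client_v2 and server_v2:
        return 2
    if client_proto.startswith("1.") and server_proto.startswith("1."):
        return 1
    raise ValueError(f"no common protocol version: {client_proto} vs {server_proto}")


def os_hint(b: SshBanner) -> Optional[str]:
    """What a scanner learns about the OS from this line: only the comments field."""
    if b.comments and "FreeBSD" in b.comments:
        return "FreeBSD"
    return None


def with_addendum(b: SshBanner, addendum: str) -> str:
    """Line sshd emits for a given VersionAddendum; an empty addendum means no comments."""
    line = f"SSH-{b.protoversion}-{b.softwareversion}"
    if addendum:
        line += " " + addendum
    return line + "\r\n"


# Constructed sample banner in the FreeBSD style (not captured from any host).
STOCK_BANNER = "SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\r\n"

if __name__ == "__main__":
    stock = parse_banner(STOCK_BANNER)
    print("stock   :", stock, "os hint:", os_hint(stock))
    # An empty VersionAddendum removes the OS hint without touching the fields
    # that the client's version negotiation and compatibility logic read.
    quiet = parse_banner(with_addendum(stock, ""))
    print("quiet   :", quiet, "os hint:", os_hint(quiet))
    print("protocol:", negotiate_major("2.0", quiet.protoversion))
    # Editing protoversion in the source instead would break every 2.0 client.
    try:
        negotiate_major("2.0", parse_banner("SSH-9.9-OpenSSH_3.4p1\r\n").protoversion)
    except ValueError as e:
        print("broken  :", e)
```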
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 13:14: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA65A37B401 for ; Wed, 10 Jul 2002 13:14:04 -0700 (PDT)
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7937D43E54 for ; Wed, 10 Jul 2002 13:14:03 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (patr364-a18.otenet.gr [195.167.109.50]) by mailsrv.otenet.gr (8.12.4/8.12.4) with ESMTP id g6AKDxHw003551; Wed, 10 Jul 2002 23:14:00 +0300 (EEST)
Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.5/8.12.5) with ESMTP id g6AKDY9P002685; Wed, 10 Jul 2002 23:13:56 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from charon@localhost) by hades.hell.gr (8.12.5/8.12.5/Submit) id g6AHudnQ001742; Wed, 10 Jul 2002 20:56:39 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Wed, 10 Jul 2002 20:56:39 +0300
From: Giorgos Keramidas
To: "Ramsey G. Brenner"
Cc: Laurence Brockman , freebsd-security@FreeBSD.org
Subject: Re: hiding OS name
Message-ID: <20020710175639.GE1118@hades.hell.gr>
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM> <200207080834.53431.rgbrenner@myrealbox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200207080834.53431.rgbrenner@myrealbox.com>
X-Operating-System: FreeBSD 5.0-CURRENT i386
X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6
X-Phone: +30-944-116520
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 2002-07-08 08:34 +0000, Ramsey G. Brenner wrote:
> From /sys/i386/conf/LINT
> #
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
> #
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
>
> Also don't forget to add
> tcp_drop_synfin="YES"
> to /etc/rc.conf

That's one thing you can do to counter some of the methods used by tools
like nmap to detect the OS type and version. You should not forget to
read the comments in LINT about this specific option. Pay careful
attention to the cases that it mentions this option should not be used.
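To make the LINT caveat concrete, here is an added example (not from the list or from FreeBSD's kernel sources) that parses constructed TCP headers and applies the same SYN+FIN test the option implements. It shows why the option is a blunt instrument: it discards a fingerprinting probe and a legitimate RFC 1644 (T/TCP) transaction open alike, which is the breakage the comment warns web servers about.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# TCP flag bits (RFC 793) in the low byte of the data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpSegment:
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_tcp(data: bytes) -> TcpSegment:
    """Parse a TCP segment (header plus payload, with no IP header in front)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
    hdr_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    if hdr_len < 20 or hdr_len > len(data):
        raise ValueError("bad data offset")
    return TcpSegment(sport, dport, off_flags & 0x01FF, data[hdr_len:])


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed test input: a 20-byte header with the given flags, checksum zero."""
    off_flags = (5 << 12) | (flags & 0x01FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0) + payload


def drop_synfin(seg: TcpSegment) -> bool:
    """The TCP_DROP_SYNFIN test: discard any segment with both SYN and FIN set.
    It cannot tell a fingerprinting probe from a legitimate T/TCP (RFC 1644)
    transaction open, which bundles SYN, request data and FIN in one segment."""
    return seg.flags & (SYN | FIN) == (SYN | FIN)


def classify(seg: TcpSegment) -> str:
    """Rough label for reporting; a SYN+FIN carrying data is what T/TCP sends."""
    if seg.flags & (SYN | FIN) == (SYN | FIN):
        return "ttcp-transaction" if seg.payload else "synfin-probe"
    if seg.flags & SYN and not seg.flags & ACK:
        return "syn"
    return "other"


def audit(segments: List[TcpSegment]) -> Tuple[List[str], List[str]]:
    """Return (dropped, kept) labels, i.e. what the host loses with the option on."""
    dropped, kept = [], []
    for seg in segments:
        (dropped if drop_synfin(seg) else kept).append(classify(seg))
    return dropped, kept


# Constructed traffic sample: a bare SYN+FIN probe, a T/TCP-style request to a
# web server, and an ordinary connection open.
SAMPLE = [
    build_tcp(40000, 80, SYN | FIN),
    build_tcp(40001, 80, SYN | FIN | PSH, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp(40002, 80, SYN),
]

if __name__ == "__main__":
    dropped, kept = audit([parse_tcp(raw) for raw in SAMPLE])
    print("dropped:", dropped)   # both the probe and the T/TCP request
    print("kept   :", kept)
```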
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 13:17:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F33A37B400 for ; Wed, 10 Jul 2002 13:17:13 -0700 (PDT)
Received: from smtp-relay-1.adobe.com (smtp-relay-1.adobe.com [192.150.11.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F57F43E3B for ; Wed, 10 Jul 2002 13:17:13 -0700 (PDT) (envelope-from john@mtbiker.net)
Received: from inner-relay-2.corp.adobe.com (inner-relay-2 [153.32.1.52]) by smtp-relay-1.adobe.com (8.12.3/8.12.3) with ESMTP id g6AKJKLG004750 for ; Wed, 10 Jul 2002 13:19:20 -0700 (PDT)
Received: from mailsj-v1.corp.adobe.com (mailsj-dev.corp.adobe.com [153.32.1.192]) by inner-relay-2.corp.adobe.com (8.12.3/8.12.3) with ESMTP id g6AKF1UU000692 for ; Wed, 10 Jul 2002 13:15:02 -0700 (PDT)
Received: from mtbiker.net ([153.32.129.64]) by mailsj-v1.corp.adobe.com (Netscape Messaging Server 4.15 v1 Jul 11 2001 16:32:57) with ESMTP id GZ1V0J00.J36 for ; Wed, 10 Jul 2002 13:17:07 -0700
Message-ID: <3D2C9643.4090205@mtbiker.net>
Date: Wed, 10 Jul 2002 13:17:07 -0700
From: John Martinez
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.0) Gecko/20020611
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: Re: hiding OS name
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM> <20020708111122.A33379@nexusxi.com> <20020710175836.GF1118@hades.hell.gr>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Giorgos Keramidas wrote:
> On 2002-07-08 11:11 +0000, Dalin S. Owen wrote:
>
>>Oh, one more thing, go in to the source for sshd and rip the "FreeBSD"
>>from the bannertext and maybe lie about what version of OpenSSH you have.
>
>
> That's not a good idea. Some of the parts of that banner line are
> used AFAIK by the SSH client to determine what features the server
> supports and what the protocol of the rest of the conversation is :/

You're correct. Try doing an 'ssh -v' next time you use ssh.

-john

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 15:52: 6 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BDC0337B400 for ; Wed, 10 Jul 2002 15:52:04 -0700 (PDT)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C97643E4A for ; Wed, 10 Jul 2002 15:52:04 -0700 (PDT) (envelope-from des@ofug.org)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id C32E1534A; Thu, 11 Jul 2002 00:51:59 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Dalin S. Owen"
Cc: Laurence Brockman , security@freebsd.org
Subject: Re: hiding OS name
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM> <20020708111122.A33379@nexusxi.com>
From: Dag-Erling Smorgrav
Date: 11 Jul 2002 00:51:58 +0200
In-Reply-To: <20020708111122.A33379@nexusxi.com>
Message-ID:
Lines: 9
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

"Dalin S. Owen" writes:
> Oh, one more thing, go in to the source for sshd and rip the "FreeBSD"
> from the bannertext and maybe lie about what version of OpenSSH you have.

'man sshd_config', look for VersionAddendum.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 16:13:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30BA837B400 for ; Wed, 10 Jul 2002 16:13:09 -0700 (PDT)
Received: from fep7.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9341743E42 for ; Wed, 10 Jul 2002 16:13:08 -0700 (PDT) (envelope-from dlavigne6@cogeco.ca)
Received: from d226-33-213.home.cgocable.net (d226-33-213.home.cgocable.net [24.226.33.213]) by fep7.cogeco.net (Postfix) with ESMTP id A9A742F71 for ; Wed, 10 Jul 2002 19:13:05 -0400 (EDT)
Date: Wed, 10 Jul 2002 19:17:42 -0400 (EDT)
From: Dru
X-X-Sender: dlavigne6@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca
To: security@freebsd.org
Subject: no phase2 handle found--Solved!
Message-ID: <20020710191535.I141-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

For the archives, this was a missing line in the configs on the PIX, not
a racoon error. It _is_ possible to set up a VPN between a PIX and racoon.

Thanks to all who took the time to respond and share their configs.

Cheers,

Dru

---------- Forwarded message ----------
Date: Tue, 9 Jul 2002 19:18:04 -0400 (EDT)
From: Dru
To: security@freebsd.org
Subject: no phase2 handle found (fwd)

No one willing to give a stab at this? :(

I've tried enabling/disabling every feature combination possible in
racoon.conf, I've tried transport and tunnel modes, I've read the RFCs
and scoured the Net (and learned more about IPSEC than a person should
be allowed to know), I've created a bazillion phase one SAs, but nothing
I've tried gets me past that "unknown notify message" in phase 2. I'd
give my hen's teeth to see a phase 2 SA....

The bit of code the error message refers to deals with a potential of dos
attack so it looks like racoon is the one that's bailing out and deleting
the phase 1 SA. I'm not good enough with C to want to try mucking with
the source code.

Anyone willing to reply to me off list? I'll buy you a beer if you ever
come to Canada :)

Dru

---------- Forwarded message ----------
Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
From: Dru
To: security@freebsd.org
Subject: no phase2 handle found

Didn't get any response from questions, so I'll try here.

Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
the latest racoon. Phase 1 is successful and an ethereal analysis shows
that both are negotiating the same policy parameters. However, Phase 2
repeats endlessly with this message in /var/log/racoon.conf:

ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no
phase2 handle found.

The Phase 2 parameters on the PIX:

crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600
kilobytes 4608000

and in racoon:

pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate;

I can only guess that negotiations are failing because of the compression
algorithm; from what I can gather PIX only supports lzs but I'm unsure if
compression is enabled or disabled by default. There are no (documented)
knobs in the PIX IOS to enable/disable compression in the transform set.

I haven't had any luck getting setkey to use lzs and a google search shows
one mailing list query which never received an answer. If I try:

add bsd_ip pix_ip 666 -C lzs;

I get a syntax error.

I've been able to set the SPD to accept this as part of the policy

ipcomp/tunnel/pix_ip-bsd_ip/require;

but that still doesn't tell it to use lzs. racoon.conf accepts the lzs
keyword but that didn't help either.

Any suggestions on where to go from here?

Also, the manpage for tcpdump has a -E option that works if tcpdump was
compiled with cryptography enabled. How do I do this?
TIA,

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 17:37:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC00337B400 for ; Wed, 10 Jul 2002 17:37:43 -0700 (PDT)
Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by mx1.FreeBSD.org (Postfix) with SMTP id D131143E3B for ; Wed, 10 Jul 2002 17:37:40 -0700 (PDT) (envelope-from dowen@nexusxi.com)
Received: (qmail 66092 invoked by uid 1000); 11 Jul 2002 00:37:34 -0000
Date: Wed, 10 Jul 2002 18:37:34 -0600
From: "Dalin S. Owen"
To: John Martinez
Cc: security@freebsd.org
Subject: Re: hiding OS name
Message-ID: <20020710183734.C66016@nexusxi.com>
References: <006601c22627$a9199000$21020a0a@mti.itb.ac.id> <3D294723.7022CD07@pantherdragon.org> <001201c22689$6049a790$140115ac@BCDOMAIN01.COM> <20020708111122.A33379@nexusxi.com> <20020710175836.GF1118@hades.hell.gr> <3D2C9643.4090205@mtbiker.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3D2C9643.4090205@mtbiker.net>; from john@mtbiker.net on Wed, Jul 10, 2002 at 01:17:07PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Jul 10, 2002 at 01:17:07PM -0700, John Martinez wrote:
>
> Giorgos Keramidas wrote:
> > On 2002-07-08 11:11 +0000, Dalin S. Owen wrote:
> >
> >>Oh, one more thing, go in to the source for sshd and rip the "FreeBSD"
> >>from the bannertext and maybe lie about what version of OpenSSH you have.
> >
> >
> > That's not a good idea. Some of the parts of that banner line are
> > used AFAIK by the SSH client to determine what features the server
> > supports and what the protocol of the rest of the conversation is :/
>
>
> You're correct. Try doing an 'ssh -v' next time you use ssh.
>
> -john
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

nah. just the SSH- line is important. everyone knows that.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 19: 0:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82B5A37B400 for ; Wed, 10 Jul 2002 19:00:11 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0519A43E3B for ; Wed, 10 Jul 2002 19:00:11 -0700 (PDT) (envelope-from julian@elischer.org)
Received: from InterJet.elischer.org ([12.232.206.8]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020711020010.VWIH6023.sccrmhc02.attbi.com@InterJet.elischer.org> for ; Thu, 11 Jul 2002 02:00:10 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id SAA43506 for ; Wed, 10 Jul 2002 18:41:42 -0700 (PDT)
Date: Wed, 10 Jul 2002 18:41:41 -0700 (PDT)
From: Julian Elischer
To: security@freebsd.org
Subject: DNS problems in bind tools.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Is there a patch for 4.x for the bind tools yet?
I've been looking to see something but it looks like
there is no such patch yet.
Is there one coming?
I need to supply a patch for 4.4 soon.

Julian

p.s. is there a mailing list I should be on if I want to take up the
releng_4_4 branch patching?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 19:27:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9D9437B400 for ; Wed, 10 Jul 2002 19:27:32 -0700 (PDT)
Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A40D43E54 for ; Wed, 10 Jul 2002 19:27:32 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g6B2RTBu042345; Wed, 10 Jul 2002 19:27:30 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from localhost (doug@localhost) by master.gorean.org (8.12.5/8.12.5/Submit) with ESMTP id g6B2RP1j002516; Wed, 10 Jul 2002 19:27:29 -0700 (PDT)
Date: Wed, 10 Jul 2002 19:27:24 -0700 (PDT)
From: Doug Barton
To: Julian Elischer
Cc: security@FreeBSD.org
Subject: Re: DNS problems in bind tools.
In-Reply-To:
Message-ID: <20020710192501.L1551-100000@master.gorean.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 10 Jul 2002, Julian Elischer wrote:

>
> Is there a patch for 4.x for the bind tools yet?
> I've been looking to see something but it looks like
> there is no such patch yet.

Well, the fix is to update BIND altogether... I've done the update in
RELENG_4, and my discussion with the SO team was that we'd back port it at
least as far as RELENG_4_4 once it's had a chance to mellow in RELENG_4.

I did the import Saturday, so it's about time to take a look at that
anyway... I'll ping them and cc: you.

Doug

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 20:55:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC4C137B400; Wed, 10 Jul 2002 20:55:31 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD2C443E42; Wed, 10 Jul 2002 20:55:30 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA29391; Wed, 10 Jul 2002 21:55:16 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020710215210.02ec1410@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 10 Jul 2002 21:55:11 -0600
To: Doug Barton , Julian Elischer
From: Brett Glass
Subject: Re: DNS problems in bind tools.
Cc: security@FreeBSD.ORG
In-Reply-To: <20020710192501.L1551-100000@master.gorean.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 08:27 PM 7/10/2002, Doug Barton wrote:

>Well, the fix is to update BIND altogether... I've done the update in
>RELENG_4, and my discussion with the SO team was that we'd back port it at
>least as far as RELENG_4_4 once it's had a chance to mellow in RELENG_4.

This might be a good time to make BIND a port which is usually installed,
rather than part of the base install.
(This idea has come up many times before, most recently on the -STABLE
list). Sysinstall could ask whether you want BIND, and, if so, which
version. (If I'm installing BIND 9, I'd like to avoid installation of
BIND 8 -- at least once BIND 9 gets a patched libbind.)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 10 21:49: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7069337B400 for ; Wed, 10 Jul 2002 21:49:04 -0700 (PDT)
Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by mx1.FreeBSD.org (Postfix) with SMTP id A9BC843E42 for ; Wed, 10 Jul 2002 21:49:03 -0700 (PDT) (envelope-from greg.panula@dolaninformation.com)
Received: (qmail 42139 invoked by uid 0); 11 Jul 2002 04:49:03 -0000
Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 0.336474 secs); 11 Jul 2002 04:49:03 -0000
X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy
X-Qmail-Scanner-Rcpt-To: dlavigne6@cogeco.ca,security@freebsd.org
X-Qmail-Scanner: 0.96 (No viruses found. Processed in 0.336474 secs)
Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 11 Jul 2002 04:49:02 -0000
Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 10 Jul 2002 23:49:02 -0500
Message-ID: <3D2D0E3E.3AE08B84@dolaninformation.com>
Date: Wed, 10 Jul 2002 23:49:02 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Dru
Cc: security@freebsd.org
Subject: Re: no phase2 handle found (fwd)
References: <20020709190806.J143-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Dru wrote:
> ---------- Forwarded message ----------
> Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
> From: Dru
> To: security@freebsd.org
> Subject: no phase2 handle found
>
> Didn't get any response from questions, so I'll try here.
>
> Trying to setup an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
> the latest racoon. Phase 1 is successful and an ethereal analysis shows
> that both are negotiating the same policy parameters. However, Phase 2
> repeats endlessly with this message in /var/log/racoon.conf:
>
> ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no
> phase2 handle found.
>
> The Phase 2 parameters on the PIX:
>
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> crypto dynamic-map bsd 100 set transform-set vpn
> crypto dynamic-map bsd 100 set pfs group2
> crypto dynamic-map bsd 100 set security-association lifetime seconds 3600
> kilobytes 4608000
>
> and in racoon:
>
> pfs_group 2;
> lifetime time 3600 sec;
> encryption_algorithm des ;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
>
> I can only guess that negotiations are failing because of the compression
> algorithm; from what I can gather PIX only supports lzs but I'm unsure if
> compression is enabled or disabled by default. There are no (documented) knobs
> in the PIX IOS to enable/disable compression in the transform set.
>
> I haven't had any luck getting setkey to use lzs and a google search shows
> one mailing list query which never received an answer. If I try:
>
> add bsd_ip pix_ip 666 -C lzs;
>
> I get a syntax error.
>
> I've been able to set the SPD to accept this as part of the policy
>
> ipcomp/tunnel/pix_ip-bsd_ip/require;
>

Have you recently upgraded to OpenSSH3.4p1 via ports and also upgraded
OpenSSL(required by the openssh port)? Maybe did this after installing
racoon?

Maybe try deleting racoon and reinstalling openssl... maybe even with the
overwrite_base option set to yes, be careful with it and read
/etc/default/make.conf. After reinstalling openssl, recompile&install
racoon. And try again.

I had a similar error in my racoon.log and recompiling racoon against the
latest openssl corrected it for me. The equipment involved was a freebsd
box and a linksys box... so your mileage may vary.

If you have a spare box, you might try establishing an ipsec between your
current freebsd box and the spare box(freebsd) just to confirm racoon is
behaving semi-properly and the problem really is the interaction between
the pix box and the fbsd box.
Good Luck,
Greg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 0: 3:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC51F37B400 for ; Thu, 11 Jul 2002 00:03:36 -0700 (PDT)
Received: from law-cs1.hotmail.com (law-cs1.hotmail.com [209.185.130.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id A308D43E31 for ; Thu, 11 Jul 2002 00:03:36 -0700 (PDT) (envelope-from wchelp@hotmail.com)
Received: (from root@localhost) by law-cs1.hotmail.com (8.9.3/8.9.3) id AAA19112 for freebsd-security@freebsd.org; Thu, 11 Jul 2002 00:01:05 -0700 (PDT)
Date: Thu, 11 Jul 2002 00:01:05 -0700 (PDT)
Message-Id: <200207110701.AAA19112@law-cs1.hotmail.com>
From: MSN Hotmail
To: freebsd-security@freebsd.org
Subject: Compressed
MIME-Version: 1.0
X-Originating-IP: [209.185.130.56]
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-transfer-encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This is an auto-generated response designed to answer your question as
quickly as possible. Please note that you will not receive a reply if you
respond directly to this message.

We hope the directions below answer your question. If after following the
directions your problem is still unresolved, please click the link to the
Hotmail Customer Support form at the end of this message to submit your
issue and a Customer Support Representative will help you.

MSN Hotmail WebCourier is an online content delivery service that enables
you to request that rich, graphical e-mail messages be delivered daily to
your Inbox. Check regularly for additions because Hotmail constantly adds
new titles to this list.

For your convenience, we've divided current WebCourier services into these
categories:

- Business & Investing
- Entertainment & Music
- Games
- Health & Fitness
- News & Sports
- Personal Interests
- Shopping
- Teens & Young Adults
- Women

>>> To subscribe to WebCourier

1. On the right navigation bar under "Hotmail Services", click the "Free
   Newsletters" link. The "WebCourier FREE Subscriptions" page appears.
2. Scroll down to see the list of possible subscriptions.
3. Select the check box next to each service to which you want to subscribe.
4. Click "OK" to subscribe to these services.

>>> To unsubscribe from WebCourier

1. On the right navigation bar under "Hotmail Services", click the "Free
   Newsletters" link. The "WebCourier FREE Subscriptions" page appears.
2. Clear the check box next to each service to which you're subscribed.
3. Click "OK" to unsubscribe to these services.

*************************

Still Didn't Solve Your Problem?

Complete the Hotmail Customer Support request form at:
http://www.hotmail.com/cgi-bin/support

Remember that MSN Hotmail also has comprehensive online help available--just
click "Help" in the upper right corner.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 1: 6:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64F3637B400 for ; Thu, 11 Jul 2002 01:06:10 -0700 (PDT)
Received: from mail.crc.co.za (mail.crc.co.za [196.25.196.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4F3543E3B for ; Thu, 11 Jul 2002 01:06:01 -0700 (PDT) (envelope-from doron@crc.co.za)
Received: (from root@localhost) by mail.crc.co.za (8.11.6/8.11.6) id g6B85pl46991 for security@freebsd.org; Thu, 11 Jul 2002 10:05:51 +0200 (SAST) (envelope-from doron@crc.co.za)
Received: from dormobile (doron [192.168.0.253]) by mail.crc.co.za (8.11.6/8.11.6) with ESMTP id g6B85n046967 for ; Thu, 11 Jul 2002 10:05:49 +0200 (SAST) (envelope-from doron@crc.co.za)
From: "Doron Shmaryahu"
To:
Subject:
Date: Thu, 11 Jul 2002 10:05:45 +0200
Message-ID: <924250544ABD6E449359482DF3FD8EF84DB4@exsrv.crc.co.za>
MIME-Version: 1.0
X-scanner: scanned by Inflex 1.0.12.1 - (http://pldaniels.com/inflex/)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0093_01C228C2.8955C020"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0093_01C228C2.8955C020
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

subscribe

------=_NextPart_000_0093_01C228C2.8955C020
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0093_01C228C2.8955C020-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 11 6:42:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 14F6B37B400; Thu, 11 Jul 2002 06:42:12 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 818C143E58; Thu, 11 Jul 2002 06:42:11 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id BD6AD2F; Thu, 11 Jul 2002 08:42:10 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.5/8.12.3) with ESMTP id g6BDg6rQ005310; Thu, 11 Jul 2002 08:42:06 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.5/8.12.5/Submit) id g6BDg6TJ005309; Thu, 11 Jul 2002 08:42:06 -0500 (CDT) Date: Thu, 11 Jul 2002 08:42:05 -0500 From: "Jacques A. Vidrine" To: Doug Barton Cc: Julian Elischer , security@FreeBSD.org Subject: Re: DNS problems in bind tools. Message-ID: <20020711134205.GA5268@madman.nectar.cc> References: <20020710192501.L1551-100000@master.gorean.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020710192501.L1551-100000@master.gorean.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jul 10, 2002 at 07:27:24PM -0700, Doug Barton wrote: > Well, the fix is to update BIND altogether... 
I've done the update in
> RELENG_4, and my discussion with the SO team was that we'd back port it at
> least as far as RELENG_4_4 once it's had a chance to mellow in RELENG_4.
>
> I did the import Saturday, so it's about time to take a look at that
> anyway... I'll ping them and cc: you.

Yes, please :-) RELENG_4_6 is a no-brainer. You have approval to do RELENG_4_5 and RELENG_4_4 as well.

Thanks much for this, Doug!

Cheers,
-- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 6:57:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 505DF37B400 for ; Thu, 11 Jul 2002 06:57:47 -0700 (PDT) Received: from umail.ru (umail.mtu.ru [195.34.32.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id E3A5743E09 for ; Thu, 11 Jul 2002 06:57:45 -0700 (PDT) (envelope-from tofer@ultracomp.ru) Received: from [62.5.166.118] (HELO shurik) by umail.ru (CommuniGate Pro SMTP 4.0b2) with SMTP id 38345492 for freebsd-security@freebsd.org; Thu, 11 Jul 2002 17:55:50 +0400 Message-ID: <006e01c228e4$13bb4610$4e00a8c0@ultra.local.com> Reply-To: "Anton Serdobov" From: "Anton Serdobov" To: Subject: A Date: Thu, 11 Jul 2002 18:05:56 +0400 Organization: ULTRA Computers MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_006B_01C22905.9AB602B0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a
multi-part message in MIME format. ------=_NextPart_000_006B_01C22905.9AB602B0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: quoted-printable ------=_NextPart_000_006B_01C22905.9AB602B0 Content-Type: text/html; charset="koi8-r" Content-Transfer-Encoding: quoted-printable
 
------=_NextPart_000_006B_01C22905.9AB602B0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 8:14: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAA2A37B400 for ; Thu, 11 Jul 2002 08:14:04 -0700 (PDT) Received: from smtp02.iafrica.com (smtp02.iafrica.com [196.7.0.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5868443E4A for ; Thu, 11 Jul 2002 08:14:03 -0700 (PDT) (envelope-from gareth@za.uu.net) Received: from gabba.so.cpt1.za.uu.net ([196.30.72.25]) by smtp02.iafrica.com with esmtp (Exim 3.20 #1) id 17Sfdp-000HbX-00 for freebsd-security@freebsd.org; Thu, 11 Jul 2002 17:14:01 +0200 Received: from localhost ([127.0.0.1]) by gabba.so.cpt1.za.uu.net with esmtp (Exim 3.31 #1) id 17Sfdo-000P2F-00 for freebsd-security@freebsd.org; Thu, 11 Jul 2002 17:14:00 +0200 Date: Thu, 11 Jul 2002 17:14:00 +0200 (SAST) From: Gareth Hopkins X-X-Sender: ghopkins@gabba.so.cpt1.za.uu.net To: freebsd-security@freebsd.org Subject: Not installing openssh Message-ID: <20020711170957.U318-100000@gabba.so.cpt1.za.uu.net> X-Cell: +27 82 389 5389 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi

Is there a way of not compiling openssh when installing FreeBSD? I want to run the ssh that is in /usr/ports/security/ssh as I cannot get openssh to work with Kerberos 5.

I have set NO_OPENSSH and NO_OPENSSL to true and have made world but ssh* is still in /usr/bin and sshd is still in /usr/local/sbin

Do I need to manually remove these?
--- Gareth Hopkins Server Operations UUNET South Africa (o) +27.21.658.8700 (f) +27.21.658.8552 (m) +27.82.389.5389 http://www.uunet.co.za 08600 UUNET (08600 88638) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 11 8:37:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D29737B400 for ; Thu, 11 Jul 2002 08:37:16 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 8263E43E09 for ; Thu, 11 Jul 2002 08:37:09 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 7768 invoked by uid 85); 11 Jul 2002 15:50:11 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 11 Jul 2002 15:50:10 -0000 Received: (qmail 3560 invoked by uid 1000); 11 Jul 2002 15:37:08 -0000 Date: Thu, 11 Jul 2002 18:37:08 +0300 From: Peter Pentchev To: Gareth Hopkins Cc: freebsd-security@freebsd.org Subject: Re: Not installing openssh Message-ID: <20020711153708.GF25321@straylight.oblivion.bg> Mail-Followup-To: Gareth Hopkins , freebsd-security@freebsd.org References: <20020711170957.U318-100000@gabba.so.cpt1.za.uu.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="M/SuVGWktc5uNpra" Content-Disposition: inline In-Reply-To: <20020711170957.U318-100000@gabba.so.cpt1.za.uu.net> User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --M/SuVGWktc5uNpra Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 11, 2002 
at 05:14:00PM +0200, Gareth Hopkins wrote:
> Hi
>
> Is there a way of not compiling openssh when installing FreeBSD?
> I want to run the ssh that is in /usr/ports/security/ssh as I cannot get
> openssh to work with Kerberos 5.
>
> I have set NO_OPENSSH and NO_OPENSSL to true and have made world
> but ssh* is still in /usr/bin and sshd is still in /usr/local/sbin
>
> Do I need to manually remove these?

In a word, yes.

There is a way to get a FreeBSD system where OpenSSH and OpenSSL are never installed in the first place: make a custom release, and either use LOCAL_PATCHES to modify the src/etc/make.conf file, so it contains NO_OPENSSH=yes and NO_OPENSSL=yes, or use WORLD_FLAGS containing NO_OPENSSH=yes and NO_OPENSSL=yes.

However, if you do not want to go to the trouble of building a release (it is not all that hard, really - especially if you set NODOC=yes and NOPORTS=yes, so only the FreeBSD base system is built), and you want to remove most traces of an installation after an installworld, something like the following may help (all on one line):

# find /bin /sbin /usr/bin /usr/sbin /usr/libexec -type f \! -newer /kernel \! -name 'ld-elf.so*' | xargs ls -lt | less

This is assuming that your kernel was installed immediately before the beginning of the installworld stage, as things are supposed to work (at least that's the way I always do it, 'make buildworld buildkernel', then 'sudo make installkernel installworld'). After that, pick and choose from the displayed list of files to remove. If you find out that ALL the listed files are indeed obsolete, re-run the 'find' command, adding -delete *at the end* (after the 'ld-elf.so*' part). If you find that all but several of the files are obsolete, again, re-run the 'find' command, adding more \! -name 'foo' options, and tacking a -delete at the end.

Wish I could say it was that simple with /usr/lib, /usr/include, and /usr/share; however, it is not.
Most of the files there are way older than your last build/install date, since most of them are put in place using install(1)'s -C option - compare the files and only overwrite them if they have changed. You can fix that by setting 'INSTALL=install' in your /etc/make.conf file before the next installworld; this will override the default value of 'install -C', and cause all files to be overwritten with ones with a current timestamp.

Hope this helps.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I am not the subject of this sentence.

--M/SuVGWktc5uNpra Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9LaYk7Ri2jRYZRVMRAhMbAJ0WmmuYm3tM1XILBBrR0GkjkgOABACcCwtE b4Smj80wDTk8gxT5wYS3J+Y= =THEe -----END PGP SIGNATURE----- --M/SuVGWktc5uNpra-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 16:41:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E293537B400 for ; Thu, 11 Jul 2002 16:41:25 -0700 (PDT) Received: from smtp.noos.fr (racine.noos.net [212.198.2.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id EAF2043E3B for ; Thu, 11 Jul 2002 16:41:24 -0700 (PDT) (envelope-from root@gits.dyndns.org) Received: (qmail 25144825 invoked by uid 0); 11 Jul 2002 23:41:23 -0000 Received: from unknown (HELO gits.gits.dyndns.org) ([212.198.229.153]) (envelope-sender ) by 212.198.2.71 (qmail-ldap-1.03) with SMTP for ; 11 Jul 2002 23:41:23 -0000 Received: from gits.gits.dyndns.org (p30gzk1gsk3l1bp2@localhost [127.0.0.1]) by gits.gits.dyndns.org (8.12.5/8.12.5) with ESMTP id g6BNfMTL025756; Fri, 12 Jul 2002 01:41:22 +0200 (CEST) (envelope-from
root@gits.dyndns.org) Received: (from root@localhost) by gits.gits.dyndns.org (8.12.5/8.12.5/Submit) id g6BNfL2E025755; Fri, 12 Jul 2002 01:41:21 +0200 (CEST) (envelope-from root) Date: Fri, 12 Jul 2002 01:41:21 +0200 From: Cyrille Lefevre To: Alex Cc: Jeremy Suo-Anttila , security@FreeBSD.ORG Subject: Re: : hiding OS name Message-ID: <20020711234121.GK21234@gits.dyndns.org> Mail-Followup-To: Cyrille Lefevre , Alex , Jeremy Suo-Anttila , security@FreeBSD.ORG References: <19624177455.20020709175744@dds.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <19624177455.20020709175744@dds.nl> User-Agent: Mutt/1.3.99i Organization: ACME X-Face: V|+c;4!|B?E%BE^{E6);aI.[< List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jul 09, 2002 at 05:57:44PM +0200, Alex wrote:
> Hello/Dear Jeremy,
>
> Tuesday, July 09, 2002, 5:52:43 PM, you wrote:
>
> JSA> Just because the firewall is OpenBSD does NOT make it any more secure than a
> JSA> well tuned and hardened FreeBSD box. The box is only as secure as the
> JSA> administrator maintaining it.
>
> OpenBSD had earned its reputation on security. It scores a little better
> than FreeBSD on this topic. At the very least you have less possibility
> of an insecure system. OpenBSD would be the best general choice

one thing I dislike w/ OpenBSD is that there are almost no advisories ? are they "so" secure or are they just hiding things like "not seen, not caught" ?

Cyrille.
-- Cyrille Lefevre mailto:cyrille.lefevre@laposte.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 18:48:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE52337B400 for ; Thu, 11 Jul 2002 18:48:47 -0700 (PDT) Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3231543E52 for ; Thu, 11 Jul 2002 18:48:46 -0700 (PDT) (envelope-from zvezdan@CS.WM.EDU) Received: from dali.cs.wm.edu (dali [128.239.26.26]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g6C1kfN29415 for ; Thu, 11 Jul 2002 21:46:41 -0400 (EDT) Received: (from zvezdan@localhost) by dali.cs.wm.edu (8.11.6/8.9.1) id g6C1mdP31382 for security@FreeBSD.ORG; Thu, 11 Jul 2002 21:48:39 -0400 Date: Thu, 11 Jul 2002 21:48:39 -0400 From: Zvezdan Petkovic To: security@FreeBSD.ORG Subject: Re: : hiding OS name Message-ID: <20020711214839.A31361@dali.cs.wm.edu> Mail-Followup-To: security@FreeBSD.ORG References: <19624177455.20020709175744@dds.nl> <20020711234121.GK21234@gits.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020711234121.GK21234@gits.dyndns.org>; from cyrille.lefevre@laposte.net on Fri, Jul 12, 2002 at 01:41:21AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Jul 12, 2002 at 01:41:21AM +0200, Cyrille Lefevre wrote:
>
> one thing I dislike w/ OpenBSD is that there are almost no advisories
> ? are they "so" secure or are they just hiding things like "not
> seen, not caught" ?
>
> Cyrille.

One thing I dislike is when people voice the opinion before checking the facts.
You've probably heard some rumour and never really tried to check whether it is true or not, right? I suppose you are not subscribed to OpenBSD announcement lists either?

Well check this out: http://www.openbsd.org/errata.html

It's accessible from the left navigation bar on the OpenBSD main site under the link "Patches". That seems reasonably visible for anybody who wants to make an effort to check.

Regards,
-- Zvezdan Petkovic http://www.cs.wm.edu/~zvezdan/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 22: 2:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D27A637B400 for ; Thu, 11 Jul 2002 22:02:11 -0700 (PDT) Received: from mx1.mail.ru (mx1.mail.ru [194.67.57.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8A8543E64 for ; Thu, 11 Jul 2002 22:02:10 -0700 (PDT) (envelope-from h-k@mail.ru) Received: from [194.84.56.194] (helo=elimar) by mx1.mail.ru with esmtp (Exim SMTP.1) id 17SsZF-000BaL-00 for security@FreeBSD.ORG; Fri, 12 Jul 2002 09:02:09 +0400 Date: Fri, 12 Jul 2002 09:02:57 +0400 From: dawnshade X-Mailer: The Bat! (v1.60m) Reply-To: dawnshade X-Priority: 3 (Normal) Message-ID: <60550254524.20020712090257@mail.ru> To: security@FreeBSD.ORG Subject: Snort problem. MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I have a little problem: install, configure snort (1.8.6 (Build 105)).

Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort

But the snort does nothing: it does not log or alert on scans, portscans, etc....

thanks all in advance.
-- dawnshade mailto:h-k@mail.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 22:37:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 91C6037B400 for ; Thu, 11 Jul 2002 22:37:18 -0700 (PDT) Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 29EC143E3B for ; Thu, 11 Jul 2002 22:37:18 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: from shell.i-sphere.com (fasty@localhost [127.0.0.1]) by I-Sphere.COM (8.12.3/8.12.3) with ESMTP id g6C5ckHd089234 for ; Thu, 11 Jul 2002 22:38:46 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: (from fasty@localhost) by shell.i-sphere.com (8.12.3/8.12.3/Submit) id g6C5cjut089233; Thu, 11 Jul 2002 22:38:45 -0700 (PDT) Date: Thu, 11 Jul 2002 22:38:45 -0700 From: faSty To: dawnshade Cc: freebsd-security@freebsd.org Subject: Re: Snort problem. Message-ID: <20020712053845.GA89208@i-sphere.com> Mail-Followup-To: faSty , dawnshade , freebsd-security@freebsd.org References: <60550254524.20020712090257@mail.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <60550254524.20020712090257@mail.ru> User-Agent: Mutt/1.4i X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Did you check /var/log/messages? Because -s means it goes directly to syslogd, which sends it to /var/log/messages. It depends on what your syslogd.conf says; if it is the default syslogd.conf, then check /var/log/messages.
My snort on bridge looks like:

/usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf

-fasty

On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> I have a little problem:
> install, configure snort (1.8.6 (Build 105)).
> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
>
> But the snort does nothing: it does not log or alert on scans, portscans,
> etc....
>
> thanks all in advance.
>
>
> --
>
> dawnshade mailto:h-k@mail.ru
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 22:38:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 305B537B400 for ; Thu, 11 Jul 2002 22:38:06 -0700 (PDT) Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7B17943E5E for ; Thu, 11 Jul 2002 22:38:05 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: from shell.i-sphere.com (fasty@localhost [127.0.0.1]) by I-Sphere.COM (8.12.3/8.12.3) with ESMTP id g6C5dXHd089300 for ; Thu, 11 Jul 2002 22:39:33 -0700 (PDT) (envelope-from fasty@shell.i-sphere.com) Received: (from fasty@localhost) by shell.i-sphere.com (8.12.3/8.12.3/Submit) id g6C5dXuR089299 for freebsd-security@freebsd.org; Thu, 11 Jul 2002 22:39:33 -0700 (PDT) Date: Thu, 11 Jul 2002 22:39:33 -0700 From: faSty To: freebsd-security@freebsd.org Subject: Re: Snort problem.
Message-ID: <20020712053933.GB89208@i-sphere.com> Mail-Followup-To: faSty , freebsd-security@freebsd.org References: <60550254524.20020712090257@mail.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <60550254524.20020712090257@mail.ru> User-Agent: Mutt/1.4i X-Virus-Scanned: by amavisd-milter (http://amavis.org/) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Did you check /var/log/messages? Because -s means it goes directly to syslogd, which sends it to /var/log/messages. It depends on what your syslogd.conf says; if it is the default syslogd.conf, then check /var/log/messages.

My snort on bridge looks like:

/usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf

-fasty

On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> I have a little problem:
> install, configure snort (1.8.6 (Build 105)).
> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
>
> But the snort does nothing: it does not log or alert on scans, portscans,
> etc....
>
> thanks all in advance.
>
>
> --
>
> dawnshade mailto:h-k@mail.ru
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 22:44:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0997B37B400 for ; Thu, 11 Jul 2002 22:44:31 -0700 (PDT) Received: from mx1.mail.ru (mx1.mail.ru [194.67.57.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id B68C743E65 for ; Thu, 11 Jul 2002 22:44:29 -0700 (PDT) (envelope-from h-k@mail.ru) Received: from [194.84.56.194] (helo=elimar) by mx1.mail.ru with esmtp (Exim SMTP.1) id 17StEC-00075M-00 for freebsd-security@freebsd.org; Fri, 12 Jul 2002 09:44:28 +0400 Date: Fri, 12 Jul 2002 09:45:17 +0400 From: dawnshade X-Mailer: The Bat! (v1.60m) Reply-To: dawnshade X-Priority: 3 (Normal) Message-ID: <29552793875.20020712094517@mail.ru> To: freebsd-security@freebsd.org Subject: Re[2]: Snort problem. In-Reply-To: <20020712053845.GA89208@i-sphere.com> References: <60550254524.20020712090257@mail.ru> <20020712053845.GA89208@i-sphere.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello faSty,

Friday, July 12, 2002, 9:38:45 AM, you wrote:

f> Did you check /var/log/messages? Because -s means it goes directly to syslogd, which sends
f> it to /var/log/messages. It depends on what your syslogd.conf says; if it is the default
f> syslogd.conf, then check /var/log/messages.
f> My snort on bridge looks like:
f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
f> -fasty
f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
>> I have a little problem:
>> install, configure snort (1.8.6 (Build 105)).
>> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
>>
>> But the snort does nothing: it does not log or alert on scans, portscans,
>> etc....
>>
>> thanks all in advance.
>>
>>

In syslog.conf I added these lines:

LOG_ALERT /usr/log/snort.log
LOG_AUTHPRIV /usr/log/snort.log

In messages there are only the snort start-up messages:

Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
Jul 12 09:44:01 mx snort: Initializing daemon mode
Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
Jul 12 09:44:01 mx snort: limit == 128
Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running

--
Best regards,
dawnshade mailto:h-k@mail.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 11 23:20:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA15D37B400 for ; Thu, 11 Jul 2002 23:20:24 -0700 (PDT) Received: from addr-mx01.addr.com (addr-mx01.addr.com [209.249.147.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0EBCB43E42 for ; Thu, 11 Jul 2002 23:20:24 -0700 (PDT) (envelope-from sprasadi@addr.com) Received: from proxy1.addr.com (proxy1.addr.com [209.249.147.28]) by addr-mx01.addr.com (8.12.2/8.12.2) with ESMTP id g6C6KNip020376 for ; Thu, 11 Jul 2002 23:20:23 -0700 (PDT) Received: from ts-27.addr.com ([202.71.153.170]) by proxy1.addr.com (8.11.6/8.9.1) with ESMTP id g6C6KMn18993 for ; Thu, 11 Jul 2002 23:20:22 -0700 (PDT) (envelope-from sprasadi@addr.com)(envelope-to ) Message-Id: <5.1.0.14.0.20020712114822.00ba8a20@localhost> X-Sender: sprasadi/mail.addr.com@localhost X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 12 Jul 2002 11:49:51 +0530 To: freebsd-security@FreeBSD.ORG From: Steve Subject: plain text passwords Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.15 (www dot roaringpenguin dot com slash mimedefang) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi all,

I need to have plain text passwords in /etc/passwd. How can I get it?
I need this for password protecting a web directory using /etc/passwd Thanks, Steve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 11 23:55: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E3F8737B408 for ; Thu, 11 Jul 2002 23:55:02 -0700 (PDT) Received: from antalya.lupe-christoph.de (pD9E8866F.dip0.t-ipconnect.de [217.232.134.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id E121043E6D for ; Thu, 11 Jul 2002 23:55:01 -0700 (PDT) (envelope-from lupe@lupe-christoph.de) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 2A24574C; Fri, 12 Jul 2002 08:54:59 +0200 (CEST) Date: Fri, 12 Jul 2002 08:54:59 +0200 To: freebsd-security@freebsd.org Subject: Recommendations for filesystem integrity checkers? Message-ID: <20020712065459.GA24030@lupe-christoph.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.28i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! Which filesystem integrity checkers do people use? I've found ports for aide, cksfv, integrit, l5, three versions of tripwire and yafic. (Feel free to point me to the ones I overlooked.) I did not find ports for fcheck and samhain (found on Debian). Since I don't have the time to assess them all, I would like to tap the collective experience of the FreeBSD security people. So which do you use, and why? Thanks for your time, Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | I have challenged the entire ISO-9000 quality assurance team to a | | Bat-Leth contest on the holodeck. They will not concern us again. 
| | http://public.logica.com/~stepneys/joke/klingon.htm | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 12 2: 2:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C2AB37B400 for ; Fri, 12 Jul 2002 02:02:10 -0700 (PDT) Received: from antalya.lupe-christoph.de (pD9E8866F.dip0.t-ipconnect.de [217.232.134.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id C04E943E31 for ; Fri, 12 Jul 2002 02:02:05 -0700 (PDT) (envelope-from lupe@lupe-christoph.de) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id CA48174C; Fri, 12 Jul 2002 11:02:02 +0200 (CEST) Date: Fri, 12 Jul 2002 11:02:02 +0200 To: Steve Cc: freebsd-security@FreeBSD.ORG Subject: Re: plain text passwords Message-ID: <20020712090202.GD24030@lupe-christoph.de> References: <5.1.0.14.0.20020712114822.00ba8a20@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.0.20020712114822.00ba8a20@localhost> User-Agent: Mutt/1.3.28i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Friday, 2002-07-12 at 11:49:51 +0530, Steve wrote: > I need to have plain text passwords in /etc/passwd. How can I get it? I > need this for password protecting a web directory using /etc/passwd Which webserver/authentication module uses /etc/passwd for authentication? I think you should use one that allows 1) hashed passwords 2) in a different location like Apache with mod_auth does for Basic Authentication. 
Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | I have challenged the entire ISO-9000 quality assurance team to a | | Bat-Leth contest on the holodeck. They will not concern us again. | | http://public.logica.com/~stepneys/joke/klingon.htm |

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jul 12 2:11:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A94637B400 for ; Fri, 12 Jul 2002 02:11:19 -0700 (PDT) Received: from grace.sambolian.net.nz (203-79-83-205.cable.paradise.net.nz [203.79.83.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A3A443E64 for ; Fri, 12 Jul 2002 02:11:18 -0700 (PDT) (envelope-from andy@sambolian.net.nz) Received: by grace.sambolian.net.nz (Postfix, from userid 80) id 43E33FED7; Fri, 12 Jul 2002 21:13:04 +1200 (NZST) Received: from 192.168.0.30 ( [192.168.0.30]) as user andy@imap.sambolian.net.nz by webmail.sambolian.net.nz with HTTP; Fri, 12 Jul 2002 21:13:04 +1200 Message-ID: <1026465184.3d2e9da02c762@webmail.sambolian.net.nz> Date: Fri, 12 Jul 2002 21:13:04 +1200 From: Andrew Thompson To: dawnshade Cc: freebsd-security@freebsd.org Subject: Re: Re[2]: Snort problem. References: <60550254524.20020712090257@mail.ru> <20020712053845.GA89208@i-sphere.com> <29552793875.20020712094517@mail.ru> In-Reply-To: <29552793875.20020712094517@mail.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: Internet Messaging Program (IMP) 3.0 X-Originating-IP: 192.168.0.30 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Have you got any snort rules loaded? It will say that it has loaded x number of rules when it starts up.
I have been caught out before when it has not logged anything, and it turned
out that no rules were loaded.

--Andy

Quoting dawnshade :

> Hello faSty,
>
> Friday, July 12, 2002, 9:38:45 AM, you wrote:
>
> f> Did you check /var/log/messages because -s mean it goes directly syslogd send
> f> to /var/log/messages. Depend on what your syslogd.conf unless it is default
> f> syslogd.conf then check /var/log/messages.
>
> f> My snort on bridge look like:
> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
>
> f> -fasty
>
> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> >> I have a little problem:
> >> install, configure snort (1.8.6 (Build 105)).
> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
> >>
> >> But the snort does nothing: not log or alert scans, portscans,
> >> etc....
> >>
> >> thank all for advance.
> >>
> >>
>
> in syslog.conf i added these lines:
>
> LOG_ALERT /usr/log/snort.log
> LOG_AUTHPRIV /usr/log/snort.log
>
> In messages only starting message snort:
>
> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> Jul 12 09:44:01 mx snort: Initializing daemon mode
> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> Jul 12 09:44:01 mx snort: limit == 128
> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>
> --
> Best regards,
> dawnshade mailto:h-k@mail.ru

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From owner-freebsd-security Fri Jul 12 3: 1:13 2002
Date: Fri, 12 Jul 2002 14:01:47 +0400
From: dawnshade
Reply-To: dawnshade
To: freebsd-security@freebsd.org
Subject: Re[4]: Snort problem.
Message-ID: <108568184025.20020712140147@mail.ru>
In-Reply-To: <1026465184.3d2e9da02c762@webmail.sambolian.net.nz>

Hello Andrew,

Friday, July 12, 2002, 1:13:04 PM, you wrote:

AT> Have you got any snort rules loaded? it will say that it has loaded x number of
AT> rules when it starts up. I have been caught out before when it has not logged
AT> anything, and it turned out that no rules were loaded.

AT> --Andy

AT> Quoting dawnshade :
>> Hello faSty,
>>
>> Friday, July 12, 2002, 9:38:45 AM, you wrote:
>>
>> f> Did you check /var/log/messages because -s mean it goes directly syslogd send
>> f> to /var/log/messages. Depend on what your syslogd.conf unless it is default
>> f> syslogd.conf then check /var/log/messages.
>>
>> f> My snort on bridge look like:
>> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
>>
>> f> -fasty
>>
>> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
>> >> I have a little problem:
>> >> install, configure snort (1.8.6 (Build 105)).
>> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
>> >>
>> >> But the snort does nothing: not log or alert scans, portscans,
>> >> etc....
>> >>
>> >> thank all for advance.
>> >>
>> >>
>>
>> in syslog.conf i added these lines:
>>
>> LOG_ALERT /usr/log/snort.log
>> LOG_AUTHPRIV /usr/log/snort.log
>>
>> In messages only starting message snort:
>>
>> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
>> Jul 12 09:44:01 mx snort: Initializing daemon mode
>> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
>> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: limit == 128
>> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
>> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>>

No, snort "talks" only these lines:

>> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
>> Jul 12 09:44:01 mx snort: Initializing daemon mode
>> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
>> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
>> Jul 12 09:44:01 mx snort: limit == 128
>> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
>> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running

--
Best regards,
dawnshade mailto:h-k@mail.ru

From owner-freebsd-security Fri Jul 12 3:25:55 2002
Date: Fri, 12 Jul 2002 18:25:48 +0800
From: Calvin NG
To: freebsd-security@FreeBSD.ORG
Subject: Re: Snort problem.
Message-ID: <20020712102548.GH21554@brel.com>
In-Reply-To: <108568184025.20020712140147@mail.ru>

Greetings,

I am assuming we are not talking about a switched network here.
And that the listen interface (cp0) can actually see all traffic.

Run it in tcpdump mode, and see that it really is collecting network data.

Or, deliberately run a probe/scan against host mx and see if snort generates
an alert.
Regards,
/calvin

lines with :> are quotes from dawnshade's email

:> Hello Andrew,
:>
:> Friday, July 12, 2002, 1:13:04 PM, you wrote:
:>
:> AT> Have you got any snort rules loaded? it will say that it has loaded x number of
:> AT> rules when it starts up. I have been caught out before when it has not logged
:> AT> anything, and it turned out that no rules were loaded.
:>
:>
:> AT> --Andy
:>
:>
:> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
:> >> >> I have a little problem:
:> >> >> install, configure snort (1.8.6 (Build 105)).
:> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
:> >> >>
:> >> >> But the snort does nothing: not log or alert scans, portscans,
:> >> >> etc....
:> >> >>
:> >> >> thank all for advance.
:> >> >>
:> >> >>
:> >>
:>
:> No, snorts "talks" only these line:
:>
:> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
:> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
:> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
:> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
:> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
:> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
:> >> Jul 12 09:44:01 mx snort: limit == 128
:> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
:> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
:>

From owner-freebsd-security Fri Jul 12 4: 6:27 2002
Date: Fri, 12 Jul 2002 15:07:09 +0400
From: dawnshade
Reply-To: dawnshade
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Snort problem.
Message-ID: <173572106055.20020712150709@mail.ru>
In-Reply-To: <20020712102548.GH21554@brel.com>

Hello Calvin,

Friday, July 12, 2002, 2:25:48 PM, you wrote:

CN> Greetings,

CN> I am assuming we are not talking about a switched network here.
CN> And that the listen interface (cp0) can actually see all traffic.
CN> run it in tcpdump mode, and see that it really is collecting
CN> network data.

CN> or, deliberately run a probe/scan against host mx and see if
CN> snort generates an alert.

CN> Regards,
CN> /calvin

:>> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
:>> >> >> I have a little problem:
:>> >> >> install, configure snort (1.8.6 (Build 105)).
:>> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
:>> >> >>
:>> >> >> But the snort does nothing: not log or alert scans, portscans,
:>> >> >> etc....
:>> >> >>
:>> >> >> thank all for advance.
:>> >> >>
:>> >> >>
:>> >>
:>>

Yes, interface cp0 - external. BUT: snort analyzed 0 packets!!!!! Why???

su-2.05a# snort -v
Log directory = /var/log/snort

Initializing Network Interface cp0

        --== Initializing Snort ==--
Decoding PPP on interface cp0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
^C
===============================================================================
Snort analyzed 0 out of 1476 packets, The kernel dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting

--
Best regards,
dawnshade
mailto:h-k@mail.ru

From owner-freebsd-security Fri Jul 12 4: 9:16 2002
Date: Fri, 12 Jul 2002 23:10:55 +1200
From: Andrew Thompson
To: dawnshade
Cc: freebsd-security@freebsd.org
Subject: Re: Re[4]: Snort problem.
Message-ID: <1026472255.3d2eb93f98607@webmail.sambolian.net.nz>
In-Reply-To: <108568184025.20020712140147@mail.ru>

Hi,

Try running snort in the foreground, and without syslog. I use this:

/usr/local/bin/snort -i ep1 -A fast -c /usr/local/etc/snort.conf -m 027

This is the output that I receive; note the line on the output where it says
"885 Snort rules read..."
Log directory = /var/log/snort

Initializing Network Interface ep1
WARNING: OpenPcap() device ep1 network lookup:
        ep1: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface ep1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time
885 Snort rules read...
885 Option Chains linked into 107 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

--Andy

Quoting dawnshade :

> Hello Andrew,
>
> Friday, July 12, 2002, 1:13:04 PM, you wrote:
>
> AT> Have you got any snort rules loaded? it will say that it has loaded x number of
> AT> rules when it starts up. I have been caught out before when it has not logged
> AT> anything, and it turned out that no rules were loaded.
>
>
> AT> --Andy
>
>
> AT> Quoting dawnshade :
>
> >> Hello faSty,
> >>
> >> Friday, July 12, 2002, 9:38:45 AM, you wrote:
> >>
> >> f> Did you check /var/log/messages because -s mean it goes directly syslogd send
> >> f> to /var/log/messages. Depend on what your syslogd.conf unless it is default
> >> f> syslogd.conf then check /var/log/messages.
> >>
> >> f> My snort on bridge look like:
> >> f> /usr/local/bin/snort -A full -D -e -d -s -i fxp1 -c /usr/local/etc/snort.conf
> >>
> >> f> -fasty
> >>
> >> f> On Fri, Jul 12, 2002 at 09:02:57AM +0400, dawnshade wrote:
> >> >> I have a little problem:
> >> >> install, configure snort (1.8.6 (Build 105)).
> >> >> Run: /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -s -A full -d -D -l /usr/log/snort
> >> >>
> >> >> But the snort does nothing: not log or alert scans, portscans,
> >> >> etc....
> >> >>
> >> >> thank all for advance.
> >> >>
> >> >>
> >>
> >> in syslog.conf i added these lines:
> >>
> >> LOG_ALERT /usr/log/snort.log
> >> LOG_AUTHPRIV /usr/log/snort.log
> >>
> >> In messages only starting message snort:
> >>
> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: limit == 128
> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
> >>
>
> No, snorts "talks" only these line:
>
> >> Jul 12 09:44:01 mx /kernel: cp0: promiscuous mode enabled
> >> Jul 12 09:44:01 mx snort: Initializing daemon mode
> >> Jul 12 09:44:01 mx snort: PID stat checked out ok, PID set to /var/run/
> >> Jul 12 09:44:01 mx snort: Writing PID file to "/var/run/"
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: WARNING: command line overrides rules file alert plugin!
> >> Jul 12 09:44:01 mx snort: limit == 128
> >> Jul 12 09:44:01 mx snort: UnifiedLogFilename = snort.log
> >> Jul 12 09:44:02 mx snort[21582]: Snort initialization completed successfully, Snort running
>
> --
> Best regards,
> dawnshade mailto:h-k@mail.ru

From owner-freebsd-security Fri Jul 12 4:31:55 2002
Date: Fri, 12 Jul 2002 15:32:32 +0400
From: dawnshade
Reply-To: dawnshade
To: freebsd-security@freebsd.org
Subject: Re[6]: Snort problem.
Message-ID: <48573629315.20020712153232@mail.ru>
In-Reply-To: <1026472255.3d2eb93f98607@webmail.sambolian.net.nz>

Hello Andrew,

Friday, July 12, 2002, 3:10:55 PM, you wrote:

AT> Hi,

AT> Try running snort in the foreground, and without syslog, I use this:

AT> /usr/local/bin/snort -i ep1 -A fast -c /usr/local/etc/snort.conf -m 027

AT> This is the output that I recieve, note the line on the output where it says
AT> "885 Snort rules read..."

The same thing: 0 packets analyzed!!!

su-2.05a# /usr/local/bin/snort -i cp0 -A fast -c /usr/local/etc/snort/snort.conf -m 027
Log directory = /var/log/snort

Initializing Network Interface cp0

        --== Initializing Snort ==--
[!] ERROR: Can not get write access to logging directory "/var/log/snort".
(directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
Fatal Error, Quitting..
su-2.05a# /usr/local/bin/snort -i cp0 -A fast -c /usr/local/etc/snort/snort.conf -m 027
Log directory = /var/log/snort

Initializing Network Interface cp0

        --== Initializing Snort ==--
[!] ERROR: Can not get write access to logging directory "/var/log/snort".
(directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
Fatal Error, Quitting..
su-2.05a# /usr/local/bin/snort -i cp0 -A fast -c /usr/local/etc/snort/snort.conf -m 027
Log directory = /var/log/snort

Initializing Network Interface cp0

        --== Initializing Snort ==--
Decoding PPP on interface cp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Using LOCAL time
Anomoly sensor threshold adapting repeadly specified, ignoring later specification: 0.01 15 4 24 7
WARNING: command line overrides rules file alert plugin!
WARNING: command line overrides rules file alert plugin!
limit == 128
UnifiedLogFilename = snort.log
Opening /var/log/snort/snort.log.1026473194
1530 Snort rules read...
1530 Option Chains linked into 170 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
^C
===============================================================================
Snort analyzed 0 out of 2742 packets, The kernel dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting

--
Best regards,
dawnshade mailto:h-k@mail.ru

From owner-freebsd-security Fri Jul 12 5: 4: 8 2002
Date: Fri, 12 Jul 2002 14:03:53 +0200
From: "Roger 'Rocky' Vetterberg"
Message-ID: <3D2EC5A9.2070305@rambo.simx.org>
To: Lupe Christoph
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Recommendations for filesystem integrity checkers?
References: <20020712065459.GA24030@lupe-christoph.de>

Lupe Christoph wrote:
> Hi!
>
> Which filesystem integrity checkers do people use? I've found ports
> for aide, cksfv, integrit, l5, three versions of tripwire and yafic.
> (Feel free to point me to the ones I overlooked.) I did not find
> ports for fcheck and samhain (found on Debian).
>
> Since I don't have the time to assess them all, I would like to
> tap the collective experience of the FreeBSD security people.
>
> So which do you use, and why?
>
> Thanks for your time,
> Lupe Christoph

Personally, I use aide. It's lightweight, easy to configure and automate via
scripts, and it does exactly what I want it to do.
--
R

From owner-freebsd-security Fri Jul 12 7:55:46 2002
Date: Fri, 12 Jul 2002 09:55:41 -0500 (CDT)
From: hawkeyd@visi.com (D J Hawkey Jr)
Reply-To: hawkeyd@visi.com
To: freebsd-security@freebsd.org
Subject: Re: Recommendations for filesystem integrity checkers?
Message-Id: <200207121455.g6CEtfi78331@sheol.localdomain>
In-Reply-To: <3D2EC5A9.2070305_rambo.simx.org@ns.sol.net>

In article <3D2EC5A9.2070305_rambo.simx.org@ns.sol.net>, listsub@rambo.simx.org writes:
> Lupe Christoph wrote:
>> Hi!
>>
>> Which filesystem integrity checkers do people use? I've found ports
>> for aide, cksfv, integrit, l5, three versions of tripwire and yafic.
>> (Feel free to point me to the ones I overlooked.) I did not find
>> ports for fcheck and samhain (found on Debian).
>>
>> Since I don't have the time to assess them all, I would like to
>> tap the collective experience of the FreeBSD security people.
>>
>> So which do you use, and why?
>>
>> Thanks for your time,
>> Lupe Christoph
>
> Personally, I use aide. Its lightweight, easy to configure and
> automate via scripts and it does exactly I want it to do.

Doesn't mtree(8) fulfill the task? I have yet to try it. The nice thing - if
it suits - is that it's part of the base OS.

I've had good results with Tripwire, but setting the attributes for "dynamic"
directories (/var/log in particular) took a little head-scratching.
http://www.schlacter.net:8500/public/FreeBSD-STABLE_and_IPFILTER.html was a
great aid.

> R

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Fri Jul 12 9: 8: 5 2002
Date: Fri, 12 Jul 2002 16:47:30 +0100
From: "chris scott"
To: ,
Subject: Raccon and dynamic IPs
Message-ID: <019701c229bb$6e2e0c90$a4102c0a@viper>
Hi,

I have currently set up a VPN between my DSL box at home and one at work. I
basically encrypt all gif tunnel traffic between the two boxes and use racoon
to do the key exchange. It all works fairly well. However, my box at home has a
dynamic IP and this is where the problems start. I have got the system to cope
with a few shell scripts and remote ssh commands, but it is messy and rather
kludgy. What I really want to do is to configure racoon to use a default key to
initiate all key exchanges unless the host is otherwise specified. However, as
far as I can see racoon can't cope with wildcards or netblock notation. Am I
correct in thinking this, as all the docs on racoon are fairly sparse? What I
would really like to do is maybe use my dynamic host name or specify the IP
range my DSL connects in. Is this possible? I'm not too keen on explicitly
specifying every IP in the range I'm assigned as it is rather a large one,
although it would work.

maybe something like this

1.2.3.4/16 secret
or
5.6.7.8/255.255.128.0 secret
or
* secret

etc

regards

Chris Scott
MK NOC
0845 6684000

IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the
intended recipient only. Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence. Please delete if obtained in error and email confirmation to the
sender.
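What Chris is asking for is possible in racoon.conf without listing every address: an `anonymous` remote on the fixed end, with the roaming peer identified by the `user_fqdn` it sends rather than by its IP, and the pre-shared key looked up by that identifier. The following is an added example configuration for both ends, written for this archive and not taken from the thread or from the racoon project; the placeholder address 203.0.113.1 for the work box, the identifier string, the psk.txt path and the algorithm choices are all assumptions.

```conf
# ---- Responder: the work box, fixed address (203.0.113.1 is a placeholder) ----
# /usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
        isakmp 203.0.113.1 [500];
}

# "anonymous" matches a peer at any address, so the home box may turn up from
# anywhere in its DSL range. Since the address cannot name the peer, the peer
# is named by the user_fqdn it sends, and that string is the key into psk.txt.
remote anonymous {
        exchange_mode aggressive;       # main mode with PSK needs a fixed peer address
        passive on;                     # answer only; never try to initiate to "anyone"
        generate_policy on;             # build the SPD entry for whatever address shows up
        peers_identifier user_fqdn "home-gw@example.invalid";  # assumed identifier
        verify_identifier on;           # reject a peer whose ID does not match the above
        proposal_check obey;
        nonce_size 16;
        lifetime time 1 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /usr/local/etc/racoon/psk.txt on the work box (mode 0600, owned by root).
# The key column is the identifier, not an address. In aggressive mode the
# identifier and a hash derived from the secret are visible on the wire, so the
# secret must be long and random, never a word. Placeholder value below.
#
#   home-gw@example.invalid     REPLACE-WITH-LONG-RANDOM-SECRET

# ---- Initiator: the home box, dynamic address ----
# /usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 203.0.113.1 {
        exchange_mode aggressive;
        my_identifier user_fqdn "home-gw@example.invalid";     # same string as above
        initial_contact on;
        proposal_check obey;
        nonce_size 16;
        lifetime time 1 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /usr/local/etc/racoon/psk.txt on the home box: the work box identifies itself
# by its address (racoon's default), so that address is the key here.
#
#   203.0.113.1     REPLACE-WITH-LONG-RANDOM-SECRET
```

Because any address presenting this identifier and secret is accepted, the responder's racoon log is the place to watch for unexpected peers, and the secret should be rotated if the home box is ever rebuilt or suspected compromised.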
From owner-freebsd-security Fri Jul 12 10:53:17 2002
From: "Dizzy" <guest@dizzy-online.org>
To: "chris scott"
Date: Fri, 12 Jul 2002 18:31:43 +0900
Subject: Re: Raccon and dynamic IPs

Hi,

you can use anonymous in the remote and sainfo sections.

set up remote with

    my_identifier user_fqdn "anonymous@dev.null"

and pre_shared_key with

    anonymous@dev.null your_secret

Maybe you prefer certificates for authentication?

good luck
--
dizzy

---------- Original Message -----------
From: "chris scott"
Sent: Fri, 12 Jul 2002 16:47:30 +0100
Subject: Raccon and dynamic IPs

> Hi,
>
> I have currently set up a VPN between my DSL box at home and one at
> work. I basically encrypt all gif tunnel traffic between the two
> boxes and use racoon to do the key exchange. It all works fairly
> well. However my box at home has a dynamic IP and this is where the
> problems start. I have got the system to cope with a few shell
> scripts and remote ssh commands, but it is messy and rather kludgy.
> What I really want to do is to configure racoon to use a default key
> to initiate all key exchanges unless the host is otherwise
> specified. However, as far as I can see racoon can't cope with
> wildcards or netblock notation. Am I correct in thinking this, as all
> the docs on racoon are fairly sparse? What I would really like to
> do is maybe use my dynamic host name or specify the IP range my DSL
> connects in. Is this possible? I'm not too keen on explicitly
> specifying every IP in the range I'm assigned, as it is rather a
> large one, although it would work.
>
> maybe something like this
>
> 1.2.3.4/16            secret
> or
> 5.6.7.8/255.255.128.0 secret
> or
> *                     secret
>
> etc
>
> regards
>
> Chris Scott
> MK NOC
> 0845 6684000
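Dizzy's pointer expanded into a pair of configurations, as an added example that is not from either post or from the racoon project: the static work box accepts any peer address and looks the pre-shared key up by the identifier the home box sends, which is what removes the need for a wildcard or netblock entry. The addresses, file paths and the identifier string are constructed; keyword names follow racoon.conf(5).

```conf
# ---- Work box (static address, responder): /usr/local/etc/racoon/racoon.conf
# Constructed values: 192.0.2.1 is the work box; the home box may arrive from
# any address in its DSL pool.  "home@vpn.example" is an arbitrary label, not
# a host name that has to resolve.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "anonymous" matches any peer address.  Aggressive mode is what makes this
# work: the initiator's identifier arrives in its first message, so the PSK
# is selected by that identifier; main mode can only select it by source IP,
# which is exactly what a dynamic address breaks.
remote anonymous {
        exchange_mode aggressive;
        passive on;             # answer only; never initiate to an unknown peer
        generate_policy on;     # build the SPD entry from the peer's proposal
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# ---- Work box: /usr/local/etc/racoon/psk.txt (root-owned, mode 0600)
# One line per peer, keyed by the identifier the peer sends.  No wildcard or
# netblock entry is needed because the key is no longer tied to an address.
# Use a long random secret: in aggressive mode the identifier is sent in the
# clear and the PSK must stand up to offline guessing on its own.
home@vpn.example        REPLACE-WITH-LONG-RANDOM-SECRET

# ---- Home box (dynamic address, initiator): /usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 192.0.2.1 {
        exchange_mode aggressive;
        my_identifier user_fqdn "home@vpn.example";   # sent instead of our IP
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# ---- Home box: /usr/local/etc/racoon/psk.txt
# The initiator looks the key up by the responder's identifier, which is its
# address by default, so this side stays keyed by IP.
192.0.2.1               REPLACE-WITH-LONG-RANDOM-SECRET
```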
From owner-freebsd-security Fri Jul 12 13:46:19 2002
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Fri, 12 Jul 2002 13:46:02 -0700 (PDT)
Subject: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump

=============================================================================
FreeBSD-SA-02:29                                            Security Advisory
                                                            The FreeBSD Project

Topic:          Buffer overflow in tcpdump when handling NFS packets

Category:       contrib
Module:         tcpdump
Announced:      2002-07-12
Credits:        dwmw2@redhat.com
Affects:        All releases prior to and including 4.6-RELEASE
                FreeBSD 4.6-STABLE prior to the correction date
Corrected:      2002-07-05 13:24:57 UTC (RELENG_4)
                2002-07-12 13:29:47 UTC (RELENG_4_6)
                2002-07-12 13:31:10 UTC (RELENG_4_5)
                2002-07-12 13:31:44 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

The tcpdump utility is used to capture and examine network traffic.

II.  Problem Description

Versions of tcpdump up to and including 3.7.1 contain a buffer overflow
that may be triggered by badly formed NFS packets, and possibly other
types of packets.

III. Impact

It is not currently known whether this buffer overflow is exploitable.
If it were, an attacker could inject specially crafted packets into the
network which, when processed by tcpdump, could lead to arbitrary code
execution with the privileges of the user running tcpdump (typically
`root').

IV.  Workaround

There is no workaround, other than not using tcpdump.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6-RELEASE-p2, 4.5-RELEASE-p8, or 4.4-RELEASE-p15).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5, and
4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:29/tcpdump.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:29/tcpdump.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                       Branch       Revision
---------------------------------------------------------------------------
src/contrib/tcpdump/interface.h            RELENG_4     1.4.2.3
                                           RELENG_4_6   1.4.2.1.6.1
                                           RELENG_4_5   1.4.2.1.4.1
                                           RELENG_4_4   1.4.2.1.2.1
---------------------------------------------------------------------------

VII. References

From owner-freebsd-security Fri Jul 12 13:46:35 2002
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Fri, 12 Jul 2002 13:46:13 -0700 (PDT)
Subject: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace

=============================================================================
FreeBSD-SA-02:30                                            Security Advisory
                                                            The FreeBSD Project
Topic:          Users may trace previously privileged processes

Category:       core
Module:         ktrace
Announced:      2002-07-12
Credits:        Theo DeRaadt
                Darren Reed
Affects:        All releases prior to and including 4.6-RELEASE
                FreeBSD 4.6-STABLE prior to the correction date
Corrected:      2002-07-05 22:36:38 UTC (RELENG_4)
                2002-07-11 16:47:41 UTC (RELENG_4_6)
                2002-07-11 16:47:55 UTC (RELENG_4_5)
                2002-07-11 16:56:05 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

The ktrace utility is a debugging tool that allows users to trace system
calls, I/O, and file system lookup operations executed by or on behalf
of a process and its children. Since this could potentially reveal
sensitive information, the kernel will normally only allow a user to
trace his or her own processes, and will immediately stop tracing a
process that gains special privileges, for instance by executing a
setuid or setgid binary.

The ktrace utility depends on the KTRACE kernel option, which is enabled
by default.

II.  Problem Description

If a process that had special privileges were to abandon them, it would
become possible for the owner of that process to trace it. However, that
process might still possess and / or communicate sensitive information
that it had obtained before abandoning its privileges, which would then
be revealed to the tracing user.

III. Impact

In theory, local users on systems where ktrace is enabled through the
KTRACE kernel option might obtain sensitive information, such as
password files or authentication keys. No specific utility is currently
known to be vulnerable to this particular problem.

IV.  Workaround

Recompile the kernel without the KTRACE option, and reboot.

V.   Solution

The following patch has been verified to apply to FreeBSD 4.4, 4.5, and
4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:30/ktrace.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:30/ktrace.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                       Branch       Revision
---------------------------------------------------------------------------
src/sys/kern/kern_ktrace.c                 RELENG_4     1.35.2.6
                                           RELENG_4_6   1.35.2.5.4.1
                                           RELENG_4_5   1.35.2.5.2.1
                                           RELENG_4_4   1.35.2.4.4.1
---------------------------------------------------------------------------

VII. References

From owner-freebsd-security Fri Jul 12 15:38:41 2002
From: twig les <twigles@yahoo.com>
To: security@FreeBSD.ORG
Date: Fri, 12 Jul 2002 14:47:16 -0700 (PDT)
Subject: volunteers requested for FreeBSD snort doc test
Hey all,

I just finished building a secured 4.6 Release box running
Snort/MySQL/ACID based on a doc I wrote and it went well, but I'd like
some input from those who know. This is a quasi-newbie tutorial,
probably well beneath most people that are on this list, but it'll be
helpful and good for advocacy too. So if anyone wants to try it out let
me know (probably shouldn't CC the list) and I'll send you the Word doc
(I know, I know--boo, hiss hiss), HTML, or PDF.

BTW, please be gentle :).

Keith

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

From owner-freebsd-security Fri Jul 12 15:45:13 2002
From: Matthew Dillon <dillon@apollo.backplane.com>
To: security@freebsd.org
Date: Fri, 12 Jul 2002 15:24:04 -0700 (PDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace

    Not to put a knot in the works, but what about someone signalling
    the process to dump core or attaching to it via /proc?

                                        -Matt

:FreeBSD-SA-02:30                                            Security Advisory
:                                                            The FreeBSD Project
:
:Topic:         Users may trace previously privileged processes
:
:Category:      core
:Module:        ktrace
:Announced:     2002-07-12
:...

From owner-freebsd-security Fri Jul 12 16:03:37 2002
From: Darren Pilgrim <dmp@pantherdragon.org>
To: security-advisories@freebsd.org, freebsd-security@freebsd.org
Date: Fri, 12 Jul 2002 15:07:23 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
When will this patch be merged into the security branches, or was it
included with the tcpdump fix and the merge just not mentioned?

From owner-freebsd-security Fri Jul 12 16:09:08 2002
From: Chris Faulhaber <cdf.lists@fxp.org>
To: Darren Pilgrim
Cc: freebsd-security@freebsd.org
Date: Fri, 12 Jul 2002 19:09:03 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
On Fri, Jul 12, 2002 at 03:07:23PM -0700, Darren Pilgrim wrote:
> When will this patch be merged into the security branches, or was it
> included with the tcpdump fix and the merge just not mentioned?
>

???

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                       Branch       Revision
---------------------------------------------------------------------------
src/sys/kern/kern_ktrace.c                 RELENG_4     1.35.2.6
                                           RELENG_4_6   1.35.2.5.4.1
                                           RELENG_4_5   1.35.2.5.2.1
                                           RELENG_4_4   1.35.2.4.4.1
---------------------------------------------------------------------------

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Jul 12 16:16:58 2002
From: "Nielsen" <nielsen@memberwebs.com>
To: "Steve"
Date: Fri, 12 Jul 2002 23:17:47 +0000 (GMT)
Subject: Re: plain text passwords
You should use an authentication module that uses hashed passwords.

And secondly you usually shouldn't authenticate against the system
passwords. But if you have to, try to find a solution that doesn't give
the apache user (www, or nobody or whatever) read access to your shadow
passwords.

One thing I used which worked well was the cyrus-sasl pwcheck daemon.
Apache has a module which authenticates against it. The pwcheck daemon
runs as root, relieving apache of the above need.

Cheers,
Nate

----- Original Message -----
From: "Steve"
Sent: Friday, July 12, 2002 0:21
Subject: plain text passwords

> Hi all,
>
> I need to have plain text passwords in /etc/passwd. How can I get it? I
> need this for password protecting a web directory using /etc/passwd
>
> Thanks,
>
> Steve

From owner-freebsd-security Fri Jul 12 16:48:04 2002
From: Darren Pilgrim <dmp@pantherdragon.org>
To: Nielsen
Cc: freebsd-security@FreeBSD.ORG, Steve
Date: Fri, 12 Jul 2002 16:47:50 -0700
Subject: Re: plain text passwords

Nielsen wrote:
>
> You should use an authentication module that uses hashed passwords.
>
> And secondly you usually shouldn't authenticate against the system
> passwords. But if you have to, try to find a solution that doesn't give
> the apache user (www, or nobody or whatever) read access to your shadow
> passwords.
>
> One thing I used which worked well was the cyrus-sasl pwcheck daemon.
> Apache has a module which authenticates against it. The pwcheck daemon
> runs as root, relieving apache of the above need.

Does pwcheck use PAM on FreeBSD?

From owner-freebsd-security Fri Jul 12 16:53:56 2002
From: Chris Faulhaber <jedgar@fxp.org>
To: Darren Pilgrim
Cc: freebsd-security@freebsd.org
Date: Fri, 12 Jul 2002 19:51:25 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
On Fri, Jul 12, 2002 at 04:46:00PM -0700, Darren Pilgrim wrote:
> Chris Faulhaber wrote:
> > On Fri, Jul 12, 2002 at 03:07:23PM -0700, Darren Pilgrim wrote:
> > > When will this patch be merged into the security branches, or was it
> > > included with the tcpdump fix and the merge just not mentioned?
> >
> > ???
>
> In the tcpdump SA, for example, we were told that updating to
> 4.6-RELEASE-p2 would fix the problem for 4.6. There was no such
> statement in the ktrace SA, so we're left with either going to stable

Ah, ok. Yeah, looks like that was left out.

> or applying the patch. While patching isn't much effort at all, I
> just don't like it. One of the big attractors to FreeBSD is the CVS
> method for getting all updates, fixes, and upgrades. It makes things
> work really well without the worry of version conflicts and source
> discrepancies that patching can induce.
>
> I guess the better question should have been: is the ktrace fix
> included in 4.6-RELEASE-p2?

Yes, 4.6-RELEASE-p2 does contain the fix.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Jul 12 17:10:22 2002
From: Darren Pilgrim <dmp@pantherdragon.org>
To: Chris Faulhaber
Cc: freebsd-security@freebsd.org
Date: Fri, 12 Jul 2002 16:46:00 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
Chris Faulhaber wrote:
> On Fri, Jul 12, 2002 at 03:07:23PM -0700, Darren Pilgrim wrote:
> > When will this patch be merged into the security branches, or was it
> > included with the tcpdump fix and the merge just not mentioned?
>
> ???

In the tcpdump SA, for example, we were told that updating to
4.6-RELEASE-p2 would fix the problem for 4.6. There was no such
statement in the ktrace SA, so we're left with either going to stable
or applying the patch. While patching isn't much effort at all, I
just don't like it. One of the big attractors to FreeBSD is the CVS
method for getting all updates, fixes, and upgrades. It makes things
work really well without the worry of version conflicts and source
discrepancies that patching can induce.

I guess the better question should have been: is the ktrace fix
included in 4.6-RELEASE-p2?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 12 17:13:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F63E37B400 for ; Fri, 12 Jul 2002 17:13:24 -0700 (PDT) Received: from malkavian.org (malkavian.org [206.136.132.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B84A43E72 for ; Fri, 12 Jul 2002 17:13:23 -0700 (PDT) (envelope-from rbw@myplace.org) Received: from malkavian.org (rbw@localhost [127.0.0.1]) by malkavian.org (8.12.3/8.12.3) with ESMTP id g6D0DH2F072005; Fri, 12 Jul 2002 20:13:17 -0400 (EDT) (envelope-from rbw@myplace.org) Received: (from rbw@localhost) by malkavian.org (8.12.3/8.12.3/Submit) id g6D0DH6D072004; Fri, 12 Jul 2002 17:13:17 -0700 (MST) X-Authentication-Warning: malkavian.org: rbw set sender to rbw@myplace.org using -f Date: Fri, 12 Jul 2002 17:13:17 -0700 From: "brian j. peterson" To: Darren Pilgrim , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace Message-ID: <20020713001317.GD8059@malkavian.org> Mail-Followup-To: Darren Pilgrim , freebsd-security@FreeBSD.ORG References: <200207122046.g6CKkDFN099899@freefall.freebsd.org> <3D2F531B.453A6855@pantherdragon.org> <20020712230903.GA25363@peitho.fxp.org> <3D2F6A38.72F41EE1@pantherdragon.org> <20020712235125.GA91126@peitho.fxp.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020712235125.GA91126@peitho.fxp.org> User-Agent: Mutt/1.4i X-URL: http://rbw.myplace.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org if you are tracking RELENG_4_6 (or any RELENG_x_y), /usr/src/UPDATING will tell you what security patches have been applied to your source. 
i find this very helpful for situations like this.

from /usr/src/UPDATING:

********
20020712:	p2	FreeBSD-SA-02:29.tcpdump
	A buffer overflow in tcpdump has been corrected.

20020711:	FreeBSD-SA-02:30.ktrace
	Prevent users from tracing previously privileged processes.

20020708:
	A tags bug in the ata(4) subsystem has been corrected.

20020626:	p1
	A fix for a buffer overflow in libc has been corrected.

20020615:
	FreeBSD 4.6-RELEASE.
********

-brian

On Fri, Jul 12, 2002 at 07:51:25PM -0400, Chris Faulhaber wrote:
> On Fri, Jul 12, 2002 at 04:46:00PM -0700, Darren Pilgrim wrote:
> > Chris Faulhaber wrote:
> > > On Fri, Jul 12, 2002 at 03:07:23PM -0700, Darren Pilgrim wrote:
> > > > When will this patch be merged into the security branches, or was it
> > > > included with the tcpdump fix and the merge just not mentioned?
> > >
> > > ???
> >
> > In the tcpdump SA, for example, we were told that updating to
> > 4.6-RELEASE-p2 would fix the problem for 4.6. There was no such
> > statement in the ktrace SA, so we're left with either going to stable
>
> Ah, ok. Yeah, looks like that was left out.
>
> > or applying the patch. While patching isn't much effort at all, I
> > just don't like it. One of the big attractors to FreeBSD is the CVS
> > method for getting all updates, fixes, and upgrades. It makes things
> > work really well without the worry of version conflicts and source
> > discrepancies that patching can induce.
> >
> > I guess the better question should have been: is the ktrace fix
> > included in 4.6-RELEASE-p2?
>
> Yes, 4.6-RELEASE-p2 does contain the fix.
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org

--
--===-----=======-----------=============-----------------===================
bjp aka rbw     | and did you exchange a walk on part in the war
rbw@myplace.org | for a lead role in a cage?
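The UPDATING excerpt quoted above settles the question in this thread by inspection. The Python below is an added example, not part of the thread and not FreeBSD's own tooling: it parses entries in that layout (a date stamp, an optional pN patch level, an optional advisory id, an indented description) and works out which advisories a given patch level ships, on the reading that a pN marker sits on the entry that produced release-pN and therefore also covers every entry back to the previous marker. The sample text is constructed to mirror the quoted entries, and the release-line detection is an assumption about how the file marks the base release.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of /usr/src/UPDATING on a release branch,
# newest entry first. It mirrors the entries quoted in the thread.
SAMPLE_UPDATING = """\
20020712:\tp2\tFreeBSD-SA-02:29.tcpdump
\tA buffer overflow in tcpdump has been corrected.

20020711:\tFreeBSD-SA-02:30.ktrace
\tPrevent users from tracing previously privileged processes.

20020708:
\tA tags bug in the ata(4) subsystem has been corrected.

20020626:\tp1
\tA fix for a buffer overflow in libc has been corrected.

20020615:
\tFreeBSD 4.6-RELEASE.
"""

ENTRY_RE = re.compile(
    r"^(?P<date>\d{8}):"                            # YYYYMMDD at column 0
    r"(?:\s+(?P<level>p\d+))?"                      # optional patch level, e.g. p2
    r"(?:\s+(?P<sa>FreeBSD-SA-\d{2}:\d{2}\.\S+))?"  # optional advisory id
    r"\s*$"
)
# Assumption: the base release is announced by a line like "FreeBSD 4.6-RELEASE."
RELEASE_RE = re.compile(r"^FreeBSD \S+-RELEASE\.?$")


@dataclass
class Entry:
    date: str
    level: Optional[str]      # patch level this entry raised the branch to, if any
    advisory: Optional[str]   # advisory id, when the entry is a security fix
    description: str = ""


def parse_updating(text: str) -> List[Entry]:
    """Return the entries in file order (newest first)."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["date"], m["level"], m["sa"]))
        elif entries and line[:1] in (" ", "\t") and line.strip():
            # Indented continuation text belongs to the most recent entry.
            entries[-1].description = (entries[-1].description + " " + line.strip()).strip()
    return entries


def assign_levels(entries: List[Entry]) -> List[Tuple[Entry, Optional[str]]]:
    """Pair each entry with the first patch level that ships it.

    Walking newest first, a pN marker applies to its own entry and to the
    older entries that follow it, until the next marker or the release line;
    the release itself and anything older map to None (the base release).
    """
    out: List[Tuple[Entry, Optional[str]]] = []
    level: Optional[str] = None
    for e in entries:
        if e.level:
            level = e.level
        if RELEASE_RE.match(e.description):
            level = None
        out.append((e, level))
    return out


def advisories_in(entries: List[Entry], level: str) -> List[str]:
    """Advisory ids first shipped at the given patch level, sorted."""
    return sorted(e.advisory for e, lvl in assign_levels(entries) if e.advisory and lvl == level)


def current_level(entries: List[Entry]) -> Optional[str]:
    """Patch level of the tree, or None if no pN entry has been applied."""
    return next((e.level for e in entries if e.level), None)


if __name__ == "__main__":
    entries = parse_updating(SAMPLE_UPDATING)
    print("tree is at", current_level(entries))
    for e, lvl in assign_levels(entries):
        print(f"{e.date} {(lvl or 'base'):4} {(e.advisory or '-'):28} {e.description}")
```

Run against the real file on a RELENG_x_y checkout the same functions answer "which SAs does my patch level include"; for the sample, the ktrace advisory falls under p2 even though its own entry carries no level marker, which is exactly the point Chris confirms below.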
===================-----------------=============-----------=======-----===--

From owner-freebsd-security Fri Jul 12 17:29:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E287637B400 for ; Fri, 12 Jul 2002 17:29:44 -0700 (PDT)
Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 168E943E3B for ; Fri, 12 Jul 2002 17:29:44 -0700 (PDT) (envelope-from andrew@scoop.co.nz)
Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g6D0Tgdd052278; Sat, 13 Jul 2002 12:29:42 +1200 (NZST) (envelope-from andrew@scoop.co.nz)
Date: Sat, 13 Jul 2002 12:29:42 +1200 (NZST)
From: Andrew McNaughton
To: twig les
Cc: security@FreeBSD.ORG
Subject: Re: volunteers requested for FreeBSD snort doc test
In-Reply-To: <20020712214716.92226.qmail@web10102.mail.yahoo.com>
Message-ID: <20020713122557.V52095-100000@a2.scoop.co.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I'd like to take a look at this one. I don't know snort or ACID, but I'm
reasonably up on secure practices in general. html and/or pdf preferred,
but I can pipe through antiword if required.

Andrew McNaughton

On Fri, 12 Jul 2002, twig les wrote:

> Date: Fri, 12 Jul 2002 14:47:16 -0700 (PDT)
> From: twig les
> To: security@FreeBSD.ORG
> Subject: volunteers requested for FreeBSD snort doc test
>
> Hey all,
>
> I just finished building a secured 4.6 Release box
> running Snort/MySQL/ACID based on a doc I wrote and it
> went well, but I'd like some input from those who
> know.
> This is a quasi-newbie tutorial, probably well
> beneath most people that are on this list, but it'll
> be helpful and good for advocacy too.
>
> So if anyone wants to try it out let me know (probably
> shouldn't CC the list) and I'll send you the Word doc
> (I know, I know--boo, hiss hiss), HTML, or PDF.
>
> BTW, please be gentle :).
>
> Keith
>
> =====
> -----------------------------------------------------------
> All warfare is based on deception.
> -----------------------------------------------------------
>
> __________________________________________________
> Do You Yahoo!?
> Sign up for SBC Yahoo! Dial - First Month Free
> http://sbc.yahoo.com

From owner-freebsd-security Fri Jul 12 17:54:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C63337B400 for ; Fri, 12 Jul 2002 17:54:51 -0700 (PDT)
Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 36B3843E42 for ; Fri, 12 Jul 2002 17:54:51 -0700 (PDT) (envelope-from dmp@pantherdragon.org)
Received: from sparx.pantherdragon.org (evrtwa1-ar10-4-61-236-062.evrtwa1.dsl-verizon.net [4.61.236.62]) by spork.pantherdragon.org (Postfix) with ESMTP id 77B5F471D7; Fri, 12 Jul 2002 17:54:50 -0700 (PDT)
Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by sparx.pantherdragon.org (Postfix) with ESMTP id 64C08FDA0; Fri, 12 Jul 2002 17:54:48 -0700 (PDT)
Message-ID: <3D2F7A58.2D68D80B@pantherdragon.org>
Date: Fri, 12 Jul 2002 17:54:48 -0700
From: Darren Pilgrim
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "brian j. peterson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
References: <200207122046.g6CKkDFN099899@freefall.freebsd.org> <3D2F531B.453A6855@pantherdragon.org> <20020712230903.GA25363@peitho.fxp.org> <3D2F6A38.72F41EE1@pantherdragon.org> <20020712235125.GA91126@peitho.fxp.org> <20020713001317.GD8059@malkavian.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

"brian j. peterson" wrote:
>
> if you are tracking RELENG_4_6 (or any RELENG_x_y), /usr/src/UPDATING
> will tell you what security patches have been applied to your source.
> i find this very helpful for situations like this.
>
> from /usr/src/UPDATING:

And /usr/src/UPDATING can be looked at via CVSweb. I knew this.

From owner-freebsd-security Fri Jul 12 19: 2:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CEEA37B400 for ; Fri, 12 Jul 2002 19:02:28 -0700 (PDT)
Received: from smtp.noos.fr (claudel.noos.net [212.198.2.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id 358D643E65 for ; Fri, 12 Jul 2002 19:02:27 -0700 (PDT) (envelope-from root@gits.dyndns.org)
Received: (qmail 28182651 invoked by uid 0); 13 Jul 2002 02:02:25 -0000
Received: from unknown (HELO gits.gits.dyndns.org) ([212.198.229.153]) (envelope-sender ) by 212.198.2.83 (qmail-ldap-1.03) with SMTP for ; 13 Jul 2002 02:02:25 -0000
Received: from gits.gits.dyndns.org (7soy6jb8j5sy7awn@localhost [127.0.0.1]) by gits.gits.dyndns.org (8.12.5/8.12.5) with ESMTP id g6D22KdT003835; Sat, 13 Jul 2002 04:02:24 +0200 (CEST) (envelope-from root@gits.dyndns.org)
Received: (from root@localhost) by gits.gits.dyndns.org (8.12.5/8.12.5/Submit) id g6D22JO4003834; Sat, 13 Jul 2002 04:02:19 +0200 (CEST) (envelope-from root)
Date: Sat, 13 Jul 2002 04:02:19 +0200
From: Cyrille Lefevre
To: Zvezdan Petkovic
Cc: security@FreeBSD.ORG
Subject: Re: : hiding OS name
Message-ID: <20020713020219.GE2527@gits.dyndns.org>
References: <19624177455.20020709175744@dds.nl> <20020711234121.GK21234@gits.dyndns.org> <20020711214839.A31361@dali.cs.wm.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020711214839.A31361@dali.cs.wm.edu>
User-Agent: Mutt/1.3.99i
Organization: ACME
X-Face: V|+c;4!|B?E%BE^{E6);aI.[<
List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 11, 2002 at 09:48:39PM -0400, Zvezdan Petkovic wrote:
> On Fri, Jul 12, 2002 at 01:41:21AM +0200, Cyrille Lefevre wrote:
> >
> > one thing I dislike w/ OpenBSD is that there are almost no advisories
> > ? are they "so" secure or are they just hiding things like "not
> > seen, not caught" ?
>
> One thing I dislike is when people voice the opinion before checking the
> facts. You've probably heard some rumour and never really tried to

don't you see the question marks?

> check is it true or not, right? I suppose you are not subscribed to

wrong, I don't listen to rumours...

> OpenBSD announcement lists either? Well check this out:

you made a wrong assertion here, that's because I'm registered for some
time now that I know there is no advisories announcement except the
OpenSSH ones :P

> http://www.openbsd.org/errata.html

ok, but why don't they publish them in the -announce ml?

> It's accessible from the left navigation bar on the OpenBSD main site
> under the link "Patches". That seems reasonably visible for anybody who
> wants to make an effort to check.

that's the point, why just "Patches" and not why they don't announce
them publicly (read in usenet and ml). so, you have to check yourself
for the information which FreeBSD push them to you which is the way
to go, IMHO.

Cyrille.
--
Cyrille Lefevre                 mailto:cyrille.lefevre@laposte.net

From owner-freebsd-security Fri Jul 12 23:36: 9 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1F7737B400 for ; Fri, 12 Jul 2002 23:36:07 -0700 (PDT)
Received: from addr-mx01.addr.com (addr-mx01.addr.com [209.249.147.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id 507BB43E3B for ; Fri, 12 Jul 2002 23:36:07 -0700 (PDT) (envelope-from torvalds@addr.com)
Received: from proxy1.addr.com (proxy1.addr.com [209.249.147.28]) by addr-mx01.addr.com (8.12.2/8.12.2) with ESMTP id g6D6a1B3041671 for ; Fri, 12 Jul 2002 23:36:01 -0700 (PDT)
Received: from TS22 ([202.71.153.170]) by proxy1.addr.com (8.11.6/8.9.1) with ESMTP id g6D6Zxk76981 for ; Fri, 12 Jul 2002 23:35:59 -0700 (PDT) (envelope-from torvalds@addr.com)(envelope-to )
Message-ID: <009901c22a37$7ffed450$9600a8c0@blraddrcom>
From: "Naga Suresh B"
To:
Subject: plain text password
Date: Sat, 13 Jul 2002 12:05:35 +0530
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Scanned-By: MIMEDefang 2.15 (www dot roaringpenguin dot com slash mimedefang)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hai,

How can I change the password file into a plain text password, it
should not use any authentication either MD5 or Pam. I need this solution as
early as possible.
Suresh

From owner-freebsd-security Sat Jul 13 0:25:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9DFF37B400 for ; Sat, 13 Jul 2002 00:25:45 -0700 (PDT)
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by mx1.FreeBSD.org (Postfix) with SMTP id 2801243E4A for ; Sat, 13 Jul 2002 00:25:45 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 23087 invoked by uid 1001); 13 Jul 2002 07:25:43 -0000
Date: Sat, 13 Jul 2002 03:25:43 -0400
From: "Peter C. Lai"
To: Naga Suresh B
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: plain text password
Message-ID: <20020713032543.A23076@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <009901c22a37$7ffed450$9600a8c0@blraddrcom>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <009901c22a37$7ffed450$9600a8c0@blraddrcom>; from torvalds@addr.com on Sat, Jul 13, 2002 at 12:05:35PM +0530
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hashes are not reversible, so passwords in the password file are not
recoverable to plaintext. (this is not to say you can't try to guess
the password by applying the hash to your guess and see if it matches
the hash in the file).

On Sat, Jul 13, 2002 at 12:05:35PM +0530, Naga Suresh B wrote:
> Hai,
>
> How can I change the password file into a plain text password, it
> should not use any authentication either MD5 or Pam. I need this solution as
> early as possible.
>
> Suresh

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Sat Jul 13 0:57:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32A6537B400 for ; Sat, 13 Jul 2002 00:57:40 -0700 (PDT)
Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5996543E3B for ; Sat, 13 Jul 2002 00:57:39 -0700 (PDT) (envelope-from zvezdan@CS.WM.EDU)
Received: from dali.cs.wm.edu (dali [128.239.26.26]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g6D7rON20271; Sat, 13 Jul 2002 03:53:24 -0400 (EDT)
Received: (from zvezdan@localhost) by dali.cs.wm.edu (8.11.6/8.9.1) id g6D7tOB03125; Sat, 13 Jul 2002 03:55:24 -0400
Date: Sat, 13 Jul 2002 03:55:23 -0400
From: Zvezdan Petkovic
To: Cyrille Lefevre
Cc: security@FreeBSD.ORG
Subject: Re: : hiding OS name
Message-ID: <20020713035523.A3048@dali.cs.wm.edu>
Mail-Followup-To: Cyrille Lefevre , security@FreeBSD.ORG
References: <19624177455.20020709175744@dds.nl> <20020711234121.GK21234@gits.dyndns.org> <20020711214839.A31361@dali.cs.wm.edu> <20020713020219.GE2527@gits.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020713020219.GE2527@gits.dyndns.org>; from cyrille.lefevre@laposte.net on Sat, Jul 13, 2002 at 04:02:19AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Cyrille this is totally off topic in the subject and I suggest we stop it.
If you intend to reply send me a personal email and let's spare the list.

On Sat, Jul 13, 2002 at 04:02:19AM +0200, Cyrille Lefevre wrote:
> On Thu, Jul 11, 2002 at 09:48:39PM -0400, Zvezdan Petkovic wrote:
> > http://www.openbsd.org/errata.html
>
> ok, but why don't they publish them in the -announce ml?
>
> > It's accessible from the left navigation bar on the OpenBSD main site
> > under the link "Patches". That seems reasonably visible for anybody who
> > wants to make an effort to check.
>
> that's the point, why just "Patches" and not why they don't announce
> them publicly (read in usenet and ml). so, you have to check yourself
> for the information which FreeBSD push them to you which is the way
> to go, IMHO.
>
> Cyrille.

Because the world is not uniform. Some people do it one way, some do it
the other way. OpenBSD errata are publicly published on the Web just
like FreeBSD. One can easily make a script to get that page
automatically, diff it with the previous one and send the email to the
administrator that new errata is available. That's a good enough way
for OpenBSD users, obviously.

You seem to have the opinion that FreeBSD users prefer mailing list
announcements. Fine. I could claim that Red Hat Linux users prefer the
fact that they have binary updates through rpms. Then again, SuSE users
have binary patch rpms that are smaller and perhaps more convenient from
their point of view. Solaris users have pkg binary updates that save the
copies of old version in case one doesn't like the new update.

World comes in all different colours and that is Good(TM).

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Sat Jul 13 7:53:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A8C7537B400 for ; Sat, 13 Jul 2002 07:53:52 -0700 (PDT)
Received: from mail.npubs.com (npubs.com [207.111.208.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 215B543E42 for ; Sat, 13 Jul 2002 07:53:52 -0700 (PDT) (envelope-from nielsen@memberwebs.com)
From: "Nielsen"
To: "Darren Pilgrim"
Cc: , "Steve"
References: <5.1.0.14.0.20020712114822.00ba8a20@localhost> <20020712231747.6EFBB43B396@mail.npubs.com> <3D2F6AA6.5CF214CB@pantherdragon.org>
Subject: Re: plain text passwords
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20020713145448.2DB5C43B39E@mail.npubs.com>
Date: Sat, 13 Jul 2002 14:54:48 +0000 (GMT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It can. There's a separate binary for it: pwcheck_pam. Run that daemon
instead.

One other catch I've noted is that the /var/pwcheck directory (which
contains the socket that programs use to communicate with pwcheck), is
owned by cyrus:cyrus, and has 750 permissions. You need to either give the
directory 755 permissions, or add apache's user to the cyrus group for
apache/pwcheck to work.

Nate

> > Does pwcheck use PAM on FreeBSD?
From owner-freebsd-security Sat Jul 13 10:31:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABA6537B400; Sat, 13 Jul 2002 10:31:30 -0700 (PDT)
Received: from lurza.secnetix.de (lurza.secnetix.de [212.66.1.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9285243E64; Sat, 13 Jul 2002 10:31:29 -0700 (PDT) (envelope-from olli@lurza.secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.11.6/8.11.6) id g6DHVRs92032; Sat, 13 Jul 2002 19:31:27 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Date: Sat, 13 Jul 2002 19:31:27 +0200 (CEST)
Message-Id: <200207131731.g6DHVRs92032@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, security-advisories@FreeBSD.ORG
Reply-To: freebsd-security@FreeBSD.ORG, security-advisories@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
In-Reply-To: <200207122046.g6CKk2tG099856@freefall.freebsd.org>
X-Newsgroups: list.freebsd-security
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.5-RELEASE (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

FreeBSD Security Advisories wrote:
> [...]
> IV.  Workaround
>
> There is no workaround, other than not using tcpdump.

Well, you can at least set up the system in a way so you don't
have to run tcpdump as root: Create a special group, chgrp
/dev/bpf* to that group and make them group-readable (writable
is not required). Then add all users to that group which should
be allowed to use tcpdump.

An even better approach would be to create a pseudo user (similar
to the nobody user) which is a member of the tcpdump group, and
write a small wrapper script which uses /usr/bin/su to call
tcpdump as that pseudo-user.

Of course, that's only a quick workaround, not a solution. It
wouldn't close any potentially exploitable holes, but it would
make it a lot harder (maybe even impossible) for an attacker to
actually do any damage that way.

On a related matter: It would probably be a very good idea for
tcpdump to drop privileges right after opening the BPF device.

Regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)

From owner-freebsd-security Sat Jul 13 13:24:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BB8937B400 for ; Sat, 13 Jul 2002 13:24:19 -0700 (PDT)
Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83B3D43E3B for ; Sat, 13 Jul 2002 13:24:18 -0700 (PDT) (envelope-from behanna@zbzoom.net)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.5/8.12.5) with ESMTP id g6DKOI4T015582 for ; Sat, 13 Jul 2002 16:24:18 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Sat, 13 Jul 2002 16:24:13 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: Re: plain text password
In-Reply-To: <009901c22a37$7ffed450$9600a8c0@blraddrcom>
Message-ID: <20020713162325.W15564-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender:
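Oliver's last point, dropping privileges right after the BPF device is open, is the part of the workaround that lives in the capture tool rather than in /dev permissions. The Python below is an added example of that pattern and is not tcpdump's code: open the device while still privileged, then give up supplementary groups, gid and uid in that order, and refuse to continue unless the switch can be shown to be irreversible (setuid(0) must fail afterwards). The device path /dev/bpf0 and the pseudo-user name "tcpdump" are assumptions standing in for whatever the group/pseudo-user setup above produced; drop_in_child runs the switch in a forked child so a caller can exercise it without changing its own identity.

```python
import os
import pwd
from typing import Tuple

CAPTURE_DEVICE = "/dev/bpf0"    # assumption: first BPF node, made group-readable as in the post
UNPRIVILEGED_USER = "tcpdump"   # assumption: the pseudo-user created for this purpose


def current_ids() -> Tuple[int, int]:
    """Real uid and gid of this process."""
    return os.getuid(), os.getgid()


def privileges_dropped(uid: int, gid: int) -> bool:
    """True when every id is uid/gid, uid is not root, and root cannot be regained."""
    ids = (os.getuid(), os.geteuid(), os.getgid(), os.getegid())
    if ids != (uid, uid, gid, gid) or uid == 0:
        return False
    try:
        os.setuid(0)          # must fail: the saved uid is no longer 0
    except PermissionError:
        return True
    return False              # it succeeded, so the drop was only cosmetic


def drop_privileges(uid: int, gid: int) -> bool:
    """Switch permanently to uid/gid and report whether the switch held."""
    if os.geteuid() == 0:
        # Supplementary groups are the part most often forgotten; only root may
        # change them, so the call is skipped when already unprivileged.
        os.setgroups([gid])
    os.setgid(gid)            # group before user: after setuid() this would fail
    os.setuid(uid)            # as root this sets real, effective and saved uid
    return privileges_dropped(uid, gid)


def drop_in_child(uid: int, gid: int) -> bool:
    """Run drop_privileges in a forked child; the caller's ids stay untouched."""
    pid = os.fork()
    if pid == 0:
        ok = False
        try:
            ok = drop_privileges(uid, gid)
        finally:
            os._exit(0 if ok else 1)   # any exception above also ends as failure
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def open_then_drop(device: str, user: str) -> int:
    """Open the device while still privileged, then become `user` for good."""
    fd = os.open(device, os.O_RDONLY)
    pw = pwd.getpwnam(user)
    if not drop_privileges(pw.pw_uid, pw.pw_gid):
        os.close(fd)
        raise SystemExit("refusing to run: privileges were not dropped")
    return fd


if __name__ == "__main__":
    fd = open_then_drop(CAPTURE_DEVICE, UNPRIVILEGED_USER)
    print("capture device open on fd", fd, "running as uid", os.getuid())
```

The order matters: setgroups() and setgid() need the privilege that setuid() gives away, and a tool that forgets setgroups() keeps every group root belonged to even after its uid changed. The verification step is what turns "we called setuid" into "we are unprivileged".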
owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, 13 Jul 2002, Naga Suresh B wrote:

> How can I change the password file into a plain text password, it
> should not use any authentication either MD5 or Pam. I need this solution as
> early as possible.

You can't. If you must have plain text passwords (why?), you'll have
to cobble a solution together yourself.

--
Chris BeHanna                  http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation
chris@pennasoft.com

From owner-freebsd-security Sat Jul 13 14:15:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C0A3037B406 for ; Sat, 13 Jul 2002 14:15:33 -0700 (PDT)
Received: from kumquat.ixs1.net (usny58.ixs1.net [209.10.179.58]) by mx1.FreeBSD.org (Postfix) with SMTP id 08A3443E5E for ; Sat, 13 Jul 2002 14:15:32 -0700 (PDT) (envelope-from AcquireSolution.ue.h117320.y56528946@ixs2.net)
From: AcquireSolution
To: security@freebsd.org
Subject: AcquireSolution requests your permission
Date: Sat, 13 Jul 2002 17:03:45 -0400
X-Mailer: Zen Mailer (Bartmail 2.0)
Message-ID: OM:AcquireSolution.ue.h117320.y56528946@ixs2.net
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="OMPH.56528946.1026594223971"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

--OMPH.56528946.1026594223971
Content-Type: text/plain

Dear Friend,

Every day more and more exciting and important information is being communicated via E-mail. In the future, we would like to communicate with you via E-mail, and send you exciting and "Up to Date" information on current subject matter, free e-commerce newsletters, case studies, and services that Internet users like yourself would have interest in. We are presently seeking your permission for the privilege to serve you efficiently and electronically via E-Mail.

Thank you!

If you do not wish to have us contact you via e-mail, please click the "Unsubscribe" link within the message below and your name will be deleted from our email mailing lists.

Sincerely,

Acquire Solution

Thank You for Reading. To unsubscribe to this publication, reply to this message and put "unsubscribe" in the subject line. You can also unsubscribe by clicking on this link: http://link.ixs2.net/s/link/unsub?rc=ue&rti=h117320&si=y56528946

If you can't click on the links in this message, copy the entire link and paste into the Location:/Address: field of your browser.

--OMPH.56528946.1026594223971
Content-Type: text/html


--OMPH.56528946.1026594223971--

From owner-freebsd-security Sat Jul 13 23:24:32 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79EE637B400 for ; Sat, 13 Jul 2002 23:24:30 -0700 (PDT)
Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F68543E77 for ; Sat, 13 Jul 2002 23:24:30 -0700 (PDT) (envelope-from dmp@pantherdragon.org)
Received: from sparx.pantherdragon.org (evrtwa1-ar10-4-61-236-062.evrtwa1.dsl-verizon.net [4.61.236.62]) by spork.pantherdragon.org (Postfix) with ESMTP id 7F887471D7; Sat, 13 Jul 2002 23:24:29 -0700 (PDT)
Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by sparx.pantherdragon.org (Postfix) with ESMTP id E6C76FFD6; Sat, 13 Jul 2002 23:24:26 -0700 (PDT)
Message-ID: <3D31191A.3AD13F70@pantherdragon.org>
Date: Sat, 13 Jul 2002 23:24:26 -0700
From: Darren Pilgrim
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Naga Suresh B
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: plain text password
References: <009901c22a37$7ffed450$9600a8c0@blraddrcom>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Naga Suresh B wrote:
>
> Hai,
>
> How can I change the password file into a plain text password, it
> should not use any authentication either MD5 or Pam. I need this solution as
> early as possible.

There are programs in ports that you can use to do dictionary and
exhaustive attacks against the hashes. This is the only way to get the
plaintext passwords. After that, the method you use for storing the
plaintext outside of the system password database is up to you.

If you actually want the pwdb to use plaintext instead of hashes, you'll
need to hack the source yourself as the password system was not designed
to not use crypto. Start with getpass(3), read the source for
/usr/bin/passwd, etc.
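Peter C. Lai's and Darren's replies make the same point from two sides: the password field holds a salted one-way hash, login works by hashing the supplied password the same way and comparing, and nothing on the system can turn the stored value back into the password. The Python below is an added example and is not FreeBSD's passwd(1) or crypt(3) code: a PBKDF2-based record in a "$scheme$rounds$salt$hash" layout chosen to mirror the shape of a crypt(3) string, the verify step that is all a login program can do, and a small audit over master.passwd-style lines that flags an empty or plaintext password field, which is the check a practitioner would want in place if anyone did follow the advice above and hack the database into storing plaintext. The record format, the locked-account and DES-length conventions, and the sample entries are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SCHEME = "pbkdf2-sha256"
DEFAULT_ROUNDS = 200_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = DEFAULT_ROUNDS) -> str:
    """Build the string that goes into the password field; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$%s$%d$%s$%s" % (SCHEME, rounds, _b64(salt), _b64(digest))


def verify_password(guess: str, record: str) -> bool:
    """All a login program can do: hash the guess the same way and compare."""
    try:
        _, scheme, rounds, salt, digest = record.split("$")
    except ValueError:
        return False                      # not a record in our layout
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"),
                                    base64.b64decode(salt), int(rounds))
    return hmac.compare_digest(candidate, base64.b64decode(digest))


def classify_password_field(field: str) -> Optional[str]:
    """Return a finding for a password field that is not a hash, else None."""
    if field == "":
        return "empty password field"
    if field.startswith("*"):
        return None                       # "*" / "*LOCKED*": no password login possible
    if field.startswith("$") or len(field) == 13:
        return None                       # modular-crypt form or classic 13-char DES
    return "password field is not a hash"


def audit_master_passwd(text: str) -> List[Tuple[str, str]]:
    """Check master.passwd-style lines (name:password:uid:gid:class:change:expire:gecos:home:shell)."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            findings.append((fields[0], "malformed entry"))
            continue
        problem = classify_password_field(fields[1])
        if problem:
            findings.append((fields[0], problem))
    return findings


# Constructed sample in master.passwd(5) layout; the root hash is generated here,
# the guest entry has no password at all and bob's field is a bare plaintext word.
SAMPLE_MASTER_PASSWD = "\n".join([
    "# constructed sample, not a real password database",
    "root:" + hash_password("not-the-real-root-password", rounds=1000)
    + ":0:0::0:0:Charlie &:/root:/bin/csh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
    "guest::1001:1001::0:0:Guest account:/home/guest:/bin/sh",
    "bob:hunter2:1002:1002::0:0:Bob:/home/bob:/bin/sh",
])

if __name__ == "__main__":
    record = hash_password("correct horse")
    print("stored:", record)
    print("right guess:", verify_password("correct horse", record))
    print("wrong guess:", verify_password("Correct horse", record))
    for user, problem in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user}: {problem}")
```

The stored record contains the salt and the digest and nothing else, so the only path from record to password is the one Peter describes: guess, hash, compare. The audit is the defensive counterpart of Suresh's request: a database that has been made to hold plaintext shows up as fields that are neither empty-by-lock nor hash-shaped.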