From owner-freebsd-security Mon Dec 9 11:17:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B00B537B401 for ; Mon, 9 Dec 2002 11:17:19 -0800 (PST)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 20DCD43E4A for ; Mon, 9 Dec 2002 11:17:19 -0800 (PST) (envelope-from timothy@voidnet.com)
Received: from repose (12-210-146-224.client.attbi.com[12.210.146.224]) by sccrmhc02.attbi.com (sccrmhc02) with SMTP id <2002120919171800200dj9e8e>; Mon, 9 Dec 2002 19:17:18 +0000
Content-Type: text/plain; charset="us-ascii"
From: Eric Timme
To: freebsd-security@freebsd.org
Subject: gateway security?
Date: Mon, 9 Dec 2002 13:17:15 -0600
User-Agent: KMail/1.4.3
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-Id: <200212091317.15077.timothy@voidnet.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi everyone, I was wondering if someone could point me in the direction of some discussions of general security in a LAN environment with a FreeBSD machine doing NAT/firewalling? I haven't had a ton of luck browsing the archives and finding any discussions. I've read over the general primer, but would like to read about some actual deployment of security when your headless gateway sits in a dark closet, accumulating dust.

Currently I have a pretty restrictive set of firewall rules in place, allowing only http and ssh traffic from the outside, and I require DES public/private keys for ssh access. There is a single user account on the gateway, and root logins are disallowed from all but console. The gateway is doing a single NFS export of my public_html directory for easy access from an internal FreeBSD gateway.
As for current security, it is a little lacking, but I am planning to wipe and reinstall now that winter break affords me some freedom from schoolwork. I have the following settings in my partitioning scheme (ad0 is 1.5 gig, and with this partitioning scheme I just barely fit, and use ad1 for additional space), and use secure level 2 for daily operations.

    /dev/ad0s1a   /                               rw,nosuid
    /dev/ad0s1e   /tmp                            rw,noexec,nosuid
    /dev/ad0s1g   /usr                            ro
    /dev/ad1s1e   /usr/obj                        ro
    /dev/ad0s1d   /usr/home                       rw,noexec,nosuid
    /dev/ad1s2e   /usr/home/timothy/public_html   rw,nosuid
    /dev/ad0s1h   /usr/local                      ro,nosuid
    /dev/ad0s1f   /var                            rw,noexec,nosuid

I've been using snort with a remote acid installation with alright success, but it has never quite worked right, and am considering junking it, simply because I don't see a lot of other people using it, and it has only been of marginal success, spending more time picking up proxy scans from IRC and false positives than anything else.

I'm planning to deploy aide with a write protected diskette, but would like some advice as to other products to look into; I don't access the machine regularly, aside from the NFS mount of my public_html directory, so would like to find something that could email me status updates daily, or bi-daily, ala the daily messages, which I currently forward to myself, to help reassure me nobody is poking around in it.

Thanks for any pointers you can give me.
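The nightly "is anything different" report asked for above is, at its core, a baseline-and-compare job. The script below is an added example written for this thread (it is not code from the original post, and it is not aide or integrit): it records a manifest of SHA-256 hashes and permission bits for every file under a directory, and later reports files that were added, removed, or changed against that manifest, which is what a cron job can mail out each night. It assumes sha256sum (GNU) or sha256 (FreeBSD) is on the path and that the monitored paths contain no whitespace; the file names in the usage comment are illustrative. Keep the manifest somewhere the gateway itself cannot rewrite (read-only media or another host), or a successful intruder can simply regenerate it.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal baseline-and-compare
# file integrity check in POSIX sh. Assumes sha256sum (GNU) or sha256
# (FreeBSD) is installed and that monitored paths contain no whitespace.

# Hash one file with whichever SHA-256 tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Emit a manifest for every regular file under $1, one line per file:
#   <path> <sha256> <mode>
# Sorted in the C locale so join(1) can consume it later.
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        printf '%s %s %s\n' "$f" "$(hash_file "$f")" "$mode"
    done
}

# Compare a stored manifest ($1) against the tree ($2) as it is now.
# Prints one finding per line: REMOVED, ADDED or CHANGED <path>.
# A hash difference and a mode difference both count as CHANGED.
compare_manifest() {
    base=$1
    cur=$(mktemp) || return 1
    make_manifest "$2" > "$cur"
    LC_ALL=C join -v 1 -j 1 "$base" "$cur" | awk '{ print "REMOVED " $1 }'
    LC_ALL=C join -v 2 -j 1 "$base" "$cur" | awk '{ print "ADDED " $1 }'
    LC_ALL=C join -j 1 "$base" "$cur" |
        awk '$2 != $4 || $3 != $5 { print "CHANGED " $1 }'
    rm -f "$cur"
}

# Usage (file names are illustrative):
#   sh integrity.sh baseline /etc > manifest    # once, from a known-good state
#   sh integrity.sh check manifest /etc         # nightly from cron, output mailed
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    compare_manifest "$2" "$3" ;;
esac
```

An empty report means nothing under the tree changed. Limit the tree to directories whose contents should be static (/etc, /bin, /sbin, /usr/local/etc, the kernel): hashing everything is slow and turns every log rotation into a finding.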
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Dec 9 14:18:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6717437B401 for ; Mon, 9 Dec 2002 14:18:52 -0800 (PST)
Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id C129A43F2C for ; Mon, 9 Dec 2002 14:18:51 -0800 (PST) (envelope-from mike@adept.org)
Received: by fubar.adept.org (Postfix, from userid 1001) id 56D7015247; Mon, 9 Dec 2002 14:15:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 5474915213 for ; Mon, 9 Dec 2002 14:15:47 -0800 (PST)
Date: Mon, 9 Dec 2002 14:15:47 -0800 (PST)
From: Mike Hoskins
To: freebsd-security@freebsd.org
Subject: Re: gateway security?
In-Reply-To: <200212091317.15077.timothy@voidnet.com>
Message-ID: <20021209134844.A9836-100000@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 9 Dec 2002, Eric Timme wrote:
> archives and finding any discussions. I've read over the general primer, but
> would like to read about some actual deployment of security when your
> headless gateway sits in a dark closet, accumulating dust.

I'm not sure which general primer you mean, so I'll post a few references to start... If you've already read through these, just disregard:

Handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

Man pages:
tuning(7)
security(7)
firewall(7)

You've probably already gleaned the handbook, but the man pages have been added and updated more recently and are often overlooked.
If you really want something hardcopy, the 2nd edition of _Building Internet Firewalls_ is probably a good read (I still refer to my first ed. once in a while):

http://www.oreilly.com/catalog/fire2/

> Currently I have a pretty restrictive set of firewall rules in place, allowing
> only http and ssh traffic from the outside, and I require DES public/private
> keys for ssh access. There is a single user account on the gateway, and root

Consult the man pages above, and triple check your rule chains. Making sure rules are as restrictive as possible, carefully tuning timeouts to your needs, etc.

> logins are disallowed from all but console. The gateway is doing a single
> NFS export of my public_html directory for easy access from an internal
> FreeBSD gateway.

Can you export this from a "more trusted" (i.e. farther from the hostile network) server r/o to the gateway? If someone did compromise the gateway, could they cause other clients on the network to read potentially hostile data?

If it's not feasible to move NFS, you should take checksums of critical files and compare running copies to the trusted backup at regular intervals. This is probably a good idea anyway... Be warned, it takes some tweaking to checksum enough critical files to catch intruders w/o checksumming so many that the system slows to a crawl while the security check is running. :)

Routine backups, if you value the data (most likely the NFS export), are a good idea as well. If you suspect a compromise, you want to be able to a) compare the current system (or significant parts of it) to a "known good" image and b) restore a working system as quickly as possible if evidence of a compromise is found. This can be as simple as scp'ing a tarball to some backend machine, then writing the archive to CDR. Don't backup compromised data though... Schedule backups to run after your routine integrity checks.
> with this partitioning scheme I just barely fit, and use ad1 for additional
> space), and use secure level 2 for daily operations.

Tuning(7) will help here.

> I've been using snort with a remote acid installation with alright success,
> but it has never quite worked right, and am considering junking it, simply
> because I don't see a lot of other people using it, and it has only been of
> marginal success, spending more time picking up proxy scans from IRC and
> false positives than anything else.

When it comes to IDS, your best bet is to monitor the internal segment (i.e. what's just behind your firewall/gateway) and alarm on what you know should not be there. For the most part, that's how people avoid a seemingly endless flood of false positives. Heuristic algorithms are getting better all the time, but it's mostly just educational institutions and IDS developers monitoring external flows today.

> like to find something that could email me status updates daily, or bi-daily,
> ala the daily messages, which I currently forward to myself, to help reassure
> me nobody is poking around in it.

What sort of status updates do you have in mind? If you're forwarding the daily/monthly/etc. reports, you will be given useful statistics about the machine. What other statistics would you like to monitor? You can script and cron just about anything. A sort of "security through obscurity" advantage this may have is that a potential intruder may know where to disable the default reports... But may overlook an obscure cronjob that will end up catching him/her.

I think a combination of the things mentioned here and in the man pages will lead to an environment with a reasonable level of trust.
Good luck,

From owner-freebsd-security Mon Dec 9 14:55:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72BD037B401 for ; Mon, 9 Dec 2002 14:55:57 -0800 (PST)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C64143EBE for ; Mon, 9 Dec 2002 14:55:56 -0800 (PST) (envelope-from fgleiser@cactus.fi.uba.ar)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.12.3/8.12.3) with ESMTP id gB9Mtd2b012364 for ; Mon, 9 Dec 2002 19:55:39 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar)
Date: Mon, 9 Dec 2002 19:55:34 -0300 (ART)
From: Fernando Gleiser
To: security@freebsd.org
Subject: (slightly OT) IPSec with dynamic IP
Message-ID: <20021209195332.X5648-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Status: No, hits=-100.0 required=5.0 tests=USER_IN_WHITELIST version=2.31

I'm sorry if this is OT for -security. I sent it to -questions but got no answer.

I need to set up a VPN between a corporate LAN and roaming users. The firewall is a FreeBSD 4.7 box with ipf/ipnat and will act as a security gateway for the tunnel.

On the other side there are several Win2K/XP boxes connected to the Internet via DSL/cable modem/dialup/carrier pigeon/whatever and they have a different IP every time they connect.

The problem is: every single doc/tutorial/man page/ I've read says how to set up the SA with static IPs, but now one side is dynamic.

So the questions are:

1. Is this possible?
2. If it's possible, can I do it with IKE/ISAKMP?
3. Does anybody have a pointer to a doc which says how to do it? I'll rtfm, just tell me where the fm is :)

Thanks

Fer

Fer
"When I say "dogs", I'm talking about dogs, which are large, bounding, salivating animals, usually with bad breath. I am not talking about those little squeaky things you can hold on your lap and carry around. Zoologically speaking, these are not dogs at all; they are members of the pillow family." Dave Barry.

From owner-freebsd-security Mon Dec 9 15: 0:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0142A37B401 for ; Mon, 9 Dec 2002 15:00:48 -0800 (PST)
Received: from proxy.centtech.com (moat.centtech.com [207.200.51.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id C17FF43EC2 for ; Mon, 9 Dec 2002 15:00:46 -0800 (PST) (envelope-from anderson@centtech.com)
Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id gB9N0Uc26892; Mon, 9 Dec 2002 17:00:30 -0600 (CST)
Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id gB9N0Uv05031; Mon, 9 Dec 2002 17:00:30 -0600 (CST)
Received: from centtech.com (electron [204.177.173.173]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id gB9N0Rp05024; Mon, 9 Dec 2002 17:00:27 -0600 (CST)
Message-ID: <3DF52076.4020700@centtech.com>
Date: Mon, 09 Dec 2002 17:00:06 -0600
From: Eric Anderson
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Fernando Gleiser
Cc: security@freebsd.org
Subject: Re: (slightly OT) IPSec with dynamic IP
References: <20021209195332.X5648-100000@cactus.fi.uba.ar>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by AMaViS perl-11

Fernando Gleiser wrote:
> I'm sorry if this is OT for -security. I sent it to -questions but
> got no answer.
>
> I need to set up a VPN between a corporate LAN and roaming users. The
> firewall is a FreeBSD 4.7 box with ipf/ipnat and will act as a security
> gateway for the tunnel.
>
> On the other side there are several Win2K/XP boxes connected to the
> Internet via DSL/cable modem/dialup/carrier pigeon/whatever and they have
> a different IP every time they connect.
>
> The problem is: every single doc/tutorial/man page/ I've read says how to
> set up the SA with static IPs, but now one side is dynamic.
>
> So the questions are:
>
> 1. Is this possible?
> 2. If it's possible, can I do it with IKE/ISAKMP?
> 3. Does anybody have a pointer to a doc which says how to do it? I'll rtfm,
> just tell me where the fm is :)

1. Yes, it is possible.. You'll have to do something with certificates probably, or use mpd on the server end. There are other solutions, those are just a few things..

2. Maybe.. Are you trying to connect each individual windows box, or are you going to have a firewall/gateway that does this for all of them (the entire lan)?

3. I don't know .. maybe... I have this working, so maybe I should write one up.. :)

Eric

--
------------------------------------------------------------------
Eric Anderson    Systems Administrator    Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------

From owner-freebsd-security Mon Dec 9 18:40:25 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B87537B401 for ; Mon, 9 Dec 2002 18:40:24 -0800 (PST)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B62D43EB2 for ; Mon, 9 Dec 2002 18:40:23 -0800 (PST) (envelope-from fgleiser@cactus.fi.uba.ar)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.12.3/8.12.3) with ESMTP id gBA2e42b013911; Mon, 9 Dec 2002 23:40:04 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar)
Date: Mon, 9 Dec 2002 23:40:04 -0300 (ART)
From: Fernando Gleiser
To: Eric Anderson
Cc: security@freebsd.org
Subject: Re: (slightly OT) IPSec with dynamic IP
In-Reply-To: <3DF52076.4020700@centtech.com>
Message-ID: <20021209233412.H5648-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Status: No, hits=-103.4 required=5.0 tests=IN_REP_TO,USER_IN_WHITELIST version=2.31

On Mon, 9 Dec 2002, Eric Anderson wrote:
> 1. Yes, it is possible.. You'll have to do something with certificates
> probably, or use mpd on the server end. There are other solutions,
> those are just a few things..

It *has* to be IPSec (corporate policy), so mpd as PPTP server is out of the question.

>
> 2. Maybe.. Are you trying to connect each individual windows box, or
> are you going to have a firewall/gateway that does this for all of them
> (the entire lan)?

I want each of the remote Windows boxes to see the corporate LAN.
We have a FreeBSD box as firewall, which will be the local node of the tunnel.

>
> 3. I don't know .. maybe... I have this working, so maybe I should
> write one up.. :)

Well, if you have some config files I can use as an example (with the names and IP changed to protect the innocent, of course), I'd be very grateful.

Fer

>
> Eric
>
>
> --
> ------------------------------------------------------------------
> Eric Anderson    Systems Administrator    Centaur Technology
> Beware the fury of a patient man.
> ------------------------------------------------------------------
>
>

From owner-freebsd-security Mon Dec 9 18:42:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E7E2C37B401 for ; Mon, 9 Dec 2002 18:42:21 -0800 (PST)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9111843EB2 for ; Mon, 9 Dec 2002 18:42:20 -0800 (PST) (envelope-from fgleiser@cactus.fi.uba.ar)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.12.3/8.12.3) with ESMTP id gBA2gA2b013928 for ; Mon, 9 Dec 2002 23:42:10 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar)
Date: Mon, 9 Dec 2002 23:42:10 -0300 (ART)
From: Fernando Gleiser
To: security@freebsd.org
Subject: Re: (slightly OT) IPSec with dynamic IP
In-Reply-To: <20021209230602.GA45169@yazzy.org>
Message-ID: <20021209234030.D5648-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Status: No, hits=-103.4 required=5.0 tests=IN_REP_TO,USER_IN_WHITELIST version=2.31

On Tue, 10 Dec 2002, Marcin M. Jessa wrote:
> Hi Fernando.
>
> Yeah, it is possible.
> The easiest way both for you and your clients would be to use
> /usr/ports/net/mpd/
> It creates vpn tunnel over pptp.

I thought about it, but I have to use IPSec. The corporate policy says so.

Fer

From owner-freebsd-security Tue Dec 10 2: 6:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2541237B401 for ; Tue, 10 Dec 2002 02:06:33 -0800 (PST)
Received: from codeblau.de (codeblau.walledcity.de [212.84.209.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3290743EBE for ; Tue, 10 Dec 2002 02:06:26 -0800 (PST) (envelope-from stephan-freebsd-security@eckner.org)
Received: (qmail 31191 invoked by uid 103); 10 Dec 2002 10:06:28 -0000
Date: Tue, 10 Dec 2002 11:06:28 +0100
From: Stephan Eckner
To: freebsd-security@freebsd.org
Subject: Re: gateway security?
Message-ID: <20021210100628.GB31091@knuth.codeblau.de>
Mail-Followup-To: freebsd-security@freebsd.org
References: <200212091317.15077.timothy@voidnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200212091317.15077.timothy@voidnet.com>
User-Agent: Mutt/1.3.27i

On Mon, Dec 09, 2002 at 01:17:15PM -0600, Eric Timme wrote:
<--snip-->
> I'm planning to deploy aide with a write protected diskette, but would like
> some advice as to other products to look into; I don't access the machine

aide works quite well. If you're looking for a more lightweight implementation, have a look at http://integrit.sourceforge.net/ (you'll find it in the ports as well).
Don't forget to put the statically linked binary on the protected disk as well, or, even better: put the database, the config-file and the binary on some _other_ machine, have a cron-job running on that other machine that rsyncs all three files and then runs the verification via ssh :)

I wrote some (very simple) shell-scripts to do that for me; if you're interested, send me private mail.

Hope it helps,
Stephan

--
Stephan Eckner http://www.eckner.org/

From owner-freebsd-security Tue Dec 10 9:46:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C2CFE37B401 for ; Tue, 10 Dec 2002 09:46:39 -0800 (PST)
Received: from tagish.taiga.ca (tagish.taiga.ca [204.209.164.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3711643EBE for ; Tue, 10 Dec 2002 09:46:39 -0800 (PST) (envelope-from campbell@tagish.taiga.ca)
Received: (from campbell@localhost) by tagish.taiga.ca (8.9.3/8.9.1) id KAA18890; Tue, 10 Dec 2002 10:46:28 -0700
Date: Tue, 10 Dec 2002 10:46:28 -0700
From: Duncan Campbell
Message-Id: <200212101746.KAA18890@tagish.taiga.ca>
To: freebsd-security@FreeBSD.ORG, stephan-freebsd-security@eckner.org
Subject: Re: gateway security?

I am posting from this address as there appears to be something seriously wrong with this list or its administration. I cannot post. I cannot unsubscribe. I keep getting more junk mail from it. This has been so since August.
Duncan Campbell

From owner-freebsd-security Tue Dec 10 11:28:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9E10F37B401 for ; Tue, 10 Dec 2002 11:28:38 -0800 (PST)
Received: from web41302.mail.yahoo.com (web41302.mail.yahoo.com [66.218.93.51]) by mx1.FreeBSD.org (Postfix) with SMTP id 95D8C43EC5 for ; Tue, 10 Dec 2002 11:28:37 -0800 (PST) (envelope-from duckbreath@yahoo.com)
Message-ID: <20021210192837.88790.qmail@web41302.mail.yahoo.com>
Received: from [12.155.142.123] by web41302.mail.yahoo.com via HTTP; Tue, 10 Dec 2002 11:28:37 PST
Date: Tue, 10 Dec 2002 11:28:37 -0800 (PST)
From: Duckbreath
Subject: Privsep
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi!

I know awhile back there was a little ruckus and next thing I knew it, I was getting 'sshd' and 'www' users in my group with the newest versions of the FreeBSD RELEASE. Hip hip hooray! These look useful. I should have used them earlier -- if I knew how.

Anyway, the status quo is I'm still running too much under root and I want to take advantage of this priv sep business. Now I went searching through the handbook, and here is what I concluded:

1) It is not in the handbook, OR
2) I am very lousy at going through the handbook.

So how do I get sshd to run off the sshd user? Would apache be cooperative with the www user as well, or is that more tricky? These are not ports I'm using -- I like to download from source directly from the ssh/apache folks. So umm.. how do I get this privsep thing going for me?

Sorry about the Yahoo account (and the do you Yahoo!? signature you are about to receive), but I don't want to lure every scripter and blackhat in the known universe to run screaming 'root daemon! root daemon! attack attack!!!'....

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

From owner-freebsd-security Tue Dec 10 11:37: 6 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 29BB137B401 for ; Tue, 10 Dec 2002 11:37:05 -0800 (PST)
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF49143E4A for ; Tue, 10 Dec 2002 11:37:04 -0800 (PST) (envelope-from emechler@radix.cryptio.net)
Received: from radix.cryptio.net (localhost [127.0.0.1]) by radix.cryptio.net (8.12.6/8.12.6) with ESMTP id gBAJaxrK049332 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 10 Dec 2002 11:36:59 -0800 (PST) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.12.6/8.12.6/Submit) id gBAJaxP1049331; Tue, 10 Dec 2002 11:36:59 -0800 (PST) (envelope-from emechler)
Date: Tue, 10 Dec 2002 11:36:59 -0800
From: Erick Mechler
To: Duckbreath
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Privsep
Message-ID: <20021210193659.GI458@techometer.net>
References: <20021210192837.88790.qmail@web41302.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021210192837.88790.qmail@web41302.mail.yahoo.com>
User-Agent: Mutt/1.4i

:: So how do I get sshd to run off the sshd user?
:: Would apache be cooperative with the www user as well,
:: or is that more tricky?

Privsep is just an sshd thing right now. If you do a system upgrade via source, the new user should get setup, and the appropriate chroot environment will as well (/var/empty). To enable sshd privsep, set

    UsePrivilegeSeparation yes

in /etc/ssh/sshd_config.

As for running Apache as the www user, set

    User www
    Group www

in your httpd.conf file. Make sure that the user and group you choose can read all the files in your DocumentRoot, too. The parent process will continue to run as root (binding to privileged ports and all), but the children will run as www.

Hope this helps...

Cheers - Erick

From owner-freebsd-security Tue Dec 10 12:50:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF95F37B40D for ; Tue, 10 Dec 2002 12:50:52 -0800 (PST)
Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 43C2743ED1 for ; Tue, 10 Dec 2002 12:50:52 -0800 (PST) (envelope-from mike@adept.org)
Received: by fubar.adept.org (Postfix, from userid 1001) id 6352215247; Tue, 10 Dec 2002 12:47:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 6290715213 for ; Tue, 10 Dec 2002 12:47:42 -0800 (PST)
Date: Tue, 10 Dec 2002 12:47:42 -0800 (PST)
From: Mike Hoskins
To: security@freebsd.org
Subject: Re: (slightly OT) IPSec with dynamic IP
In-Reply-To: <20021209234030.D5648-100000@cactus.fi.uba.ar>
Message-ID: <20021210124647.V80252-100000@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 9 Dec 2002, Fernando Gleiser wrote:
> > The easiest way both for you and your clients would be to use
> > /usr/ports/net/mpd/
> I thought about it, but I have to use IPSec. The corporate policy says so.

Google says,

http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html

Any luck with that?

--
Mike Hoskins                This message is RFC 1855 compliant,
mike@adept.org              www.adept.org/~mike/pub/rfcs/rfc1855.html

From owner-freebsd-security Tue Dec 10 13:15:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6ECEA37B401 for ; Tue, 10 Dec 2002 13:15:11 -0800 (PST)
Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E73143EC2 for ; Tue, 10 Dec 2002 13:15:11 -0800 (PST) (envelope-from mike@adept.org)
Received: by fubar.adept.org (Postfix, from userid 1001) id 3EC7D1527E; Tue, 10 Dec 2002 13:12:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 3E04115247 for ; Tue, 10 Dec 2002 13:12:01 -0800 (PST)
Date: Tue, 10 Dec 2002 13:12:01 -0800 (PST)
From: Mike Hoskins
To: freebsd-security@FreeBSD.ORG
Subject: Re: Privsep
In-Reply-To: <20021210193659.GI458@techometer.net>
Message-ID: <20021210130046.H80252-100000@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 10 Dec 2002, Erick Mechler wrote:
> Privsep is just an sshd thing right now.
> As for running Apache as the www user, set
> User www
> Group www

This is really the long-standing security premise of 'least privilege'.
The funny thing is, historically, when people first started saying 'Gee, we shouldn't run everything as root...' everybody started running things as 'nobody'. (Hey, it's got low privilges!) Of course that essentially made a nobody (operator, daemon, bin, etc.) compromise as valuable as a root compromise. Now I think we all agree running daemons as unique users is a good and relatively "common sense" practice... Just make sure you don't start clumping too many services into any one user. Also, take care to ensure that the users running your pocesses (should someone gain that privilege level) cannot read sensitive data owned by other users running critical services, etc. Mass acceptance of chroot() is making this much simpler, but can obviously have it's own problems as well. -- Mike Hoskins This message is RFC 1855 compliant, mike@adept.org www.adept.org/~mike/pub/rfcs/rfc1855.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 11 22:53:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3597837B401 for ; Wed, 11 Dec 2002 22:53:54 -0800 (PST) Received: from smtp01.wlv.untd.com (smtp01.wlv.untd.com [209.247.163.57]) by mx1.FreeBSD.org (Postfix) with SMTP id BCF9543E4A for ; Wed, 11 Dec 2002 22:53:53 -0800 (PST) (envelope-from idiot1@netzero.net) Received: (qmail 2038 invoked from network); 12 Dec 2002 06:53:52 -0000 Received: from dialup-65.59.83.201.dial1.tampa1.level3.net (HELO netzero.net) (65.59.83.201) by smtp01.wlv.untd.com with SMTP; 12 Dec 2002 06:53:52 -0000 Message-ID: <3DF83300.5020803@netzero.net> Date: Thu, 12 Dec 2002 01:56:00 -0500 From: Kirk Bailey Organization: Silas Dent Memorial Cabal of ERIS Esoteric and hot dog boiling society User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: 
To: freebsd-security@freebsd.org
Subject: subscribe

subscribe

-- 
end

Respectfully,
             Kirk D Bailey

+---------------------"Thou Art Free." -Eris-----------------------+
| http://www.howlermonkey.net mailto:highprimate@howlermonkey.net  |
| KILL spam dead!  http://www.scambusters.org/stopspam/#Pledge     |
| http://www.tinylist.org +--------+ mailto:grumpy@tinylist.org    |
+------------------Thinking| NORMAL |Thinking----------------------+
                           +--------+

From owner-freebsd-security Sat Dec 14 3:14:40 2002
From: Erwan Breton
To: freebsd-security@freebsd.org
Subject: Kernel log messages
Date: Sat, 14 Dec 2002 12:14:42 +0100
User-Agent: KMail/1.4.3
Message-Id: <200212141214.42931.breton@cri.ensmp.fr>

Hi,

Since I have activated the firewall on my box, I have many kernel log messages in my security check output every night. The problem is, I don't see interesting messages like bad login anymore.

athena kernel log messages:
> <110>ipfw: 600 Deny TCP 80.14.195.215:3795 10.255.255.250:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:3801 192.168.10.210:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:3810 192.168.1.77:4661 out via tun0
> ipfw: 1600 Deny ICMP:3.3 192.168.1.2 80.14.195.215 in via tun0
> ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
> ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
> ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
> ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4191 192.168.17.200:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4193 192.168.100.99:4661 out via tun0
> ipfw: 700 Deny TCP 80.14.195.215:4198 172.16.1.50:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4217 192.168.19.1:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4222 192.168.99.1:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4227 192.168.200.107:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4234 192.168.0.23:4661 out via tun0
> ipfw: 600 Deny TCP 80.14.195.215:4236 10.1.251.1:4661 out via tun0
> ipfw: 800 Deny TCP 80.14.195.215:4242 192.168.1.6:4661 out via tun0
> Etc .. etc .. etc ...

main# uname -a
FreeBSD 4.7-STABLE #10: Thu Nov 28 19:00:13 CET 2002

I just activated the firewall (I think :o) )

If you need more config (like syslog.conf), tell me.

Thanks for ideas and answers.

-- 
R1 Bzh!!!
From owner-freebsd-security Sat Dec 14 7:59:32 2002
Date: Sat, 14 Dec 2002 17:58:53 +0200
From: Peter Pentchev
To: Erwan Breton
Cc: freebsd-security@freebsd.org
Subject: Re: Kernel log messages
Message-ID: <20021214155853.GA405@straylight.oblivion.bg>
References: <200212141214.42931.breton@cri.ensmp.fr>
In-Reply-To: <200212141214.42931.breton@cri.ensmp.fr>

On Sat, Dec 14, 2002 at 12:14:42PM +0100, Erwan Breton wrote:
> Hi,
>
> Since I have activated the firewall on my box, I have many kernel log
> messages in my security check output every night. The problem is, I don't see
> interesting messages like bad login anymore.
>
> athena kernel log messages:
[snip ipfw log messages]
>
> main# uname -a
> FreeBSD 4.7-STABLE #10: Thu Nov 28 19:00:13 CET 2002
> I just activated the firewall (I think :o) )
>
> If you need more config (like syslog.conf), tell me.
>
> Thanks for ideas and answers.

What exactly is the problem: that those messages are hiding the rest of the information in your logfiles?

You can easily turn ipfw logging off: it is currently logging verbosely because of one of two reasons - either you have an 'option IPFIREWALL_VERBOSE' in your kernel config file, or you have 'firewall_logging="yes"' in your /etc/rc.conf file. To turn ipfw logging off, either remove the firewall_logging="yes" line from /etc/rc.conf, or add a net.inet.ip.fw.verbose=0 line to /etc/sysctl.conf. Both of these will take effect upon your next reboot, when the startup scripts reread the configuration; if you want to turn off the verbose ipfw logging right now, issue the following command:

sysctl net.inet.ip.fw.verbose=0

Of course, neither of these will help if you have explicitly requested logging in one of your firewall rules: examine your firewall configuration and see if any of the rules has the 'log' keyword.

All this said, there is another option for having your cake and eating it, too: instructing syslog.conf to send ipfw log messages to another location. According to the ipfw manual page, the 'log' keyword causes ipfw to send kernel.security syslog messages; you could redirect those to a separate file, so that they do not interfere with your normal logging.

Hope this helps :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Thit sentence is not self-referential because "thit" is not a word.
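To keep the ipfw noise Erwan describes from drowning the rest of the nightly security output, here is an added shell example (not from the thread or from FreeBSD itself): it strips the optional syslog priority prefix, sums the ipfw denies per rule, action, protocol and direction, and passes everything that is not an ipfw line through unchanged. The log lines are constructed, modelled on the ones quoted above, with two non-ipfw lines mixed in.

```shell
#!/bin/sh
# Added example, not from the thread: triage the nightly "kernel log messages"
# so the ipfw denies become a short summary and the other lines stay visible.

# Constructed sample, modelled on the ipfw lines Erwan quoted, with two
# non-ipfw lines mixed in (the kind of message he no longer sees).
SAMPLE_LOG='<110>ipfw: 600 Deny TCP 80.14.195.215:3795 10.255.255.250:4661 out via tun0
ipfw: 800 Deny TCP 80.14.195.215:3801 192.168.10.210:4661 out via tun0
ipfw: 800 Deny TCP 80.14.195.215:3810 192.168.1.77:4661 out via tun0
login: 2 LOGIN FAILURES ON ttyv0
ipfw: 1600 Deny ICMP:3.3 192.168.1.2 80.14.195.215 in via tun0
ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
ipfw: 4000 Deny TCP 80.105.241.117:62104 80.14.195.215:139 in via tun0
sshd[2271]: Failed password for illegal user test from 10.0.0.5 port 1024 ssh2'

# Drop the "<NNN>" syslog priority prefix that the first line of Erwan's
# output carries, so every ipfw line starts with the same token.
strip_priority() {
    sed 's/^<[0-9]*>//'
}

# Summarise ipfw lines as "<count> rule <num> <action> <proto> <direction>",
# busiest first. Field layout: ipfw: RULE ACTION PROTO SRC DST DIR via IFACE.
# PROTO may carry an ICMP type/code suffix (ICMP:3.3); keep only the name.
ipfw_summary() {
    strip_priority |
    awk '$1 == "ipfw:" {
             proto = $4; sub(/:.*/, "", proto)
             key = "rule " $2 " " $3 " " proto " " $7
             count[key]++
         }
         END { for (k in count) print count[k], k }' |
    sort -rn
}

# Everything that is not an ipfw line: the part of the report worth reading.
non_ipfw() {
    strip_priority | grep -v '^ipfw: ' || true
}

printf '%s\n' "$SAMPLE_LOG" | ipfw_summary
echo '--- other messages ---'
printf '%s\n' "$SAMPLE_LOG" | non_ipfw
```

In daily use the printf would be replaced by reading the log file itself; Peter's syslog.conf redirect achieves the same separation at logging time rather than at review time.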