From owner-freebsd-security Mon Jan 20 2:13:31 2003
Date: Mon, 20 Jan 2003 12:13:23 +0200
From: Oleg Shevtsov
To: security@freebsd.org
Message-ID: <20030120101323.GA371@interexc.com>

Hi,
How do I give a specific user FTP but no shell access?
Ftpd's manual says:
    4. The user must have a standard shell returned by
       getusershell(3).
But I don't want to give a shell account.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 20 2:25:55 2003
Date: Mon, 20 Jan 2003 10:22:40 +0000
From: Olafur Osvaldsson
To: Oleg Shevtsov
Cc: security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20030120102240.GI66269@isnic.is>
In-Reply-To: <20030120101323.GA371@interexc.com>

Oleg,
Try using /sbin/nologin and remember to put it in /etc/shells

/Oli

On Mon, 20 Jan 2003, Oleg Shevtsov wrote:
>
> Hi,
> How do I give a specific user FTP but no shell access?
> Ftpd's manual says:
>     4. The user must have a standard shell returned by
>        getusershell(3).
> But I don't want to give a shell account.

--
Olafur Osvaldsson
Systems Administrator
Internet a Islandi hf.
Tel: +354 525-5291
Email: oli@isnic.is

From owner-freebsd-security Mon Jan 20 2:26:31 2003
Date: Mon, 20 Jan 2003 13:22:35 +0300
From: zhuravlev alexander
To: Oleg Shevtsov
Cc: security@freebsd.org
Subject: Re: your mail
Message-ID: <20030120102235.GA45357@hp.ulstu.ru>
In-Reply-To: <20030120101323.GA371@interexc.com>

On Mon, Jan 20, 2003 at 12:13:23PM +0200, Oleg Shevtsov wrote:
>
> Hi,
> How do I give a specific user FTP but no shell access?
> Ftpd's manual says:
>     4. The user must have a standard shell returned by
>        getusershell(3).
> But I don't want to give a shell account.

/sbin/nologin ?

--
zhuravlev alexander

From owner-freebsd-security Mon Jan 20 2:36:32 2003
Date: Mon, 20 Jan 2003 12:36:26 +0200
From: Oleg Shevtsov
To: Olafur Osvaldsson
Cc: security@freebsd.org
Subject: Re: your mail
Message-ID: <20030120103626.GA1272@interexc.com>
In-Reply-To: <20030120102240.GI66269@isnic.is>

Thank you, now I know about /etc/shells :)
All working fine.

On Mon, Jan 20, 2003 at 10:22:40AM +0000, Olafur Osvaldsson wrote:
>
>Oleg,
>Try using /sbin/nologin and remember to put it in /etc/shells
>
>/Oli
>
>On Mon, 20 Jan 2003, Oleg Shevtsov wrote:
>
>>
>> Hi,
>> How do I give a specific user FTP but no shell access?
>> Ftpd's manual says:
>>     4. The user must have a standard shell returned by
>>        getusershell(3).
>> But I don't want to give a shell account.
>
>--
>Olafur Osvaldsson
>Systems Administrator
>Internet a Islandi hf.
>Tel: +354 525-5291
>Email: oli@isnic.is

From owner-freebsd-security Mon Jan 20 5:59:16 2003
Message-Id: <5.2.0.9.2.20030120075839.021bfec8@mail.servplex.com>
Date: Mon, 20 Jan 2003 07:59:41 -0600
To: Oleg Shevtsov
From: Peter Elsner
Subject: Re:
Cc: freebsd-security@freebsd.org
In-Reply-To: <20030120101323.GA371@interexc.com>

Add a shell such as /sbin/nologin to your /etc/shells line.

At 12:13 PM 1/20/2003 +0200, you wrote:
>Hi,
>How do I give a specific user FTP but no shell access?
>Ftpd's manual says:
>    4. The user must have a standard shell returned by
>       getusershell(3).
>But I don't want to give a shell account.

----------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know', pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.
From owner-freebsd-security Mon Jan 20 6:24:10 2003
Message-ID: <3E2C05F2.7080208@borderware.com>
Date: Mon, 20 Jan 2003 09:21:38 -0500
From: David Bell
To: freebsd-security@freebsd.org
Subject: Vulnerability Note VU#412115
References: <5.2.0.9.2.20030120075839.021bfec8@mail.servplex.com>

Is FreeBSD vulnerable to the following, and if so is it being addressed?

http://www.kb.cert.org/vuls/id/412115

From owner-freebsd-security Mon Jan 20 8:50:47 2003
Message-Id: <200301201650.h0KGoeJi088072@intruder.bmah.org>
To: Udo Erdelhoff
Cc: freebsd-doc@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, bmah@FreeBSD.ORG
Subject: Re: Putting MD5 checksums on the web site
In-Reply-To: <20030120065252.GB173@nathan.ruhr.de>
References: <20030120065252.GB173@nathan.ruhr.de>
Comments: In-reply-to Udo Erdelhoff message dated "Mon, 20 Jan 2003 07:52:52 +0100."
From: bmah@FreeBSD.ORG (Bruce A. Mah)
Reply-To: bmah@FreeBSD.ORG
Date: Mon, 20 Jan 2003 08:50:40 -0800

If memory serves me right, Udo Erdelhoff wrote:

> some time ago, Bruce added the MD5 checksums for the 4.7 ISOs to
> the release notes website (www/en/releases/4.7R/CHECKSUM-i386.MD5
> in the CVS repository). I think this is a good idea that should
> be repeated for 5.0. I could assemble the file easily enough from
> the various CHECKSUM.MD5 files for the different platforms by
> sampling the mirrors.

Just for the record, it was Murray who did this, not Bruce. :-)

It's not an institutionalized policy, though I think it's a good idea.
(Personally, I like the thought of putting the checksums in the release
announcement.)

> However, I think it would be a better idea to have that file assembled
> and PGP-signed by the security-officer before adding it.

Signing by one of the release engineers or by the security-officer team
would be a Good Thing (TM). If the RE team had a shared signing key, we
could use it for this, but we don't. Maybe we should, but that's another
issue.

Cheers,

Bruce.
From owner-freebsd-security Mon Jan 20 13:39:47 2003
Date: Mon, 20 Jan 2003 13:39:30 -0800
From: "Crist J. Clark"
To: David Bell
Cc: freebsd-security@freebsd.org
Subject: Re: Vulnerability Note VU#412115
Message-ID: <20030120213930.GA34751@blossom.cjclark.org>
In-Reply-To: <3E2C05F2.7080208@borderware.com>

On Mon, Jan 20, 2003 at 09:21:38AM -0500, David Bell wrote:
>
> Is FreeBSD vulnerable to the following, and if so is it being addressed?
>
> http://www.kb.cert.org/vuls/id/412115

Yes, many FreeBSD network drivers display this behavior. If you followed
any of the later discussion by the authors on several mailing lists,
FreeBSD was one of many OSes on which they duplicated the problem.

As for whether the "vulnerability" is being addressed, this issue has
been known about for a long, long time, but has never been regarded as a
priority. The real security exposure here is quite small. The cost of
potentially breaking stuff and hurting performance has never been seen to
be worth the effort of a sweep.

I personally am not aware of a concerted effort to go through all of the
Ethernet drivers to zero out extra memory, but someone may be doing it...
It's a bit of a PITA and there is not a whole lot the Project can do about
binary-only drivers supplied by some vendors.

--
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Mon Jan 20 14:11: 6 2003
Date: Mon, 20 Jan 2003 14:10:54 -0800
From: "Crist J. Clark"
To: security@freebsd.org, net@freebsd.org
Subject: ftpd.c DoS Fix
Message-ID: <20030120221054.GB34751@blossom.cjclark.org>

The current design of the FTP daemon leaves it open to denial of service
attacks where an attacker can lock out all other users from making PORT
(active) data connections. This DoS is mitigated by the fact that the
attacker must have a valid login on the server (although anonymous access
will do) and that PASV (passive) mode is not affected.

The problem lies in the way in which the server fails when it tries to
open a data connection in active mode. If the connection attempt fails
with an EADDRINUSE error, the server waits and tries the connection again.
During this wait period (90 seconds is the hard-coded value), the process
is bound to port 20, using the bind() call. This is an exclusive bind().
No other processes may bind() to port 20 for this 90 second wait. This
locks all other processes from setting up active data connections during
this 90 second wait. Once the 90 seconds is up, the attacker can easily
start another 90 second wait. The result is that an attacker with limited
resources can prevent all other users from making data connections,
rendering the server almost useless.

I will describe an example of how to attack. It is trivial to automate
with a Perl script, but I will not be providing such a tool on a public
list.
1) Using a telnet client, log into the test victim FTP server (obviously, this should be your server and it's availability should not be critical). 2) Set up a data connection to your attacker host. 3) Set up a listening process on the attacker on the right port for the data connection. 4) Do a LIST command. 5) Using the same port you used in (2), repeat (2), (3), and (4). (You can't wait to long between (4) and (5) in this example, since we are choking things up by trying to run over our previous connection still in the TIME_WAIT state.) That's it. You will have locked out all other data connections. During the 90 seconds, try firing up another FTP session to the host and try to do anything involving an active data connection (make sure you're not using passive mode, in FreeBSD's ftp client, type 'pass'). I have a quick fix for this. Instead of holding onto our bind() of 20 while we wait, we release, and bind() again at our next try. The inline patch below shows the diff without whitespace changes. A complete diff is attached. The diffs are from HEAD, but it should apply to any RELENG_* branch fine. Unless anyone has some objections, I plan to commit this to HEAD and RELENG_4 today and see about re@ and security-officer@ approval for other branches. As a final note, I came across this bug in a different vendor's FTP daemon before checking if FreeBSD was vulnerable. You might want to check you favorite FTP daemon today. Index: ftpd.c =================================================================== RCS file: /export/freebsd/ncvs/src/libexec/ftpd/ftpd.c,v retrieving revision 1.132 diff -u -b -r1.132 ftpd.c --- ftpd.c 16 Jan 2003 14:25:32 -0000 1.132 +++ ftpd.c 20 Jan 2003 21:26:39 -0000 @@ -1772,7 +1772,7 @@ { char sizebuf[32]; FILE *file; - int retry = 0, tos; + int retry = 0, tos, conerrno; file_size = size; byte_count = 0; 
@@ -1840,6 +1840,7 @@ if (usedefault) data_dest = his_addr; usedefault = 1; + do { file = getdatasock(mode); if (file == NULL) { char hostbuf[BUFSIZ], portbuf[BUFSIZ]; @@ -1852,16 +1853,22 @@ return (NULL); } data = fileno(file); - while (connect(data, (struct sockaddr *)&data_dest, - data_dest.su_len) < 0) { - if (errno == EADDRINUSE && retry < swaitmax) { + conerrno = 0; + if (connect(data, (struct sockaddr *)&data_dest, + data_dest.su_len) == 0) + break; + conerrno = errno; + (void) fclose(file); + data = -1; + if (conerrno == EADDRINUSE) { sleep((unsigned) swaitint); retry += swaitint; - continue; + } else { + break; } + } while (retry <= swaitmax); + if (conerrno != 0) { perror_reply(425, "Can't build data connection"); - (void) fclose(file); - data = -1; return (NULL); } reply(150, "Opening %s mode data connection for '%s'%s.", -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org --HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ftpd.diff" Index: ftpd.c =================================================================== RCS file: /export/freebsd/ncvs/src/libexec/ftpd/ftpd.c,v retrieving revision 1.132 diff -u -r1.132 ftpd.c --- ftpd.c 16 Jan 2003 14:25:32 -0000 1.132 +++ ftpd.c 20 Jan 2003 21:26:39 -0000 @@ -1772,7 +1772,7 @@ { char sizebuf[32]; FILE *file; - int retry = 0, tos; + int retry = 0, tos, conerrno; file_size = size; byte_count = 0; 
@@ -1840,28 +1840,35 @@ if (usedefault) data_dest = his_addr; usedefault = 1; - file = getdatasock(mode); - if (file == NULL) { - char hostbuf[BUFSIZ], portbuf[BUFSIZ]; - getnameinfo((struct sockaddr *)&data_source, - data_source.su_len, hostbuf, sizeof(hostbuf) - 1, - portbuf, sizeof(portbuf), - NI_NUMERICHOST|NI_NUMERICSERV); - reply(425, "Can't create data socket (%s,%s): %s.", - hostbuf, portbuf, strerror(errno)); - return (NULL); - } - data = fileno(file); - while (connect(data, (struct sockaddr *)&data_dest, - data_dest.su_len) < 0) { - if (errno == EADDRINUSE && retry < swaitmax) { + do { + file = getdatasock(mode); + if (file == NULL) { + char hostbuf[BUFSIZ], portbuf[BUFSIZ]; + getnameinfo((struct sockaddr *)&data_source, + data_source.su_len, hostbuf, sizeof(hostbuf) - 1, + portbuf, sizeof(portbuf), + NI_NUMERICHOST|NI_NUMERICSERV); + reply(425, "Can't create data socket (%s,%s): %s.", + hostbuf, portbuf, strerror(errno)); + return (NULL); + } + data = fileno(file); + conerrno = 0; + if (connect(data, (struct sockaddr *)&data_dest, + data_dest.su_len) == 0) + break; + conerrno = errno; + (void) fclose(file); + data = -1; + if (conerrno == EADDRINUSE) { sleep((unsigned) swaitint); retry += swaitint; - continue; + } else { + break; } + } while (retry <= swaitmax); + if (conerrno != 0) { perror_reply(425, "Can't build data connection"); - (void) fclose(file); - data = -1; return (NULL); } reply(150, "Opening %s mode data connection for '%s'%s.", --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 20 14:56:26 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A4FA37B401 for ; Mon, 20 Jan 2003 14:56:24 -0800 (PST) Received: from HAL9000.homeunix.com (12-233-57-224.client.attbi.com [12.233.57.224]) by mx1.FreeBSD.org (Postfix) with ESMTP 
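Review bot: `conerrno` in the `int retry = 0, tos, conerrno;` hunk is left uninitialized and is only assigned inside the new do/while body. That body always runs at least once and sets `conerrno = 0` before connect(), so the later `if (conerrno != 0)` is safe as written, but initializing it at the declaration (`int retry = 0, tos, conerrno = 0;`) states that invariant explicitly and keeps a maybe-uninitialized warning from appearing if the loop is restructured later.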
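Review bot: moving `getdatasock(mode)` inside the `do {` loop is what releases the port 20 bind between attempts, but it also means that a getdatasock() failure on a later iteration now ends the whole transfer with the 425 "Can't create data socket" reply instead of another wait. After this change a competing ftpd process may legitimately hold port 20 for a moment while this one is between retries, so it is worth confirming that getdatasock() itself tolerates a transient EADDRINUSE from its bind() rather than failing on the first one. Note also that the inline `diff -u -b` hides the re-indentation of this block; the attached ftpd.diff shows the hunk in full and is the copy to review.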
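Review bot: in the connect-loop hunk, `perror_reply(425, "Can't build data connection")` now runs after `(void) fclose(file);` and, on the EADDRINUSE path, after `sleep()`, so the errno it formats may no longer be the connect() error that was saved in `conerrno`; set `errno = conerrno;` immediately before the perror_reply() call (or report strerror(conerrno) through reply(), as the getdatasock() failure path already does with strerror(errno)) so the client sees the real reason. Separately, the loop sleeps swaitint after every failed attempt and only then tests `retry <= swaitmax`, so a data connection that never succeeds costs one extra swaitint sleep after the final attempt before the 425 goes out; testing `retry < swaitmax` before sleeping, as the old `while` did, avoids that trailing wait.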
Date: Mon, 20 Jan 2003 14:56:09 -0800
From: David Schultz
To: zhuravlev alexander
Cc: Oleg Shevtsov, security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20030120225609.GB3668@HAL9000.homeunix.com>
In-Reply-To: <20030120102235.GA45357@hp.ulstu.ru>

Thus spake zhuravlev alexander:
> On Mon, Jan 20, 2003 at 12:13:23PM +0200, Oleg Shevtsov wrote:
> >
> > Hi,
> > How do I give a specific user FTP but no shell access?
> > Ftpd's manual says:
> >     4. The user must have a standard shell returned by
> >        getusershell(3).
> > But I don't want to give a shell account.
>
> /sbin/nologin ?

If you do it this way, you need to ensure that either the ``FTP-only''
users do not have home directories or that /sbin/nologin is statically
linked (the default). Otherwise, it is possible to exploit a bug (ahem,
feature) in OpenSSH to gain shell access on your box.
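The shell rule Oleg quoted from ftpd(8) and the home-directory caveat in the reply above, turned into an audit check. This is an added example, not FreeBSD code and not from anyone in the thread: it reads passwd(5) and /etc/shells text the way getusershell(3) does, reports which accounts ftpd would refuse, which are FTP-only and which have full shell access, and lists the FTP-only accounts that still own a home directory. The account names, file contents and function names are constructed.

```python
"""Audit ftpd(8)'s shell rule against passwd(5) and /etc/shells contents.

Added example for this thread, not FreeBSD code: it reproduces only rule 4
quoted above (the login shell must be one getusershell(3) returns) and the
home-directory caveat from David's reply.  All names and data are constructed.
"""

# getusershell(3) falls back to these two when /etc/shells cannot be read.
DEFAULT_SHELLS = ("/bin/sh", "/bin/csh")

# Shells that refuse an interactive login.  Listing one of them in
# /etc/shells is what turns an account into "FTP-only".
NOLOGIN_SHELLS = frozenset({"/sbin/nologin", "/usr/sbin/nologin"})


def parse_shells(text):
    """Mimic getusershell(3): absolute paths, one per line, '#' starts a comment."""
    shells = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.append(line)
    return shells or list(DEFAULT_SHELLS)


def parse_passwd(text):
    """Return {login: (home, shell)} from passwd(5)-formatted text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:      # ignore malformed lines (master.passwd has 10 fields)
            continue
        login, home, shell = fields[0], fields[5], fields[6]
        # ftpd, like login(1), treats an empty shell field as /bin/sh.
        accounts[login] = (home, shell or "/bin/sh")
    return accounts


def audit(passwd_text, shells_text):
    """Classify each account as ftpd(8) would: 'refused', 'ftp-only' or 'ftp+shell'."""
    allowed = set(parse_shells(shells_text))
    report = {}
    for login, (_home, shell) in parse_passwd(passwd_text).items():
        if shell not in allowed:
            report[login] = "refused"       # rule 4: shell not returned by getusershell(3)
        elif shell in NOLOGIN_SHELLS:
            report[login] = "ftp-only"      # FTP works, interactive login does not
        else:
            report[login] = "ftp+shell"     # a real shell account, with FTP on top
    return report


def nologin_caveats(passwd_text, shells_text):
    """FTP-only accounts that still own a home directory.  Per David's reply
    these are only safe while /sbin/nologin stays statically linked, so they
    deserve a second look after any change to the base system."""
    accounts = parse_passwd(passwd_text)
    return sorted(login
                  for login, status in audit(passwd_text, shells_text).items()
                  if status == "ftp-only" and accounts[login][0] != "/nonexistent")


# Constructed sample data for a stand-alone run.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
ftpbob:*:1002:1002:Bob, FTP only:/home/ftpbob:/sbin/nologin
ftpcarol:*:1003:1003:Carol, FTP only:/nonexistent:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/usr/local/bin/bash
"""

# Stock /etc/shells with /sbin/nologin appended, as the thread recommends.
SAMPLE_SHELLS = """\
# $FreeBSD$
/bin/sh
/bin/csh
/bin/tcsh
/sbin/nologin
"""

if __name__ == "__main__":
    for login, status in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items()):
        print(f"{login:10} {status}")
    # Without the /sbin/nologin line, ftpd refuses the FTP-only accounts outright.
    print("ftpbob without nologin in /etc/shells:",
          audit(SAMPLE_PASSWD, "/bin/sh\n/bin/csh\n")["ftpbob"])
    print("check static nologin for:", nologin_caveats(SAMPLE_PASSWD, SAMPLE_SHELLS))
```

Run against a real host by feeding it the contents of /etc/passwd and /etc/shells; an account that shows up as "refused" is exactly the case Oleg hit before /sbin/nologin was added to /etc/shells.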
From owner-freebsd-security Mon Jan 20 15:40:26 2003
Date: Mon, 20 Jan 2003 18:51:52 -0500
From: Anthony Schneider
To: David Schultz
Cc: zhuravlev alexander, Oleg Shevtsov, security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20030120235152.GA20708@x-anthony.com>
In-Reply-To: <20030120225609.GB3668@HAL9000.homeunix.com>

Statically linked? Is /sbin/nologin not a shell script anymore?
-Anthony.

On Mon, Jan 20, 2003 at 02:56:09PM -0800, David Schultz wrote:
> Thus spake zhuravlev alexander:
> > On Mon, Jan 20, 2003 at 12:13:23PM +0200, Oleg Shevtsov wrote:
> > >
> > > Hi,
> > > How do I give a specific user FTP but no shell access?
> > > Ftpd's manual says:
> > >     4. The user must have a standard shell returned by
> > >        getusershell(3).
> > > But I don't want to give a shell account.
> >
> > /sbin/nologin ?
>
> If you do it this way, you need to ensure that either the
> ``FTP-only'' users do not have home directories or that
> /sbin/nologin is statically linked (the default). Otherwise, it
> is possible to exploit a bug (ahem, feature) in OpenSSH to gain
> shell access on your box.
From owner-freebsd-security Mon Jan 20 16:24:46 2003
Date: Mon, 20 Jan 2003 16:24:28 -0800
From: "Crist J. Clark"
To: Anthony Schneider
Cc: David Schultz, zhuravlev alexander, Oleg Shevtsov, security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20030121002428.GF34751@blossom.cjclark.org>

On Mon, Jan 20, 2003 at 06:51:52PM -0500, Anthony Schneider wrote:
> statically linked?  is /sbin/nologin not a shell script anymore?

It is, but it invokes /bin/sh which is static and calls it with '-p'.

> On Mon, Jan 20, 2003 at 02:56:09PM -0800, David Schultz wrote:
> > Thus spake zhuravlev alexander :
> > > On Mon, Jan 20, 2003 at 12:13:23PM +0200, Oleg Shevtsov wrote:
> > > > 
> > > > Hi,
> > > > how to give specific user FTP but no shell access?
> > > > Ftpd's manual says:
> > > > 4. The user must have a standard shell returned by
> > > > getusershell(3).
> > > > But I don't want to give shell account.
> > > 
> > > /sbin/nologin ?
> > 
> > If you do it this way, you need to ensure that either the
> > ``FTP-only'' users do not have home directories or that
> > /sbin/nologin is statically linked (the default).  Otherwise, it
> > is possible to exploit a bug (ahem, feature) in OpenSSH to gain
> > shell access on your box.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Mon Jan 20 16:51:13 2003
Date: Mon, 20 Jan 2003 16:51:08 -0800
From: David Schultz
To: Anthony Schneider
Cc: zhuravlev alexander, Oleg Shevtsov, security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20030121005108.GA4575@HAL9000.homeunix.com>

Thus spake Anthony Schneider :
> statically linked?  is /sbin/nologin not a shell script anymore?

Sorry, I was thinking of OpenBSD, in which /sbin/nologin is a shell
script.  In the FreeBSD version, you are probably safe from
environment poisoning attacks provided that your /bin/sh is
statically linked.  It would be safer to use /usr/bin/false or a
simple C program, though, since a lot in libc depends on the
environment.
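The "simple C program" David suggests, written out as an added example (this is not code from the thread or from FreeBSD). It uses only raw system calls, so nothing it does depends on the environment a remote client can influence, and it ignores every argument, including the "-c command" form that sshd and ftpd hand to a login shell. Alongside it is a helper that approximates the /etc/shells lookup behind ftpd's rule 4 (getusershell(3)), the reason whatever shell an FTP-only account gets must also be listed there. The path /usr/local/sbin/nologin-static, the function names and the sample /etc/shells text are constructed for this example.

```c
/*
 * Added example, not from the thread or from FreeBSD: an environment-
 * independent "no login" shell for FTP-only accounts, plus the /etc/shells
 * check ftpd applies.  Build it static so no dynamic loader is involved
 * (path and file name are assumptions for this example):
 *
 *     cc -static -o /usr/local/sbin/nologin-static nologin.c
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

static const char kNotice[] = "This account is currently not available.\n";

/* write(2) the whole buffer, retrying on short writes and EINTR.
 * Returns 0 on success, -1 if the descriptor is unusable. */
int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/* The entire "shell": print the notice and fail.  argc/argv are ignored on
 * purpose, so "-c cmd" can never turn into command execution. */
int nologin_run(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    (void)write_all(STDERR_FILENO, kNotice, sizeof kNotice - 1);
    return 1;
}

/* ftpd only accepts users whose shell getusershell(3) returns, i.e. one
 * listed in /etc/shells.  This approximates that lookup over the file's
 * text: one path per line, '#' starts a comment, blank lines are skipped,
 * the match is exact after trimming blanks. */
int shell_is_listed(const char *shells_text, const char *shell)
{
    size_t slen = strlen(shell);
    const char *p = shells_text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        size_t i = 0, end = n;

        while (i < n && (p[i] == ' ' || p[i] == '\t'))
            i++;
        while (end > i && (p[end - 1] == ' ' || p[end - 1] == '\t'))
            end--;
        if (i < end && p[i] != '#' && end - i == slen &&
            memcmp(p + i, shell, slen) == 0)
            return 1;
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Constructed /etc/shells for the demonstration (not a real system's file). */
const char kSampleShells[] =
    "# /etc/shells: valid login shells (constructed sample)\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/usr/local/sbin/nologin-static\n";

int main(int argc, char **argv)
{
    return nologin_run(argc, argv);
}
```

The point of `shell_is_listed` is the check an administrator should make before assigning the shell: /usr/bin/false, for instance, is not in the sample listing, so ftpd would refuse the account until the chosen binary is added to /etc/shells.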
From owner-freebsd-security Mon Jan 20 17:29:15 2003
Date: Mon, 20 Jan 2003 20:40:37 -0500
From: Anthony Schneider
To: Robert Kraus
Cc: David Schultz, zhuravlev alexander, security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20030121014037.GA21880@x-anthony.com>

/usr/ports/sysutils/no-login looks like the one.

On Mon, Jan 20, 2003 at 08:10:51PM -0500, Robert Kraus wrote:
> David Schultz wrote:
> > 
> > statically linked.  It would be safer to use /usr/bin/false or a
> > simple C program, though, since a lot in libc depends on the
> > environment.
> 
> See (I think) /usr/ports/security/nologin
> 
> Bob K | melange@yip.org

From owner-freebsd-security Tue Jan 21 4:33:05 2003
Message-ID: <3E2D3E68.3070208@borderware.com>
Date: Tue, 21 Jan 2003 07:34:48 -0500
From: David Bell
To: "Crist J. Clark"
Cc: freebsd-security@freebsd.org
Subject: Re: Vulnerability Note VU#412115

Crist J. Clark wrote:
>On Mon, Jan 20, 2003 at 09:21:38AM -0500, David Bell wrote:
>
>>Is FreeBSD vulnerable to the following, and if so is it being addressed?
>>
>>http://www.kb.cert.org/vuls/id/412115
>>
>
>Yes, many FreeBSD network drivers display this behavior. If you
>followed any of the later discussion by the authors on several mailing
>lists, FreeBSD was one of many OSes on which they duplicated the
>problem.
>
>As for whether the "vulnerability" is being addressed, this issue has
>been known about for a long, long time, but has never been regarded as
>a priority. The real security exposure here is quite small. The
>cost of potentially breaking stuff and hurting performance has never
>been seen to be worth the effort of a sweep. I personally am not aware
>of a concerted effort to go through all of the Ethernet drivers to
>zero out extra memory, but someone may be doing it... It's a bit of a
>PITA and there is not a whole lot the Project can do about binary-only
>drivers supplied by some vendors.
>

It may be quite small, however image-wise it is not good IMHO that FreeBSD
is not doing anything to respond to this, or at least have some sort of
official statement.

You say many device drivers display this behavior, can you be more
specific? Or tell me which ones do not display the behavior?

Thanks,
~David Bell
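The driver-side fix Crist refers to, zeroing the padding before a short frame is transmitted, as an added example that is not from the thread or from any FreeBSD driver, together with a check a defender can run over captured frames to see whether a sender pads with stale memory. The function names, the constructed ARP frame and the 0xAA "stale buffer" pattern are assumptions made for this example; the 60-byte minimum is the Ethernet minimum frame size without the FCS.

```c
/*
 * Added example, not from the thread or from any FreeBSD driver: the
 * "zero out extra memory" fix for VU#412115 in isolation, plus an audit
 * check over captured frames.  Frames shorter than the Ethernet minimum
 * (60 bytes before the FCS) must be padded; a driver that pads from an
 * uncleared transmit buffer sends whatever those bytes last held.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN    14
#define ETHER_MIN_NOCRC  60   /* ETHER_MIN_LEN (64) minus the 4-byte FCS */

/* Pad a frame in place to the minimum length with zeros.  Returns the new
 * length, or 0 when the buffer cannot hold a padded frame (the caller must
 * then drop the packet rather than let the hardware pad it). */
size_t ether_pad_zero(uint8_t *buf, size_t len, size_t cap)
{
    if (len >= ETHER_MIN_NOCRC)
        return len;
    if (cap < ETHER_MIN_NOCRC)
        return 0;
    memset(buf + len, 0, ETHER_MIN_NOCRC - len);
    return ETHER_MIN_NOCRC;
}

/* Audit check: count non-zero bytes between the length the encapsulated
 * protocol claims (header + payload) and the end of the captured frame.
 * Any non-zero byte there is data the sender should never have emitted. */
size_t ether_pad_leak_bytes(const uint8_t *frame, size_t frame_len,
                            size_t claimed_len)
{
    size_t leaked = 0;
    for (size_t i = claimed_len; i < frame_len; i++)
        if (frame[i] != 0)
            leaked++;
    return leaked;
}

enum { kTxBufSize = 128, kArpFrameLen = ETHER_HDR_LEN + 28 };

/* Constructed scenario: a 42-byte ARP request (14-byte header + 28-byte
 * body) sits in a transmit buffer whose tail still holds a previous
 * packet's bytes (modelled as 0xAA).  With apply_fix == 0 the hardware is
 * handed 60 bytes as-is; with apply_fix != 0 the padding is zeroed first.
 * Returns the number of leaked padding bytes a capture would show. */
size_t arp_padding_leak(int apply_fix)
{
    uint8_t txbuf[kTxBufSize];
    static const uint8_t hdr[ETHER_HDR_LEN] = {
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* dst: broadcast */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* src: constructed MAC */
        0x08, 0x06                            /* EtherType ARP */
    };
    size_t len = kArpFrameLen;

    memset(txbuf, 0xAA, sizeof txbuf);        /* stale contents from earlier use */
    memcpy(txbuf, hdr, sizeof hdr);
    memset(txbuf + ETHER_HDR_LEN, 0x01, 28);  /* stand-in for the ARP body */

    if (apply_fix)
        len = ether_pad_zero(txbuf, len, sizeof txbuf);
    else
        len = ETHER_MIN_NOCRC;                /* buggy path: hardware pads */
    return ether_pad_leak_bytes(txbuf, len, kArpFrameLen);
}

int main(void)
{
    printf("leaked padding bytes: buggy=%zu fixed=%zu\n",
           arp_padding_leak(0), arp_padding_leak(1));
    return 0;
}
```

Running `ether_pad_leak_bytes` over frames captured from a host answers the question David asks, for that host's driver at least: a card or driver that is clean shows zero leaked bytes on every short frame.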
From owner-freebsd-security Tue Jan 21 7:16:37 2003
Date: Wed, 22 Jan 2003 00:16:21 +0900 (JST)
From: Tod McQuillin
To: security@freebsd.org
Subject: CVS remote vulnerability
Message-ID: <20030122001452.O455@glass.pun-pun.prv>

Heads up... http://security.e-matters.de/advisories/012003.html

I don't know if FreeBSD is affected but the advisory claims "I was also
able to create proof of concept code that uses this vulnerability to
execute arbitrary shell commands on BSD servers".
-- 
Tod McQuillin

From owner-freebsd-security Tue Jan 21 7:23:41 2003
Date: Tue, 21 Jan 2003 16:23:52 +0100
From: Stijn Hoop
To: Tod McQuillin
Cc: security@freebsd.org
Subject: Re: CVS remote vulnerability
Message-ID: <20030121152352.GG219@pcwin002.win.tue.nl>

On Wed, Jan 22, 2003 at 12:16:21AM +0900, Tod McQuillin wrote:
> 
> Heads up... http://security.e-matters.de/advisories/012003.html
> 
> I don't know if FreeBSD is affected but the advisory claims "I was also
> able to create proof of concept code that uses this vulnerability to
> execute arbitrary shell commands on BSD servers".

Hmmm, I don't get this:

The advisory claims that 'This does not apply to :pserver: method only',
but what other method exists where you don't have to have a shell account?
In other words, I have a CVS server where people use :ext: with
CVS_RSH=ssh. How can one compromise this setup without compromising SSH?

Or am I missing other CVS access methods?

--Stijn

-- 
SIGSIG -- signature too long (core dumped)

From owner-freebsd-security Tue Jan 21 7:38:45 2003
Date: Tue, 21 Jan 2003 16:38:56 +0100
From: Stijn Hoop
To: Tod McQuillin
Cc: freebsd-security@freebsd.org
Subject: Re: CVS remote vulnerability
Message-ID: <20030121153856.GH219@pcwin002.win.tue.nl>

On Wed, Jan 22, 2003 at 12:34:20AM +0900, Tod McQuillin wrote:
> On Tue, 21 Jan 2003, Stijn Hoop wrote:
> > The advisory claims that 'This does not apply to :pserver: method only',
> > but what other method exists where you don't have to have a shell account?
> > In other words, I have a CVS server where people use :ext: with
> > CVS_RSH=ssh. How can one compromise this setup without compromising SSH?
> 
> Even though there is a shell account, maybe the shell is set to cvs
> itself.  If so, normally you can't run anything but cvs but if you can
> exploit it then you can get a shell on the cvs server.

OK, thanks for explaining, I didn't think of that possibility. Fortunately
I only have trusted local users.

--Stijn

-- 
What would this sentence be like if it weren't self-referential?

From owner-freebsd-security Tue Jan 21 8:00:16 2003
Message-Id: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Limiting icmp unreach response from 231 to 200 packets per second
Date: Tue, 21 Jan 2003 10:00:08 -0600
From: Martin McCormick

	On rare occasions, a FreeBSD system in our network has
been known to print the example shown in the subject at a furious
rate for a short time and then things get back to normal.

	Is that what the effects of a ping flood look like?

	On one system running bind9, the named process died after
the syslog message said that packets had reached 243 per second,
but I was able to restart it within seconds of its crash. Only the
named process crashed, not the system.

	Any ideas as to what this is?

Martin McCormick WB5AGZ  Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

From owner-freebsd-security Tue Jan 21 8:08:18 2003
From: "Steve Crowder"
To: "Martin McCormick"
Subject: RE: Limiting icmp unreach response from 231 to 200 packets per second
Date: Tue, 21 Jan 2003 16:08:07 -0000

Hi

I too have had an identical experience on two machines recently, any input
much appreciated.

Or perhaps it's a BIND 9 specific problem...

Thanks
---
Steve Crowder
steve@crowders.org
http://www.crowders.org/

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Martin McCormick
Sent: 21 January 2003 16:00
To: freebsd-security@FreeBSD.ORG
Subject: Limiting icmp unreach response from 231 to 200 packets per second

	On rare occasions, a FreeBSD system in our network has
been known to print the example shown in the subject at a furious
rate for a short time and then things get back to normal.

	Is that what the effects of a ping flood look like?

	On one system running bind9, the named process died after
the syslog message said that packets had reached 243 per second,
but I was able to restart it within seconds of its crash. Only the
named process crashed, not the system.

	Any ideas as to what this is?

Martin McCormick WB5AGZ  Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

From owner-freebsd-security Tue Jan 21 8:11:11 2003
Date: Tue, 21 Jan 2003 10:13:57 -0600
From: Tillman
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030121101357.A9405@seekingfire.com>

On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> 	On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
> 
> 	Is that what the effects of a ping flood look like?

``Limiting icmp unreach response from 231 to 200 packets per second''

What you're seeing is the kernel limiting ICMP responses to 200/second.
If there are more than 200 ICMP requests per second, and you have
net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
occurs.

This could be an ICMP flood attack. It could also be legitimate traffic.
For your network, what would you consider to be a normal number of ICMP
requests per second? 231 packets/second is actually pretty slow if you're
on a high speed local network, so in that situation it's unlikely to be a
deliberate ping flood. I've had network monitoring tools that were badly
configured do something that looked much like this.

- Tillman

-- 
Page 41: Two of the most important Unix traditions are to share and to
help people.
	- Harley Hahn, _The Unix Companion_

From owner-freebsd-security Tue Jan 21 8:20:44 2003
Message-Id: <5.2.0.9.0.20030121111802.060ee170@marble.sentex.ca>
Date: Tue, 21 Jan 2003 11:24:24 -0500
To: Tillman, freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second

At 10:13 AM 21/01/2003 -0600, Tillman wrote:
>On Tue, Jan 21, 2003 at 10:00:08AM -0600, Martin McCormick wrote:
> > 	On rare occasions, a FreeBSD system in our network has
> > been known to print the example shown in the subject at a furious
> > rate for a short time and then things get back to normal.
> >
> > 	Is that what the effects of a ping flood look like?
>
>``Limiting icmp unreach response from 231 to 200 packets per second''
>
>What you're seeing is the kernel limiting ICMP responses to 200/second.
>If there are more than 200 ICMP requests per second, and you have
>net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
>occurs.

It could be a ping flood, but if it's happening after named dies, it's more
likely your kernel sending back messages to all the hosts asking for DNS
requests. i.e. since named is dead, you had 231 DNS requests coming in per
second. The kernel limits its response to the first 200 hosts, sending
back a message saying there is nothing listening on that port.

	---Mike

From owner-freebsd-security Tue Jan 21 8:27:24 2003
Date: Wed, 22 Jan 2003 02:27:15 +1000 (EST)
From: Andy Farkas
To: Mike Tancsa
Cc: Tillman
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030122022350.A54298-100000@hewey.af.speednet.com.au>

> > > 	On rare occasions, a FreeBSD system in our network has
> > > been known to print the example shown in the subject at a furious
> > > rate for a short time and then things get back to normal.
> > >
> > > 	Is that what the effects of a ping flood look like?
> >

Yes, that's exactly what happens when ping-flooded.

Note that only root can ping-flood.

> It could be a ping flood, but if its happening after named dies, its more
> likely your kernel sending back messages to all the hosts asking for DNS
> requests. i.e. since named is dead, you had 231 DNS requests coming in per
> second. The kernel, limits its response to the first 200 hosts, sending
> back a message saying there is nothing listening on that port.

He is talking about icmp packets - nothing to do with named.

-- 

 :{ andyf@speednet.com.au

        Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/

From owner-freebsd-security Tue Jan 21 8:28:55 2003
Message-Id: <200301211628.h0LGSkvD001493@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Tue, 21 Jan 2003 10:28:46 -0600
From: Martin McCormick

Tillman writes:
>What you're seeing is the kernel limiting ICMP responses to 200/second.
>If there are more than 200 ICMP requests per second, and you have
>net.inet.icmp.icmplim set to 200 via sysctl (the default value), this
>occurs.

	Thank you greatly. That makes perfect sense as I have never
changed that value. We do have a good and fast network so this is
more than likely legitimate but it is nice to know that the alarm
goes off if that limit for ICMP traffic is reached. That seems like
a valid limit to have at least for now.

Martin McCormick WB5AGZ  Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

From owner-freebsd-security Tue Jan 21 8:29:33 2003
Date: Tue, 21 Jan 2003 10:32:18 -0600
From: Tillman
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030121103218.C9405@seekingfire.com>

On Wed, Jan 22, 2003 at 02:27:15AM +1000, Andy Farkas wrote:
> 
> > > > 	On rare occasions, a FreeBSD system in our network has
> > > > been known to print the example shown in the subject at a furious
> > > > rate for a short time and then things get back to normal.
> > > >
> > > > 	Is that what the effects of a ping flood look like?
> > >
> 
> Yes, that's exactly what happens when ping-flooded.
> 
> Note that only root can ping-flood.
> 
> > It could be a ping flood, but if its happening after named dies, its more
> > likely your kernel sending back messages to all the hosts asking for DNS
> > requests. i.e. since named is dead, you had 231 DNS requests coming in per
> > second. The kernel, limits its response to the first 200 hosts, sending
> > back a message saying there is nothing listening on that port.
> 
> He is talking about icmp packets - nothing to do with named.

Yes, it is. TCP issues a tcp reset packet when the port is unavailable -
UDP can't do that, so it issues an ICMP port unreachable (which is what
he was limiting). It wasn't an ICMP echo response, which would be the
typical response to a ping flood.

-T

-- 
"Our opinions become fixed at the point where we stopped thinking."
	- Renan
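To make the numbers in the subject line concrete, here is an added example, not the kernel's code, that models the per-second limiter Tillman and Mike describe (the kernel routine is badport_bandlim() in netinet/ip_icmp.c; this user-space model follows its window-and-count behaviour, but every identifier here is constructed for the example). It replays Mike's scenario of 231 DNS queries reaching UDP port 53 while named is dead, each wanting an ICMP port unreachable in reply, and shows both why only 200 go out and why the log line still reports the full 231.

```c
/*
 * Added example, not the FreeBSD kernel's code: a user-space model of the
 * per-second ICMP response limiter that prints "Limiting icmp unreach
 * response from 231 to 200 packets per second".  Per response type the
 * kernel counts responses attempted in the current one-second window;
 * beyond net.inet.icmp.icmplim (default 200) the rest are dropped, and when
 * the next window opens it logs attempted-versus-limit for the window that
 * just closed.  So the line appears after the burst, and 231 is how many
 * datagrams hit a closed port that second, not how many ICMP packets left.
 */
#include <stdio.h>
#include <string.h>

enum { BANDLIM_ICMP_UNREACH = 0, BANDLIM_ICMP_ECHO = 1, BANDLIM_TYPES = 2 };

static const char *const kBandlimName[BANDLIM_TYPES] = {
    "Limiting icmp unreach response",
    "Limiting icmp ping response",
};

struct bandlim {
    int  limit;                        /* net.inet.icmp.icmplim; 0 disables */
    long window_start[BANDLIM_TYPES];  /* tick at which the window opened */
    int  attempted[BANDLIM_TYPES];     /* responses wanted in that window */
    char last_log[96];                 /* most recent log line, "" if none */
};

void bandlim_init(struct bandlim *b, int limit)
{
    memset(b, 0, sizeof *b);
    b->limit = limit;
}

/* The stack calls this each time it wants to send a response of type
 * `which` at tick `now` (`hz` ticks per second).  Returns 1 to send,
 * 0 to suppress. */
int bandlim_allow(struct bandlim *b, int which, long now, int hz)
{
    if (b->limit <= 0)
        return 1;
    if (now - b->window_start[which] > hz) {
        /* A new second: report the previous window only if it overflowed. */
        if (b->attempted[which] > b->limit)
            snprintf(b->last_log, sizeof b->last_log,
                     "%s from %d to %d packets per second",
                     kBandlimName[which], b->attempted[which], b->limit);
        b->window_start[which] = now;
        b->attempted[which] = 0;
    }
    return ++b->attempted[which] <= b->limit;
}

/* Replay the thread's scenario: named is down, 231 DNS queries hit UDP/53
 * within one second (each wants an ICMP port unreachable), then one more
 * arrives in the next second.  Returns how many unreachables were sent for
 * the burst; if `log` is given, the log line (possibly empty) is copied. */
int replay_dns_burst(int hz, int limit, char *log, size_t loglen)
{
    struct bandlim b;
    int sent = 0;
    long t0 = 1000;                    /* arbitrary tick at burst start */

    bandlim_init(&b, limit);
    for (int i = 0; i < 231; i++)      /* spread over ticks t0 .. t0+hz-1 */
        sent += bandlim_allow(&b, BANDLIM_ICMP_UNREACH,
                              t0 + (long)i * hz / 231, hz);
    /* The next second opens a new window and triggers the log line. */
    (void)bandlim_allow(&b, BANDLIM_ICMP_UNREACH, t0 + hz + 1, hz);

    if (log != NULL && loglen > 0)
        snprintf(log, loglen, "%s", b.last_log);
    return sent;
}

/* Same replay, returning only the log line (static buffer, for callers
 * that just want to see the message). */
const char *replay_dns_burst_log(int hz, int limit)
{
    static char log[96];
    (void)replay_dns_burst(hz, limit, log, sizeof log);
    return log;
}

int main(void)
{
    printf("sent %d of 231 unreachables; kernel log: %s\n",
           replay_dns_burst(100, 200, NULL, 0), replay_dns_burst_log(100, 200));
    return 0;
}
```

Two things the replay makes visible: with icmplim at its default the burst gets exactly 200 replies and the message is logged at the start of the following second, and with icmplim set to 0 every datagram is answered and nothing is logged, which is the trade-off behind raising or disabling the limit.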
- Renan

Message-Id: <200301211638.h0LGcSvD028812@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Tue, 21 Jan 2003 10:38:28 -0600
From: Martin McCormick

Mike Tancsa writes:
>It could be a ping flood, but if its happening after named dies, its more
>likely your kernel sending back messages to all the hosts asking for DNS
>requests. i.e. since named is dead, you had 231 DNS requests coming in per
>second. The kernel, limits its response to the first 200 hosts, sending
>back a message saying there is nothing listening on that port.

That is extremely likely. I don't know why named died as it is usually as
tough as iron, but we sometimes get over 400,000 requests per hour at peak
times so this may have been the result rather than the cause. It is hard to
tell exactly when the named process stopped but it could have been as early
as the first messages. There have been no more ICMP limitations since I
restarted bind.

Again, many thanks to all of you in the best UNIX tradition.

Date: Tue, 21 Jan 2003 10:48:58 -0600 (CST)
From: Mike Silbersack
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
In-Reply-To: <200301211600.h0LG08vD022507@dc.cis.okstate.edu>
Message-ID: <20030121104626.Y2194-100000@patrocles.silby.com>

On Tue, 21 Jan 2003, Martin McCormick wrote:

> On rare occasions, a FreeBSD system in our network has
> been known to print the example shown in the subject at a furious
> rate for a short time and then things get back to normal.
>
> Is that what the effects of a ping flood look like?
>
> On one system running bind9, the named process died after
> the syslog message said that packets had reached 243 per second,
> but I was able to restart it within seconds of its crash.
> Only the named process crashed, not the system.
>
> Any ideas as to what this is?
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Center for Computing and Information Services Network Operations Group

This is not a ping flood, as others have reported. ICMP unreach packets
are sent in response to incoming UDP packets to a port which has no
service running on it.

Here's what's happening:

1. BIND crashes.
2. DNS requests keep coming in, at a rate of 231 per second.
3. FreeBSD limits the number of icmp unreach responses, and tells you.
4. You restart BIND, and messages go away.

I can't answer why step #1 occurred, but I can assure you that #2 through
#4 are natural results of #1, and are nothing to worry about.
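The four steps above, as an added illustration (not code from this thread or from FreeBSD): a simplified Python model of the kernel's per-second cap on ICMP port-unreachable replies, loosely following the logic of badport_bandlim() in the 4.x kernel. It constructs the traffic of a dead named (231 UDP queries per second at port 53), applies the default net.inet.icmp.icmplim of 200, reproduces the console line quoted in the subject, shows what net.inet.udp.blackhole=1 (mentioned later in the thread) changes, and parses that console line back out of a syslog record.

```python
import re

ICMPLIM_DEFAULT = 200  # FreeBSD's default for net.inet.icmp.icmplim

# The console message quoted in the thread's subject line.
LOG_RE = re.compile(
    r"Limiting icmp unreach response from (\d+) to (\d+) packets per second")


def parse_limit_message(line):
    """Return (attempted, limit) if `line` carries the rate-limit message, else None."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


class UnreachLimiter:
    """Simplified model of the kernel's per-second cap on ICMP port unreachables."""

    def __init__(self, icmplim=ICMPLIM_DEFAULT, blackhole=False):
        self.icmplim = icmplim      # net.inet.icmp.icmplim
        self.blackhole = blackhole  # net.inet.udp.blackhole=1: no reply at all
        self.window = None          # whole second currently being counted
        self.count = 0              # replies wanted during that second
        self.logs = []              # console lines the model would print

    def _close_window(self):
        # The overrun is reported once, when the next second starts.
        if self.window is not None and self.count > self.icmplim:
            self.logs.append(
                "Limiting icmp unreach response from %d to %d packets per second"
                % (self.count, self.icmplim))

    def udp_to_closed_port(self, t):
        """A UDP datagram arrived at time t (seconds) for a port with no listener.
        Returns "reply" (ICMP unreachable sent), "limited" (suppressed by the
        cap) or "blackholed" (suppressed by the sysctl)."""
        if self.blackhole:
            return "blackholed"
        second = int(t)
        if second != self.window:
            self._close_window()
            self.window, self.count = second, 0
        self.count += 1
        return "reply" if self.count <= self.icmplim else "limited"

    def flush(self):
        """End the trace so the last window's message, if any, is emitted."""
        self._close_window()
        self.window, self.count = None, 0
        return list(self.logs)


def simulate_dead_named(queries_per_second, seconds,
                        icmplim=ICMPLIM_DEFAULT, blackhole=False):
    """Constructed traffic: `queries_per_second` DNS queries reach UDP port 53
    every second while named is down. Returns (tally, console log lines)."""
    limiter = UnreachLimiter(icmplim, blackhole)
    tally = {"reply": 0, "limited": 0, "blackholed": 0}
    for s in range(seconds):
        for i in range(queries_per_second):
            tally[limiter.udp_to_closed_port(s + i / queries_per_second)] += 1
    return tally, limiter.flush()


if __name__ == "__main__":
    # 231 queries/s against a dead named, as in the thread: 200 replies per
    # second go out, 31 are dropped, and each second logs one console line.
    tally, logs = simulate_dead_named(231, 3)
    print(tally, *logs, sep="\n")
    print([parse_limit_message(line) for line in logs])
    # With net.inet.udp.blackhole=1 the kernel answers nothing and logs nothing.
    print(simulate_dead_named(231, 3, blackhole=True))
```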
Mike "Silby" Silbersack

Message-ID: <3E2D8C7A.1040300@tenebras.com>
Date: Tue, 21 Jan 2003 10:07:54 -0800
From: Michael Sierchio
To: Andy Farkas
Cc: Mike Tancsa, Tillman, freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
In-Reply-To: <20030122022350.A54298-100000@hewey.af.speednet.com.au>

Andy Farkas wrote:
>
> He is talking about icmp packets - nothing to do with named.

It might very well. If 'named' dies, and net.inet.udp.blackhole=0, then the
kernel will be generating ICMP error responses for UDP packets sent to port 53.

Date: Tue, 21 Jan 2003 14:20:07 -0500 (EST)
From: Dru
To: security@freebsd.org
Subject: bug in opiepasswd?
Message-ID: <20030121140942.Y201@dhcp-17-14.kico2.on.cogeco.ca>

Has anyone else come across this weird behaviour before, or am I missing
something fundamental here?

If I use "opiepasswd" after a user is already in "/etc/opiekeys", the
resulting seed is less than 5 characters long, rendering it unusable. It
doesn't matter if I use "opiepasswd", "opiepasswd -c" or "opiepasswd -n 499".
For example:

opiepasswd -n 499
Old secret pass phrase:
        otp-md5 8 dh2324 ext
        Response: blah blah blah blah blah blah
New secret pass phrase:
        otp-md5 499 dh23
                    ^^^^

opiekey 499 dh23
Using the MD5 algorithm to compute response.
Seeds must be greater than 5 characters long.

However, if I manually remove the user from "/etc/opiekeys", "opiepasswd -c"
works fine and computes a usable seed.

Dru

Message-ID: <014b01c2c182$b93b5da0$34a8a8c0@melim.com.br>
From: "Ronan Lucio"
To: "Mike Silbersack", "Martin McCormick"
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Tue, 21 Jan 2003 17:24:31 -0200
References: <200301211600.h0LG08vD022507@dc.cis.okstate.edu> <20030121104626.Y2194-100000@patrocles.silby.com>

> This is not a ping flood, as others have reported. ICMP unreach packets
> are sent in response to incoming UDP packets to a port which has no
> service running on it.
>
> Here's what's happening:
>
> 1. BIND crashes.
> 2. DNS requests keep coming in, at a rate of 231 per second.
> 3. FreeBSD limits the number of icmp unreach responses, and tells you.
> 4. You restart BIND, and messages go away.
>
> I can't answer why step #1 occurred, but I can assure you that #2 through
> #4 are natural results of #1, and are nothing to worry about.

I think a good solution is to install a DJB DNS Cache and leave it just to
answer DNS queries. The dnscache machine could even point to a DNS Server
running Bind9.
http://cr.yp.to/djbdns.html

Ronan

Date: Tue, 21 Jan 2003 11:58:40 -0800 (PST)
From: Mike Hoskins
To: security@freebsd.org
Subject: Re: Vulnerability Note VU#412115
In-Reply-To: <3E2D3E68.3070208@borderware.com>
Message-ID: <20030121114921.I9619-100000@fubar.adept.org>

On Tue, 21 Jan 2003, David Bell wrote:

> It may be quite small, however image wise it is not good IMHO that
> FreeBSD is not doing anything to respond to this, or at least have some
> sort of official statement.

I can see both sides. It's not great for image, but in fairness all free
OS' have the same image right now. In that vein, I believe it's because all
opensource projects are strapped for time... And things which would be "nice
to have" often get a lower priority than things that are broken and keeping
the next release from happening.

> You say many device drivers display this behavior, can you be more
> specific? Or tell me which ones do not display the behavior?

I think that's the point... Right now, no one really knows. You'd have to
inspect the source wrt the RFC, find the improper padding, and offer patches
where you could (opensource drivers). As Mr Clark indicated, the effort
would be obscured by binary drivers... At that point you'd be forced to
solicit each and every commercial vendor and log their official responses.
(If you get one.) So you'd end up with an announcement to CERT that still
resembled an "unknown" status... Because you'd have a list of drivers, some
of which would almost certainly be vulnerable and some of which may not.

Of course I'm not saying I wouldn't like to see this (and every other issue)
addressed. It's just a rather large task, and I think it would need a sort
of coordinator. (Especially when it comes to soliciting and collecting
responses from vendors.)
Perhaps someone closer to the project could at least offer/collect a list of
drivers, and which ones rely on some binary. Then we could begin trying to
fix what we can. Of course all of the BSD's (maybe other OS' too) would
benefit.

--
Mike Hoskins                This message is RFC 1855 compliant,
mike@adept.org              www.adept.org/pub/rfcs/rfc1855.html

Message-Id: <200301212035.h0LKZvvD077479@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Tue, 21 Jan 2003 14:35:57 -0600
From: Martin McCormick

This is Martin McCormick again and it looks like those who said that bind
first got sick and caused the situation that generated the ICMP slow-down
are 100% right. I had been concentrating on the syslog file since the
problem appeared to be network-related and there just wasn't much there to
look at in the way of tracks, but I sure found tracks when I looked at the
named.log file. Things had been going along quite busily with the usual
transfers and dynamic updates and then:

Jan 21 09:04:43.081 client 139.78.48.251#13631: no more TCP clients: quota reached

That went on for a short time and then bind crashed.
From: Andrés Vargas
References: <200301212035.h0LKZvvD077479@dc.cis.okstate.edu>
Subject: ISC DHCPD NSUPDATE Buffer Overflow Vulnerabilities
Date: Wed, 22 Jan 2003 08:04:09 -0600

The following advisory indicates FreeBSD 4.1-4.5 are affected.

http://securityresponse.symantec.com/avcenter/security/Content/6627.html

I have not seen any comments in this security list. Am I missing something?

Date: Wed, 22 Jan 2003 11:27:38 -0800 (PST)
From: Mike Hoskins
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
In-Reply-To: <014b01c2c182$b93b5da0$34a8a8c0@melim.com.br>
Message-ID: <20030122112600.G12348-100000@fubar.adept.org>

On Tue, 21 Jan 2003, Ronan Lucio wrote:

> > 1. BIND crashes.
> > 2. DNS requests keep coming in, at a rate of 231 per second.
> > 3. FreeBSD limits the number of icmp unreach responses, and tells you.
> > 4. You restart BIND, and messages go away.
> > I can't answer why step #1 occurred, but I can assure you that #2 through
> > #4 are natural results of #1, and are nothing to worry about.

See bind9-users for that. (Recent discussion.)

> I think a good solution is to install a DJB DNS Cache and leave it
> just to answer DNS queries.

If you can stand DJB's rhetoric. Sure, he seems like a smart enough
guy... If he wasn't such an a$$. I guess that's a problem with a lot of
"smart" people though.
--
Mike Hoskins                This message is RFC 1855 compliant,
mike@adept.org              www.adept.org/pub/rfcs/rfc1855.html

Date: Wed, 22 Jan 2003 14:32:15 -0800
From: Erick Mechler
To: Andrés Vargas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ISC DHCPD NSUPDATE Buffer Overflow Vulnerabilities
Message-ID: <20030122223215.GN3893@techometer.net>
References: <200301212035.h0LKZvvD077479@dc.cis.okstate.edu>

:: The following advisory indicates FreeBSD 4.1-4.5 are affected.
::
:: http://securityresponse.symantec.com/avcenter/security/Content/6627.html
::
:: I have not seen any comments in this security list. Am I missing something?

DHCP isn't part of the base system, so FreeBSD is only vulnerable if you've
installed the port. A fix was committed to the ports tree 6 days ago by
Kris, updating the DHCP port to 3.0.1.r11. If you're using the DHCP port,
use your method of choice to upgrade.

http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/isc-dhcp3/

Security advisories for 3rd party packages (i.e., ports) are issued in
bundles, and have the "FreeBSD-SN" prefix (SN == Security Notice). See
http://www.freebsd.org/security/#adv for more information.
Cheers - Erick

Message-ID: <3E2F2205.3060306@tenebras.com>
Date: Wed, 22 Jan 2003 14:58:13 -0800
From: Michael Sierchio
To: Mike Hoskins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
In-Reply-To: <20030122112600.G12348-100000@fubar.adept.org>

Mike Hoskins wrote:
> On Tue, 21 Jan 2003, Ronan Lucio wrote:
>
> >I think a good solution is to install a DJB DNS Cache and leave it
> >just to answer DNS queries.
>
> If you can stand DJB's rhetoric. Sure, he seems like a smart enough
> guy... If he wasn't such an a$$. I guess that's a problem with a lot of
> "smart" people though.

Yes, he's cranky and exigent. But BIND and Sendmail have a long history of
security vulnerabilities, and of being generally porcine. Dan's
long-standing cash reward offer for discovery of vulnerabilities in his
software has never been claimed.

djbdns works brilliantly, and correctly separates the caching server, which
performs recursive queries, from the domain server, which responds only to
queries for which it is authoritative.
Subject: Egress filtering
From: Dung Patrick
To: freebsd-security@FreeBSD.ORG
Date: Thu, 23 Jan 2003 23:20:29 +0800
Message-ID: <1043335229.ca145a00dkt@digitalme.com>

Hello,

For the egress filtering, I would only allow my firewall to send out packet
only with the public IP of the firewall address. Not only dropping outgoing
source address with RFC1918 address.

I have a rule like this in ipfilter:

block out log on dc0 from !fw_public_IP to any

But I see this in my log:
192.168.0.1 (private LAN) -> a.b.c.d (a web server in Internet)

The ipfilter has drop/log packet before NAT. If it is after NAT, my source
address will be fw_public_IP and the above block rule will be skipped.

Any suggestion?

Regards,
Patrick

Date: Thu, 23 Jan 2003 15:39:04 -0300 (ART)
From: Fernando Gleiser
To: Dung Patrick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Egress filtering
In-Reply-To: <1043335229.ca145a00dkt@digitalme.com>
Message-ID: <20030123153522.T4134-100000@cactus.fi.uba.ar>

On Thu, 23 Jan 2003, Dung Patrick wrote:

> Hello,
>
> For the egress filtering, I would only allow my firewall to send out
> packet only with the public IP of the firewall address. Not only dropping
> outgoing source address with RFC1918 address.
>
> I have a rule like this in ipfilter:
>
> block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
> 192.168.0.1 (private LAN) -> a.b.c.d (a web server in Internet)
> The ipfilter has drop/log packet before NAT. If it is after NAT, my source
> address will be fw_public_IP and the above block rule will be skipped.

Ipfilter always sees the real IP. That is, it does filtering before NAT for
outgoing packets and NAT before filtering for incoming ones.

			Fer

>
> Any suggestion?
>
> Regards,
> Patrick

Message-Id: <200301232133.h0NLXhvD085858@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Thu, 23 Jan 2003 15:33:43 -0600
From: Martin McCormick

What we had was a compromised system that appears to be running some sort
of denial of service script that crashes bind9.2.1 and possibly other
versions. The problem is reportedly fixed in bind9.2.2. Our site has been
using the latest versions of bind for close to a decade and that is the
first time we have gotten hit.

If you have a system with lots of storage on it, keep good logs. 99.999% of
what gets logged is hardly worth looking at, but that last message before
bind crashed was worth all that space since we would have still been
scratching our heads and wondering what happened and when might it happen
again.

I have all the CRIT messages on the name server sent to our FreeBSD work
station and that told us when things went wrong. The usual format of the
messages changed giving us messages that identified the host sending with
its IP number rather than its host name.

I run bind in a root jail so I have a little shell script to restart it
correctly so I just kept bringing it back up until one of our other network
folks turned off the port of the compromised system. The advantage of that
is that you can quickly send the correct commands even when your display is
being trashed with all the distress calls which are a result of having no
dns. The drill is to log on, type the command to restart bind, notice the
brief lull in the carnage, wait for it to start again, and hit !!. The
other advantage to having the startup script is you can easily tell a
coworker to just run that script and bind runs under the correct UID and
GID.

Some years ago, when things weren't as robust as they have gotten, I used to
run a cron job every minute to restart bind and dhcpd if they should die. I
guess I should revive those scripts and update them to fit the present
configuration.
Martin McCormick WB5AGZ Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

Subject: Re: Re: Egress filtering
From: Dung Patrick
To: fgleiser@cactus.fi.uba.ar
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 24 Jan 2003 10:23:56 +0800
Message-ID: <1043375036.a20e0240dkt@digitalme.com>

Hi,

It seems that I get a quick fix with the help of ipfw.

I add this rule to ipfw:

ipfw add deny ip from not a.b.c.d to any out xmit xl0

where a.b.c.d is my fw public IP and xl0 is the public interface

Regards,
Patrick

-----Original Message-----
From: Fernando Gleiser
To: Dung Patrick
Date: Thu, 23 Jan 2003 15:39:04 -0300 (ART)
Subject: Re: Egress filtering

On Thu, 23 Jan 2003, Dung Patrick wrote:

> Hello,
>
> For the egress filtering, I would only allow my firewall to send out
> packets only with the public IP of the firewall address. Not only dropping
> outgoing source address with RFC1918 address.
>
> I have a rule like this in ipfilter:
>
> block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
> 192.168.0.1 (private LAN) -> a.b.c.d (a web server in Internet)
> The ipfilter has dropped/logged the packet before NAT. If it is after NAT, my source
> address will be fw_public_IP and the above block rule will be skipped.

Ipfilter always sees the real IP. That is, it does filtering before NAT for outgoing packets and NAT before filtering for incoming ones.

			Fer

> Any suggestion?
>
> Regards,
> Patrick

From owner-freebsd-security Sat Jan 25 13:17:15 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 306A737B401 for ; Sat, 25 Jan 2003 13:17:14 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id C015343F1E for ; Sat, 25 Jan 2003 13:17:11 -0800 (PST) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 16608 invoked by uid 0); 25 Jan 2003 21:17:10 -0000
Received: from p509102B9.dip0.t-ipconnect.de (HELO mail.gsinet.sittig.org) (80.145.2.185) by mail.gmx.net (mp012-rz3) with SMTP; 25 Jan 2003 21:17:10 -0000
Received: (qmail 67991 invoked from network); 25 Jan 2003 19:46:51 -0000
Received: from shell.gsinet.sittig.org (192.168.11.153) by mail.gsinet.sittig.org with SMTP; 25 Jan 2003 19:46:51 -0000
Received: (from sittig@localhost) by shell.gsinet.sittig.org (8.11.3/8.11.3) id h0PJkj367976 for freebsd-security@FreeBSD.ORG; Sat, 25 Jan 2003 20:46:45 +0100 (CET) (envelope-from sittig)
Date: Sat, 25 Jan 2003 20:46:45 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Egress filtering
Message-ID: <20030125204645.Y4807@shell.gsinet.sittig.org>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <1043335229.ca145a00dkt@digitalme.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <1043335229.ca145a00dkt@digitalme.com>; from dkt@digitalme.com on Thu, Jan 23, 2003 at 11:20:29PM +0800
Organization: System Defenestrators Inc.

On Thu, Jan 23, 2003 at 23:20 +0800, Dung Patrick wrote:
>
> For the egress filtering, I would only allow my firewall to send out
> packets only with the public IP of the firewall address. Not only dropping
> outgoing source address with RFC1918 address.
>
> I have a rule like this in ipfilter:
>
> block out log on dc0 from !fw_public_IP to any
>
> But I see this in my log:
> 192.168.0.1 (private LAN) -> a.b.c.d (a web server in Internet)
> The ipfilter has dropped/logged the packet before NAT. If it is after NAT, my source
> address will be fw_public_IP and the above block rule will be skipped.

You didn't say what other rules are there. Since you don't have the "quick" keyword in the above rule, the "block" action is just an assumption which could be "corrected" by later rules the packet gets passed to. I.e. this is not a final decision, since you specified so in your rule set. :)

Make sure you have read the excellent ipfilter HowTo, available on the homepage. And make use of the offline test program which tells you what it _would_ do to a certain packet when being fed with a certain rule set (see `man ipftest`). You can even feed this tool with pcap files or tcpdump(1) text output to kind of replay what you have met in real life.
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Sat Jan 25 13:17:20 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B9EB937B405 for ; Sat, 25 Jan 2003 13:17:14 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id D03FB43F3F for ; Sat, 25 Jan 2003 13:17:11 -0800 (PST) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 16634 invoked by uid 0); 25 Jan 2003 21:17:10 -0000
Received: from p509102B9.dip0.t-ipconnect.de (HELO mail.gsinet.sittig.org) (80.145.2.185) by mail.gmx.net (mp012-rz3) with SMTP; 25 Jan 2003 21:17:10 -0000
Received: (qmail 68000 invoked from network); 25 Jan 2003 19:46:54 -0000
Received: from shell.gsinet.sittig.org (192.168.11.153) by mail.gsinet.sittig.org with SMTP; 25 Jan 2003 19:46:54 -0000
Received: (from sittig@localhost) by shell.gsinet.sittig.org (8.11.3/8.11.3) id h0PJkrm67996 for freebsd-security@FreeBSD.ORG; Sat, 25 Jan 2003 20:46:53 +0100 (CET) (envelope-from sittig)
Date: Sat, 25 Jan 2003 20:46:53 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Message-ID: <20030125204653.Z4807@shell.gsinet.sittig.org>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <200301232133.h0NLXhvD085858@dc.cis.okstate.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200301232133.h0NLXhvD085858@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Thu, Jan 23, 2003 at 03:33:43PM -0600
Organization: System Defenestrators Inc.

[ not a personal attack on you, Martin; but a plea to all readers to make up their own minds and tell the blurb from the technical aspects (so not meant to start flame wars) ]

On Thu, Jan 23, 2003 at 15:33 -0600, Martin McCormick wrote:
>
> I run bind in a root jail so I have a little shell script
> to restart it correctly so I just kept bringing it back up until
> one of our other network folks turned off the port of the
> compromised system. The advantage of that is that you can
> quickly send the correct commands even when your display is being
> trashed with all the distress calls which are a result of having
> no dns.
>
> [ ... ]
>
> Some years ago, when things weren't as robust as they
> have gotten, I used to run a cron job every minute to restart
> bind and dhcpd if they should die. I guess I should revive those
> scripts and update them to fit the present configuration.

You might as well make use of ports/sysutils/daemontools (or http://cr.yp.to/daemontools.html for online docs). This port has some really useful tools to supervise processes and keep logs.
Although only djbware by default makes use of their presence (it's not too strict a dependency but more of a proposal; I managed to run qmail without supervise for a few hundred days, i.e. with no crash, and the same can be said about tinydns and friends), one quickly gets tempted to wrap his own jobs and services with these handy tools (you can simply plug in existing startup scripts if they stay up as long as the service is running, and there is a tool for automatically backgrounded jobs in the collection). Once you realize how simply these tools can be applied you will never again want to roll your own. Definitely worth a look ...

[ I'm happy to help those who are interested in getting started with this software. But since this is OT for -security please ask via PM after reading the pages DJB offers. :) ]

> The other advantage to having the startup script is you
> can easily tell a coworker to just run that script and bind runs
> under the correct UID and GID.

While you are there looking into daemontools you may consider evaluating djbdns, too (ports/net/djbdns or http://cr.yp.to/djbdns.html). I guess (OK, I'm more afraid ...) that most people running bind do so just because they either

- simply don't know any better (never heard of alternatives and cannot imagine there might be any) or
- have been told that the alternatives are of no use or that there is only one real DNS server and that its name is bind and nothing else (there must be a reason why distributions ship with it and book shelves get filled with literature on it, right?)

Only a few admins do know about other implementations and still insist on running bind. IMO there are very few (valid) reasons to do so. Remember how much time you spent constantly upgrading your bind software (or maybe even cleaning up after you got compromised) and compare this to how much it takes to switch to djbdns only once.
Add the features of djbdns (no server reload upon database updates, automatic serial number handling, user definable new record types should you need those, no way to pass an invalid zonefile to a running server and thus no startup problems or outages for this reason, server startup in a fraction of a second in the face of a few million entries database, running chrooted and unprivileged by design from day one, split view, cleanly separated auth zone serving and recursive cache resolving, easy to use frontend, highly automatable due to very simple syntax, lightweight on resources, robustly running without slowdowns or resource leaks, no known security problems to date, did I forget something?) and it's hard to see what is missing (i.e. making you stick with bind). DynDNS is the only one I could see and this does not apply to public servers but only to LANs and only if you insist on letting workstation users administer the dynamic zone. :>

So there is no excuse for getting compromised via a bind bug. "But it ships with the distro" asks for the reply "why didn't you keep the MS system which came with your machine then?". "But others do it too and everybody is talking about it" asks for "why don't you run Linux then? it's more popular in the press and thus must better fit your needs". "But I get literature on it everywhere and know a lot of people I can ask when I have problems" asks for "this is what makes an MS system more appropriate for your needs, it is even more widespread and there's a solution provider just around the (every) corner". If one does decide to run FreeBSD then the additional step of installing software not found in the standard distro should not be too much to ask for if services and security improve by this action.

To make things clear: I'm not suggesting everyone should blindly switch to djbware. Just as I don't suggest blindly following the crowd, running the first program that comes across and sticking with it.
But I *strongly* encourage people to look at alternatives and not merely repeat what they have heard from somebody else but instead to evaluate other software and make their own judgement from experience instead of rumours. Keeping the religious stuff aside (that's what I tried in the above paragraphs) one will notice that djbware is worth a look and most of the time better fits its purpose when you don't need all the bells and whistles of bloatware and don't want to be vulnerable to the holes all the additional code brings with it. And of course this applies not only to standard distros and djbware but to every piece of software you use.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
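What Martin's restart script and once-a-minute cron job, and the daemontools service directory Gerhard recommends instead, look like when written down, as an added example rather than code from either post. It assumes a chroot at /var/named, an unprivileged user named bind, the configuration at /etc/namedb/named.conf as seen from inside that chroot, and /service as the directory svscan scans (DJB's default; the FreeBSD port may place it elsewhere). The named options -u, -t, -c and -g are real BIND 9 options; everything else (script name, paths, log tag) is illustrative.

```shell
#!/bin/sh
# Added example (not code from Martin's or Gerhard's post): the restart
# script / once-a-minute cron check Martin describes, and the daemontools
# service directory Gerhard suggests instead, for a named that runs
# chrooted and unprivileged. Paths, user name and the /service scan
# directory are assumptions for illustration, not values from the thread.

NAMED_CHROOT="${NAMED_CHROOT:-/var/named}"           # assumed chroot (named -t)
NAMED_USER="${NAMED_USER:-bind}"                     # assumed unprivileged user (named -u)
NAMED_CONF="${NAMED_CONF:-/etc/namedb/named.conf}"   # assumed path as seen inside the chroot
NAMED_PIDFILE="${NAMED_PIDFILE:-$NAMED_CHROOT/var/run/named.pid}"

# pid_alive PIDFILE: succeed only if PIDFILE names a process that still
# exists. A missing, stale or malformed pidfile counts as "dead".
pid_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# start_named: what a restart script needs to get right every time. named
# opens port 53 as root, then chroots (-t) and changes to NAMED_USER (-u)
# on its own, so this runs as root but the daemon does not stay root.
start_named() {
    named -u "$NAMED_USER" -t "$NAMED_CHROOT" -c "$NAMED_CONF"
}

# ensure_named: body of the cron job. Returns 0 if named was already up,
# 2 if it had to be restarted (so cron mail or a caller can tell).
ensure_named() {
    if pid_alive "$NAMED_PIDFILE"; then
        return 0
    fi
    logger -p daemon.crit -t named-watchdog "named not running, restarting"
    start_named
    return 2
}

# make_named_service DIR: lay out a daemontools service directory. run
# keeps named in the foreground (-g, logging to stderr) so supervise can
# watch it and restart it when it dies; log/run feeds that stderr to
# multilog as NAMED_USER. Before activating: chown NAMED_USER DIR/log/main,
# then 'ln -s DIR /service/named' (the directory svscan watches; the
# FreeBSD port may use a different one).
make_named_service() {
    dir=$1
    mkdir -p "$dir/log/main"
    cat > "$dir/run" <<EOF
#!/bin/sh
exec 2>&1
exec named -g -u $NAMED_USER -t $NAMED_CHROOT -c $NAMED_CONF
EOF
    cat > "$dir/log/run" <<EOF
#!/bin/sh
exec setuidgid $NAMED_USER multilog t ./main
EOF
    chmod 755 "$dir/run" "$dir/log/run"
}

# Run directly: "check" for the cron entry, "service DIR" to write the
# daemontools directory. Assumed crontab line for the first form:
#   * * * * * root /usr/local/sbin/named-watchdog check
case "${1:-}" in
    check)   ensure_named ;;
    service) make_named_service "${2:?service directory}" ;;
esac
```

The cron form repeats Martin's approach and keeps his two properties (the same command every time, the right UID/GID because named drops privileges itself); the service form is what Gerhard is pointing at, where supervise restarts named within a second of it dying and `svc -t /service/named` replaces the manual "hit !!" drill. Once the service is active, `svstat /service/named` shows whether it is up and for how long.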
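Returning to the egress-filtering thread earlier on this page (Patrick's ipfilter rule, Fernando's note that ipfilter filters outbound packets before NAT, and Gerhard's point about "quick"): the following is an added example, not code from any of those posts. It implements just enough of the ipfilter and ipfw rule grammars to show why an ipfilter `block` without `quick` can be undone by a later `pass` while an ipfw `deny` is final, and why an ipfilter egress rule on the outside interface has to account for pre-NAT LAN sources. The addresses 203.0.113.10 (firewall public IP), 192.168.0.0/24 (LAN), 10.9.9.9 (a spoofed source) and 198.51.100.7 (a web server) are constructed, the ipfw rule placement remark about natd is a general caveat rather than a statement about Patrick's configuration, and the evaluators are teaching aids; a real rule set should be replayed through ipftest(1) as Gerhard says.

```shell
#!/bin/sh
# Added example, not code from any post on this page: toy evaluators that
# mimic how ipfilter and ipfw decide a packet's fate, so Gerhard's ordering
# point can be seen on constructed rule sets. Syntax understood:
#   ipfilter: pass|block in|out [log] [quick] on IF from SRC to DST
#   ipfw:     allow|deny ip from SRC to DST in|out [recv|xmit] IF
# SRC/DST: any, a.b.c.d, a.b.c.d/8|16|24, negated "!x" (ipf) / "not x" (ipfw).

addr_match() {   # PATTERN ADDR
    pat=$1 addr=$2
    case $pat in '!'*) ! addr_match "${pat#!}" "$addr"; return ;; esac
    case $pat in
        any)  return 0 ;;
        */8)  octets=1 ;;
        */16) octets=2 ;;
        */24) octets=3 ;;
        *)    [ "$pat" = "$addr" ]; return ;;
    esac
    [ "$(echo "${pat%/*}" | cut -d. -f1-$octets)" = "$(echo "$addr" | cut -d. -f1-$octets)" ]
}

# ipf_decide RULEFILE DIR IFACE SRC DST -> pass|block. ipfilter tries every
# rule; the LAST match wins unless a match says "quick". No match: pass.
ipf_decide() {
    rulefile=$1 pdir=$2 pif=$3 psrc=$4 pdst=$5
    decision=pass
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        action=$1 dir=$2; shift 2
        quick=no
        while [ "$1" = log ] || [ "$1" = quick ]; do
            case $1 in quick) quick=yes ;; esac
            shift
        done
        # now: $1=on $2=IF $3=from $4=SRC $5=to $6=DST
        [ "$dir" = "$pdir" ] && [ "$2" = "$pif" ] || continue
        addr_match "$4" "$psrc" && addr_match "$6" "$pdst" || continue
        decision=$action
        if [ "$quick" = yes ]; then break; fi
    done < "$rulefile"
    echo "$decision"
}

# ipfw_decide RULEFILE DIR IFACE SRC DST -> allow|deny. ipfw stops at the
# FIRST match; the implicit rule 65535 denies (unless IPFIREWALL_DEFAULT_TO_ACCEPT).
ipfw_decide() {
    rulefile=$1 pdir=$2 pif=$3 psrc=$4 pdst=$5
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        action=$1
        # fold "not X" into "!X" so addr_match serves both syntaxes
        if [ "$4" = not ]; then src="!$5"; shift; else src=$4; fi
        if [ "$6" = not ]; then dst="!$7"; shift; else dst=$6; fi
        dir=$7
        if [ "$8" = recv ] || [ "$8" = xmit ]; then iface=$9; else iface=$8; fi
        [ "$dir" = "$pdir" ] && [ "$iface" = "$pif" ] || continue
        addr_match "$src" "$psrc" && addr_match "$dst" "$pdst" || continue
        echo "$action"
        return 0
    done < "$rulefile"
    echo deny
}

# write_rules DIR: constructed sample rule sets. 203.0.113.10 stands in for
# the firewall's public address, 192.168.0.0/24 for the LAN behind ipnat.
write_rules() {
    mkdir -p "$1"
    # As posted: block without quick, then the broad "pass out" many rule
    # sets end with. The later pass silently undoes the earlier block.
    cat > "$1/ipf-as-posted.rules" <<'EOF'
block out log on dc0 from !203.0.113.10 to any
pass out on dc0 from any to any
EOF
    # With quick the block is final. ipfilter filters outbound packets BEFORE
    # ipnat rewrites the source (Fernando's point), so the LAN range has to be
    # passed here explicitly or NAT'ed traffic never leaves.
    cat > "$1/ipf-fixed.rules" <<'EOF'
pass out quick on dc0 from 203.0.113.10 to any
pass out quick on dc0 from 192.168.0.0/24 to any
block out log quick on dc0 from any to any
EOF
    # ipfw: first match wins, so Patrick's deny is already final. With natd
    # it belongs after the divert rule, or it sees untranslated LAN sources.
    cat > "$1/ipfw.rules" <<'EOF'
deny ip from not 203.0.113.10 to any out xmit xl0
allow ip from any to any out xmit xl0
EOF
}

egress_demo() {   # DIR: all three verdicts for a LAN, a spoofed and the public source
    write_rules "$1"
    for src in 192.168.0.1 10.9.9.9 203.0.113.10; do
        echo "$src: ipf as posted=$(ipf_decide "$1/ipf-as-posted.rules" out dc0 "$src" 198.51.100.7)" \
          "fixed=$(ipf_decide "$1/ipf-fixed.rules" out dc0 "$src" 198.51.100.7) ipfw=$(ipfw_decide "$1/ipfw.rules" out xl0 "$src" 198.51.100.7)"
    done
}
egress_demo "${1:-${TMPDIR:-/tmp}/egress-demo.$$}"
```

Run with no arguments it writes the three sample rule files under a temporary directory and prints one line per source address. The as-posted ipfilter set logs 192.168.0.1 (the block rule matches, which is exactly the log line Patrick saw) and then passes it, and it passes the spoofed 10.9.9.9 just the same, because the later `pass out` is the last match. The fixed set blocks 10.9.9.9 and still lets the LAN and the public address out, and the ipfw set denies 10.9.9.9 on its first rule. For the real firewall, the same three packets can be replayed against the real rule set with `ipftest -r /etc/ipf.rules -i packets.txt`, where ipftest's `-r` names the rule file and `-i` the packet description file.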