From owner-freebsd-security Mon Jan 27 08:29:32 2003
From: Sergei Kolobov (envelope-from sergei@kolobov.com)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second
Date: Mon, 27 Jan 2003 19:29:31 +0300
Message-ID: <20030127162931.GC89570@globcon.net>
In-Reply-To: <20030122112600.G12348-100000@fubar.adept.org>

On 2003-01-22 at 11:27 -0800, Mike Hoskins wrote:
> On Tue, 21 Jan 2003, Ronan Lucio wrote:
> > I think a good solution is install a DJB DNS Cache and leave it
> > just to answer DNS queries.
>
> If you can stand DJB's rhetoric. Sure, he seems like a smart enough
> guy... If he wasn't such an a$$. I guess that's a problem with a lot of
> "smart" people though.

Do you care about DJB's personality? Do you use BIND just because you like
Paul Vixie's personality? Or Sendmail because it was created by Eric Allman?
Do you use Windows (hmm..) because you went to the same primary school as
Bill Gates? ;-)

One thing I cannot get is why some people do not even want to consider DJB
software just because they do not like his "personality"? IMHO, as long as
djbdns/qmail/etc. does its job the way I want, I do not care a bit what kind
of person Dan is. That's something completely irrelevant.

Sergei

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 27 10:08:02 2003
From: Erik Paulsen Skålerud (envelope-from erik@pentadon.com)
To: 'Sergei Kolobov', freebsd-security@FreeBSD.ORG
Subject: RE: Limiting icmp unreach response from 231 to 200 packets per second
Date: Mon, 27 Jan 2003 19:07:45 +0100
Message-ID: <005401c2c62e$fe986270$0a00000a@lan.tekniker.no>
In-Reply-To: <20030127162931.GC89570@globcon.net>
Content-Type: multipart/signed; micalg=SHA1; protocol="application/x-pkcs7-signature"

I fully agree with you here. Apples and lemons, people have different taste.
DJB's software is extremely fast and it's reliable. I don't care about how the
person who made it is acting. Who cares about that?

Erik.

-----Original Message-----
From: Sergei Kolobov
Sent: Monday, January 27, 2003 5:30 PM
To: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting icmp unreach response from 231 to 200 packets per second

> On 2003-01-22 at 11:27 -0800, Mike Hoskins wrote:
> > On Tue, 21 Jan 2003, Ronan Lucio wrote:
> > > I think a good solution is install a DJB DNS Cache and leave it
> > > just to answer DNS queries.
> >
> > If you can stand DJB's rhetoric. Sure, he seems like a smart enough
> > guy... If he wasn't such an a$$. I guess that's a problem with a lot of
> > "smart" people though.
>
> Do you care about DJB's personality? Do you use BIND just because you like
> Paul Vixie's personality? Or Sendmail because it was created by Eric Allman?
> Do you use Windows (hmm..) because you went to the same primary school as
> Bill Gates? ;-)
>
> One thing I cannot get is why some people do not even want to consider DJB
> software just because they do not like his "personality"? IMHO, as long as
> djbdns/qmail/etc. does its job the way I want, I do not care a bit what kind
> of person Dan is. That's something completely irrelevant.
>
> Sergei

From owner-freebsd-security Mon Jan 27 10:34:27 2003
From: "Kenzo" (envelope-from kenzo_chin@hotmail.com)
To: freebsd-security@freebsd.org
Subject: portscan question
Date: Mon, 27 Jan 2003 12:34:19 -0600
This is what I got when I ran nmap against my server from inside my network.
Everything looks good from the outside. I'm curious why, when I have
portsentry turned on, I see all these ports, and when I don't I only see the
ones I'm running.

--WITH PORTSENTRY ON

BSDtest# nmap -v -O 10.25.x.x

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if
you really don't want to portscan (and just want to see what hosts are up).
Host mydomain(10.25.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against mydomain(10.25.x.x)
Adding open port 15/tcp
Adding open port 1524/tcp
Adding open port 54320/tcp
Adding open port 22/tcp
Adding open port 32774/tcp
Adding open port 540/tcp
Adding open port 6667/tcp
Adding open port 1/tcp
Adding open port 32773/tcp
Adding open port 12346/tcp
Adding open port 32771/tcp
Adding open port 27665/tcp
Adding open port 11/tcp
Adding open port 143/tcp
Adding open port 12345/tcp
Adding open port 1080/tcp
Adding open port 79/tcp
Adding open port 111/tcp
Adding open port 2000/tcp
Adding open port 25/tcp
Adding open port 31337/tcp
Adding open port 635/tcp
Adding open port 80/tcp
Adding open port 32772/tcp
Adding open port 119/tcp
The SYN Stealth Scan took 8 seconds to scan 1601 ports.
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
Interesting ports on mydomain(10.25.x.x):
(The 1576 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=1/27%Time=3E357695%O=1%C=2)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Uptime 0.168 days (since Mon Jan 27 08:11:17 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds

--WITHOUT PORTSENTRY

BSDtest# nmap -v -O 10.25.x.x

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if
you really don't want to portscan (and just want to see what hosts are up).
Host mydomain(10.25.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against mydomain(10.25.x.x)
Adding open port 25/tcp
Adding open port 22/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 7 seconds to scan 1601 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on mydomain(10.25.x.x):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=1/27%Time=3E357B34%O=22%C=1)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Uptime 0.181 days (since Mon Jan 27 08:11:17 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

I thought that portsentry was supposed to monitor the ports, but I didn't know
that it would add all these ports as being open. Will it still be OK to run
portsentry, or is there a better program to use to monitor ports for portscans
and probes?

Thanks.
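The ports that appear only while portsentry is running (1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000, 6667, 12345, 12346, 27665, 31337, 32771 to 32774 and 54320; 22, 25 and 80 are the real listeners) are portsentry's own decoy sockets. It binds unused ports so that any connection to one of them is by definition a probe, records the source and then blocks it. The script below is an added example, not code from this thread and not portsentry's own code; it reproduces that decision logic in sh over a constructed connection log. The decoy list is the one read off the two scans above, while the hit threshold, the sample log and the ipfw deny rule it prints are my choices rather than portsentry defaults.

```shell
#!/bin/sh
# Added example (not from the thread, not portsentry's code): the mechanism
# behind the extra "open" ports in the nmap output above. A watcher listens on
# a set of ports nothing legitimate uses; a connection to one of them can only
# be a probe, so the source is counted and, once it has touched enough decoys,
# a block rule is emitted for it.

# Ports present only in the portsentry-on scan: the decoys.
DECOY_PORTS="1 11 15 79 111 119 143 540 635 1080 1524 2000 6667 12345 12346 27665 31337 32771 32772 32773 32774 54320"

# Constructed sample log, one "src_ip dst_port" record per accepted
# connection. 10.25.0.7 and 10.25.0.12 only used real services; 10.25.0.30
# touched a single decoy; 10.25.0.9 walked across several, which is what a
# scan looks like from the listener's side.
SAMPLE_LOG='10.25.0.7 22
10.25.0.7 80
10.25.0.12 25
10.25.0.30 12345
10.25.0.9 22
10.25.0.9 1
10.25.0.9 11
10.25.0.9 31337'

# Exit 0 if port $1 is one of the decoys.
is_decoy() {
    for p in $DECOY_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read connection records on stdin; print each source that hit at least $1
# distinct decoy ports (default 1). Connections to real services are ignored,
# so an ordinary ssh/smtp/http client is never flagged.
scan_sources() {
    threshold=${1:-1}
    awk -v decoys="$DECOY_PORTS" -v t="$threshold" '
        BEGIN { n = split(decoys, d, " "); for (i = 1; i <= n; i++) isdecoy[d[i]] = 1 }
        ($2 in isdecoy) && !seen[$1, $2]++ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print ip }'
}

# The block action, in the spirit of portsentry's KILL_ROUTE setting: an ipfw
# deny rule for the offending source (ipf users would write
# "block in quick from <ip> to any" instead). Printed, not executed.
block_rule() {
    printf 'ipfw add deny ip from %s to any\n' "$1"
}

# Full pipeline: connection records in, block commands out.
emit_block_rules() {
    scan_sources "$1" | while read -r ip; do
        block_rule "$ip"
    done
}

# Demo on the constructed log: only 10.25.0.9 crosses a threshold of two decoys.
printf '%s\n' "$SAMPLE_LOG" | emit_block_rules 2
```

Rather than inferring the decoys from two nmap runs, check on the box which process owns each listening socket: `sockstat -4 -l` on FreeBSD shows the decoy ports owned by portsentry and 22, 25 and 80 owned by the real daemons. The threshold is there for a reason: blocking a source on the strength of a single probe lets anyone who can make a host talk to a decoy get that host cut off, so tune it for your environment and review what would be blocked before letting the rule be executed automatically.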
From owner-freebsd-security Mon Jan 27 11:15:13 2003
From: "Kenzo" (envelope-from kenzo_chin@hotmail.com)
To: freebsd-security@freebsd.org
Subject: Re: portscan question
Date: Mon, 27 Jan 2003 13:15:10 -0600
References: <20030127124404.H22563-100000@sexynerd.org>

Thanks guys. I just wanted to make sure that it was working correctly and that
I didn't mess up somewhere in the configs.

From owner-freebsd-security Mon Jan 27 13:55:02 2003
From: "Mario Antonio" (envelope-from dino@webjogger.net)
To: freebsd-security@freebsd.org
Subject: Verifying the presence of any vulnerability
Date: Mon, 27 Jan 2003 16:56:09 -0500
Message-ID: <015101c2c64e$e6848b30$13c01dd0@shadowfax>

Dear List,

How can I verify that my system has some of the discovered vulnerabilities?
Is there any tool that I can use to help me out?

Regards

Mario

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]

From owner-freebsd-security Mon Jan 27 21:43:24 2003
From: "Lord Ouch" (envelope-from spam@javamoh.net)
To: "Kenzo", freebsd-security@freebsd.org
Subject: Re: portscan question
Date: Tue, 28 Jan 2003 13:42:07 +0800
Message-ID: <004501c2c690$127912b0$0701a8c0@pa>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sure, that's OK. portsentry opens those ports in order to monitor unexpected
incoming connections, and when such a connection occurs, it blocks the source
(from which intruders may come). You can change them in the configuration
file.

It is usually recommended to use snort rather than portsentry under
FreeBSD......... Since I have never been a snort user, I have no idea about it.

- --
With regards
Lord Ouch

- ----- Original Message -----
From: "Kenzo"
Sent: Tuesday, January 28, 2003 2:34 AM
Subject: portscan question

> This is what I got when I ran nmap against my server from inside my network.
> Everything looks good from the outside.
> I'm curious why, when I have portsentry turned on, I see all these ports,
> and when I don't I only see the ones I'm running.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPjYYLXbw5IZCFbKyEQKN6ACg1YvpwPDDObZmLMnt8XkuufynLr0An1mW
aCr8QZ/p9jk3wpPjDumRFE3t
=CamQ
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 28 04:48:07 2003
From: Fernando Schapachnik (envelope-from fernando@mecon.gov.ar)
To: Mario Antonio
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Verifying the presence of any vulnerability
Date: Tue, 28 Jan 2003 09:47:51 -0300
Message-ID: <20030128124751.GB296@bal740r0.mecon.gov.ar>
In-Reply-To: <015101c2c64e$e6848b30$13c01dd0@shadowfax>
X-OS: FreeBSD 4.7 - http://www.freebsd.org

Make sure you are running RELENG_4_7 and you should be fine. Refer to the
handbook to learn how to upgrade your system.

Good luck!

Lic. Fernando Schapachnik
Proyecto de Informática
Ministerio de Economía

In an earlier message, Mario Antonio wrote:
> Dear List,
>
> How can I verify that my system has some of the discovered vulnerabilities?
> Is there any tool that I can use to help me out?
>
> Regards
>
> Mario

From owner-freebsd-security Tue Jan 28 06:19:36 2003
From: theob@za.uu.net
To: freebsd-security@freebsd.org
Subject: The way forward
Date: Tue, 28 Jan 2003 08:59:27 +0200 (SAST)
Message-ID: <20030128085617.L167@woody.ops.uunet.co.za>

Hi List

This is a question that I'm sure has been posted many a time and one that has
led to large debates/conversations, however since I'm new to the list and
FreeBSD security I need to open it up again.
Coming from a Cisco PIX background, being fairly new to security and being a
huge fan and supporter of FreeBSD, I would want to pursue a firewall that is
based solely on stateful inspection, but here is my dilemma:

On reading through the following links:

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
and
http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO

it seems that both offer stateful inspection. In
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO it says:

"Using these options to make primitive stateful rulesets has been
functionality that has been available in ipfirewall(4) for a long time,
however, because of its very limited stateful capabilities, ipfirewall(4) has
long been regarded as a stateless firewall, with IPFilter the stateful
alternative"

So then is it safe to assume that ipfilter is the best choice for
statefulness? There is also mention that one would have a lot more
functionality by using ipfw and adding stateful arguments to the rule sets; is
this true? While ipfw may not be a true stateful firewall, one can still add
in the functionality and therefore be able to set up a very secure firewall,
but how secure would it be against a firewall based on the ipfilter way?

In a discussion I found on Google, it was stated that ipfw is marginally
better for FreeBSD because it supports all the FreeBSD-specific hacks, so then
does that mean ipfilter does not cope well with FreeBSD hacks?

I have however successfully set up ipfilter as per
http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO and it works well.

I guess what I'm trying to say is, on average what do most people use? My
feel is that ipfilter is the way to go, however since ipfw is FreeBSD-specific
then running a firewall on FreeBSD one should aim at ipfw as opposed to
ipfilter......

Once again if this mail is opening up sore wounds or if people are tired of
getting involved in this debate again then I apologise, but like I said I'm a
huge fan of FreeBSD and I really want to decide on which one to use so that I
can give my full attention to it rather than be half-minded between the two.

Thanks

From owner-freebsd-security Tue Jan 28 06:19:40 2003
From: theob@za.uu.net
To: freebsd-security@freebsd.org
Subject: The way forward.....
Date: Mon, 27 Jan 2003 15:31:02 +0200 (SAST)
Message-ID: <20030127152950.U446@woody.ops.uunet.co.za>

Hi List

This is a question that I'm sure has been posted many a time and one that has
led to large debates/conversations, however since I'm new to the list and
FreeBSD security I need to open it up again.

Coming from a Cisco PIX background, being fairly new to security and being a
huge fan and supporter of FreeBSD, I would want to pursue a firewall that is
based solely on stateful inspection, but here is my dilemma:

On reading through the following links:

http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
and
http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO

it seems that both offer stateful inspection. In
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO it says:

"Using these options to make primitive stateful rulesets has been
functionality that has been available in ipfirewall(4) for a long time,
however, because of its very limited stateful capabilities, ipfirewall(4) has
long been regarded as a stateless firewall, with IPFilter the stateful
alternative"

So then is it safe to assume that ipfilter is the best choice for
statefulness? There is also mention that one would have a lot more
functionality by using ipfw and adding stateful arguments to the rule sets; is
this true? While ipfw may not be a true stateful firewall, one can still add
in the functionality and therefore be able to set up a very secure firewall,
but how secure would it be against a firewall based on the ipfilter way?

In a discussion I found on Google, it was stated that ipfw is marginally
better for FreeBSD because it supports all the FreeBSD-specific hacks, so then
does that mean ipfilter does not cope well with FreeBSD-specific hacks?

I have however successfully set up ipfilter as per
http://www.freebsd-howto.com/HOWTO/IPFilter-FreeBSD-HOWTO and it works well.

Would it also be safe to assume that should one want to set up a firewall
whose sole purpose is to block everything coming in and allow everything going
out on a stateful level then ipfilter is the way to go, but if the firewall
was to protect different services behind it like a mail server and a web
server, would ipfw be the way to go?

I guess what I'm trying to say is, on average what do most people use? My
feel is that ipfilter is the way to go, however since ipfw is FreeBSD-specific
then running a firewall on FreeBSD one should aim at ipfw as opposed to
ipfilter......

Once again if this mail is opening up sore wounds or if people are tired of
getting involved in this debate again then I apologise, but like I said I'm a
huge fan of FreeBSD and I really want to decide on which one to use so that I
can give my full attention to it rather than be half-minded between the two.

Thanks

_______________________________________
Theo Bierman - theob@za.uu.net
CIT Team - UUNET SA, a WorldCom Company
http://www.uunet.co.za
---------------------------------------
The contents of this e-mail and any accompanying documentation is confidential
and any use thereof, in whatever form, by anyone other than the addressee for
whom it is intended, is strictly prohibited.
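Both ipfw and ipfilter can express the policy asked about here, and the clearest way to compare their stateful handling is to write the same ruleset in each. The script below is an added example, not from this thread and not from either HOWTO: it emits the policy "block everything coming in, allow everything going out, statefully", with 22, 25 and 80 published (the three ports open in Kenzo's scan above), first as ipfw(8) commands and then as an ipf(8) rules file. The outside interface fxp0, the local network 10.25.0.0/24, the rule numbers and the choice of published ports are assumptions; IPFW defaults to a dry run that prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread or from either HOWTO): one stateful
# policy written for ipfw(8) and for ipf(8). fxp0, 10.25.0.0/24, the rule
# numbers and the published ports are assumptions. With IPFW left at its
# default of "echo ipfw" the ipfw commands are printed, not loaded; set
# IPFW=/sbin/ipfw on a kernel built with IPFIREWALL to apply them.

oif=${OIF:-fxp0}
lan=${LAN:-10.25.0.0/24}
IPFW=${IPFW:-"echo ipfw"}

ipfw_stateful() {
    $IPFW -f flush
    # check-state: a packet that matches a dynamic rule (a session created by
    # keep-state below) is accepted here, before any static rule is consulted.
    # Without it, ipfw consults the dynamic table at the first keep-state rule.
    $IPFW add 100 check-state
    $IPFW add 200 allow ip from any to any via lo0
    # Anti-spoofing: our own network never arrives on the outside interface.
    # "log" only has an effect with net.inet.ip.fw.verbose=1.
    $IPFW add 210 deny log ip from $lan to any in via $oif
    # Outbound: only a SYN ("setup") may create state; the replies ride the
    # dynamic rule. UDP and ICMP get dynamic entries too, with shorter timeouts.
    $IPFW add 300 allow tcp from any to any out via $oif setup keep-state
    $IPFW add 310 allow udp from any to any out via $oif keep-state
    $IPFW add 320 allow icmp from any to any out via $oif keep-state
    # Published services: an inbound SYN to these ports creates state the same way.
    $IPFW add 400 allow tcp from any to any 22,25,80 in via $oif setup keep-state
    # Everything else, including TCP that never passed a SYN through us, is
    # dropped and logged.
    $IPFW add 65000 deny log ip from any to any
}

# The ipf equivalent, as the contents of /etc/ipf.rules (load it with
# "ipf -Fa -f /etc/ipf.rules"). "quick" stops evaluation at the first match;
# without it ipf keeps going and the last matching rule wins.
ipf_stateful() {
    cat <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
# Anti-spoofing
block in log quick on $oif from $lan to any
# Outbound sessions create state; "flags S" means only the SYN creates it
pass out quick on $oif proto tcp from any to any flags S keep state
pass out quick on $oif proto udp from any to any keep state
pass out quick on $oif proto icmp from any to any keep state
# Published services
pass in quick on $oif proto tcp from any to any port = 22 flags S keep state
pass in quick on $oif proto tcp from any to any port = 25 flags S keep state
pass in quick on $oif proto tcp from any to any port = 80 flags S keep state
# Default deny, logged
block in log quick on $oif all
block out log quick on $oif all
EOF
}

case ${1:-} in
    ipfw) ipfw_stateful ;;
    ipf)  ipf_stateful ;;
    *)    ipfw_stateful; echo; ipf_stateful ;;
esac
```

Whichever you load, verify it the way Kenzo did above, from outside: a SYN scan against the outside address should report only 22, 25 and 80 open, and a connection started from the LAN should see its replies pass without any inbound rule naming them. The two rulesets differ in evaluation order more than in stateful capability: ipfw walks the numbered list until something matches, so check-state has to come early, whereas ipf needs quick on every rule you want to be final.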
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 28 6:19:45 2003
Date: Mon, 27 Jan 2003 08:06:17 +0200 (SAST)
From: theob@za.uu.net
To: freebsd-security@freebsd.org
Subject: The way forward.......
Message-ID: <20030127073039.U1537@woody.ops.uunet.co.za>

[Body identical to the preceding message.]

From owner-freebsd-security Tue Jan 28 6:42:05 2003
Date: Tue, 28 Jan 2003 09:42:34 -0500 (EST)
From: Matt Piechota
To: theob@za.uu.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.....
In-Reply-To: <20030127152950.U446@woody.ops.uunet.co.za>
Message-ID: <20030128094147.O41703-100000@cithaeron.argolis.org>

On Mon, 27 Jan 2003 theob@za.uu.net wrote:

> This is a question that I'm sure has been posted many a time and one that
> has lead to large debates/conversations, however since I'm new to the list
> and FreeBSD security I need to open it up again.

Posted many times from the same person, apparently. :)

-- 
Matt Piechota

From owner-freebsd-security Tue Jan 28 6:50:43 2003
Date: Tue, 28 Jan 2003 16:50:29 +0200 (SAST)
From: theob@za.uu.net
To: Matt Piechota
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.....
In-Reply-To: <20030128094147.O41703-100000@cithaeron.argolis.org>
Message-ID: <20030128164950.C5326@woody.ops.uunet.co.za>
References: <20030128094147.O41703-100000@cithaeron.argolis.org>

On Tue, 28 Jan 2003, Matt Piechota wrote:

> On Mon, 27 Jan 2003 theob@za.uu.net wrote:
>
> > This is a question that I'm sure has been posted many a time and one that
> > has lead to large debates/conversations, however since I'm new to the list
> > and FreeBSD security I need to open it up again.
>
> Posted many times from the same person, apparently. :)

Sorry about that, I have no idea what happened. I think the storm is over now.

_______________________________________
Theo Bierman - theob@za.uu.net
CIT Team - UUNET SA, a WorldCom Company
http://www.uunet.co.za

From owner-freebsd-security Tue Jan 28 7:09:54 2003
Date: Tue, 28 Jan 2003 15:16:07 +0000
From: Sascha Luck
To: freebsd-security@freebsd.org
Subject: chkrootkit & FBSD-5
Message-ID: <200301281516.16413.bofh@online.ie>
References: <20030128085617.L167@woody.ops.uunet.co.za>
In-Reply-To: <20030128085617.L167@woody.ops.uunet.co.za>

Hello all,

on my CURRENT boxes, chkrootkit (v0.38) reports the following binaries as INFECTED:

chfn
chsh
date
ls
ps

as well as 7 hidden PIDs.

Recompiling/reinstalling the binaries seems to have no effect. I'm tempted to regard these as false positives - anyone else notice this behaviour?

Cheers,
s.
From owner-freebsd-security Tue Jan 28 7:53:10 2003
Date: Wed, 29 Jan 2003 02:52:53 +1100 (Australia/ACT)
From: Darren Reed
To: theob@za.uu.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <200301281552.CAA18768@caligula.anu.edu.au>
In-Reply-To: <20030127073039.U1537@woody.ops.uunet.co.za>

Well let me offer my completely biased opinion and say that unless you want/need to use dummynet, there's no reason to ever use ipfw :-)

From owner-freebsd-security Tue Jan 28 7:56:01 2003
Date: Tue, 28 Jan 2003 09:55:41 -0600
From: Eric Anderson
To: Darren Reed
Cc: theob@za.uu.net, freebsd-security@freebsd.org
Subject: Re: The way forward.......
Message-ID: <3E36A7FD.8000200@centtech.com>
References: <200301281552.CAA18768@caligula.anu.edu.au>

Speaking of that - when is IPFILTER going to have some basic traffic shaping built in so I never have to use IPFW again? :)

Eric

Darren Reed wrote:
> Well let me offer my completely biased opinion and say that unless you
> want/need to use dummynet, there's no reason to ever use ipfw :-)

-- 
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------

From owner-freebsd-security Tue Jan 28 8:36:57 2003
Date: Tue, 28 Jan 2003 08:36:45 -0800
From: Brooks Davis
To: Sascha Luck
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: chkrootkit & FBSD-5
Message-ID: <20030128083645.A4998@Odin.AC.HMC.Edu>
References: <20030128085617.L167@woody.ops.uunet.co.za> <200301281516.16413.bofh@online.ie>
In-Reply-To: <200301281516.16413.bofh@online.ie>

On Tue, Jan 28, 2003 at 03:16:07PM +0000, Sascha Luck wrote:
> Hello all,
>
> on my CURRENT boxes, chkrootkit (v0.38) reports the following binaries
> as INFECTED:
>
> chfn
> chsh
> date
> ls
> ps
>
> as well as 7 hidden PIDs.
>
> recompiling/reinstalling the binaries seems to have no effect. I'm
> tempted to regard these as false positives - anyone else notice this
> behaviour?

Someone else mentioned it to me. They now contain the string "/bin/sh" which chkrootkit looks for. I'd be curious to know why they do.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Tue Jan 28 9:03:16 2003
Date: Tue, 28 Jan 2003 12:02:58 -0500
From: Eric L Howard
To: freebsd-security@freebsd.org
Subject: Re: chkrootkit & FBSD-5
Message-ID: <20030128170258.GH10966@outreachnetworks.com>
References: <20030128085617.L167@woody.ops.uunet.co.za> <200301281516.16413.bofh@online.ie>
In-Reply-To: <200301281516.16413.bofh@online.ie>

At a certain time, now past [Tue, Jan 28, 2003 at 03:16:07PM +0000], Sascha Luck spake thusly:
> Hello all,
>
> on my CURRENT boxes, chkrootkit (v0.38) reports the following binaries
> as INFECTED:
>
> chfn
> chsh
> date
> ls
> ps
>
> as well as 7 hidden PIDs.
>
> recompiling/reinstalling the binaries seems to have no effect. I'm
> tempted to regard these as false positives - anyone else notice this
> behaviour?

The release notes seem to indicate that chkrootkit isn't ready for RELENG_5_0.

~elh

-- 
Eric L. Howard
e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com    313.297.9900
------------------------------------------------------------------------
JabberID: elh@jabber.org
Advocate of the Theocratic Rule

From owner-freebsd-security Tue Jan 28 11:51:59 2003
Date: Tue, 28 Jan 2003 14:46:16 -0500
From: Steve Shorter
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <20030128144615.A79222@nomad.lets.net>
References: <20030127073039.U1537@woody.ops.uunet.co.za> <200301281552.CAA18768@caligula.anu.edu.au>
In-Reply-To: <200301281552.CAA18768@caligula.anu.edu.au>

On Wed, Jan 29, 2003 at 02:52:53AM +1100, Darren Reed wrote:
>
> Well let me offer my completely biased opinion and say that unless you
> want/need to use dummynet, there's no reason to ever use ipfw :-)
>

Hmm ... what if I want to filter on tcpoptions. ipf supports ipopts but I couldn't see anything about tcpoptions.

Reason .... Many SYN flood programs create packets with missing MSS. So it is possible to filter these with the ipfw rule

add 100 deny tcp from someplace to someother tcpoptions !mss setup

Or if I can do this with IPFilter how do I do it.

Sorry if I'm missing something.
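The predicate behind that `tcpoptions !mss setup` rule, as an added example that is not code from the thread or from ipfw: a small Python parser that decodes a raw TCP header, walks its option list, and reports whether a connection-opening segment (SYN set, ACK clear) lacks an MSS option. The segments are constructed inline rather than captured, and all function and sample names are this example's own.

```python
# Added example (not from the thread, not ipfw's code): the check that
# ipfw's "tcpoptions !mss setup" expresses, implemented over a raw TCP header.
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10

OPT_EOL = 0   # end of option list
OPT_NOP = 1   # single-byte padding
OPT_MSS = 2   # maximum segment size; kind, length 4, two data bytes


def parse_tcp_options(area):
    """Walk the option area of a TCP header and return (kind, data) pairs.

    Stops at EOL.  Raises ValueError on a truncated or malformed option,
    so that garbage is never silently taken as 'no MSS present'.
    """
    options = []
    i = 0
    while i < len(area):
        kind = area[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("option kind %d lacks a length byte" % kind)
        length = area[i + 1]
        if length < 2 or i + length > len(area):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        options.append((kind, area[i + 2:i + length]))
        i += length
    return options


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header plus its options."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes
    flags = off_flags & 0x1FF             # NS CWR ECE URG ACK PSH RST SYN FIN
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags,
            "options": parse_tcp_options(segment[20:data_offset])}


def is_setup(flags):
    """ipfw's 'setup' keyword: SYN set and ACK clear (a connection request)."""
    return bool(flags & TCP_FLAG_SYN) and not (flags & TCP_FLAG_ACK)


def mss_value(options):
    """Return the advertised MSS, or None when the option is absent."""
    for kind, data in options:
        if kind == OPT_MSS:
            if len(data) != 2:
                raise ValueError("MSS option with %d data bytes" % len(data))
            return struct.unpack("!H", data)[0]
    return None


def setup_without_mss(segment):
    """True when the segment would match 'tcpoptions !mss setup'."""
    hdr = parse_tcp_header(segment)
    return is_setup(hdr["flags"]) and mss_value(hdr["options"]) is None


def build_tcp(sport, dport, flags, options=b""):
    """Constructed test helper: a TCP header with options padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                        (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options


# Constructed samples (not captured traffic).
SYN_WITH_MSS = build_tcp(40000, 80, TCP_FLAG_SYN, bytes([OPT_MSS, 4, 0x05, 0xB4]))  # MSS 1460
SYN_NO_MSS = build_tcp(40001, 80, TCP_FLAG_SYN)                 # bare SYN, no options
SYN_NOP_ONLY = build_tcp(40002, 80, TCP_FLAG_SYN, b"\x01\x01")  # padding but still no MSS
SYNACK_NO_MSS = build_tcp(80, 40000, TCP_FLAG_SYN | TCP_FLAG_ACK)  # a reply, not 'setup'
BAD_LEN_MSS = build_tcp(40003, 80, TCP_FLAG_SYN, bytes([OPT_MSS, 6, 0x05, 0xB4]))  # length overruns


def classify(segments):
    """Map each named sample to deny/pass; malformed option lists are reported separately."""
    verdicts = {}
    for name, seg in segments.items():
        try:
            verdicts[name] = "deny" if setup_without_mss(seg) else "pass"
        except ValueError as err:
            verdicts[name] = "malformed: %s" % err
    return verdicts


if __name__ == "__main__":
    samples = {"SYN_WITH_MSS": SYN_WITH_MSS, "SYN_NO_MSS": SYN_NO_MSS,
               "SYN_NOP_ONLY": SYN_NOP_ONLY, "SYNACK_NO_MSS": SYNACK_NO_MSS,
               "BAD_LEN_MSS": BAD_LEN_MSS}
    for name, verdict in classify(samples).items():
        print("%-14s %s" % (name, verdict))
```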
-steve

From owner-freebsd-security Tue Jan 28 13:09:27 2003
Date: Tue, 28 Jan 2003 16:03:32 -0500
From: Steve Shorter
To: theob@za.uu.net
Cc: freebsd-security@freebsd.org
Subject: Re: The way forward.......
Message-ID: <20030128160332.A79276@nomad.lets.net>
References: <20030127073039.U1537@woody.ops.uunet.co.za>
In-Reply-To: <20030127073039.U1537@woody.ops.uunet.co.za>

On Mon, Jan 27, 2003 at 08:06:17AM +0200, theob@za.uu.net wrote:
>
> So then is it safe to assume that ipfilter is the best choice for
> statefulness?
>

Depends on how you wish to evaluate them.

> There is also mention that one would have a lot more functionality by using
> ipfw and adding stateful arguments to the rule sets, is this true?
>

Depending on what you want you can have both at the same time.
> While ipfw may not be a true stateful firewall, one can still add in the
> functionality and therefore be able to set up and very secure firewall, but
> how secure would it be against a firewall based on the ipfilter way?

[snip]

> I guess what I'm trying to say is, on an average what do most people use?
> My feel is that ipfilter is the way to go, however since ipfw is FreeBSD
> specific then running a firewall on FreeBSD one should aim at ipfw as
> apposed to ipfilter......
>

Well .. I've got a dedicated FreeBSD router/firewall up front with ipfw *AND* ipfilter compiled in. IPFilter does full stateful filtering and NAT. ipfw doesn't do anything except occasionally some "emergency" or diagnostic stuff that IPFilter can't do. ipfw is compiled default "accept" and ipf is built with default "deny".

The above machine is a gateway for a network of web/mail servers running FreeBSD also. On the internal machines I am running just ipfw in stateless mode only.

So this way I get a 2-layer "onion" firewall/packet management.

-steve

From owner-freebsd-security Wed Jan 29 18:45:26 2003
Date: Wed, 29 Jan 2003 21:45:20 -0500
From: "Scott M. Nolde"
To: theob@za.uu.net
Cc: freebsd-security@freebsd.org
Subject: Re: The way forward
Message-ID: <20030130024520.GJ83557@smnolde.com>
References: <20030128085617.L167@woody.ops.uunet.co.za>
In-Reply-To: <20030128085617.L167@woody.ops.uunet.co.za>

theob@za.uu.net(theob@za.uu.net)@2003.01.28 08:59:27 +0000:
> Hi List
> Thanks

Not to start a flame war either, but I like both and use both ipfw and ipf together. I use ipfw+dummynet for QoS and traffic shaping with a minimal ruleset to pretty much allow all. After the packets are processed by ipfw, they're passed to ipf which does the really hard stuff: stateful packet inspection and NAT. ipnat is nice because it's in kernel space and faster than natd. I also find that ipf has some nice tools and utilities you don't have with ipfw.

I'm new to ipf, and using it isn't much different than ipfw, but I've been told by reliable sources that if you're handling lots of traffic and require stateful inspection then ipf is the way to go.

Print the ipfw man page out as well as the ipf how-to. I've got copies of both. There's more info in both of those documents than my brain can handle on most days.

I have a sample ipfw script which might help you in setting up a queuing and traffic-shaping pass-all packet filter. I use a version of this myself. Customize at will:

https://www.smnolde.com/ipfw/ipfw-queue-bw-only

Give ipf and ipfw a whirl and get the best out of both. I also hear there's ALTQ coming to ipf in FreeBSD and there are patches for it, if you want to try it.
-- 
Scott Nolde
GPG Key 0xD869AB48

From owner-freebsd-security Thu Jan 30 7:22:22 2003
Date: Thu, 30 Jan 2003 09:20:26 -0600
From: "Jacques A. Vidrine"
To: Vladimir Terziev
Cc: hackers@FreeBSD.ORG, security@freebsd.org
Subject: Re: Kerberos & OpenSSH+GSSAPI problem
Message-ID: <20030130152025.GB73428@opus.celabo.org>
References: <20030130114401.38eeffa2.vlady@sun-fish.com>
In-Reply-To: <20030130114401.38eeffa2.vlady@sun-fish.com>

You mailed me personally; you mailed the MIT Kerberos list; and you cross-posted on (at least) two FreeBSD mailing lists, all at approximately the same time. Please don't do that: it is rude. At least wait for replies in one area before launching into another.

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Jan 30 8:21:30 2003
Date: Fri, 31 Jan 2003 00:21:52 +0800
From: Ng Pheng Siong
To: Steve Shorter
Cc: theob@za.uu.net, freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <20030130162152.GA40750@vista.netmemetic.com>
References: <20030127073039.U1537@woody.ops.uunet.co.za> <20030128160332.A79276@nomad.lets.net>
In-Reply-To: <20030128160332.A79276@nomad.lets.net>

On Tue, Jan 28, 2003 at 04:03:32PM -0500, Steve Shorter wrote:
> On the internal machines I am running just ipfw in
> stateless mode only.

Any specific reason why?

I find myself writing stateful rules as a matter of habit, whether the machine is a gateway or not.

Cheers.
-- Ng Pheng Siong * http://www.netmemetic.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 30 9:46:58 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AC6937B401 for ; Thu, 30 Jan 2003 09:46:56 -0800 (PST) Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AD8843F79 for ; Thu, 30 Jan 2003 09:46:54 -0800 (PST) (envelope-from steve@nomad.tor.lets.net) Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 221764B7DD3 for ; Thu, 30 Jan 2003 12:46:52 -0500 (EST) Received: (qmail 80818 invoked by uid 1001); 30 Jan 2003 17:41:12 -0000 Date: Thu, 30 Jan 2003 12:41:12 -0500 From: Steve Shorter To: Ng Pheng Siong Cc: freebsd-security@FreeBSD.ORG Subject: Re: The way forward....... Message-ID: <20030130124112.A80796@nomad.lets.net> References: <20030127073039.U1537@woody.ops.uunet.co.za> <20030128160332.A79276@nomad.lets.net> <20030130162152.GA40750@vista.netmemetic.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20030130162152.GA40750@vista.netmemetic.com>; from ngps@netmemetic.com on Fri, Jan 31, 2003 at 12:21:52AM +0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jan 31, 2003 at 12:21:52AM +0800, Ng Pheng Siong wrote: > On Tue, Jan 28, 2003 at 04:03:32PM -0500, Steve Shorter wrote: > > On the internal machines I am running just ipfw in > > stateless mode only. > > Any specific reason why? > > I find myself writing stateful rules as a matter of habit, whether the > machine is a gateway or not. 
>

These are high volume web servers. To keep redundant state information on all of these machines is a waste of resources and defeats much of the purpose of breaking out a dedicated machine for firewalling. A good webserver does not necessarily make a good stateful firewall. A good firewall can suck as a webserver. Because of ipfilter up front, the rules on these machines are very economical and highly efficient.

Best not to have too many habits uncritically applied. Stateful firewalls are easily ruined by SYN flood attacks. There are situations where stateful firewalling is inappropriate and unnecessary.

-steve

From owner-freebsd-security Fri Jan 31 4: 3:35 2003
Date: Fri, 31 Jan 2003 15:05:12 +0300
From: dawnshade
X-Mailer: The Bat!
(v1.62 Christmas Edition)
Reply-To: dawnshade
Message-ID: <74365074589.20030131150512@mail.ru>
To: freebsd-security@freebsd.org
Subject: strange packets

Hello All,

Sometimes I see these records in the Snort alert log:

------------------------
[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/29/03-23:34:34.582889 212.68.201.5 -> my.net.56.160
ICMP TTL:47 TOS:0x0 ID:61571 IpLen:20 DgmLen:76
Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.160:12709 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:3455 IpLen:20 DgmLen:40
*2U***SF Seq: 0x54800000 Ack: 0x105A3E Win: 0x0 TcpLen: 40
** END OF DUMP

[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-03:38:34.722373 212.68.201.5 -> my.net.56.163
ICMP TTL:47 TOS:0x0 ID:55712 IpLen:20 DgmLen:76
Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.163:2058 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:256 IpLen:20 DgmLen:40
12UAPRS* Seq: 0x14A80000 Ack: 0x24439 Win: 0x0 TcpLen: 36
** END OF DUMP

[**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-04:30:45.313200 212.68.201.5 -> my.net.56.151
ICMP TTL:47 TOS:0x0 ID:5550 IpLen:20 DgmLen:76
Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.net.56.151:28011 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:256 IpLen:20 DgmLen:40
*2*APRSF Seq: 0x38E60000 Ack: 0x50180F Win: 0x0 TcpLen: 12
** END OF DUMP

[**] [1:404:4] ICMP Destination Unreachable (Protocol
Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
01/30/03-04:53:32.286139 212.68.201.5 -> my.router.246.1
ICMP TTL:47 TOS:0x20 ID:45640 IpLen:20 DgmLen:76
Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
my.router.246.1:28163 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:256 IpLen:20 DgmLen:40
1*U***S* Seq: 0x1CC40000 Ack: 0x40F437 Win: 0x0 TcpLen: 44
** END OF DUMP
------------------------

Why does 212.68.201.5 send replies to broadcasts, and why the strange flags in the packet?? I didn't find any more activity from this IP in the log file.

Snort 1.9.0, FreeBSD 4.5 Release #0.

--
...The daemons find works for the idle hands....

From owner-freebsd-security Fri Jan 31 9:44: 1 2003
From: paleph@pacbell.net
Message-Id: <200301311811.h0VIBRQ02321@pacbell.net>
Subject: question on Kerberos vs Heimdal
To: freebsd-security@FreeBSD.ORG
Date: Fri, 31 Jan 2003 10:11:27 -0800 (PST)

Hi. I have a utility that I want to "kerberos'ize" and have a few questions.
1. Which package is becoming the standard: MIT Kerberos or Heimdal?

2. Where can I find documentation/man pages on the ABI for each?

I started looking through the various daemons and clients for each package to see how they were modified. I quickly discovered that a number of the interfaces being used were not documented and I couldn't find man pages for them in either package. I was able to find some documentation for one or two interfaces by doing a google search, but I am still missing documentation on many of them.

Any help would be appreciated...

Paul Fronberg
paleph@pacbell.net

From owner-freebsd-security Fri Jan 31 15: 9:25 2003
Date: Fri, 31 Jan 2003 18:09:18 -0500
From: Ralph Dratman
Subject: SSHD suddenly takes SIX MINUTES to authenticate
To: freebsd-security@freebsd.org

Suddenly I cannot SSH to one of my FreeBSD
servers. This is true from every SSH client on every computer I've tried. My sshd setup had worked fine for several years until just yesterday. I am now getting "Timeout before authentication" errors in the system log. I can SSH normally to other hosts.

On this host I am running FreeBSD 4.3.

For testing, I killed the running sshd task, then started a new one using the -d (debug) switch. Now if I wait long enough I eventually get logged in.

Can anyone help me figure out what the problem might be? Following is the sshd console output showing a VERY slow login attempt - it took about six minutes to connect! (I'm guessing the debug switch turns off timeouts.) Also after the long delay, the client screen says: debug: krb5_cleanup_proc() called.

Thanks in advance for any suggestions.

----------------------------------
root@kq9 Fri Jan 31 17:07:52 /etc/ssh#/usr/sbin/sshd -d
debug: sshd version OpenSSH_2.2.0
debug: read DSA private key done
debug: Bind to port 22 on ::.
Server listening on :: port 22.
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from router.dratman.com port 4656
Connection from 192.168.1.1 port 4656
debug: Client protocol version 2.0; client software version PuTTY-Release-0.53b
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH_2.2.0
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-rsa,ssh-dss
debug: got kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug: got kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug: got kexinit: hmac-sha1,hmac-md5,none
debug: got kexinit: hmac-sha1,hmac-md5,none
debug: got kexinit: none,zlib,none
debug: got kexinit: none,zlib,none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: client->server blowfish-cbc hmac-sha1 none
debug: kex: server->client blowfish-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 514/1024
debug: bits set: 529/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user rd service ssh-connection method none
Failed none for rd from 192.168.1.1 port 4656 ssh2
debug: userauth-request for user rd service ssh-connection method password
Accepted password for rd from 192.168.1.1 port 4656 ssh2
debug: Entering interactive session for SSH2.
debug: server_init_dispatch_20
debug: channel_input_open: ctype session rchan 256 win 16384 max 16384
debug: open session
debug: channel 0: new [server-session]
debug: session_new: init
debug: session_new: session 0
debug: session_open: channel 0
debug: session_open: session 0: link with channel 0
debug: confirm session
debug: callback start
debug: session_by_channel: session 0 channel 0
debug: session_input_channel_req: session 0 channel 0 request pty-req reply 1
debug: session_pty_req: session 0 alloc /dev/ttyp1
debug: callback done
debug: callback start
debug: session_by_channel: session 0 channel 0
debug: session_input_channel_req: session 0 channel 0 request shell reply 1
debug: no set_nonblock for tty fd 4
debug: Setting controlling tty using TIOCSCTTY.
debug: no set_nonblock for tty fd 3
debug: callback done
debug: channel 0: rcvd adjust 59
debug: channel 0: rcvd adjust 62
debug: channel 0: rcvd adjust 69
debug: channel 0: rcvd adjust 64
debug: channel 0: rcvd adjust 2
debug: channel 0: rcvd adjust 21
debug: channel 0: rcvd adjust 2
debug: channel 0: rcvd adjust 35
debug: channel 0: rcvd adjust 14
debug: channel 0: rcvd adjust 108
debug: channel 0: rcvd adjust 21
debug: channel 0: rcvd adjust 15
debug: channel 0: rcvd adjust 24
debug: channel 0: rcvd adjust 11
debug: channel 0: rcvd adjust 14
debug: channel 0: rcvd adjust 116
debug: channel 0: rcvd adjust 29
debug: channel 0: rcvd adjust 2
debug: channel 0: rcvd adjust 29

From owner-freebsd-security Fri Jan 31 15:31:55 2003
Date: Fri, 31 Jan 2003 18:31:45 -0500
From: Brian Reichert
To: Ralph Dratman
Cc: freebsd-security@freebsd.org
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030131233145.GJ6122@numachi.com>

On Fri, Jan 31, 2003 at 06:09:18PM -0500, Ralph Dratman wrote:
> Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> every SSH client on every computer I've tried. My sshd setup had
> worked fine for several years until just yesterday. I am now getting
> "Timeout before authentication" errors in the system log. I can SSH
> normally to other hosts.

Reverse lookups changed, maybe?

--
Brian 'you Bastard' Reichert
37 Crystal Ave. #303                    Daytime number: (603) 434-6842
Derry NH 03038-1713 USA                 BSD admin/developer at large

From owner-freebsd-security Fri Jan 31 17: 1:48 2003
X-message-flag: Warning!
Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030131175641.0290b720@localhost>
Date: Fri, 31 Jan 2003 17:58:03 -0700
To: Ralph Dratman , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate

At 04:09 PM 1/31/2003, Ralph Dratman wrote:
>Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
>every SSH client on every computer I've tried. My sshd setup had worked
>fine for several years until just yesterday. I am now getting "Timeout
>before authentication" errors in the system log. I can SSH normally to
>other hosts.

Sounds like a DNS problem. Sendmail also starts up slowly or hangs when there's no DNS. Relying on DNS to work is a bug, since it can compound problems during network outages.
--Brett

From owner-freebsd-security Fri Jan 31 17: 6: 9 2003
Message-ID: <3E3B1D71.21CFBD42@ursine.com>
Date: Fri, 31 Jan 2003 17:05:53 -0800
From: Michael Bryan
To: Ralph Dratman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate

Ralph Dratman wrote:
>
> Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> every SSH client on every computer I've tried. My sshd setup had
> worked fine for several years until just yesterday. I am now getting
> "Timeout before authentication" errors in the system log. I can SSH
> normally to other hosts.
>
> On this host I am running FreeBSD 4.3.

There was a bug in older versions of OpenSSH, with symptoms exactly matching what you're seeing. For every connection, sshd would do a DNS lookup of the special krb5-realm domain. (It did this even if Kerberos support was disabled.)
However, it would start out by looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine. Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com, then krb5-realm.com. If the nameservers set up to host krb5-realm.com stop responding to requests, then these DNS lookups take a long time, waiting to eventually time out.

The effect on a setup such as yours would be that things would -normally- work ok. But when those name servers for krb5-realm.com went out, long connection delays would be seen to the buggy SSH servers.

I'm not sure when the problem was fixed. (I thought maybe FreeBSD 4.3, but you're running 4.3, so maybe it was in 4.4?) But recent versions of FreeBSD have a better-behaved version of OpenSSH.

Also, general nameserver problems in your own network can cause this. Basically, anything that causes DNS lookups to time out (as opposed to return a success or failure code) will make the SSH login process take much longer. If you can trace the DNS packets generated by sshd, you should be able to see exactly what's causing the problem. (One way to trace them would be to point the ssh system to a BIND DNS server, and run "ndc trace on" to start logging all requests/responses on the dns server.)
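The lookup walk Michael Bryan describes, modelled as an added example (this is not code from the thread, from OpenSSH or from FreeBSD). It lists the krb5-realm.* names an affected sshd would query for a connecting host, adds up the delay when the top of the tree never answers, and shows how the DNS trace he suggests can be turned into a check: any client that appears in the resolver's query log asking for krb5-realm.* is still doing the walk. Assumptions, labelled in the code: the walk starts at the host's own domain and moves one label up on NXDOMAIN, a TXT answer ends it, an unanswered query costs one full resolver timeout (75 s here is a constructed figure), and the sample log lines are constructed in a BIND 9 querylog-like shape with RFC 5737 addresses and example.com names, not real output.

```python
"""Added example: model the krb5-realm.* lookup walk and flag it in a
resolver query log.  Not code from the thread, OpenSSH or FreeBSD.

Assumptions (not facts from the thread): the walk starts at the client's
domain (host label dropped), NXDOMAIN moves one label up, a TXT answer ends
the walk, and a query nobody answers costs one full resolver timeout.
"""
import re
from collections import defaultdict

REALM_PREFIX = "krb5-realm."


def krb5_realm_candidates(hostname):
    """Ordered names an affected sshd would query for HOSTNAME, e.g.
    host.sales.example.com -> krb5-realm.sales.example.com,
    krb5-realm.example.com, krb5-realm.com (the walk ends at the TLD)."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    domain = labels[1:]                      # drop the host's own label
    return [REALM_PREFIX + ".".join(domain[i:]) for i in range(len(domain))]


def simulate_walk(hostname, outcomes, query_timeout_s=75):
    """Walk the candidates against a simulated resolver.

    OUTCOMES maps name -> "answer" | "nxdomain" | "timeout"; names missing
    from the map count as "timeout" (nobody answers, as when the public
    krb5-realm.com servers stopped responding).  Returns the total seconds
    spent waiting and a list of (name, outcome, seconds) steps.
    """
    steps, total = [], 0
    for name in krb5_realm_candidates(hostname):
        outcome = outcomes.get(name, "timeout")
        cost = query_timeout_s if outcome == "timeout" else 0
        total += cost
        steps.append((name, outcome, cost))
        if outcome == "answer":              # a realm was found: walk stops
            break
    return total, steps


# Only the "client A.B.C.D#port: query: NAME IN TYPE" fragment is parsed.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)")


def find_realm_probes(log_text):
    """Group krb5-realm.* queries by the client that sent them.  A host
    listed here still runs software doing the walk and is exposed to
    whatever happens to krb5-realm.com's name servers."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("name").lower().startswith(REALM_PREFIX):
            probes[m.group("client")].append(m.group("name"))
    return dict(probes)


# Constructed sample log (BIND 9 querylog-like shape, RFC 5737 addresses).
SAMPLE_QUERY_LOG = """\
31-Jan-2003 17:07:55.123 client 192.0.2.27#1025: query: router.example.com IN A +
31-Jan-2003 17:07:56.001 client 192.0.2.27#1026: query: krb5-realm.example.com IN TXT +
31-Jan-2003 17:09:11.500 client 192.0.2.27#1027: query: krb5-realm.com IN TXT +
31-Jan-2003 17:09:12.000 client 192.0.2.5#2048: query: mail.example.net IN MX +
"""

if __name__ == "__main__":
    # Scenario from the thread: the local zones answer NXDOMAIN quickly,
    # the servers for krb5-realm.com do not answer at all.
    outcomes = {"krb5-realm.sales.example.com": "nxdomain",
                "krb5-realm.example.com": "nxdomain"}
    total, steps = simulate_walk("host.sales.example.com", outcomes)
    for name, outcome, cost in steps:
        print(f"{name:32s} {outcome:9s} +{cost}s")
    print(f"login delayed by {total}s before authentication can proceed")
    print("clients still doing the walk:", find_realm_probes(SAMPLE_QUERY_LOG))
```

The simulation makes the failure mode visible: the two local lookups cost nothing because they return a definite NXDOMAIN, while the single query that nobody answers accounts for the whole delay, which is exactly why Bryan distinguishes a lookup that times out from one that returns a failure code. Running `find_realm_probes` over a real query log (after enabling query logging on the resolver, as the message suggests) gives an inventory of hosts to upgrade rather than waiting for the next slow login to reveal them.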
From owner-freebsd-security Fri Jan 31 17:50:52 2003
Date: Fri, 31 Jan 2003 19:51:29 -0600
From: Pete Ehlke
To: Michael Bryan
Cc: Ralph Dratman , freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030201015129.GA27949@rfc822.net>
References: <3E3B1D71.21CFBD42@ursine.com>
In-Reply-To: <3E3B1D71.21CFBD42@ursine.com>

On Fri, Jan 31, 2003 at 05:05:53PM -0800, Michael Bryan wrote:
> Ralph Dratman wrote:
> >
> > Suddenly I cannot SSH to one of my FreeBSD servers. This is true from
> > every SSH client on every computer I've tried. My sshd setup had
> > worked fine for several years until just yesterday. I am now getting
> > "Timeout before authentication" errors in the system log. I can SSH
> > normally to other hosts.
> >
> > On this host I am running FreeBSD 4.3.
>
> There was a bug in older versions of OpenSSH, with symptoms exactly
> matching what you're seeing. For every connection, sshd would do
> a DNS lookup of the special krb5-realm domain.
> (It did this even
> if Kerberos support was disabled.) However, it would start out by
> looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine.
> Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com,
> then krb5-realm.com. If the nameservers setup to host krb5-realm.com
> stop responding to requests, then these DNS lookups take a long time,
> waiting to eventually timeout.
>
Right. And the DNS for krb5-realm.com is, to put it politely, a mess.

ISTR seeing something about changes to krb5-realm.com on nanog a couple of weeks ago. You may want to check the archives.

Or, y'know. Upgrade openssh ;)

-P.

From owner-freebsd-security Fri Jan 31 18:18:11 2003
Date: Fri, 31 Jan 2003 18:18:15 -0800
From: Greg White
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030131181815.A42597@greg.cex.ca>
References: <3E3B1D71.21CFBD42@ursine.com> <20030201015129.GA27949@rfc822.net>
In-Reply-To: <20030201015129.GA27949@rfc822.net>; from pde@rfc822.net on Fri, Jan 31, 2003 at 07:51:29PM -0600
On Fri Jan 01/31/03, 2003 at 07:51:29PM -0600, Pete Ehlke wrote:
> Right. And the DNS for krb5-realm.com is, to put it politely, a mess.
>
> ISTR seeing something about changes to krb5-realm.com on nanog a couple
> of weeks ago. You may want to check the archives.

And if you owned and operated krb5-realm.com, you wouldn't do what they appear to have done? This massive bug in openssh must have bit these poor guys pretty hard....

> Or, y'know. Upgrade openssh ;)

And I'm sure that when you do, the poor suckers who O&O that got absolutely _fscked_ by this bit of silliness will thank you. :) Were I them, I might have simply NXDOMAIN'd the whole domain, if it were possible...Imagine the traffic!

--
Greg White

From owner-freebsd-security Sat Feb 1 2: 1:45 2003
Message-ID: <3E3B9B03.6ACE7B96@xs4all.nl>
Date: Sat, 01 Feb 2003 11:01:39 +0100
From: bas
To: freebsd-security@FreeBSD.ORG
Subject: krb5-realm.com
References: <3E3B1D71.21CFBD42@ursine.com> <20030201015129.GA27949@rfc822.net> <20030131181815.A42597@greg.cex.ca>
Isn't it a bad thing if every sshd in the world ends up contacting krb5-realm.com by default? Is this also true for newer versions of sshd (with kerberos disabled)? I mean, it may make the owners of krb5-realm.com powerful beings. Sounds a bit .NET to me.

From owner-freebsd-security Sat Feb 1 14:53:33 2003
Message-ID: <3E3C4FE7.99F00ED9@xs4all.nl>
Date: Sat, 01 Feb 2003 23:53:27 +0100
From: bas
To: freebsd-security@freebsd.org
Subject: Re: krb5-realm.com
References: <3E3B1D71.21CFBD42@ursine.com> <20030201015129.GA27949@rfc822.net> <20030131181815.A42597@greg.cex.ca> <3E3B9B03.6ACE7B96@xs4all.nl> <20030201214607.GA16797@rot13.obsecurity.org>

> > krb5-realm.com powerful beings. sounds a bit .NET to me.
>
> What evidence do you have that this is true?
>
> Kris

That is how I interpret the earlier mail:

> > However, it would start out by
> > looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine.
> > Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com,
> > then krb5-realm.com. If the nameservers setup to host krb5-realm.com
> > stop responding to requests, then these DNS lookups take a long time,
> > waiting to eventually timeout.
>
> Right. And the DNS for krb5-realm.com is, to put it politely, a mess.

From owner-freebsd-security Sat Feb 1 15:23:55 2003
Message-ID: <000701c2ca4a$74d0b220$0200a8c0@w0r>
From: "port001"
To: "FreeBSD-Security"
Subject: Messages to ttyv0
Date: Sat, 1 Feb 2003 23:34:25 -0000

Even when logged out on ttyv0, messages show up. Is this a feature or an oversight? I personally see it as an oversight.

Using fbsd 4.7-release-p1.
Cheers List

From owner-freebsd-security Sat Feb 1 15:41: 8 2003
Date: Sun, 2 Feb 2003 00:40:55 +0100
From: Philip Paeps
To: port001
Cc: FreeBSD-Security
Subject: Re: Messages to ttyv0
Message-ID: <20030201234055.GJ637@juno.home.paeps.cx>
References: <000701c2ca4a$74d0b220$0200a8c0@w0r>
In-Reply-To: <000701c2ca4a$74d0b220$0200a8c0@w0r>
X-PGP-Fingerprint: FA74 3C27 91A6 79D5 F6D3 FC53 BF4B D0E6 049D B879
X-Message-Flag: Get a proper mailclient!
Mutt:

On 2003-02-01 23:34:25 (-0000), port001 wrote:
> even when logged out on ttyv0 messages show up, is this a feature or an
> oversight?

It's a feature.

> I personaly see it as an oversight.

Nope. By default (ie: unless you put it elsewhere) ttyv0 is your console, where important things go. You can change where things go in syslog.conf. You could also grab the console with X11, or throw it out of your serial port, depending on what you need or what you want.

- Philip

--
Philip Paeps                            Please don't CC me, I am
philip@paeps.cx                         subscribed to the list.

No experiment is ever a complete failure. It can always be used as a bad example.

From owner-freebsd-security Sat Feb 1 16: 5:56 2003
Date: Sat, 1 Feb 2003 17:08:01 -0700
From: Duncan Patton a Campbell
To: "port001"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Messages to ttyv0
Message-Id:
<20030201170801.72ae0336.campbell@neotext.ca> In-Reply-To: <000701c2ca4a$74d0b220$0200a8c0@w0r> References: <000701c2ca4a$74d0b220$0200a8c0@w0r> Organization: Index Express Ltd. X-Mailer: Sylpheed version 0.8.6 (GTK+ 1.2.10; i386-unknown-freebsd4.7) Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="=.BswevA/HpMMNGM" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --=.BswevA/HpMMNGM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Actually, it is a feature of the unix operating system in keeping with some of the more basic philosophic tennants that have guided its composition over the years, e.g. errors and system notice/warnings are not to be hidden, and that it should instruct the user as to its innner workings. It annoys the shit out of me sometimes, but its usefull to know whats going down. This is off-topic, I spose, but in some sense salient to system security. Dhu On Sat, 1 Feb 2003 23:34:25 -0000 "port001" wrote: > even when logged out on ttyv0 messages show up, is this a feature or an > oversight? > > I personaly see it as an oversight. > > Using fbsd 4.7-release-p1. 
> > Cheers List > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --=.BswevA/HpMMNGM Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE+PGFhXgQtJ7uBra8RAk4YAJ916cSJBjAfuThGtF/H/1aYDfoujACgtca7 OMmezHSK0uYfFq0w/zisi7U= =RpB6 -----END PGP SIGNATURE----- --=.BswevA/HpMMNGM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 1 19:55:45 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFFB237B401 for ; Sat, 1 Feb 2003 19:55:42 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15DEA43E4A for ; Sat, 1 Feb 2003 19:55:42 -0800 (PST) (envelope-from nectar@celabo.org) Received: from opus.celabo.org (opus.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 384662D; Sat, 1 Feb 2003 21:55:41 -0600 (CST) Received: by opus.celabo.org (Postfix, from userid 1001) id 1BEA45A22; Sat, 1 Feb 2003 21:53:11 -0600 (CST) Date: Sat, 1 Feb 2003 21:53:10 -0600 From: "Jacques A. Vidrine" To: Michael Bryan Cc: Ralph Dratman , freebsd-security@FreeBSD.ORG Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate Message-ID: <20030202035310.GA14640@opus.celabo.org> Mail-Followup-To: "Jacques A. 
Vidrine" , Michael Bryan , Ralph Dratman , freebsd-security@FreeBSD.ORG References: <3E3B1D71.21CFBD42@ursine.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3E3B1D71.21CFBD42@ursine.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jan 31, 2003 at 05:05:53PM -0800, Michael Bryan wrote: > There was a bug in older versions of OpenSSH, with symptoms exactly > matching what you're seeing. For every connection, sshd would do > a DNS lookup of the special krb5-realm domain. (It did this even > if Kerberos support was disabled.) However, it would start out by > looking for krb5-realm.yoursubdomain.yourdomain.com, which is fine. > Then it would start stepping up the tree, checking for krb5-realm.yourdomain.com, > then krb5-realm.com. If the nameservers setup to host krb5-realm.com > stop responding to requests, then these DNS lookups take a long time, > waiting to eventually timeout. Actually, that was a Heimdal (not OpenSSH) mis-feature. See src/crypto/heimdal/lib/krb5/get_host_realm.c:dns_find_realm for the current state of affairs. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 1 19:58:51 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BABFB37B401 for ; Sat, 1 Feb 2003 19:58:48 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3301943F43 for ; Sat, 1 Feb 2003 19:58:48 -0800 (PST) (envelope-from nectar@celabo.org) Received: from opus.celabo.org (opus.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id B9A9E2D; Sat, 1 Feb 2003 21:58:47 -0600 (CST) Received: by opus.celabo.org (Postfix, from userid 1001) id A140D5A22; Sat, 1 Feb 2003 21:56:17 -0600 (CST) Date: Sat, 1 Feb 2003 21:56:17 -0600 From: "Jacques A. Vidrine" To: bas Cc: freebsd-security@FreeBSD.ORG Subject: Re: krb5-realm.com Message-ID: <20030202035617.GB14640@opus.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , bas , freebsd-security@FreeBSD.ORG References: <3E3B1D71.21CFBD42@ursine.com> <20030201015129.GA27949@rfc822.net> <20030131181815.A42597@greg.cex.ca> <3E3B9B03.6ACE7B96@xs4all.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3E3B9B03.6ACE7B96@xs4all.nl> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Feb 01, 2003 at 11:01:39AM +0100, bas wrote: > isnt it a bad thing if every sshd on the world ends up contacting > krb5-realm.com by default? is this also true for newer versions of sshd > (with kerberos disabled)? i mean it may make the owners of > krb5-realm.com powerful beings. sounds a bit .NET to me. 
Well it could conceivably cause breakage (as described), but nothing worse. The krb5-realm.com domain administrator cannot possibly leverage the situation in order to subvert authentication. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
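The realm-discovery walk that Michael Bryan describes in the SSHD thread above, and that Jacques Vidrine attributes to Heimdal rather than OpenSSH, can be modelled offline to see why one unresponsive nameserver turns into a per-connection login delay. The following is an added example for this archive, not Heimdal's dns_find_realm and not any OpenSSH code: it builds the candidate list the way the thread describes (krb5-realm.<host's domain>, then one label up at a time, ending at krb5-realm.com) and runs it against a constructed resolver table. The hostnames, the resolver answers, and the timeout and retry values are assumptions made for the simulation; nothing here performs real DNS queries.

```python
"""Simulation of the krb5-realm.<domain> lookup walk described in the thread.

NOT Heimdal's or OpenSSH's code. The resolver table, hostnames, timeouts and
retry counts below are constructed for illustration only.
"""
from typing import Dict, List, Optional, Tuple

PREFIX = "krb5-realm."  # label prefix named in the thread

# Constructed resolver table (assumption, not real DNS data):
#   "NXDOMAIN" -> authoritative "no such name", answered at once
#   "TIMEOUT"  -> the nameserver never answers (the krb5-realm.com case)
#   any other  -> a TXT answer naming a realm
DEAD_TLD_RESOLVER: Dict[str, str] = {
    "krb5-realm.sub.example.com": "NXDOMAIN",
    "krb5-realm.example.com": "NXDOMAIN",
    "krb5-realm.com": "TIMEOUT",
}

# Same site, but the local zone publishes a realm, so the walk stops early.
LOCAL_REALM_RESOLVER: Dict[str, str] = {
    "krb5-realm.sub.example.com": "NXDOMAIN",
    "krb5-realm.example.com": "EXAMPLE.COM",
    "krb5-realm.com": "TIMEOUT",
}


def realm_candidates(hostname: str) -> List[str]:
    """Names queried for a host, most specific first.

    For 'box.sub.example.com' the walk starts at the host's own domain
    (krb5-realm.sub.example.com) and ends at krb5-realm.com, a name that
    belongs to whoever registered that TLD-level domain.
    """
    labels = hostname.rstrip(".").split(".")
    domains = [".".join(labels[i:]) for i in range(1, len(labels))]
    return [PREFIX + d for d in domains]


def find_realm(hostname: str, resolver: Dict[str, str],
               timeout: float = 5.0, retries: int = 3,
               ) -> Tuple[Optional[str], float, List[str]]:
    """Walk the candidates; return (realm, simulated seconds, names asked).

    A query nobody answers is retried `retries` times, each attempt costing
    `timeout` simulated seconds, before the walk moves to the next name.
    Negative answers are treated as instantaneous. Nothing sleeps for real.
    Names absent from the table are treated as NXDOMAIN (assumption).
    """
    elapsed = 0.0
    asked: List[str] = []
    for name in realm_candidates(hostname):
        asked.append(name)
        answer = resolver.get(name, "NXDOMAIN")
        if answer == "TIMEOUT":
            elapsed += timeout * retries
            continue
        if answer == "NXDOMAIN":
            continue
        return answer, elapsed, asked
    return None, elapsed, asked


def login_delay(hostname: str, resolver: Dict[str, str],
                lookups_per_login: int = 1, **kw) -> float:
    """Seconds a login waits if sshd repeats the walk `lookups_per_login` times.

    The thread says the lookup happened on every connection even with
    Kerberos disabled; the count is a knob for the simulation, not a fact
    about any particular sshd build.
    """
    _, per_walk, _ = find_realm(hostname, resolver, **kw)
    return per_walk * lookups_per_login


if __name__ == "__main__":
    host = "box.sub.example.com"  # constructed hostname
    for label, table in (("dead TLD server", DEAD_TLD_RESOLVER),
                         ("local realm published", LOCAL_REALM_RESOLVER)):
        realm, secs, asked = find_realm(host, table)
        print(f"{label}: realm={realm!r} after {secs:.0f}s, asked {asked}")
```

The second table shows the behaviour the thread implies for sites that do publish a realm record: the walk never reaches the third-party name, so a dead krb5-realm.com costs nothing. With the first table the walk returns no realm at all, but only after paying the full retry budget for the TLD-level name on every lookup, which is the "takes a long time, waiting to eventually time out" symptom. In keeping with Vidrine's reply, the simulation also makes clear that the only thing the outside domain contributes is latency; the walk yields a realm name, not an authentication decision.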