From owner-freebsd-security@FreeBSD.ORG Mon Jul 21 09:50:54 2003
From: "Drew Tomlinson"
To: "Hajimu UMEMOTO"
cc: freebsd-security@freebsd.org
Date: Mon, 21 Jul 2003 09:50:17 -0700
Message-ID: <011501c34fa8$3ed6cb30$6e2a6ba5@lc.ca.gov>
References: <039801c34d60$c3e59cb0$6e2a6ba5@lc.ca.gov> <03cf01c34d6a$f3002150$6e2a6ba5@lc.ca.gov>
Subject: Re: ASMTP setup on 4.8
List-Id: Security issues [members-only posting]

----- Original Message -----
From: "Hajimu UMEMOTO"
To: "Drew Tomlinson"
Cc: "Chris Boyd" ;
Sent: Friday, July 18, 2003 1:57 PM
Subject: Re: ASMTP setup on 4.8

> Hi,
>
> >>>>> On Fri, 18 Jul 2003 13:26:56 -0700
> >>>>> "Drew Tomlinson" said:
>
> > > Okay, I found the problem, and I've just committed the fix. Please
> > > re-cvsup and try it.
>
> drew> Thanks!!!
>
> You are welcome.
>
> > > drew> It's been a few weeks since I looked at it but I recall having
> > > drew> to create a /usr/local/lib/sasl2/smtpd.conf file. What should the
> > > drew> correct contents be?
> >
> > Though I have no experience with postfix, I heard that
> > /usr/local/lib/sasl2/smtpd.conf is for postfix. Are you using
> > sendmail? If so, it should be /usr/local/lib/sasl2/Sendmail.conf.
>
> drew> Yes, I'm using Postfix.
>
> I see. Is your postfix able to access /var/state/saslauthd? It
> should be:
>
> drwxrwx--- 2 cyrus mail 512 Jul 19 04:52 saslauthd

Yes, mine is like this and Postfix is a member of the mail group.

> Old cyrus-sasl2 port made the directory with wrong permission, and
> postfix couldn't access it. This problem was corrected. I believe
> postfix user belongs to mail group, so that postfix can access the
> directory.
>
> Oops, I didn't answer your question. If you want to use saslauthd for
> plain text password, the correct contents of smtpd.conf should be:
>
> pwcheck_method: saslauthd

I have this. /var/log/maillog shows:

Jul 21 09:34:38 blacklamb postfix/smtpd[66225]: warning: SASL authentication failure: no user in db
Jul 21 09:34:38 blacklamb postfix/smtpd[66225]: warning: SASL authentication failure: no secret in database

I have also tried "pwcheck_method: pam" but then /var/log/maillog shows:

Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL authentication problem: unknown password verifier
Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: unknown[165.107.42.110]: SASL LOGIN authentication failed

Chris Boyd posted he had success by adding the following to /etc/rc.conf:

sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a getpwent"

Is this preferred over the script in /usr/local/etc/rc.d?

Still confused.

Thanks,

Drew

P.S. Thanks for fixing the man page. Looks good now!
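The checks this thread walks through (the pwcheck_method line in smtpd.conf, the mode and group of /var/state/saslauthd, postfix's membership in the mail group, the maillog warnings quoted above, and the empty smtpd_sasl_local_domain that the thread's last message identifies as the actual cause) gathered into one script. This is an added example, not code from the thread or from the postfix and cyrus-sasl2 ports. Every check takes the file or directory to inspect as an argument, and the stand-alone run at the bottom builds a constructed copy of those files under a temporary directory; the group expected on the saslauthd directory is a parameter because a test tree cannot be chgrp'd to mail.

```shell
#!/bin/sh
# Added example, not code from the thread or from the postfix/cyrus-sasl ports.
# Each check takes the file or directory to inspect as an argument; the comments
# name the FreeBSD 4.x port paths the thread uses.

# smtpd.conf (/usr/local/lib/sasl2/smtpd.conf): the thread settles on
# "pwcheck_method: saslauthd"; "pam" there gives the "unknown password verifier"
# warning quoted above. Returns 0 when the method is saslauthd.
check_pwcheck_method() {
    method=$(sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*//p' "$1" | tail -n 1)
    case "$method" in
        saslauthd) return 0 ;;
        *) echo "pwcheck_method is '${method:-unset}', expected saslauthd" >&2; return 1 ;;
    esac
}

# main.cf (/usr/local/etc/postfix/main.cf): the cause found at the end of the
# thread. With Postfix 20020917 and SASL2, smtpd_sasl_local_domain must be left
# empty; "= $myhostname" breaks authentication. Returns 0 when it is empty.
check_local_domain() {
    val=$(sed -n 's/^[[:space:]]*smtpd_sasl_local_domain[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -z "$val" ] && return 0
    echo "smtpd_sasl_local_domain = '$val' (must be empty)" >&2
    return 1
}

# /var/state/saslauthd: the socket directory must be drwxrwx--- and owned by
# the group postfix belongs to (mail). ls -ld keeps this portable across the
# BSD and GNU stat(1) dialects; a trailing "+" or "." ACL marker is ignored.
check_saslauthd_dir() {   # $1 = directory, $2 = expected group
    line=$(ls -ld "$1")
    mode=$(printf '%s\n' "$line" | awk '{ print substr($1, 1, 10) }')
    group=$(printf '%s\n' "$line" | awk '{ print $4 }')
    if [ "$mode" != "drwxrwx---" ] || [ "$group" != "$2" ]; then
        echo "$1 is $mode group $group, expected drwxrwx--- group $2" >&2
        return 1
    fi
    return 0
}

# /etc/group: the thread's line is "mail:*:6:postfix". Returns 0 when user $3
# is listed as a member of group $2.
check_group_member() {   # $1 = group file, $2 = group, $3 = user
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# /var/log/maillog: count the SASL warnings smtpd logs, so a burst of failures
# after a configuration change stands out. Matches all three forms quoted above.
count_sasl_warnings() {   # $1 = maillog
    grep -Ec 'postfix/smtpd\[[0-9]+\]: warning: .*SASL.*authentication' "$1"
}

# Run every check against one tree holding those five files/directories;
# prints each failure to stderr and returns the number of failed checks.
audit_sasl_setup() {   # $1 = tree, $2 = group expected on saslauthd/
    failures=0
    check_pwcheck_method "$1/smtpd.conf"        || failures=$((failures + 1))
    check_local_domain "$1/main.cf"             || failures=$((failures + 1))
    check_saslauthd_dir "$1/saslauthd" "$2"     || failures=$((failures + 1))
    check_group_member "$1/group" mail postfix  || failures=$((failures + 1))
    echo "SASL warnings in maillog: $(count_sasl_warnings "$1/maillog")"
    return $failures
}

# Constructed tree reproducing the settings Drew started from; the log lines
# are the ones quoted in the thread plus one unrelated connect line.
make_sample_tree() {   # $1 = directory to populate
    mkdir -p "$1/saslauthd" && chmod 770 "$1/saslauthd"
    printf 'pwcheck_method: pam\n' > "$1/smtpd.conf"
    printf 'myhostname = blacklamb.mykitchentable.net\nsmtpd_sasl_local_domain = $myhostname\n' > "$1/main.cf"
    printf 'wheel:*:0:root\nmail:*:6:postfix\n' > "$1/group"
    cat > "$1/maillog" <<'EOF'
Jul 21 09:34:38 blacklamb postfix/smtpd[66225]: warning: SASL authentication failure: no user in db
Jul 21 09:34:38 blacklamb postfix/smtpd[66225]: warning: SASL authentication failure: no secret in database
Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL authentication problem: unknown password verifier
Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: unknown[165.107.42.110]: SASL LOGIN authentication failed
Jul 21 09:40:01 blacklamb postfix/smtpd[66290]: connect from unknown[165.107.42.110]
EOF
}

# The two changes the thread ends up with.
apply_fixes() {   # $1 = tree
    printf 'pwcheck_method: saslauthd\n' > "$1/smtpd.conf"
    printf 'myhostname = blacklamb.mykitchentable.net\nsmtpd_sasl_local_domain =\n' > "$1/main.cf"
}

# Stand-alone run: audit the broken tree, apply the fixes, audit again. The
# expected group is read from the temporary directory itself; on a real host
# pass "mail".
tree=$(mktemp -d)
grp=$(ls -ld "$tree" | awk '{ print $4 }')
make_sample_tree "$tree"
audit_sasl_setup "$tree" "$grp"; echo "failed checks before fix: $?"
apply_fixes "$tree"
audit_sasl_setup "$tree" "$grp"; echo "failed checks after fix: $?"
rm -rf "$tree"
```

Against the constructed tree the first audit reports two failures (the pam verifier and the non-empty local domain) and the second reports none; the directory and group checks pass in both runs, which is the situation Drew describes after verifying the permissions by hand.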
From owner-freebsd-security@FreeBSD.ORG Tue Jul 22 04:16:17 2003
From: "Peut Kotze"
Date: Tue, 22 Jul 2003 13:11:36 +0200
Message-ID: <5AC9A01A8B1175418B4DF7F45DD94D5F1E8A58@srvexch1.nanoteq.co.za>
Subject: Custom crypto in hardware

Hi Freebies!!

I know F-BSD 4.8 supports a framework in the kernel to use crypto functions from hifn crypto cards. Is there any of these cards that support custom crypto? What is the best route to go if I want to support IPSec (and maybe other) crypto functions but with custom crypto algorithms?

Any info or ideas will be appreciated.
Thanks
Peut

From owner-freebsd-security@FreeBSD.ORG Tue Jul 22 04:44:11 2003
From: Olivier Cherrier
To: 'Peut Kotze' , security@freebsd.org
Date: Tue, 22 Jul 2003 13:40:05 +0200
Subject: RE: Custom crypto in hardware

> I know F-BSD 4.8 supports a framework in the kernel to use crypto
> functions from hifn crypto cards. Is there any of these cards that
> support custom crypto? What is the best route to go if I want
> to support IPSec (and maybe other) crypto functions but with custom crypto
> algorithms?

Implemented crypto algorithms are listed here:
http://www.freebsd.org/cgi/man.cgi?query=hifn

For other ones, it is not possible.
oc

From owner-freebsd-security@FreeBSD.ORG Tue Jul 22 09:37:25 2003
From: Koroush Saraf
To: Peut Kotze , security@freebsd.org
Date: Tue, 22 Jul 2003 09:33:53 -0700
Message-id: <013e01c3506f$09c20cd0$04f4c581@BSDWIN2KKOROUSH>
References: <5AC9A01A8B1175418B4DF7F45DD94D5F1E8A58@srvexch1.nanoteq.co.za>
Subject: Re: Custom crypto in hardware

Your question is very interesting. I would like to know what prompted looking for a custom algorithm?

My company produces a dual gigabit NIC card with a multi-threaded processor on the NIC card.
The card allows developers to write a driver and download whatever code you desire to the NIC card to offload the processing from the main CPU. I'd like to get people's interest if they'd like an opportunity to test-drive this card once it's available.

Peut, I think our card will do what you want it to do and more, but you need someone to write/port software for it.

Regards,
~koroush

----- Original Message -----
From: Peut Kotze
To: security@freebsd.org
Sent: Tuesday, July 22, 2003 4:11 AM
Subject: Custom crypto in hardware

From owner-freebsd-security@FreeBSD.ORG Wed Jul 23 11:08:15 2003
From: "Drew Tomlinson"
To: "Scot W. Hetzel" , "Hajimu UMEMOTO"
cc: freebsd-security@freebsd.org
Date: Wed, 23 Jul 2003 11:08:12 -0700
Message-ID: <004f01c35145$61d1d280$6e2a6ba5@lc.ca.gov>
References: <039801c34d60$c3e59cb0$6e2a6ba5@lc.ca.gov> <03cf01c34d6a$f3002150$6e2a6ba5@lc.ca.gov> <011501c34fa8$3ed6cb30$6e2a6ba5@lc.ca.gov> <010501c34fb2$3e3bb820$13fd2fd8@Admin02>
Subject: Re: ASMTP setup on 4.8

----- Original Message -----
From: "Scot W. Hetzel"
To: "Drew Tomlinson" ; "Hajimu UMEMOTO"
Sent: Monday, July 21, 2003 11:02 AM

> From: "Drew Tomlinson"
> > I have also tried "pwcheck_method: pam" but then /var/log/maillog shows:
> >
> > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL
> > authentication problem: unknown password verifier
> > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning:
> > unknown[165.107.42.110]: SASL LOGIN authentication failed
> >
> If you want to use PAM, you need to set the pwcheck_method to saslauthd, and
> then add the following to either /etc/rc.conf or /etc/rc.conf.local:
>
> sasl_saslauthd_enable="YES"
> sasl_saslauthd_flags="-a pam"

Thanks for your help but I'm still having trouble.
:( The contents of /usr/local/lib/sasl2/smtpd.conf are:

pwcheck_method: saslauthd

And its permissions are:

-rw-r--r-- 1 root wheel 47 Jul 23 10:40 smtpd.conf

I've also verified correct permissions on /var/state/saslauthd:

drwxrwx--- 2 cyrus mail 512 Jul 23 10:46 saslauthd

I've verified that Postfix is a member of the mail group as this line is in /etc/group:

mail:*:6:postfix

I manually started saslauthd for testing with this command line:

blacklamb# saslauthd -a pam -d

> Then you need to make sure PAM is configured correctly on your system:
>
> FreeBSD <=4.x:
> 1. Check /etc/pam.conf for entries for imap, pop3, and other(?)
> 2. Add an entry for sieve and cyrus, similar to your imap and pop3
> entries
>
> FreeBSD >=5.x
> 1. Check the /etc/pam.d directory for imap, pop3 and other(?) files
>    a. Make sure they are correctly configured
> 2. Copy /etc/pam.d/imap to /etc/pam.d/sieve
> 3. Copy /etc/pam.d/imap to /etc/pam.d/cyrus

I'm using FBSD 4.8. /etc/pam.conf has the following entries:

#Mail services
imap    auth        required    pam_unix.so     try_first_pass
imap    account     required    pam_unix.so
imap    session     required    pam_permit.so

pop3    auth        required    pam_unix.so     try_first_pass
pop3    account     required    pam_unix.so
pop3    session     required    pam_permit.so

smtp    auth        required    pam_unix.so     try_first_pass
smtp    account     required    pam_unix.so
smtp    session     required    pam_permit.so

sieve   auth        required    pam_unix.so     try_first_pass
sieve   account     required    pam_unix.so
sieve   account     required    pam_unix.so
sieve   session     required    pam_permit.so

cyrus   auth        required    pam_unix.so     try_first_pass
cyrus   account     required    pam_unix.so
cyrus   session     required    pam_permit.so

# If we don't match anything else, default to using getpwnam().
other   auth        sufficient  pam_skey.so
other   auth        required    pam_unix.so     try_first_pass
other   account     required    pam_unix.so     try_first_pass

I included the "other" entries because in one of Hajimu's messages he stated he didn't have to add anything to /etc/pam.conf as the "other" entries took care of the request.

Anyway, I started saslauthd in debug mode and this is what it reports when I attempt to authenticate:

saslauthd[67502] :get_accept_lock : acquired accept lock
saslauthd[67501] :rel_accept_lock : released accept lock
saslauthd[67501] :do_auth : auth failure: [user=@blacklamb.mykitchentable.net] [service=smtp] [realm=blacklamb.mykitchentable.net] [mech=pam] [reason=PAM auth error]

Please know that I replaced my real username with "" in the output. I get this message whether I am attempting to authenticate with MS Outlook, Evolution, and even from a direct telnet session with Postfix.

I've double-checked my Postfix config with examples I've found on the Net. I think it's OK as it's advertising AUTH services:

Connected to blacklamb.mykitchentable.net.
Escape character is '^]'.
220 blacklamb.mykitchentable.net NO UCE ESMTP
ehlo test
250-blacklamb.mykitchentable.net
250-PIPELINING
250-SIZE 5120000
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME

I assume I don't have something configured right with PAM? Do you have any other ideas as to what I'm doing wrong? Everything I've read indicates this shouldn't be this hard but I don't know what else to check.

Thanks again for your help!

Drew

P.S. My web server is running great after your help with FP extensions.
:)

From owner-freebsd-security@FreeBSD.ORG Wed Jul 23 12:10:39 2003
From: "Drew Tomlinson"
To: "Scot W. Hetzel" , "Hajimu UMEMOTO"
cc: freebsd-security@freebsd.org
Date: Wed, 23 Jul 2003 12:10:35 -0700
Message-ID: <00d601c3514e$191e9740$6e2a6ba5@lc.ca.gov>
References: <039801c34d60$c3e59cb0$6e2a6ba5@lc.ca.gov> <03cf01c34d6a$f3002150$6e2a6ba5@lc.ca.gov> <011501c34fa8$3ed6cb30$6e2a6ba5@lc.ca.gov> <010501c34fb2$3e3bb820$13fd2fd8@Admin02> <004f01c35145$61d1d280$6e2a6ba5@lc.ca.gov>
Subject: Re: ASMTP setup on 4.8 -- SOLVED!!!

I finally found the answer!!! I found the following on http://www.securitysage.com/guides/postfix_sasltls.html:

Note: As per discussions on the Postfix users mailing list, there is a known issue in Postfix 20020917/SASL2 where the smtpd_sasl_local_domain option must be left to an empty (null) value, otherwise SASL2 will not authenticate.
In /usr/local/etc/postfix/main.cf I had "smtpd_sasl_local_domain = $myhostname" as shown in the various examples on the net. Based on the above, I changed it to "smtpd_sasl_local_domain =" and now it works.

Thanks to both of you for your help and patience.

Drew

----- Original Message -----
From: "Drew Tomlinson"
To: "Scot W. Hetzel" ; "Hajimu UMEMOTO"
Sent: Wednesday, July 23, 2003 11:08 AM
Subject: Re: ASMTP setup on 4.8

From owner-freebsd-security@FreeBSD.ORG Thu Jul 24 14:08:34 2003
From: "Rich Murphey"
Date: Thu, 24 Jul 2003 16:08:26 -0500
Message-ID: <026d01c35227$bce089e0$690010ac@a>
X-Mailman-Approved-At: Fri, 25 Jul 2003 07:48:24 -0700
Subject: systrace for FreeBSD 5.1

I'm porting the most recent version of Niels Provos' systrace to FreeBSD 5.1. I'm sending him the diffs to integrate into his distribution. I'd also like to submit them to someone with FreeBSD for consideration, and hopefully inclusion as a port or whatever you prefer.

Who could I send them to, or what would you prefer me to do with regard to FreeBSD?
Thanks,
Rich Murphey

From owner-freebsd-security@FreeBSD.ORG Fri Jul 25 08:35:22 2003
From: BSD
To: Rich Murphey
cc: security@freebsd.org
Date: Fri, 25 Jul 2003 09:35:20 -0600
Message-ID: <20030725153520.GA69761@Amber.XtremeDev.com>
In-Reply-To: <026d01c35227$bce089e0$690010ac@a>
Subject: Re: systrace for FreeBSD 5.1

On Thu, Jul 24, 2003 at 04:08:26PM -0500, Rich Murphey wrote:
> I'm porting the most recent version of Niels Provos' systrace to FreeBSD 5.1.
> I'm sending him the diffs to integrate into his distribution. I'd also like
> to submit them to someone with FreeBSD for consideration, and hopefully
> inclusion as a port or whatever you prefer.
I'm curious as to the difference between systrace and CerbNG. Can anyone shed some light on this? It would be great of course to have something like systrace be available on FreeBSD.

From owner-freebsd-security@FreeBSD.ORG Fri Jul 25 12:40:10 2003
From: Chuck Swiger
Organization: The Courts of Chaos
To: Rich Murphey
cc: security@freebsd.org
Date: Fri, 25 Jul 2003 15:40:08 -0400
Message-ID: <3F218798.1020709@mac.com>
In-Reply-To: <026d01c35227$bce089e0$690010ac@a>
Subject: Re: systrace for FreeBSD 5.1

Rich Murphey wrote:
> I'm porting the most recent version of Niels Provos' systrace to FreeBSD 5.1.
> I'm sending him the diffs to integrate into his distribution. I'd also like
> to submit them to someone with FreeBSD for consideration, and hopefully
> inclusion as a port or whatever you prefer.
>
> Who could I send them to, or what would you prefer me to do with regard to
> FreeBSD?

The best way to submit patches is via the 'send-pr' command, which will submit a bug report via GNATS. That helps ensure that your changes don't get lost in a sea of email.

If you are working on a port, look at the Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/

...and ask questions on .

Thanks for your time and interest,

--
-Chuck

From owner-freebsd-security@FreeBSD.ORG Fri Jul 25 23:09:05 2003
From: Pawel Jakub Dawidek
To: Rich Murphey
cc: security@freebsd.org
Date: Sat, 26 Jul 2003 08:09:48 +0200
Message-ID: <20030726060948.GE43543@garage.freebsd.pl>
In-Reply-To: <026d01c35227$bce089e0$690010ac@a>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.8-RELEASE i386
X-URL: http://garage.freebsd.pl
Subject: Re: systrace for FreeBSD 5.1
On Thu, Jul 24, 2003 at 04:08:26PM -0500, Rich Murphey wrote:
> I'm porting the most recent version of Niels Provos' systrace to FreeBSD 5.1.
> I'm sending him the diffs to integrate into his distribution. I'd also like
> to submit them to someone with FreeBSD for consideration, and hopefully
> inclusion as a port or whatever you prefer.

And how are you planning to fix the syscall arguments race? There is probably a race in file names, but I'm not sure of this one. Niels implemented a look-aside buffer to avoid argument races by hacking copyin(9)/copyout(9).

CerbNG is already free of those races and it's still a kld module.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Sat Jul 26 10:23:35 2003
h6QHNWE99295 for ; Sat, 26 Jul 2003 19:23:32 +0200 (CEST) (envelope-from prosa@pro.sk) Message-ID: <00d601c3539a$91576a40$3501a8c0@pro.sk> From: "Peter Rosa" To: "FreeBSD Security" Date: Sat, 26 Jul 2003 19:23:02 +0200 Organization: PRO, s.r.o. MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Subject: suid bit files + securing FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jul 2003 17:23:35 -0000 Hello everybody, I'm a newbie in this list, so I don't know if it's the appropriate place for my question. Anyway, I'd be happy to find out the solution. Please, has anyone simple answer for: I'm looking for an exact list of files, which: 1. MUST have... 2. HAVE FROM BSD INSTALLATION... 3. DO NOT NEED... 4. NEVER MAY... ...the suid-bit set. Of course, it's no problem to find-out which files ALREADY HAS suid-bit set. But what files REALLY MUST have it ? I know generalities, as e.g. shell should never have suid bit set, but what if someone has copied any shell to some other location and have set the suid bit ? It's security hole, isn't it ? And what if I have more such files on my machine ? It is not about my machine has been compromited, it is only WHAT IF... -------------------------------------------- Second question is: Has anybody an exact wizard, how to secure the FreeBSD machine. Imagine the situation, the only person who can do anything on that machine is me, and nobody other. 
I have set very restrictive firewalling, I have removed ALL tty's except two local tty's (I need to work on that machine), but there are still open port 25 and 53 (must be forever), so someone very tricky can compromite my machine. I'm a little bit paranoic, don't I :-))))))) Cheers, Peter Rosa From owner-freebsd-security@FreeBSD.ORG Sat Jul 26 10:35:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 872B437B407 for ; Sat, 26 Jul 2003 10:35:48 -0700 (PDT) Received: from ns.pro.sk (proxy.pro.sk [195.80.161.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6B3943F75 for ; Sat, 26 Jul 2003 10:35:46 -0700 (PDT) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.11.3/8.11.3) with SMTP id h6QHZjE99342; Sat, 26 Jul 2003 19:35:45 +0200 (CEST) (envelope-from prosa@pro.sk) Message-ID: <011501c3539c$462c0740$3501a8c0@pro.sk> From: "Peter Rosa" To: "Peter Rosa" Date: Sat, 26 Jul 2003 19:35:15 +0200 Organization: PRO, s.r.o. MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 cc: FreeBSD Security Subject: Re: suid bit files and securing FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jul 2003 17:35:49 -0000 Of course, I wanted to say not OPTION but CHOICE :-) Peter Rosa ----- Original Message ----- From: "Peter Rosa" To: Cc: "FreeBSD Questions" Sent: Saturday, July 26, 2003 7:33 PM Subject: Re: suid bit files and securing FreeBSD > Hello Matthew, > > thank you very much. It's excatly you say. 
FreeBSD is my option because of > "historical reasons". Someone has installed it for me two years ago, and now > I love it (he installed it after two hacks and two reinstallations of RedHat > Linux [I don't want to say, RHL is not good, but FBSD is better :-) {now I > see the storm, like with I'm christian...... mail to this list :-))) } ] ). > > Wow, such a short sentence I just produced :-) > > Peter Rosa > > > ----- Original Message ----- > From: "Matthew Graybosch" > To: "Peter Rosa" > Cc: > Sent: Saturday, July 26, 2003 7:22 PM > Subject: Re: suid bit files and securing FreeBSD > > > > > > > Second question is: Has anybody an exact wizard, how to secure > > > the FreeBSD machine. Imagine the situation, the only person who > > > can do anything on that machine is me, and nobody other. I have > > > set very restrictive firewalling, I have removed ALL tty's except > > > two local tty's (I need to work on that machine), but there are > > > still open port 25 and 53 (must be forever), so someone very > > > tricky can compromite my machine. > > > > > > I'm a little bit paranoic, don't I :-))))))) > > > > Uhm, yes, you *are* just a wee bit paranoid. But it helps to be > > paranoid if you're root on somebody else's machine. Great power and > > great responsibility, right? > > > > But if you're concerned with security uber alles, I'm surprised you > > didn't look into OpenBSD first. According to their site > > (openbsd.org), they've had "only one remote hole in the default > > install, in more than 7 years!" > > > > FreeBSD certainly can be secured, but it appears that the developers > > put performance and reliability first, and then security. Theo de > > Raadt puts security first. > > > > -- > > Matthew Graybosch > > http://www.starbreaker.net > > "I am become root, shatterer of kernels." 
> > > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" > > > From owner-freebsd-security@FreeBSD.ORG Sat Jul 26 16:57:22 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6313437B401 for ; Sat, 26 Jul 2003 16:57:22 -0700 (PDT) Received: from cirb503493.alcatel.com.au (c211-28-27-130.belrs2.nsw.optusnet.com.au [211.28.27.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 478FB43F85 for ; Sat, 26 Jul 2003 16:57:20 -0700 (PDT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])h6QNvHgh037019; Sun, 27 Jul 2003 09:57:18 +1000 (EST) (envelope-from jeremyp@cirb503493.alcatel.com.au) Received: (from jeremyp@localhost) by cirb503493.alcatel.com.au (8.12.8/8.12.8/Submit) id h6QNvAOm037018; Sun, 27 Jul 2003 09:57:10 +1000 (EST) Date: Sun, 27 Jul 2003 09:57:10 +1000 From: Peter Jeremy To: Peter Rosa Message-ID: <20030726235710.GD4105@cirb503493.alcatel.com.au> References: <00d601c3539a$91576a40$3501a8c0@pro.sk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <00d601c3539a$91576a40$3501a8c0@pro.sk> User-Agent: Mutt/1.4.1i cc: FreeBSD Security Subject: Re: suid bit files + securing FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jul 2003 23:57:22 -0000 On Sat, Jul 26, 2003 at 07:23:02PM +0200, Peter Rosa wrote: >Please, has anyone simple answer for: Unfortunately, there isn't one. >I'm looking for an exact list of files, which: >1. MUST have... >2. 
HAVE FROM BSD INSTALLATION... >3. DO NOT NEED... >4. NEVER MAY... >...the suid-bit set. You may also want to look through the files that are setgid. >Of course, it's no problem to find-out which files ALREADY HAS >suid-bit set. Agreed. > But what files REALLY MUST have it ? There's no simple answer to this. It's a matter of going through each file with setuid (or setgid) set, understanding why that file has the set[gu]id bit and whether you need that functionality. >I know generalities, as e.g. shell should never have suid bit set, >but what if someone has copied any shell to some other location >and have set the suid bit ? It's security hole, isn't it ? Yes. But keep in mind that mind that you have to be user "foo" or root to make an arbitrary file setuid "foo". If you find that you have unexpected setuid "foo" files on your machine (where "foo" is not a shell user account) then your machine has already been compromised. >Second question is: Has anybody an exact wizard, how to secure >the FreeBSD machine. Seal it in an underground concrete bunker with no external access. Of course, this still isn't perfectly secure but it's probably good enough for most purposes. :-) > Imagine the situation, the only person who >can do anything on that machine is me, and nobody other. It still depends on what you want to do on the machine and what you want the machine to be able to do. > I have removed ALL tty's except >two local tty's (I need to work on that machine), Keep in mind that it isn't essential to have a TTY to access a machine. >still open port 25 and 53 (must be forever), so someone very >tricky can compromite my machine. Yes. Does the machine need to be an SMTP/DNS server? Have you evaluated the various SMTP/DNS daemons for their security? Have you installed the SMTP/DNS daemon securely? 
Peter From owner-freebsd-security@FreeBSD.ORG Sat Jul 26 21:17:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8219237B401 for ; Sat, 26 Jul 2003 21:17:09 -0700 (PDT) Received: from web10104.mail.yahoo.com (web10104.mail.yahoo.com [216.136.130.54]) by mx1.FreeBSD.org (Postfix) with SMTP id 1CC5043F3F for ; Sat, 26 Jul 2003 21:17:09 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20030727041708.95094.qmail@web10104.mail.yahoo.com> Received: from [68.5.49.41] by web10104.mail.yahoo.com via HTTP; Sat, 26 Jul 2003 21:17:08 PDT Date: Sat, 26 Jul 2003 21:17:08 -0700 (PDT) From: twig les To: Peter Rosa , FreeBSD Security In-Reply-To: <00d601c3539a$91576a40$3501a8c0@pro.sk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: suid bit files + securing FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 Jul 2003 04:17:09 -0000 I don't know exactly what you mean by "wizard", maybe a menu-driven gui like Nero or M$ Lookout or something? Anyhoo I really like this checklist here: http://sddi.net/FBSDSecCheckList.html. I guess one could script a lot of this. This page also has a boatload of links at the bottom. As for perfect security I like to run Sendmail and BIND on RedHat myself, unless I can get my hands on an IIS box. woot! Sorry, it's late Saturday, thus I'm feeling mischievous. > > Second question is: Has anybody an exact wizard, how to secure > the FreeBSD machine. Imagine the situation, the only person > who > can do anything on that machine is me, and nobody other. 
I > have > set very restrictive firewalling, I have removed ALL tty's > except > two local tty's (I need to work on that machine), but there > are > still open port 25 and 53 (must be forever), so someone very > tricky can compromite my machine. > > I'm a little bit paranoic, don't I :-))))))) > > Cheers, > > Peter Rosa > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" ===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com
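Peter Jeremy's advice (go through every setuid and setgid file and decide whether it needs the privilege) and twig les's remark that much of the checklist could be scripted both point at the same small tool, so here is an added example that is not from any poster in the thread: a POSIX shell script that lists the set-id files under a tree and compares them with a saved baseline, the same idea FreeBSD's periodic security check applies to the whole system. The function names (list_setid_files, describe_setid_files, compare_setid_baseline) are assumed, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate setuid/setgid files under a
# directory tree and compare them with a saved baseline. Function names
# (list_setid_files, describe_setid_files, compare_setid_baseline) are assumed.

# Print every regular file under $1 with the setuid (4000) or setgid (2000)
# bit set, one path per line, sorted so the list is stable for diffing.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Show mode, owner and group of each set-id file, which is what you need in
# order to judge whether that file really needs the privilege.
describe_setid_files() {
    list_setid_files "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Compare the current set-id list under $1 with the baseline file $2
# (itself produced by list_setid_files). Prints "+ path" for a set-id file
# that is new since the baseline and "- path" for one that disappeared.
# Returns 0 when nothing changed and 1 otherwise, so it can drive an alert.
compare_setid_baseline() {
    root=$1
    baseline=$2
    current=$(mktemp) || return 2
    list_setid_files "$root" > "$current"
    # comm(1) needs sorted input; both lists come sorted from list_setid_files.
    comm -13 "$baseline" "$current" | sed 's/^/+ /'
    comm -23 "$baseline" "$current" | sed 's/^/- /'
    if [ -z "$(comm -3 "$baseline" "$current")" ]; then
        rc=0
    else
        rc=1
    fi
    rm -f "$current"
    return $rc
}
```

Run `list_setid_files / > /var/db/setid.baseline` once on a known-good system, then `compare_setid_baseline / /var/db/setid.baseline` from cron; a "+" line is exactly the copied-shell-with-suid case the thread worries about and needs an explanation every time.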