From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 08:11:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D91F16A4CE for ; Sun, 15 Feb 2004 08:11:34 -0800 (PST) Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 36C7343D1F for ; Sun, 15 Feb 2004 08:11:34 -0800 (PST) (envelope-from erschulz@comcast.net) Received: from 204.127.197.115 ([204.127.197.115]) by comcast.net (rwcrmhc13) with SMTP id <2004021516113401500hrtlve>; Sun, 15 Feb 2004 16:11:34 +0000 Received: from [24.0.202.208] by 204.127.197.115; Sun, 15 Feb 2004 16:11:33 +0000 From: erschulz@comcast.net To: Flemming Jacobsen Date: Sun, 15 Feb 2004 16:11:33 +0000 Message-Id: <021520041611.22703.f3e@comcast.net> X-Mailer: AT&T Message Center Version 1 (Oct 27 2003) X-Authenticated-Sender: ZXJzY2h1bHpAY29tY2FzdC5uZXQ= cc: freebsd-security@freebsd.org Subject: Re: Localhost traffic and ipfw rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Feb 2004 16:11:34 -0000 On Sun, 15 Feb 2004, Flemming Jacobsen wrote: > You probably want this as your first 3 rules: > allow ip from any to any via lo0 > deny ip from any to 127.0.0.0/8 > deny ip from 127.0.0.0/8 to any > > Some say that the TCP stack already takes care of this, but I > like these rules in my set - just to be 100% sure. > Sorry about the long lines. I hope this is one better. Well, let me see if I can clarify what I am seeing. My rules are similar but, the counters are not incrementing. That's when I started adding the other rules just to see if the counters would increment. The second rule below is a dead-on match for the packets I captured with tcpdump. 
Still, the counters do not increment. 0 0 deny ip from any to 127.0.0.0/8 in recv dc0 0 0 deny tcp from 127.0.0.1 to x.x.x.x tcpflags ack,rst 0 0 deny ip from 127.0.0.0/8 to x.x.x.x As you can see, none of these have incremented. And, this has been the case every time even though snort identified the traffic and I captured it with tcpdump. The counters were still zeros. The traffic is not present on lo0 or my internal interface. It is only present on my external interface. I'm not so much concerned about the traffic as I am with the failure of the counters to increment. Thx, Richard From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 14:45:00 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F56D16A4CE for ; Sun, 15 Feb 2004 14:44:59 -0800 (PST) Received: from tagish.taiga.ca (tagish.taiga.ca [204.209.164.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6E81343D2D for ; Sun, 15 Feb 2004 14:44:59 -0800 (PST) (envelope-from campbell@tagish.taiga.ca) Received: (from campbell@localhost) by tagish.taiga.ca (8.9.3/8.9.1) id PAA30240 for freebsd-security@freebsd.org; Sun, 15 Feb 2004 15:44:38 -0700 Date: Sun, 15 Feb 2004 15:44:38 -0700 From: Duncan Campbell Message-Id: <200402152244.PAA30240@tagish.taiga.ca> To: freebsd-security@freebsd.org Subject: Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Feb 2004 22:45:00 -0000 Howyd all? Seems that I have been routed. Possibly by a physical B&E, but who knows? Probably some of you do.... anyways, some politically sensitive email was deleted from a user account and the line low -tr & inserted into my .xinitrc . 
Duncan (Dhu) Campbell From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 16:19:46 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 40F4A16A4CE for ; Sun, 15 Feb 2004 16:19:46 -0800 (PST) Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0DD6643D1D for ; Sun, 15 Feb 2004 16:19:46 -0800 (PST) (envelope-from remko@elvandar.org) From: "Remko Lodder" To: "Duncan Campbell" , Date: Mon, 16 Feb 2004 01:20:23 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) In-Reply-To: <20040215224555.60B991C@mail.elvandar.org> Importance: Normal X-Virus-Scanned: for evilcoder.org Message-Id: <20040216001944.306A92B4D6C@mail.evilcoder.org> Subject: RE: [Freebsd-security] Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2004 00:19:46 -0000 Hi, And now what? [ You are unclear to me ] Well, you could use a Security Toolkit Distribution from Knoppix, called knoppix-std And do some research with that. Hope this helps you a little, And sorry to hear that your system is compromised, hang on, take care, and if we can help... -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene mrtg.grunn.org Dutch mirror of MRTG -----Oorspronkelijk bericht----- Van: freebsd-security-bounces@lists.elvandar.org [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Duncan Campbell Verzonden: zondag 15 februari 2004 23:45 Aan: freebsd-security@freebsd.org Onderwerp: [Freebsd-security] Rooted system Howyd all? Seems that I have been routed. 
Possibly by a physical B&E, but who knows? Probably some of you do.... anyways, some politically sensitive email was deleted from a user account and the line low -tr & inserted into my .xinitrc . Duncan (Dhu) Campbell _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ Freebsd-security mailing list Freebsd-security@lists.elvandar.org http://lists.elvandar.org/mailman/listinfo/freebsd-security From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 17:55:44 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D53C16A4CE for ; Sun, 15 Feb 2004 17:55:44 -0800 (PST) Received: from tagish.taiga.ca (tagish.taiga.ca [204.209.164.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id D82AA43D2F for ; Sun, 15 Feb 2004 17:55:43 -0800 (PST) (envelope-from campbell@tagish.taiga.ca) Received: (from campbell@localhost) by tagish.taiga.ca (8.9.3/8.9.1) id SAA30875; Sun, 15 Feb 2004 18:55:11 -0700 Date: Sun, 15 Feb 2004 18:55:11 -0700 From: Duncan Campbell Message-Id: <200402160155.SAA30875@tagish.taiga.ca> To: campbell@tagish.taiga.ca, freebsd-security@freebsd.org, remko@elvandar.org Subject: RE: [Freebsd-security] Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2004 01:55:44 -0000 How d'you do, Remko? There's not much I can do. This has happened several times before and I've made some pointed comments about BSD security which might be so useful, given that I now believe these intrusions have been physically initiated. 
I'm reporting this mostly as a public caveat, but also as an apology to honest folks here who might have been offended. Thanks for the pointer to knoppix. I take it this is a bootable CD system with good security tool ... having a look now. Dhu From owner-freebsd-security@FreeBSD.ORG Sun Feb 15 17:57:53 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E837916A4CE for ; Sun, 15 Feb 2004 17:57:53 -0800 (PST) Received: from tagish.taiga.ca (tagish.taiga.ca [204.209.164.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9086143D31 for ; Sun, 15 Feb 2004 17:57:53 -0800 (PST) (envelope-from campbell@tagish.taiga.ca) Received: (from campbell@localhost) by tagish.taiga.ca (8.9.3/8.9.1) id SAA30887; Sun, 15 Feb 2004 18:57:52 -0700 Date: Sun, 15 Feb 2004 18:57:52 -0700 From: Duncan Campbell Message-Id: <200402160157.SAA30887@tagish.taiga.ca> To: campbell@tagish.taiga.ca, freebsd-security@freebsd.org, remko@elvandar.org Subject: RE: [Freebsd-security] Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2004 01:57:54 -0000 How d'you do, Remko? There's not much I can do. This has happened several times before and I've made some pointed comments about BSD security which might be so useful, given that I now believe these NOT intrusions have been physically initiated. I'm reporting this mostly as a public caveat, but also as an apology to honest folks here who might have been offended. Thanks for the pointer to knoppix. I take it this is a bootable CD system with good security tool ... having a look now. 
Dhu From owner-freebsd-security@FreeBSD.ORG Mon Feb 16 00:12:42 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F9BA16A4CE for ; Mon, 16 Feb 2004 00:12:42 -0800 (PST) Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C63B43D1F for ; Mon, 16 Feb 2004 00:12:42 -0800 (PST) (envelope-from remko@elvandar.org) From: "Remko Lodder" To: "Duncan Campbell" , Date: Mon, 16 Feb 2004 09:12:20 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) In-Reply-To: <20040216015917.DA1C418@mail.elvandar.org> Importance: Normal X-Virus-Scanned: for evilcoder.org Message-Id: <20040216081221.59ED92B4D6C@mail.evilcoder.org> Subject: RE: [Freebsd-security] Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2004 08:12:42 -0000 Hi i am fine thanks, i hope you do to. Knoppix is indeed a Live-CD, with those security tools onboard (The std version) Well i hope everything will work out alright for you. cheers -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene mrtg.grunn.org Dutch mirror of MRTG -----Oorspronkelijk bericht----- Van: Duncan Campbell [mailto:campbell@tagish.taiga.ca] Verzonden: maandag 16 februari 2004 2:58 Aan: campbell@tagish.taiga.ca; freebsd-security@freebsd.org; remko@elvandar.org Onderwerp: RE: [Freebsd-security] Rooted system How d'you do, Remko? There's not much I can do. 
This has happened several times before and I've made some pointed comments about BSD security which might be so useful, given that I now believe these NOT intrusions have been physically initiated. I'm reporting this mostly as a public caveat, but also as an apology to honest folks here who might have been offended. Thanks for the pointer to knoppix. I take it this is a bootable CD system with good security tool ... having a look now. Dhu From owner-freebsd-security@FreeBSD.ORG Mon Feb 16 08:02:41 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D41A916A4CE for ; Mon, 16 Feb 2004 08:02:41 -0800 (PST) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id A931443D1D for ; Mon, 16 Feb 2004 08:02:41 -0800 (PST) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id D6863653AC; Mon, 16 Feb 2004 16:02:40 +0000 (GMT) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 18650-01; Mon, 16 Feb 2004 16:02:40 +0000 (GMT) Received: from saboteur.dek.spc.org (82-147-17-88.dsl.uk.rapidplay.com [82.147.17.88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 14AB16520F; Mon, 16 Feb 2004 16:02:32 +0000 (GMT) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 3069814; Mon, 16 Feb 2004 16:02:31 +0000 (GMT) Date: Mon, 16 Feb 2004 16:02:31 +0000 From: Bruce M Simpson To: Duncan Campbell Message-ID: <20040216160231.GL805@saboteur.dek.spc.org> Mail-Followup-To: Duncan Campbell , freebsd-security@freebsd.org, Remko Lodder References: <20040216015917.DA1C418@mail.elvandar.org> <20040216081221.59ED92B4D6C@mail.evilcoder.org> Mime-Version: 1.0 Content-Type: text/plain; 
charset=us-ascii Content-Disposition: inline In-Reply-To: <20040216081221.59ED92B4D6C@mail.evilcoder.org> cc: freebsd-security@freebsd.org cc: Remko Lodder Subject: Re: [Freebsd-security] Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2004 16:02:41 -0000 On Mon, Feb 16, 2004 at 09:12:20AM +0100, Remko Lodder wrote: > Knoppix is indeed a Live-CD, with those security tools onboard (The std > version) Try the security/chkrootkit port, or even sysutils/tct. I fail to see how the suggestion of Knoppix is relevant to FreeBSD security, given that post-mortem and auditing procedures for that Linux distribution would be different. BMS From owner-freebsd-security@FreeBSD.ORG Mon Feb 16 18:55:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A66A816A4CE for ; Mon, 16 Feb 2004 18:55:31 -0800 (PST) Received: from smtp806.mail.sc5.yahoo.com (smtp806.mail.sc5.yahoo.com [66.163.168.185]) by mx1.FreeBSD.org (Postfix) with SMTP id A045843D1F for ; Mon, 16 Feb 2004 18:55:31 -0800 (PST) (envelope-from fscked@pacbell.net) Received: from unknown (HELO pacbell.net) (fscked@pacbell.net@66.124.233.247 with plain) by smtp806.mail.sc5.yahoo.com with SMTP; 17 Feb 2004 02:55:31 -0000 Message-ID: <40318261.1090908@pacbell.net> Date: Mon, 16 Feb 2004 18:54:25 -0800 From: richard childers / kg6hac Organization: Daemonized Networking Services - http://www.daemonized.com User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20040216200052.D9AC516A4E6@hub.freebsd.org> In-Reply-To: <20040216200052.D9AC516A4E6@hub.freebsd.org> Content-Type: 
text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Duncan's rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: fscked@pacbell.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Feb 2004 02:55:31 -0000 Duncan writes: >Howyd all? Seems that I have been routed. Possibly >by a physical B&E, but who knows? Probably some >of you do.... anyways, some politically sensitive >email was deleted from a user account and the >line > >low -tr & > >inserted into my .xinitrc . > >Duncan (Dhu) Campbell > I didn't see a lot of feedback that struck me as useful, there, Duncan, in response to your description of events ... but let me add my two cents; it's always useful to get an objective perspective. First off, the 'low -tr' could be a red herring; it could be anything, or nothing. Second, looking for an executable 'low' may or may not be profitable depending on whether your executables or libraries have been compromised. Third of all, the first thing you should do is make some backups, preferably in single user. Think of these as photographs of the crime scene; they will be referred to later and must be of the highest quality. 4mm DAT, 8mm and DLT are all suitable media; so are CDs. (Indeed, periodically making 600 MB snapshots of critical pieces of your installation, using a CD burner, is one of the cheapest ways to archive your data; the cost per megabyte is cheaper than any other media I know.) All of your analysis should be carried out on files restored from these media and copied onto another, pristine, perhaps identical system; if it is identical this is advantageous because it expedites the process of (automate this, naturally) comparing the restored files against the installed files for relevant differences. 
When thinking about how to prevent this in the future, I would advise that you (1) automate the transfer of all system logs to electronic mail, off the server, for preservation against tampering (IE, mail yourself a copy of every log, to an offsite address, every day, so that you have a copy in a tamper-proof location) ... and (2), consider using command-line interfaces and living without X where possible. (Daemonized Networking Services strongly advises against installing X on servers; the advantages are few when compared to the disadvantages and maintenance overhead and vulnerability. We have nothing against X - I have personally been using X since R10V4, no kidding !! - but think that X deserves its own dedicated server and should not piggyback on other services. Of course, there are exceptions, and we have no desire to provoke a debate on this topic; this is, remember, just our free advice - worth about $0.02.) As for physical security, I would consider a webcam monitoring the console and even the approach to the console; again, by transferring the pictures offsite to another Internet locale that is (more) secure from tampering, one increases the probability that important evidence will be preserved, despite the best efforts of professionals to do otherwise. Using ssh or some form of encryption to secure the images against tampering, during transfer, is recommended. AXIS makes a nice line of Internet-ready and wireless security cameras; some even include audio and do streaming video. If you're interested in something more complex, a variety of VCRs exist that can handle multiple video streams (IE, multiple cameras) and even trigger off of activity in one specific region (not a quadrant, more like a quadrant of a quadrant) of the area monitored by a given camera. But at this point your security system will start to outstrip your local giant drugstore's and approach that of a bank's. (Daemonized Networking Services hosts www.orafraud.org ... 
and takes physical and network security -very- seriously.) Regards, -- richard -- Richard Childers / Senior Engineer Daemonized Networking Services 945 Taraval Street, #105 San Francisco, CA 94116 USA [011.]1.415.759.5571 http://www.daemonized.com From owner-freebsd-security@FreeBSD.ORG Mon Feb 16 12:20:52 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8445D16A4CE for ; Mon, 16 Feb 2004 12:20:52 -0800 (PST) Received: from malasada.lava.net (malasada.lava.net [64.65.64.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 71DCA43D3F for ; Mon, 16 Feb 2004 12:20:52 -0800 (PST) (envelope-from cliftonr@lava.net) Received: by malasada.lava.net (Postfix, from userid 102) id 06F8E15390E; Mon, 16 Feb 2004 10:20:52 -1000 (HST) Date: Mon, 16 Feb 2004 10:20:51 -1000 From: Clifton Royston To: Duncan Campbell Message-ID: <20040216202051.GA15307@tikitechnologies.com> Mail-Followup-To: Duncan Campbell , freebsd-security@freebsd.org References: <20040216200052.BAC7C16A4FA@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040216200052.BAC7C16A4FA@hub.freebsd.org> User-Agent: Mutt/1.4.2i X-Mailman-Approved-At: Tue, 17 Feb 2004 02:08:17 -0800 cc: freebsd-security@freebsd.org Subject: Re: Rooted system X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2004 20:20:52 -0000 On Mon, Feb 16, 2004 at 12:00:52PM -0800, freebsd-security-request@freebsd.org wrote: > Date: Mon, 16 Feb 2004 01:20:23 +0100 > From: "Remko Lodder" > Subject: RE: [Freebsd-security] Rooted system > To: "Duncan Campbell" , > > Message-ID: <20040216001944.306A92B4D6C@mail.evilcoder.org> > Content-Type: text/plain; charset="iso-8859-1" > > Hi, > > 
> And now what? [ You are unclear to me ] > > Well, you could use a Security Toolkit Distribution from Knoppix, called > knoppix-std > And do some research with that. More generic forensic help (less Linux-specific) might come from the "Coroner's Toolkit" from the team of Wietse Venema and Dan Farmer (SATAN et al., and also TCPwrap and Postfix in the case of Wietse.) It's supposed to be pretty cross-platform with BSD support. Sounds like it might already be a bit late to do deep forensics on the system but maybe better late than never. > Hope this helps you a little, > > And sorry to hear that your system is compromised, hang on, take care, and > if we can > help... Sorry to hear it also. I assume, since you've been active on this list, your system was fully patched, up-to-date with all FreeBSD security notices? Any particular nonstandard ports or services running on this system? -- Clifton -- Clifton Royston -- cliftonr@tikitechnologies.com Tiki Technologies Lead Programmer/Software Architect Did you ever fly a kite in bed? Did you ever walk with ten cats on your head? Did you ever milk this kind of cow? Well we can do it. We know how. If you never did, you should. These things are fun, and fun is good. -- Dr. 
Seuss From owner-freebsd-security@FreeBSD.ORG Tue Feb 17 12:10:18 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0FD0316A4EA; Tue, 17 Feb 2004 12:10:18 -0800 (PST) Received: from pm1.ric-18.lft.widomaker.com (pm1.ric-18.lft.widomaker.com [209.96.189.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 707BF43D1D; Tue, 17 Feb 2004 12:10:16 -0800 (PST) (envelope-from jason@pm1.ric-18.lft.widomaker.com) Received: (from jason@localhost) by pm1.ric-18.lft.widomaker.com (8.12.11/8.12.10) id i1HKABFQ077953; Tue, 17 Feb 2004 15:10:11 -0500 (EST) Date: Tue, 17 Feb 2004 15:10:07 -0500 From: Jason Harris To: Michael Nottebrock Message-ID: <20040217201007.GK360@pm1.ric-05.lft.widomaker.com> References: <200402091336.i19Da8nQ019809@repoman.freebsd.org> <200402171404.30701.michaelnottebrock@gmx.net> <200402171420.47274.michaelnottebrock@gmx.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Rm5rkB9L8kG9H2n8" Content-Disposition: inline In-Reply-To: <200402171420.47274.michaelnottebrock@gmx.net> User-Agent: Mutt/1.4.1i X-Mailman-Approved-At: Wed, 18 Feb 2004 02:19:23 -0800 cc: ports@FreeBSD.org cc: cvs-ports@FreeBSD.org cc: Jason Harris cc: freebsd-security@FreeBSD.org Subject: Re: cvs commit: ports/devel/tmake Makefile distinfo X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Feb 2004 20:10:18 -0000 --Rm5rkB9L8kG9H2n8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Feb 17, 2004 at 02:20:46PM +0100, Michael Nottebrock wrote: [distfile rerolls] > I didn't know that I was supposed to perform a security audit and I did n= ot do=20 > so. 
So if anyone happens to have the old distfile still around, please se= nd=20 > it my way, cause I don't. I suggest next time instead of marking a port a= s=20 > BROKEN=3D Checksum mismatch, mark it as BROKEN=3D Needs security audit so= I won't=20 > be tempted to fix it. Distfile caches are great for this sort of thing. While updating a checksum for a distfile wipes out many pre-reroll copies on many FreeBSD mirrors, there are often copies available on FreeBSD machines that haven't built the port since the checksum was updated or NetBSD and/or OpenBSD distfile caches and sometimes even Linux distfile caches, particularly Gentoo. I use alltheweb.com, filesearching.com, filewatcher.com (which have FTP search engines), Google Groups, and Google to search for the MD5 hashes and the names of distfiles I want to track down. filesearching.com can display file sizes in bytes and filewatcher.com embeds the byte counts in some URLs it generates, making it easy to discern which distfiles are (hopefully) identical. For tmake-1.7.tar.gz, filesearching.com currently reports 30 FTP sites which have copies of 46518 bytes in length, for example. At least a few of these sites should still have the pre-reroll distfile. Beyond that, I've used pavuk running multiple simultaneous connections and fetch with -S to scour the 100+ distfile caches from the FTP mirror sites listed in the FreeBSD Handbook. --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? 
jharris@widomaker.com | web: http://keyserver.kjsl.com/~jharris/ --Rm5rkB9L8kG9H2n8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAMnUeSypIl9OdoOMRAkp/AKDUYtsTKpN+J4FXAR1V6LDDmQd1UgCgrjdX KQVuMOe1U9clWc2M5fFmCPg= =wh1u -----END PGP SIGNATURE----- --Rm5rkB9L8kG9H2n8-- From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 06:21:25 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE78116A4CE for ; Wed, 18 Feb 2004 06:21:25 -0800 (PST) Received: from web41902.mail.yahoo.com (web41902.mail.yahoo.com [66.218.93.153]) by mx1.FreeBSD.org (Postfix) with SMTP id 9AF1443D1F for ; Wed, 18 Feb 2004 06:21:25 -0800 (PST) (envelope-from baby_p_nut2@yahoo.com) Message-ID: <20040218142125.49433.qmail@web41902.mail.yahoo.com> Received: from [69.138.247.249] by web41902.mail.yahoo.com via HTTP; Wed, 18 Feb 2004 06:21:25 PST Date: Wed, 18 Feb 2004 06:21:25 -0800 (PST) From: Baby Peanut To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: is this mbuf problem real? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Feb 2004 14:21:25 -0000 BM_207650 MEDIUM Vulnerability Version: 1 2/18/2004@03:47:29 GMT Initial report ID#207650: FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability (iDEFENSE Exclusive): Remote exploitation of a denial of service (DoS) vulnerability in FreeBSD's memory buffers (mbufs) could allow attackers to launch a DoS attack. By sending many out-of-sequence packets, a low bandwidth denial of service attack is possible against FreeBSD. 
When the targeted system runs out of memory buffers (mbufs), it is no longer able to accept or create new connections. Analysis: (iDEFENSE US) Exploitation of this vulnerability requires that the targeted system has at least one open TCP port. The DoS will last until the port is closed, either by the attacker or the target machine. Detection: iDEFENSE has confirmed this vulnerability exists in FreeBSD 5.1 (default install from media). It is expected that it also exists in earlier versions. Exploit: iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability. Vulnerability Types: Design Error - Denial of Service Prevalence and Popularity: Almost always Evidence of Active Exploitation or Probing: No known exploitation or spike in probing Ease of Exploitation: Remotely Exploitable Existence and Availability of Exploit Code: An Exploit exists and is closely traded. Vulnerability Consequence: Availability __________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. 
http://antispam.yahoo.com/tools From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 06:26:42 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABA8416A4CE; Wed, 18 Feb 2004 06:26:42 -0800 (PST) Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 853BD43D1D; Wed, 18 Feb 2004 06:26:42 -0800 (PST) (envelope-from veldy@veldy.net) Received: from veldy.net (fuggle.veldy.net [209.98.200.33]) by conn.mc.mpls.visi.com (Postfix) with ESMTP id 835A281BD; Wed, 18 Feb 2004 08:26:41 -0600 (CST) Received: from localhost (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with ESMTP id 1098D1CC65; Wed, 18 Feb 2004 08:26:41 -0600 (CST) Received: from veldy.net ([127.0.0.1]) by localhost (fuggle.veldy.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74971-07; Wed, 18 Feb 2004 08:26:38 -0600 (CST) Received: from veldy.net (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with ESMTP id 7C6A51CC61; Wed, 18 Feb 2004 08:26:37 -0600 (CST) Message-ID: <40337619.1050504@veldy.net> Date: Wed, 18 Feb 2004 08:26:33 -0600 From: "Thomas T. 
Veldhouse" User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org X-Enigmail-Version: 0.83.3.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig227DDCDF225DD1782EFFE0AF" X-Virus-Scanned: by amavisd-new at veldy.net Subject: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Feb 2004 14:26:42 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig227DDCDF225DD1782EFFE0AF Content-Type: multipart/mixed; boundary="------------040800090305080004070700" This is a multi-part message in MIME format. --------------040800090305080004070700 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Attached is a security alert from Gentoo pertaining to clam antivirus. It seems that as of this morning, FreeBSD's ports still contain the affected version. 
Thank in advance, Tom Veldhouse --------------040800090305080004070700 Content-Type: message/rfc822; name="[gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="[gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability" Return-Path: X-Original-To: veldy@veldy.net Delivered-To: veldy@veldy.net Received: from localhost (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with ESMTP id 1C1F21CC65 for ; Wed, 18 Feb 2004 07:18:35 -0600 (CST) Received: from veldy.net ([127.0.0.1]) by localhost (fuggle.veldy.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67893-01 for ; Wed, 18 Feb 2004 07:18:32 -0600 (CST) Received: from eagle.gentoo.org (eagle.gentoo.oregonstate.edu [128.193.0.34]) by veldy.net (Postfix) with ESMTP id ED2B71CC61 for ; Wed, 18 Feb 2004 07:18:31 -0600 (CST) Received: (qmail 10970 invoked by uid 50004); 18 Feb 2004 13:17:09 +0000 Mailing-List: contact gentoo-announce-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@gentoo.org Delivered-To: mailing list gentoo-announce@lists.gentoo.org Delivered-To: moderator for gentoo-announce@lists.gentoo.org Received: (qmail 15384 invoked from network); 18 Feb 2004 13:16:32 +0000 Message-ID: <403365AD.4030809@gentoo.org> Date: Wed, 18 Feb 2004 13:16:29 +0000 From: Tim Yamin User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040212 X-Accept-Language: en-us, en MIME-Version: 1.0 To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com, gentoo-core@lists.gentoo.org, gentoo-announce@lists.gentoo.org X-Enigmail-Version: 0.83.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 18 Feb 2004 13:16:30.0295 (UTC) FILETIME=[6C024E70:01C3F621] Subject: 
[gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200402-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: Clamav 0.65 DoS vulnerability
      Date: February 11, 2004
      Bugs: #41248
        ID: 200402-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Oliver Eikemeier has reported a vulnerability in clamav, which can be
exploited by a malformed uuencoded message causing a denial of service
for programs that rely on the clamav daemon, such as SMTP daemons.

Background
==========

Clam AntiVirus is a GPLed anti-virus toolkit, designed for integration
with mail servers to perform attachment scanning. Clam AV also provides
a command line scanner and a tool for fetching updates of the virus
database.

Description
===========

Oliver Eikemeier of Fillmore Labs discovered the overflow in Clam AV
0.65 when it handled malformed UUEncoded messages, causing the daemon
to shut down. The problem originated in libclamav, which calculates the
line length of a uuencoded message by taking the ASCII value of the
first character minus 64 and asserts if the length is not in the
allowed range, effectively terminating the calling program as clamav
would not be available.

Impact
======

A malformed message such as the one below would cause a denial of
service, and depending on the server configuration this may impact
other daemons relying on Clam AV in a fatal manner.
To exploit the vulnerability, you can add the following [ excluding the
two lines ] to ~/clamtest.mbox:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
From -
begin 644 byebye
byebye
end
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then do "clamscan --mbox -v ~/clamtest.mbox" or "clamdscan -v
~/clamtest.mbox; ps ax | grep clam": the former will cause an assertion
and a segmentation fault, the latter would cause the daemon to shut
down.

Workaround
==========

There is no immediate workaround, a software upgrade is required.

Resolution
==========

All users are urged to upgrade their Clam AV installations to Clam AV
0.67:

    # emerge sync
    # emerge -pv ">=net-mail/clamav-0.6.7"
    # emerge ">=net-mail/clamav-0.6.7"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
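Added example, not the advisory's text and not ClamAV's code: a uuencode line parser written the way the advisory's fix implies. Standard uuencode stores a data line's byte count as its first character's ASCII value minus 32 (legal range 0 to 45); the parser reports an out-of-range count as an error instead of asserting, so a scanner can reject the mbox body shown above and keep running. The function names are mine and the two sample bodies are constructed inline.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not ClamAV code): defensive handling of uuencoded data
 * lines. A data line starts with one character whose ASCII value is
 * 32 + the number of bytes it carries (0..45), then four encoded
 * characters for every three bytes. */

#define UU_MAX_LINE_BYTES 45

/* Byte count declared by the line's first character, or -1 when it is
 * outside the legal range. Same check the advisory describes, but the
 * error is reported instead of assert()ing the process away. */
int uu_line_length(const char *line)
{
    if (line == NULL || line[0] == '\0')
        return -1;
    int c = (unsigned char)line[0];
    if (c == '`')               /* uuencode writes '`' for the empty last line */
        return 0;
    int len = c - 32;
    if (len < 0 || len > UU_MAX_LINE_BYTES)
        return -1;              /* 'b' from "byebye": 98 - 32 = 66, rejected */
    return len;
}

/* Decode one data line into out (capacity outcap). Returns the number of
 * bytes written, or -1 for a malformed line: bad length character, fewer
 * encoded characters than the declared length needs, or a character
 * outside the encoding alphabet. */
int uu_decode_line(const char *line, unsigned char *out, size_t outcap)
{
    int len = uu_line_length(line);
    if (len < 0 || (size_t)len > outcap)
        return -1;
    const char *p = line + 1;
    size_t need = ((size_t)len + 2) / 3 * 4;   /* encoded chars required */
    size_t have = strcspn(p, "\r\n");           /* chars before terminator */
    if (have < need)
        return -1;                              /* truncated line */
    size_t written = 0;
    for (size_t i = 0; i < need; i += 4) {
        unsigned v[4];
        for (int k = 0; k < 4; k++) {
            int c = (unsigned char)p[i + k] - 32;
            if (c < 0 || c > 64)                /* alphabet is ' ' .. '`' */
                return -1;
            v[k] = (unsigned)c & 0x3f;
        }
        unsigned char b[3];
        b[0] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        b[1] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
        b[2] = (unsigned char)((v[2] << 6) | v[3]);
        for (int k = 0; k < 3 && written < (size_t)len; k++)
            out[written++] = b[k];
    }
    return (int)written;
}

/* Check helper: does `line` decode to exactly `expect`? 1 = yes, 0 = no. */
int uu_line_decodes_to(const char *line, const char *expect)
{
    unsigned char out[UU_MAX_LINE_BYTES];
    int n = uu_decode_line(line, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(out, expect, (size_t)n) == 0;
}

/* Walk a message body: every line between "begin ..." and "end" must
 * decode. Returns 0 when the body is clean, otherwise the 1-based number
 * of the first malformed line, so the caller can reject that one message
 * and keep serving instead of taking the daemon down. */
int uu_check_body(const char *body)
{
    unsigned char buf[UU_MAX_LINE_BYTES];
    char line[128];
    int lineno = 0, in_uu = 0;
    for (const char *p = body; *p != '\0'; ) {
        size_t n = strcspn(p, "\n");
        lineno++;
        if (n >= sizeof line)
            return lineno;                      /* overlong line: malformed */
        memcpy(line, p, n);
        line[n] = '\0';
        if (n > 0 && line[n - 1] == '\r')
            line[n - 1] = '\0';                 /* tolerate CRLF bodies */
        if (!in_uu) {
            if (strncmp(line, "begin ", 6) == 0)
                in_uu = 1;
        } else if (strcmp(line, "end") == 0) {
            in_uu = 0;
        } else if (uu_decode_line(line, buf, sizeof buf) < 0) {
            return lineno;
        }
        p += n + (p[n] == '\n' ? 1 : 0);
    }
    return 0;
}

/* Constructed samples: "Cat" uuencoded, and the malformed mbox body from
 * the advisory above ("From -" is its mbox separator line). */
const char *const UU_GOOD_BODY = "begin 644 cat.txt\n#0V%T\n`\nend\n";
const char *const UU_BAD_BODY  = "From -\nbegin 644 byebye\nbyebye\nend\n";
```

uu_check_body reports line 3 for the malformed body, the "byebye" data line, and 0 for the well-formed one.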
From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 13:25:58 2004
From: Damian Gerow
To: freebsd-security@freebsd.org
Date: Wed, 18 Feb 2004 16:25:57 -0500
Subject: Re: is this mbuf problem real?

Thus spake Baby Peanut (baby_p_nut2@yahoo.com) [18/02/04 16:23]:
> Detection: iDEFENSE has confirmed this vulnerability exists in FreeBSD
> 5.1 (default install from media). It is expected that it also exists
> in earlier versions.

Perhaps a better question: Can anyone /confirm/ that it exists in actual
stable releases, not just the development branch?

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 13:59:51 2004
From: "Jacques A. Vidrine"
Date: Wed, 18 Feb 2004 15:59:50 -0600
To: "Thomas T.
Veldhouse"
cc: freebsd-security@freebsd.org
cc: freebsd-ports@freebsd.org
Subject: Re: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability]

On Wed, Feb 18, 2004 at 08:26:33AM -0600, Thomas T. Veldhouse wrote:
> Attached is a security alert from Gentoo pertaining to clam antivirus.
> It seems that as of this morning, FreeBSD's ports still contain the
> affected version.

Oliver (the discoverer of the vulnerability) is a FreeBSD developer and
fixed the port some time ago.

See also .
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 14:01:58 2004
From: "Jacques A. Vidrine"
To: Baby Peanut
cc: freebsd-security@freebsd.org
Date: Wed, 18 Feb 2004 16:01:57 -0600
Subject: Re: is this mbuf problem real?
On Wed, Feb 18, 2004 at 06:21:25AM -0800, Baby Peanut wrote:
> BM_207650
> MEDIUM
> Vulnerability
> Version: 1 2/18/2004@03:47:29 GMT
> Initial report
>
> ID#207650:
> FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability
> (iDEFENSE Exclusive): Remote exploitation of a denial of service (DoS)
> vulnerability in FreeBSD's memory buffers (mbufs) could allow attackers
> to launch a DoS attack.

Hmm, in the past, iDEFENSE has contacted us (FreeBSD Project) in advance
about such issues, but I haven't heard from them on this one. I cannot
access the URL you referenced.

Thanks for posting.
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 17:02:30 2004
From: Tig
To: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 12:04:50 +1100
Subject: secuirty bug with /etc/login.access

/etc/login.access does not work 100% over ssh.

I have the following line in login.access

-:ray:ALL EXCEPT LOCAL

Which I believe means the user 'ray' can not login from anywhere unless
it is a local login.

So, I tested it over ssh from a remote box

tigger@piglet:~% ssh ray@sonic.cbnmediaX.com.au
Password:
Password:
Password:
ray@sonic.cbnmediaX.com.au's password:
Last login: Sat Feb 14 12:29:45 2004 from dsl-38.226.240.
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.2-RELEASE-p2 (SONIC) #1: Sun Feb 8 01:18:08 EST 2004

(I'm 100% sure I typed the password correctly each time)

As you can see, I'm denied access each time until the 'ray@sonic...'
option is presented, then I'm allowed in.

I personally think this is a security hole but I'm happy to admit it
could be a configuration issue at my end. Please let me know if it's a
problem at my end.

Thanks for your time.
-Tig

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 17:11:32 2004
From: Oliver Eikemeier
Organization: Fillmore Labs GmbH - http://www.fillmore-labs.com/
To: "Jacques A. Vidrine"
cc: "Thomas T. Veldhouse"
cc: freebsd-security@FreeBSD.org
cc: freebsd-ports@FreeBSD.org
Date: Thu, 19 Feb 2004 02:11:27 +0100
Subject: Re: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability]

Jacques A. Vidrine wrote:
> On Wed, Feb 18, 2004 at 08:26:33AM -0600, Thomas T. Veldhouse wrote:
>
>>Attached is a security alert from Gentoo pertaining to clam antivirus.
>>It seems that as of this morning, FreeBSD's ports still contain the
>>affected version.
>
> Oliver (the discoverer of the vulnerability) is a FreeBSD developer and
> fixed the port some time ago.
>
> See also
> .

Btw, it is almost unbearably smart that they include the sequence that
triggers the bug in their mail, assuring that users that *have* the
vulnerable clamd installed never see the advisory.

It *had* a reason that I prefixed the lines with 'X'. Congratulations.

-Oliver

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 20:30:11 2004
From: Mike Silbersack
To: Oliver Eikemeier
Date: Wed, 18 Feb 2004 22:30:08 -0600 (CST)
cc: "Jacques A. Vidrine"
cc: "Thomas T.
Veldhouse"
cc: freebsd-ports@FreeBSD.org
cc: freebsd-security@FreeBSD.org
Subject: Re: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoS vulnerability]

On Thu, 19 Feb 2004, Oliver Eikemeier wrote:
> Btw, it is almost unbearably smart that they include the sequence that triggers
> the bug in their mail, assuring that users that *have* the vulnerable clamd
> installed never see the advisory.
>
> It *had* a reason that I prefixed the lines with 'X'. Congratulations.
>
> -Oliver

When that pine header-parsing bug came out two years ago, the jerk threw
the bad header in his post to bugtraq. I did not enjoy that. :(

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 22:43:20 2004
Date: Thu, 19 Feb 2004 08:38:50 +0200
From: "David Peall"
Subject: RE: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoSvulnerability]

Hi

The FreeBSD port has been updated for the DoS vulnerability but the
version is still the same.

See:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/clamav/

David Peall
Systems Administrator
Western Cape Schools' Network
http://www.wcsn.org.za/
PO Box 44460, Claremont 7735, Cape Town
Fax +27 (021) 683-6766, Helpdesk +27 (021) 674-9140

> -----Original Message-----
> From: Thomas T. Veldhouse [mailto:veldy@veldy.net]
> Sent: 18 February 2004 04:27 PM
> To: freebsd-ports@freebsd.org; freebsd-security@freebsd.org
> Subject: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65
> DoSvulnerability]
>
>
> Attached is a security alert from Gentoo pertaining to clam
> antivirus.
> It seems that as of this morning, FreeBSD's ports still contain the
> affected version.
>
> Thanks in advance,
>
> Tom Veldhouse
>

From owner-freebsd-security@FreeBSD.ORG Wed Feb 18 23:34:35 2004
From: Brian Keefer
To: freebsd-security@freebsd.org
Date: 18 Feb 2004 23:34:10 -0800
Subject: Re: Rooted system

On Mon, 2004-02-16 at 12:20, Clifton Royston wrote:
> > And now what? [ You are unclear to me ]
> >
> > Well, you could use a Security Toolkit Distribution from Knoppix, called
> > knoppix-std
> > And do some research with that.
>
> More generic forensic help (less Linux-specific) might come from the
> "Coroner's Toolkit" from the team of Wietse Venema and Dan Farmer
> (SATAN et al., and also TCPwrap and Postfix in the case of Wietse.)
> It's supposed to be pretty cross-platform with BSD support.
>
>

FYI the Knoppix-STD live-CD does have an extended version of Coroner's
Toolkit. Have a look:

http://www.knoppix-std.org/tools.html

Also, although it's a Linux distribution, it's *not* expressly for Linux
forensics. It has NTFS rw support (limited) and Windows password reset
functions, etc... In other words, it's a multi-OS generic forensics kit.

I'm fairly certain that it does have support for mount -t ufs, but I
haven't confirmed that.

--
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 02:26:29 2004
From: Peter Pentchev
To: David Peall
Date: Thu, 19 Feb 2004 12:26:28 +0200
Mail-Followup-To: David Peall , "Thomas T.
Veldhouse" , freebsd-ports@freebsd.org, freebsd-security@freebsd.org
cc: "Thomas T. Veldhouse"
cc: freebsd-security@freebsd.org
cc: freebsd-ports@freebsd.org
Subject: Re: [Fwd: [gentoo-announce] [ GLSA 200402-07 ] Clamav 0.65 DoSvulnerability]

On Thu, Feb 19, 2004 at 08:38:50AM +0200, David Peall wrote:
> Hi
>
> The FreeBSD port has been updated for the DoS vulnerability but the
> version is still
> the same.
>
> See:
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/clamav/

Err.. strictly speaking, the port's version is not the same: it is now
0.65_7, it was 0.65_6 before. The 'port revision' number was introduced
for precisely this purpose: to provide an indicator that something
important has changed in the FreeBSD port even when the mainstream
version of the ported software remains the same.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
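Added example, not from the thread and not pkg_version(1)'s own code: a simplified comparator for FreeBSD port versions written as VERSION[_REVISION][,EPOCH], enough to show that 0.65_6 sorts before 0.65_7 and 0.65_7 before 0.67, so a check against an installed package name (assumed to be of the form name-version, as pkg_info prints it) can tell whether the revision that carries the fix is present. It handles dotted numeric versions only; letter suffixes and patch levels are not reproduced.

```c
#include <stdlib.h>
#include <string.h>

/* Added example: compare FreeBSD port versions VERSION[_REVISION][,EPOCH].
 * Order of precedence, as in the ports framework: epoch, then the
 * upstream version, then the port revision. Simplified: numeric dotted
 * versions only. */

/* Split "0.65_7,1" into "0.65", revision 7, epoch 1. Missing parts are 0. */
static void pv_split(const char *s, char *ver, size_t cap, long *rev, long *epoch)
{
    const char *comma = strchr(s, ',');
    const char *under = strchr(s, '_');
    *epoch = comma ? strtol(comma + 1, NULL, 10) : 0;
    *rev = under ? strtol(under + 1, NULL, 10) : 0;
    size_t n = under ? (size_t)(under - s) : comma ? (size_t)(comma - s) : strlen(s);
    if (n >= cap)
        n = cap - 1;
    memcpy(ver, s, n);
    ver[n] = '\0';
}

/* Compare dotted numeric versions component by component; a missing
 * component counts as 0, so "0.65" equals "0.65.0". Non-numeric
 * remainders fall back to plain string order to guarantee progress. */
static int pv_cmp_dotted(const char *a, const char *b)
{
    while (*a != '\0' || *b != '\0') {
        char *ea, *eb;
        long x = strtol(a, &ea, 10);
        long y = strtol(b, &eb, 10);
        if (ea == a && eb == b)
            return strcmp(a, b);
        if (x != y)
            return x < y ? -1 : 1;
        a = ea;
        b = eb;
        if (*a == '.') a++;
        if (*b == '.') b++;
    }
    return 0;
}

/* Returns <0, 0 or >0 like strcmp. */
int portversion_cmp(const char *a, const char *b)
{
    char va[64], vb[64];
    long ra, ea, rb, eb;
    pv_split(a, va, sizeof va, &ra, &ea);
    pv_split(b, vb, sizeof vb, &rb, &eb);
    if (ea != eb)
        return ea < eb ? -1 : 1;
    int c = pv_cmp_dotted(va, vb);
    if (c != 0)
        return c;
    if (ra != rb)
        return ra < rb ? -1 : 1;
    return 0;
}

/* 1 if an installed package such as "clamav-0.65_7" is at least the
 * fixed version, 0 otherwise. Assumes the name-version form of pkg_info. */
int port_is_fixed(const char *installed_pkg, const char *fixed_version)
{
    const char *dash = strrchr(installed_pkg, '-');
    if (dash == NULL)
        return 0;
    return portversion_cmp(dash + 1, fixed_version) >= 0;
}
```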
From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 04:31:39 2004
From: Sven Pfeifer
To: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 13:33:49 +0100
Subject: Re: secuirty bug with /etc/login.access
Reply-To: Sven
Pfeifer

Hi Tig,

Tig wrote:
[...]
> So, I tested it over ssh from a remote box
>
> tigger@piglet:~% ssh ray@sonic.cbnmediaX.com.au
> Password:
> Password:
> Password:
> ray@sonic.cbnmediaX.com.au's password:
> Last login: Sat Feb 14 12:29:45 2004 from dsl-38.226.240.
[...]
> (I'm 100% sure I typed the password correct each time)
> As you can see, I'm denied access each time until the 'ray@sonic...'
> option is presented, then I'm allowed in.

This looks like you have configured PasswordAuthentication yes and
Protocol 2,1 in your server's /etc/ssh/sshd_config. So your client is
trying to authenticate to the _local_ id-File. If this is failing (3
times) then it tries the PasswordAuthentication at the _remote_ machine.

So I think you typed in the wrong password for your _local_ id-File and
the fourth time at the "ray@sonic.cbnmediaX.com.au's password:" prompt
you typed in the correct password for user ray at host
sonic.cbnmediX.com.au.

[...]
> -Tig

HTH
Sven
G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If I were you, who would be reading this sentence? --MW5yreqqjyrRcusr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFANI9U7Ri2jRYZRVMRArDSAKC96VT/KV+YTJe92K9MiNZDM1tbBgCfXcET 0mO6DEvoYhzlXjwk/J+McQg= =nHYv -----END PGP SIGNATURE----- --MW5yreqqjyrRcusr-- From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 07:44:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A89C16A4CE for ; Thu, 19 Feb 2004 07:44:34 -0800 (PST) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 35C5B43D1D for ; Thu, 19 Feb 2004 07:44:34 -0800 (PST) (envelope-from des@des.no) Received: by smtp.des.no (Pony Express, from userid 666) id 1E1B85309; Thu, 19 Feb 2004 16:44:33 +0100 (CET) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id C9A7D5308 for ; Thu, 19 Feb 2004 16:44:26 +0100 (CET) Received: by dwp.des.no (Postfix, from userid 2602) id AD17A33C6F; Thu, 19 Feb 2004 16:44:26 +0100 (CET) To: freebsd-security@freebsd.org References: <20040219120450.1854b521@piglet.goo> <20040219123349.GB23725@yagonna.de> From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=) Date: Thu, 19 Feb 2004 16:44:26 +0100 In-Reply-To: <20040219123349.GB23725@yagonna.de> (Sven Pfeifer's message of "Thu, 19 Feb 2004 13:33:49 +0100") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no X-Spam-Level: X-Spam-Status: No, 
Subject: Re: secuirty bug with /etc/login.access

Sven Pfeifer writes:
> this looks like, you have configured
>
> PasswordAuthentication yes
> and
> Protocol 2,1
>
> in your server's /etc/ssh/sshd_config. So your client is trying to
> authenticate to the _local_ id-File. If this is failing (3 times) then
> it tries the PasswordAuthentication at the _remote_ machine.

Uh, no. There is never any attempt by the client to authenticate the
user against the client machine's password database. All four prompts
are issued by the remote machine. The first three are from PAM, the
fourth is OpenSSH's built-in password authentication which apparently
does not respect login.access. The solution is to disable password
authentication in /etc/ssh/sshd_config; this should be the default now
that PAM works.
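An added check for the configuration Sven and Dag-Erling discuss above (example code written for this page, not from OpenSSH, FreeBSD or the thread): it reads an sshd_config with the first-value-wins rule that sshd_config(5) documents and reports whether the built-in password prompt is still in effect. WEAK_CONFIG and FIXED_CONFIG are constructed samples; the Match address is a documentation range, and the absent-keyword defaults used here (PasswordAuthentication yes, UsePAM no) are the upstream sshd_config(5) defaults, not FreeBSD's shipped file.

```python
"""Audit an sshd_config for the failure mode described in the message above.

Assumed sshd_config(5) semantics: keywords are case-insensitive, a line whose
first non-blank character is '#' is a comment, for each keyword the first
value in the file wins, and every line after a 'Match' line is conditional.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the configuration Sven describes.  The trailing
# 'PasswordAuthentication no' is ignored by sshd because the first value wins.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2,1
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
"""

# Constructed sample of the advice in the thread: password auth off globally,
# PAM on.  The Match block shows a per-network override the audit must report.
FIXED_CONFIG = """\
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return (global keyword -> first value, [(match criteria, keyword, value)]).

    Keywords are lowercased.  A later repeat of a global keyword is dropped,
    which is the sshd behaviour that makes a second 'PasswordAuthentication'
    line ineffective.
    """
    global_settings: Dict[str, str] = {}
    match_settings: List[Tuple[str, str, str]] = []
    current_match: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd would reject the file
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current_match = value
        elif current_match is not None:
            match_settings.append((current_match, keyword, value))
        elif keyword not in global_settings:
            global_settings[keyword] = value
    return global_settings, match_settings


def password_auth_enabled(text: str) -> bool:
    """True if sshd's built-in password authentication is on globally."""
    global_settings, _ = parse_sshd_config(text)
    # sshd_config(5): PasswordAuthentication defaults to yes when absent.
    return global_settings.get("passwordauthentication", "yes").lower() == "yes"


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the file follows the advice above."""
    global_settings, match_settings = parse_sshd_config(text)
    findings: List[str] = []
    if password_auth_enabled(text):
        findings.append(
            "PasswordAuthentication is in effect globally: per the thread, the "
            "built-in password prompt does not respect login.access"
        )
    protocols = global_settings.get("protocol", "").replace(",", " ").split()
    if "1" in protocols:
        findings.append("Protocol 1 is enabled")
    # Upstream default for UsePAM is no; FreeBSD's shipped file sets it to yes.
    if global_settings.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes': PAM authentication is off")
    for criteria, keyword, value in match_settings:
        if keyword == "passwordauthentication" and value.lower() == "yes":
            findings.append(f"Match {criteria}: password authentication re-enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```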
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 13:02:16 2004
From: Dorin H
To: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 13:02:16 -0800 (PST)
Message-ID: <20040219210216.22863.qmail@web12608.mail.yahoo.com>
Subject: traffic normalizer for ipfw?

Hi there,

Is there some way to configure ipfw to do traffic normalizing
("scrubbing", as in ipf for OpenBSD)? Is there any tool to do it for
FreeBSD firewalling? I've heard that ipf was ported on current, anything
else?

TIA,
/Dorin.
From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 13:14:14 2004
From: Bruce M Simpson
To: Dorin H
cc: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 21:14:11 +0000
Message-ID: <20040219211411.GB3612@saboteur.dek.spc.org>
In-Reply-To: <20040219210216.22863.qmail@web12608.mail.yahoo.com>
Subject: Re: traffic normalizer for ipfw?
On Thu, Feb 19, 2004 at 01:02:16PM -0800, Dorin H wrote:
> Is there some way to configure ipfw to do traffic
> normalizing ("scrubbing", as in ipf for OpenBSD)? Is
> there any tool to do it for FreeBSD firewalling?
> I've heard that ipf was ported on current, anything
> else?

We're looking at bringing pf into the tree. One of the things on my
unofficial (some would say a work of pure fiction) is to look at
something for KaZaA filtering on BSD...

If you're talking about traffic shaping, have a look at dummynet which is
already there.

BMS

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 13:19:51 2004
From: Claudiu Dragalina-Paraipan
Organization: Reversed Hell Networks
To: Dorin H
cc: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 23:17:17 +0200
Message-ID: <403527DD.1090200@reversedhell.net>
In-Reply-To: <20040219210216.22863.qmail@web12608.mail.yahoo.com>
Subject: Re: traffic normalizer for ipfw?

Dorin H wrote:
| Hi there,
| Is there some way to configure ipfw to do traffic
| normalizing ("scrubbing", as in ipf for OpenBSD)? Is
| there any tool to do it for FreeBSD firewalling?
| I've heard that ipf was ported on current, anything
| else?
| TIA,
| /Dorin.
|

You may want to check: /usr/ports/security/pf
It is a port of Packet Filter from OpenBSD, which does traffic normalizing
among other useful things.
-- 
Claudiu Dragalina-Paraipan
Reversed Hell Networks / reversedhell.net
e-mail: clau@reversedhell.net
site: oxygen.reversedhell.net

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 14:31:01 2004
From: Dorin H
To: Bruce M Simpson
cc: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 14:31:01 -0800 (PST)
Message-ID: <20040219223101.37571.qmail@web12608.mail.yahoo.com>
In-Reply-To: <20040219211411.GB3612@saboteur.dek.spc.org>
Subject: Re: traffic normalizer for ipfw?
--- Bruce M Simpson wrote:
> On Thu, Feb 19, 2004 at 01:02:16PM -0800, Dorin H wrote:
> > Is there some way to configure ipfw to do traffic
> > normalizing ("scrubbing", as in ipf for OpenBSD)?
> We're looking at bringing pf into the tree.

Is it the same thing as the port pf_freebsd-2.03 (/usr/port/security/pf)?
I am mainly familiar with ipfw on FBSD.

> If you're talking about traffic shaping, have a look at dummynet which is
> already there.

Ok, let me clarify. I am thinking at the ability to modify the packet
headers on the fly, to mitigate some of the IDS evasion techniques, and
possibly eliminate other network recons. I know that pf is able to modify
things like IP minimum TTL, reset Don't Fragment, and so on and I was
wondering if there is a way to do it with ipfw or some additional plug.

Thank you,
/Dorin.
From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 14:40:26 2004
From: Tig
To: freebsd-security@freebsd.org
Date: Fri, 20 Feb 2004 09:42:47 +1100
Message-Id: <20040220094247.220247ca@piglet.goo>
Subject: Re: secuirty bug with /etc/login.access

On Thu, 19 Feb 2004 16:44:26 +0100 des@des.no (Dag-Erling Smørgrav) wrote:
> Sven Pfeifer writes:
> > this looks like, you have configured
> >
> > PasswordAuthentication yes
> > and
> > Protocol 2,1
> >
> > in your server's /etc/ssh/sshd_config. So your client is trying to
> > authenticate to the _local_ id-File. If this is failing (3 times)
> > then it tries the PasswordAuthentication at the _remote_ machine.
>
> Uh, no.
> There is never any attempt by the client to authenticate the
> user against the client machine's password database. All four prompts
> are issued by the remote machine. The first three are from PAM, the
> fourth is OpenSSH's built-in password authentication which apparently
> does not respect login.access. The solution is to disable password
> authentication in /etc/ssh/sshd_config; this should be the default now
> that PAM works.
>
> DES
> -- 
> Dag-Erling Smørgrav - des@des.no

OK, thanks, but do you mean:

'this should be the default now that PAM works, because I have just
updated the CVS repository'

or..

'this should be the default now that PAM works, but it's not at the
moment. Someone will (hopefully) fix it soon'

-Tig

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 16:30:52 2004
From: Dorin H
To: Darren Reed
cc: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 16:30:52 -0800 (PST)
Message-ID: <20040220003052.41695.qmail@web12606.mail.yahoo.com>
In-Reply-To: <200402192315.i1JNFxo4004083@caligula.anu.edu.au>
Subject: Re: traffic normalizer for ipfw?
--- Darren Reed wrote:
> In some mail from Bruce M Simpson, sie said:
> >
> > On Thu, Feb 19, 2004 at 01:02:16PM -0800, Dorin H wrote:
> > > Is there some way to configure ipfw to do
> > > traffic normalizing ("scrubbing", as in ipf for
>
> You mean pf, not ipf..

Right.

> normalizing is overrated as a firewall feature - it's really
> something that belongs in IDS software.
>
> Darren

True, it's part of IDS. Nevertheless, do you think that traffic
normalizing is useful? If yes, where would you have it (you need an
inline device for it; move the IDS inline and it becomes IPS, which,
IMHO, is indeed something overrated :)? If not, do you know better ways
to handle IDS evasions (other than network active mapping, which takes
both time & resources and could be useful for small networks only
probably)?

TIA,
/Dorin.
From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 22:20:21 2004
From: "Kurt Seifried"
To: "Dorin H", "Darren Reed"
cc: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 23:20:00 -0700
Message-ID: <00b001c3f779$91ba8750$1400000a@bigdog>
Subject: Re: traffic normalizer for ipfw?

It's not like you HAVE to use it. It's an option, you can use it, or not.
As far as the semantic arguments of firewalls/IDS/IPS/etc (technically
I'd say scrub is more an IPS style feature than IDS since it actively
manipulates the data to make it less "dangerous") please let's not go
there, it's pointless. Isn't choice a good thing?
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 01:21:50 2004
From: "Kurt Seifried"
To: "Darren Reed"
cc: freebsd-security@freebsd.org
Date: Fri, 20 Feb 2004 02:21:27 -0700
Message-ID: <028101c3f792$eaf115a0$1400000a@bigdog>
In-Reply-To: <200402200910.i1K9AIoe005185@caligula.anu.edu.au>
Subject: Re: traffic normalizer for ipfw?

> > It's not like you HAVE to use it. It's an option, you can use it, or not. As
> > far as the semantic arguments of firewalls/IDS/IPS/etc (technically I'd say
> > scrub is more an IPS style feature than IDS since it actively manipulates
> > the data to make it less "dangerous") please let's not go there, it's
> > pointless.
>
> Cripes, and you claim to be a publisher of security related information?
>
> Well, I suppose if you are then you're press and we all know how good
> the press are at getting technical things "right".

If you really must flame me can you do it offlist to spare everyone the
tedium? BTW since when am I "the press"? This is news to me.

> "scrub" won't do a damn thing about making data "less dangerous".
> And it's not an IPS either (it won't do anything about preventing
> someone from using an IIS/apache exploit in your web farm.)

No but it will prevent some protocol level exploits/etc that can make
applications and systems puke their guts up (yes, some TCP-IP stacks suck
that much). Stopping a denial of service attack (intentional or otherwise)
sounds like a typical IPS related function, not an IDS function. In any
event this sort of proves how pointless the IDS/IPS argument is (everyone
is quite happy to disagree on what they are/do).

> All it does is try and clean off rough edges of packet header fields
> so that they fit into an IDS's picture of the world more easily.
>
> That's it. Well, they have extended the 'scrub' facility to do other
> things that could just as easily be done elsewhere but it is definitely
> NOT an IPS (and anyone selling it as such is a fraud.)

Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an
IPS. In any event this sort of proves how pointless the IDS/IPS argument
is (everyone is quite happy to disagree on what they are/do).

If you want to continue this discussion off list in a civil manner I'd be
glad to, otherwise I'm done.
> Darren

-Kurt

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 13:28:55 2004
From: Ted Cabeen
To: Jim Zajkowski
cc: freebsd-security@freebsd.org
Date: Thu, 19 Feb 2004 13:28:55 -0800
Message-ID: <874qtmyd0o.fsf@gray.impulse.net>
In-Reply-To: (Jim Zajkowski's message of "Wed, 11 Feb 2004 10:35:07 -0500")
Subject: Re: Question about securelevel

Jim Zajkowski writes:
> On Feb 11, 2004, at 10:24 AM, roberto@redix.it wrote:
>
>> Yes I agree with you: a secure system should be read-only fs, but to
>> overcome the drawbacks of a CDROM, I can use a standard hard disk with a
>> read-only file system while securelevel==3. The writable file system
>> should be available in single user mode only on console.
>
> If I figure out how to make your filesystem remount read-write without
> a reboot, the game is over.

Setting all of the important files on the disk immutable will help a fair
bit too, but a true read-only medium is better.

-- 
Ted Cabeen  http://www.pobox.com/~secabeen  ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2  secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality." -T.S. Eliot  cabeen@netcom.com

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 15:16:02 2004
From: Darren Reed
To: bms@spc.org (Bruce M Simpson)
cc: freebsd-security@freebsd.org, Dorin H
Date: Fri, 20 Feb 2004 10:15:59 +1100 (Australia/ACT)
Message-Id: <200402192315.i1JNFxo4004083@caligula.anu.edu.au>
In-Reply-To: <20040219211411.GB3612@saboteur.dek.spc.org> from "Bruce M Simpson" at Feb 19, 2004 09:14:11 PM
Subject: Re: traffic normalizer for ipfw?
In some mail from Bruce M Simpson, sie said:
>
> On Thu, Feb 19, 2004 at 01:02:16PM -0800, Dorin H wrote:
> > Is there some way to configure ipfw to do traffic
> > normalizing ("scrubbing", as in ipf for OpenBSD)? Is
> > there any tool to do it for FreeBSD firewalling?
> > I've heard that ipf was ported on current, anything
> > else?

You mean pf, not ipf..

normalizing is overrated as a firewall feature - it's really
something that belongs in IDS software.

> We're looking at bringing pf into the tree.

For what benefit you have to wonder...

> One of the things on my
> unofficial (some would say a work of pure fiction) is to look at
> something for KaZaA filtering on BSD...

which pf won't do (so in that sense, it is pure fiction :)

Darren

From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 18:13:27 2004
From: Darren Reed
To: bj93542@yahoo.com (Dorin H)
cc: freebsd-security@freebsd.org
Date: Fri, 20 Feb 2004 13:13:25 +1100 (Australia/ACT)
Message-Id: <200402200213.i1K2DPoC021725@caligula.anu.edu.au>
In-Reply-To:
<20040220003052.41695.qmail@web12606.mail.yahoo.com> from "Dorin H" at Feb 19, 2004 04:30:52 PM
Subject: Re: traffic normalizer for ipfw?

In some mail from Dorin H, sie said:
>
> True, it's part of IDS. Nevertheless, do you think
> that traffic normalizing is useful?

No.

The worst part of normalizing traffic is that it "tampers" with your
evidence that comes in from the network.

Darren

From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 01:10:27 2004
From: Darren Reed
To: listuser@seifried.org
Date: Fri, 20 Feb 2004 20:10:17 +1100 (Australia/ACT)
Message-Id: <200402200910.i1K9AIoe005185@caligula.anu.edu.au>
In-Reply-To: <00b001c3f779$91ba8750$1400000a@bigdog> from "Kurt Seifried" at Feb 19, 2004 11:20:00 PM
cc: freebsd-security@freebsd.org, Dorin H, Darren Reed
Subject: Re: traffic normalizer for ipfw?

In some mail from Kurt Seifried, sie said:
>
> It's not like you HAVE to use it. It's an option, you can use it, or not. As
> far as the semantic arguments of firewalls/IDS/IPS/etc (technically I'd say
> scrub is more an IPS style feature than IDS since it actively manipulates
> the data to make it less "dangerous") please let's not go there, it's
> pointless.

Cripes, and you claim to be a publisher of security related information?

Well, I suppose if you are then you're press and we all know how good
the press are at getting technical things "right".

"scrub" won't do a damn thing about making data "less dangerous".
And it's not an IPS either (it won't do anything about preventing
someone from using an IIS/apache exploit in your web farm.)

All it does is try and clean off rough edges of packet header fields
so that they fit into an IDS's picture of the world more easily.

That's it. Well, they have extended the 'scrub' facility to do other
things that could just as easily be done elsewhere but it is definitely
NOT an IPS (and anyone selling it as such is a fraud.)
Darren

From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 01:31:12 2004
From: Darren Reed
To: listuser@seifried.org
cc: freebsd-security@freebsd.org
Date: Fri, 20 Feb 2004 20:31:09 +1100 (Australia/ACT)
Message-Id: <200402200931.i1K9V9HV010992@caligula.anu.edu.au>
In-Reply-To: <028101c3f792$eaf115a0$1400000a@bigdog> from "Kurt Seifried" at Feb 20, 2004 02:21:27 AM
Subject: Re: traffic normalizer for ipfw?

In some mail from Kurt Seifried, sie said:
>
> > "scrub" won't do a damn thing about making data "less dangerous".
> > And it's not an IPS either (it won't do anything about preventing
> > someone from using an IIS/apache exploit in your web farm.)
>
> No but it will prevent some protocol level exploits/etc that can make
> applications and systems puke their guts up (yes, some TCP-IP stacks suck
> that much). Stopping a denial of service attack (intentional or otherwise)
> sounds like a typical IPS related function, not an IDS function. In any
> event this sort of proves how pointless the IDS/IPS argument is (everyone
> is quite happy to disagree on what they are/do).

You don't need normalising to achieve that.

Why would you want to normalise bad packets into good ones so you can
let them in rather than drop them ?

> Last I checked it was BSD licensed, and AFAIK no-one is "selling it" as an
> IPS.
[...from your earlier text:...]
> > > far as the semantic arguments of firewalls/IDS/IPS/etc
> > > (technically I'd say scrub is more an IPS style feature
> > > than IDS since it actively manipulates
[...]

So you're not selling it as an IPS there ?

Darren

From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 02:31:42 2004
From: des@des.no (Dag-Erling Smørgrav)
To: Tig
Date: Fri, 20 Feb 2004 11:31:33 +0100
References: <20040219120450.1854b521@piglet.goo> <20040219123349.GB23725@yagonna.de> <20040220094247.220247ca@piglet.goo>
In-Reply-To:
<20040220094247.220247ca@piglet.goo> (tigger@onemoremonkey.com's message of "Fri, 20 Feb 2004 09:42:47 +1100")
cc: freebsd-security@freebsd.org
Subject: Re: security bug with /etc/login.access
X-List-Received-Date: Fri, 20 Feb 2004 10:31:42 -0000

Tig writes:
> OK, Thanks, but do you mean;
>
> 'this should be the default now that PAM works, because I have just
> updated the CVS repository'
>
> or..
>
> 'this should be the default now that PAM works, but it's not at the
> moment.
> Someone will (hopefully) fix it soon'

I meant "this is not the default, but it should be, and I'll go fix it in
CVS right away"

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 02:44:13 2004
From: "Brian Szymanski"
To: "Darren Reed"
Date: Fri, 20 Feb 2004 05:44:12 -0500 (EST)
Message-ID: <3883.10.0.0.26.1077273852.squirrel@atotarho.wuhjuhbuh.afraid.org>
In-Reply-To: <200402200931.i1K9V9HV010992@caligula.anu.edu.au>
cc: freebsd-security@freebsd.org
Subject: Re: traffic normalizer for ipfw?

With all due respect, Mr. Reed (and others!), kindly keep this off-list.
I do not need 4 consecutive responses to a flamewar about this. People are
on this list to hear about security problems with freebsd, not to read such
crap.

Thank you!
Brian Szymanski
bks10@cornell.edu
ski@indymedia.org

[Brian's reply quoted Darren Reed's preceding message in full; the quote is omitted here as a verbatim duplicate.]
--
Brian Szymanski
ski@indymedia.org
bks10@cornell.edu

From owner-freebsd-security@FreeBSD.ORG Sat Feb 21 14:48:14 2004
From: Richard Bejtlich
To: freebsd-security@freebsd.org
Date: Sat, 21 Feb 2004 14:48:13 -0800 (PST)
Message-ID: <20040221224813.27829.qmail@web60802.mail.yahoo.com>
Subject: Re: interface bonding

Hello,

I'm happy to confirm that interface bonding via the method I posted on 9 Jan 04
works properly when run on FreeBSD 4 STABLE.

http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2004-01/0024.html

I reported on 22 Jan that this method produced duplicate packets. This was
only an issue on 4.9 RELEASE. Ruslan fixed it, so STABLE works well.

Thanks again Ruslan!

Richard
http://www.taosecurity.com
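Editor's added example for the "traffic normalizer" thread above; this is not code from the thread, from pf's scrub, or from ipfw. It illustrates Darren Reed's point that a normalizer only cleans up packet header fields: it sanity-checks an IPv4 header, drops malformed or corrupt ones, clears the reserved fragment bit, enforces a minimum TTL, and recomputes the checksum, while never inspecting the payload. The header layout helper and the 10.0.0.1 -> 10.0.0.2 addresses are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of header normalization; NOT pf's scrub code. */
#define IP_RF 0x8000u   /* reserved bit of the IPv4 fragment field, must be zero */
enum { NORM_PASS = 0, NORM_MODIFIED = 1, NORM_DROP = 2 };

/* RFC 1071 checksum over the header; returns 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *h, size_t ihl)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < ihl; i += 2) sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill buf with a constructed option-free IPv4/TCP header, 10.0.0.1 -> 10.0.0.2. */
void build_ipv4_header(uint8_t *buf, uint16_t total_len, uint16_t frag_field, uint8_t ttl)
{
    static const uint8_t addrs[8] = {10, 0, 0, 1, 10, 0, 0, 2};
    memset(buf, 0, 20);
    buf[0] = 0x45;                                         /* version 4, IHL 5 words */
    buf[2] = total_len >> 8;  buf[3] = total_len & 0xff;
    buf[6] = frag_field >> 8; buf[7] = frag_field & 0xff;
    buf[8] = ttl;             buf[9] = 6;                  /* protocol TCP */
    memcpy(buf + 12, addrs, sizeof addrs);
    uint16_t c = ip_checksum(buf, 20);
    buf[10] = c >> 8;         buf[11] = c & 0xff;
}

/* Sanity-check and normalize the IPv4 header at pkt (len bytes available).
 * Only header fields are touched; the payload is never inspected. */
int normalize_ipv4(uint8_t *pkt, size_t len, uint8_t min_ttl)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return NORM_DROP;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len) return NORM_DROP;
    if (ip_checksum(pkt, ihl) != 0) return NORM_DROP;      /* corrupt header: drop, don't repair */
    int rc = NORM_PASS;
    if (pkt[6] & (IP_RF >> 8)) { pkt[6] &= (uint8_t)~(IP_RF >> 8); rc = NORM_MODIFIED; } /* clear reserved bit */
    if (pkt[8] < min_ttl) { pkt[8] = min_ttl; rc = NORM_MODIFIED; }           /* enforce minimum TTL */
    if (rc == NORM_MODIFIED) {                             /* header changed: recompute checksum */
        pkt[10] = pkt[11] = 0;
        uint16_t c = ip_checksum(pkt, ihl);
        pkt[10] = c >> 8; pkt[11] = c & 0xff;
    }
    return rc;
}
```

Note that a packet with an invalid header is dropped rather than rewritten into a valid one, which is the choice Darren argues for in the thread.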