From owner-freebsd-security@FreeBSD.ORG Sun Sep 27 18:39:13 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B270D1065672 for ; Sun, 27 Sep 2009 18:39:13 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id 87B3F8FC13 for ; Sun, 27 Sep 2009 18:39:13 +0000 (UTC)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTPS id 2424946B03; Sun, 27 Sep 2009 14:39:13 -0400 (EDT)
Date: Sun, 27 Sep 2009 19:39:13 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Pieter de Boer
In-Reply-To: <4AAF4A64.3080906@thedarkside.nl>
Message-ID:
References: <4AAF4A64.3080906@thedarkside.nl>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 27 Sep 2009 18:39:13 -0000

On Tue, 15 Sep 2009, Pieter de Boer wrote:

> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD
> kernel that have been discovered of late, I've started looking at a way to
> generically protect against the code execution possibilities of such bugs.
>
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it
> is possible to make such NULL-pointer deref bugs mere DoS'es instead of code
> execution bugs. Linux has implemented such a protection for a long while
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
> downgrades a whole class of code execution vulnerabilities to DoS
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM.
> This made at least the mmap() method to map at 0x0 fail.

FYI, changes are now going into head to implement this policy, although by
slightly different mechanisms. I expect to see them merged to various
branches, and also to active security branches (although disabled there by
default using a sysctl so as not to disturb existing setups unless desired by
the administrator).

Robert

> So:
> - How do you feel about disallowing such mappings to protect against
> NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
> creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun Sep 27 20:00:45 2009
Date: Sun, 27 Sep 2009 21:00:42 +0100
From: "Robert N. M. Watson"
To: Brett Glass
Cc: freebsd-security@freebsd.org, Pieter de Boer
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-Id: <4C92C4D0-1224-4885-98D4-629F67AC6DBB@freebsd.org>
In-Reply-To: <200909271904.NAA14681@lariat.net>
References: <4AAF4A64.3080906@thedarkside.nl> <200909271904.NAA14681@lariat.net>
X-Mailer: Apple Mail (2.1075.2)

On 27 Sep 2009, at 20:04, Brett Glass wrote:

> As someone who has been frustrated by a disproportionate number of
> bugs related to null and wild pointer dereferencing, I'd opt for
> such an option to be incorporated in the next point release.
>
> Perhaps, there could be two options: one to generate a warning in
> the log and then "fail soft" (e.g. by mapping a zero page) and
> another to cause a hard panic. The "fail soft" option would be
> particularly handy to help flush out bugs -- particularly in device
> drivers -- in preparation for making a hard panic the default at
> some future time. It would also provide a fallback for
> administrators, to allow them to keep their systems running while a
> bug was diagnosed and fixed.

Right now the immediate goals are:

(1) Enable by default in head so that we can evaluate the compatibility
    fallout

(2) Provide the ability to enable on other -stable and -security branches
    non-default

My guess is that we'll enable it in -stable (and hence point releases) fairly
quickly, but it's not a switch we want to throw in -stable until we have a
better understanding of the impact. We're also still working through the
implementation details so I suspect more commits will follow.

In practice, it will be tools like "doscmd" that fail in the new world order;
some may not consider this a significant functional loss. We observe that Wine
does do a mapping at NULL by default, but seems not to mind if it can't (as is
also true on Linux I believe).

Robert

> --Brett Glass
>
> At 12:39 PM 9/27/2009, Robert Watson wrote:
>
>> FYI, changes are now going into head to implement this policy,
>> although by slightly different mechanisms. I expect to see them
>> merged to various branches, and also to active security branches
>> (although disabled there by default using a sysctl so as not to
>> disturb existing setups unless desired by the administrator).
>>
>> Robert

From owner-freebsd-security@FreeBSD.ORG Sun Sep 27 19:43:21 2009
Date: Sun, 27 Sep 2009 13:04:30 -0600
From: Brett Glass
To: Robert Watson, Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-Id: <200909271904.NAA14681@lariat.net>
In-Reply-To:
References: <4AAF4A64.3080906@thedarkside.nl>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
X-Mailman-Approved-At: Sun, 27 Sep 2009 20:25:34 +0000

As someone who has been frustrated by a disproportionate number of bugs
related to null and wild pointer dereferencing, I'd opt for such an option to
be incorporated in the next point release.

Perhaps, there could be two options: one to generate a warning in the log and
then "fail soft" (e.g. by mapping a zero page) and another to cause a hard
panic. The "fail soft" option would be particularly handy to help flush out
bugs -- particularly in device drivers -- in preparation for making a hard
panic the default at some future time. It would also provide a fallback for
administrators, to allow them to keep their systems running while a bug was
diagnosed and fixed.

--Brett Glass

At 12:39 PM 9/27/2009, Robert Watson wrote:

>FYI, changes are now going into head to implement this policy,
>although by slightly different mechanisms. I expect to see them
>merged to various branches, and also to active security branches
>(although disabled there by default using a sysctl so as not to
>disturb existing setups unless desired by the administrator).
>
>Robert

From owner-freebsd-security@FreeBSD.ORG Mon Sep 28 19:22:57 2009
Date: Mon, 28 Sep 2009 21:22:56 +0200
From: "Simon L. Nielsen"
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, d@delphij.net
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <20090928192256.GC2111@arthur.nitro.dk>
In-Reply-To: <200909251248.n8PCmJPY011925@lava.sentex.ca>
References: <4AAF45B4.60307@isafeelin.org> <4AAF5999.7020501@delphij.net> <200909251248.n8PCmJPY011925@lava.sentex.ca>
User-Agent: Mutt/1.5.20 (2009-06-14)

On 2009.09.25 08:52:25 -0400, Mike Tancsa wrote:
> At 05:08 AM 9/15/2009, Xin LI wrote:
>> Frederique Rijsdijk wrote:
>>> Hi,
>>>
>>> Any info on this subject on
>>>
>>> http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
>>
>> Currently we (secteam@) are testing the correction patch and do
>> peer-review on the security advisory draft, the bug was found and fixed
>> on -HEAD and 7-STABLE before 7.1-RELEASE during some stress test but was
>> not recognized as a security vulnerability at that time. The exploit
>> code has to be executed locally, i.e. either by an untrusted local user,
>> or be exploited in conjunction with some remote vulnerability on
>> applications that allow the attacker to inject their own code.
>>
>> We can not release further details about the problem at this time,
>> though, but I think we will likely publish the advisory and
>> correction patch this patch Wednesday.
>
> Just wondering if there is any update on this issue ?

It turned out more difficult to fix than expected and we (secteam) didn't
handle that as well as we should have, but I think we are almost there so the
advisory should be out soon - sometime this week at the latest.

Sorry about the delay - this should have been fixed by now.

--
Simon L. Nielsen
FreeBSD Deputy Security Officer

From owner-freebsd-security@FreeBSD.ORG Wed Sep 30 16:46:59 2009
Date: Wed, 30 Sep 2009 11:46:51 -0400
From: Martin Turgeon
To: freebsd-security@freebsd.org
Subject: Update on protection against slowloris
Message-id: <4AC37D6B.3060409@optiksecurite.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)

Hi list!

We tested mod_antiloris 0.4 and found it quite efficient, but before putting it
in production, we would like to hear some feedback from FreeBSD users. We are
using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is anyone using it? Do you have any
other way to patch against Slowloris other than putting a proxy in front or
using the HTTP accept filter?

Thanks for your feedback,

Martin

From owner-freebsd-security@FreeBSD.ORG Thu Oct 1 00:59:50 2009
Date: Thu, 01 Oct 2009 02:40:48 +0200
From: Thomas Rasmussen
To: freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Message-ID: <4AC3FA90.1000405@gibfest.dk>
In-Reply-To: <4AC37D6B.3060409@optiksecurite.com>
References: <4AC37D6B.3060409@optiksecurite.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)

Martin Turgeon wrote:
> Hi list!
>
> We tested mod_antiloris 0.4 and found it quite efficient, but before
> putting it in production, we would like to hear some feedback from
> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
> anyone using it? Do you have any other way to patch against Slowloris
> other than putting a proxy in front or using the HTTP accept filter?
>
> Thanks for your feedback,
>
> Martin
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

Hello,

I am using it successfully although not under any serious load, same Apache
and FreeBSD versions. I found it easy (compared to the alternatives) and
efficient, and no I don't know of any other ways of blocking the attack, short
of using Varnish or similar. However, accf_http doesn't help at all, since HTTP
POST requests bypass the filter. HTTP POST can be enabled by passing the
-httpready switch to Slowloris.

Please report back with your findings, I've been wondering how it would perform
under load.

Best of luck with it,

Thomas Rasmussen

From owner-freebsd-security@FreeBSD.ORG Thu Oct 1 09:29:28 2009
Date: Thu, 01 Oct 2009 09:59:16 +0100
From: Tom Evans
To: Thomas Rasmussen
Cc: freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Message-Id: <1254387556.39148.10.camel@strangepork.london.mintel.ad>
In-Reply-To: <4AC3FA90.1000405@gibfest.dk>
References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk>
X-Mailer: Evolution 2.26.3 FreeBSD GNOME Team Port

On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
> Martin Turgeon wrote:
>> Hi list!
>>
>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>> putting it in production, we would like to hear some feedback from
>> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
>> anyone using it? Do you have any other way to patch against Slowloris
>> other than putting a proxy in front or using the HTTP accept filter?
>>
>> Thanks for your feedback,
>>
>> Martin
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe@freebsd.org"
> Hello,
>
> I am using it successfully although not under any serious load, same
> Apache and FreeBSD versions. I found it easy (compared to the
> alternatives) and efficient, and no I don't know of any other ways of
> blocking the attack, short of using Varnish or similar. However,
> accf_http doesn't help at all, since HTTP POST requests bypass the
> filter. HTTP POST can be enabled by passing the -httpready switch to
> Slowloris.
>
> Please report back with your findings, I've been wondering how it
> would perform under load.
>
> Best of luck with it,
>
> Thomas Rasmussen

We use Apache 2.2 with the event MPM. This configuration is immune to
slowloris, as it was designed (several years before 'slowloris' came along) to
solve that exact problem.

Cheers

Tom

From owner-freebsd-security@FreeBSD.ORG Thu Oct 1 18:20:11 2009
Date: Thu, 1 Oct 2009 19:48:56 +0200
From: Eirik Øverby
To: Tom Evans
Cc: Thomas Rasmussen, freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Message-Id: <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net>
In-Reply-To: <1254387556.39148.10.camel@strangepork.london.mintel.ad>
References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad>
X-Mailer: Apple Mail (2.1076)

On 1. okt. 2009, at 10.59, Tom Evans wrote:

> On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
>> Martin Turgeon wrote:
>>> Hi list!
>>>
>>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>>> putting it in production, we would like to hear some feedback from
>>> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
>>> anyone using it? Do you have any other way to patch against
>>> Slowloris
>>> other than putting a proxy in front or using the HTTP accept filter?
>>>
>>> Thanks for your feedback,
>>>
>>> Martin
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"
>> Hello,
>>
>> I am using it successfully although not under any serious load, same
>> Apache and FreeBSD versions. I found it easy (compared to the
>> alternatives) and efficient, and no I don't know of any other ways of
>> blocking the attack, short of using Varnish or similar. However,
>> accf_http doesn't help at all, since HTTP POST requests bypass the
>> filter. HTTP POST can be enabled by passing the -httpready switch to
>> Slowloris.
>>
>> Please report back with your findings, I've been wondering how it
>> would perform under load.
>>
>> Best of luck with it,
>>
>> Thomas Rasmussen
>
> We use Apache 2.2 with the event MPM. This configuration is immune to
> slowloris, as it was designed (several years before 'slowloris' came
> along) to solve that exact problem.

Without SSL, I presume?

/Eirik

From owner-freebsd-security@FreeBSD.ORG Thu Oct 1 18:46:04 2009
Date: Thu, 1 Oct 2009 19:46:02 +0100
From: István
To: Eirik Øverby
Cc: Tom Evans, Thomas Rasmussen, freebsd-security@freebsd.org
Subject: Re: Update on protection against slowloris
Message-ID:
In-Reply-To: <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net>
References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad> <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net>

"The bad news is that it can indeed take a badly-configured apache server
down, and the worse news is that that includes a low-traffic out-of-the box
configuration. Even with the Event MPM, slowloris can tie up one worker
thread per connection."

for sure

2009/10/1 Eirik Øverby
>
> On 1. okt. 2009, at 10.59, Tom Evans wrote:
>
>> On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote:
>>
>>> Martin Turgeon wrote:
>>>
>>>> Hi list!
>>>>
>>>> We tested mod_antiloris 0.4 and found it quite efficient, but before
>>>> putting it in production, we would like to hear some feedback from
>>>> FreeBSD users. We are using Apache 2.2.x on FreeBSD 6.2 and 7.2. Is
>>>> anyone using it? Do you have any other way to patch against Slowloris
>>>> other than putting a proxy in front or using the HTTP accept filter?
>>>>
>>>> Thanks for your feedback,
>>>>
>>>> Martin
>>>> _______________________________________________
>>>> freebsd-security@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>> To unsubscribe, send any mail to
>>>> "freebsd-security-unsubscribe@freebsd.org"
>>>>
>>> Hello,
>>>
>>> I am using it successfully although not under any serious load, same
>>> Apache and FreeBSD versions. I found it easy (compared to the
>>> alternatives) and efficient, and no I don't know of any other ways of
>>> blocking the attack, short of using Varnish or similar. However,
>>> accf_http doesn't help at all, since HTTP POST requests bypass the
>>> filter. HTTP POST can be enabled by passing the -httpready switch to
>>> Slowloris.
>>>
>>> Please report back with your findings, I've been wondering how it
>>> would perform under load.
>>>
>>> Best of luck with it,
>>>
>>> Thomas Rasmussen
>>>
>> We use Apache 2.2 with the event MPM. This configuration is immune to
>> slowloris, as it was designed (several years before 'slowloris' came
>> along) to solve that exact problem.
>>
> Without SSL, I presume?
>
> /Eirik
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

--
the sun shines for all

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 00:30:15 2009
Date: Thu, 01 Oct 2009 17:13:55 -0700
From: johnea
To: freebsd-security@freebsd.org
Subject: openssh concerns
Message-ID: <4AC545C3.9020608@johnea.net>
User-Agent: Thunderbird 2.0.0.22 (X11/20090719)

Hello,

Sorry if this is dumb as ditch water but I just felt like I should ask.

I've been running an independent host here for the last 5 years with the usual
toaster services: http, smtp, and imap all using ssl and ssh for remote login.
I installed sshguard after dealing with the incessant brute force crack
attempts.

Lately I've been under ssh attack by a botnet with hundreds of IPs. The thing
that concerned me is an entry I saw in netstat showing my system connecting
back to a machine that was attempting to log in to ssh.

This is where I may be a braindead noob, but is that normal? Does the ssh
server establish a socket to a client attempting login?

The details from netstat are below along with a bunch of other info that seemed
relevant.

Thank you so much for considering my question and for your work on the FreeBSD
project.

johnea

~~~~~~~~~~~~~~~~~~~~~~ issue information ~~~~~~~~~~~~~~~~~~~~~~

atom# openssl version
OpenSSL 0.9.8e 23 Feb 2007

atom# uname -a
FreeBSD atom.johnea.net 7.1-RELEASE-p6 FreeBSD 7.1-RELEASE-p6 #0: Tue Jun 9 16:26:47 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

from netstat:

tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
tcp4 0 0 atom.ssh host154.advance.com.ar.37833 TIME_WAIT

from auth.log:

The same IP as above:

Oct 1 15:51:56 atom sshd[84887]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(host154.advance.com.ar, AF_INET) failed

Other example entries from auth.log:

Oct 1 13:45:55 atom sshd[82209]: error: PAM: authentication error for root from 222.211.93.81
Oct 1 13:47:14 atom sshd[82252]: error: PAM: authentication error for root from 217.77.72.115
Oct 1 13:47:29 atom sshd[82266]: error: PAM: authentication error for root from 60.170.80.198
Oct 1 13:48:23 atom sshd[82271]: error: PAM: authentication error for root from 201.26.169.150
Oct 1 13:49:11 atom sshd[82279]: error: PAM: authentication error for root from 200.36.249.22
Oct 1 13:50:11 atom sshd[82291]: error: PAM: authentication error for root from 80.152.227.160
Oct 1 13:50:47 atom sshd[82300]: error: PAM: authentication error for root from 80.108.8.74
Oct 1 13:51:38 atom sshd[82311]: error: PAM: authentication error for root from 58.60.106.119
Oct 1 13:52:27 atom sshd[82371]: error: PAM: authentication error for root from 200.36.249.22
Oct 1 13:53:21 atom sshd[82378]: error: PAM: authentication error for root from 74.218.172.158
Oct 1 13:54:05 atom sshd[82384]: error: PAM: authentication error for root from 220.248.9.163
Oct 1 13:54:55 atom sshd[82394]: error: PAM: authentication error for root from 58.60.106.199
Oct 1 13:56:31 atom sshd[82419]: error: PAM: authentication error for root from 222.128.48.222
Oct 1 13:57:22 atom sshd[82472]: error: PAM: authentication error for root from 83.65.166.74
Oct 1 13:58:20 atom sshd[82482]: error: PAM: authentication error for root from 81.244.253.110
Oct 1 13:59:02 atom sshd[82492]: error: PAM: authentication error for root from 76.12.185.151
Oct 1 13:59:49 atom sshd[82505]: error: PAM: authentication error for root from 200.41.97.213
Oct 1 14:00:00 atom newsyslog[82517]: logfile turned over due to size>100K
Oct 1 15:50:58 atom sshd[84875]: error: PAM: authentication error for root from 74.56.151.159
Oct 1 15:51:56 atom sshd[84887]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(host154.advance.com.ar, AF_INET) failed
Oct 1 15:51:58 atom sshd[84887]: refused connect from 200.51.40.154 (200.51.40.154)
Oct 1 15:52:49 atom sshd[84943]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(static.khi77.pie.net.pk, AF_INET) failed
Oct 1 15:52:49 atom sshd[84943]: refused connect from 221.120.201.71 (221.120.201.71)
Oct 1 15:53:43 atom sshd[84955]: error: PAM: authentication error for root from 196.211.146.154
Oct 1 15:54:30 atom sshd[84964]: error: PAM: authentication error for root from 74.239.115.130
Oct 1 15:55:18 atom sshd[84990]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(mail.iesmos.ru, AF_INET) failed
Oct 1 15:55:19 atom sshd[84990]: refused connect from 217.147.21.166 (217.147.21.166)
Oct 1 15:55:53 atom sshd[84994]: error: PAM: authentication error for root from 80.152.227.160
Oct 1 15:57:39 atom sshd[85042]: error: PAM: authentication error for root from 124.232.131.156
Oct 1 15:58:32 atom sshd[85048]: error: PAM: authentication error for root from 83.65.166.74
Oct 1 15:59:12 atom sshd[85062]: error: PAM: authentication error for root from 218.204.223.214
Oct 1 16:00:01 atom sshguard[83827]: Got exit signal, flushing blocked addresses and exiting...
Oct 1 16:00:01 atom sshguard[85089]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Oct 1 16:00:03 atom sshd[85092]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(adsl3-pool

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 00:55:32 2009
Date: Thu, 01 Oct 2009 19:37:44 -0500
From: Stef Walter
To: johnea
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
Message-ID: <4AC54B58.9030900@memberwebs.com>
In-Reply-To: <4AC545C3.9020608@johnea.net>
References: <4AC545C3.9020608@johnea.net>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
X-Mailman-Approved-At: Fri, 02 Oct 2009 02:59:55 +0000
Reply-To:
stef@memberwebs.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 00:55:32 -0000 johnea wrote: > tcp4 0 0 atom.60448 host154.advance.com.ar.auth > TIME_WAIT > tcp4 0 0 atom.ssh host154.advance.com.ar.37833 > TIME_WAIT Your machine is, for some reason, connecting to the ident service on the remote machine. This isn't done by default by openssh, as far as I know. Cheers, Stef From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 01:16:30 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8063B1065672 for ; Fri, 2 Oct 2009 01:16:30 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (hergotha.csail.mit.edu [66.92.79.170]) by mx1.freebsd.org (Postfix) with ESMTP id 0178B8FC21 for ; Fri, 2 Oct 2009 01:16:29 +0000 (UTC) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.3/8.14.3) with ESMTP id n920oNmX012010; Thu, 1 Oct 2009 20:50:23 -0400 (EDT) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.3/8.14.3/Submit) id n920oNab012007; Thu, 1 Oct 2009 20:50:23 -0400 (EDT) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <19141.20047.694147.865710@hergotha.csail.mit.edu> Date: Thu, 1 Oct 2009 20:50:23 -0400 From: Garrett Wollman To: johnea In-Reply-To: <4AC545C3.9020608@johnea.net> References: <4AC545C3.9020608@johnea.net> X-Mailer: VM 7.17 under 21.4 (patch 21) "Educational Television" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (hergotha.csail.mit.edu [127.0.0.1]); Thu, 01 Oct 2009 20:50:23 -0400 (EDT) X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED 
autolearn=disabled version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on hergotha.csail.mit.edu X-Mailman-Approved-At: Fri, 02 Oct 2009 03:00:09 +0000 Cc: freebsd-security@freebsd.org Subject: openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 01:16:30 -0000 < said: > The thing that concerned me is an entry I saw in netstat showing > my system connecting back to a machine that was attempting to log > in to ssh. > Does the ssh server establish a socket to a client attempting login? The SSH protocol does not, but you appear to be using "TCP wrappers" (/etc/hosts.allow) configured in such a way that it makes an IDENT protocol request back to the originating server. This is rarely likely to do anything useful and should probably be disabled. > tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT "auth" is the port number used by the IDENT protocol. 
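[Added example; this is not part of Garrett's post or anyone else's in the thread.] The callback Garrett describes is the IDENT protocol of RFC 1413: the host that received a TCP connection opens a second connection back to port 113 ("auth") on the peer, names the two port numbers of the connection it is asking about, and the peer's identd answers with a user name or an error. The Python below stands both ends up on 127.0.0.1 so the exchange can be watched offline: run_stub_identd() plays the remote host, ident_lookup() plays the wrapped sshd, and the port numbers 37833 and 22 come from the netstat line quoted above. The stub, the function names and the two-second timeout used in demo() are assumptions made for this example; they are not tcpd's code.

```python
"""Added example, not from the thread: the RFC 1413 (IDENT, port 113 / "auth")
round trip that tcpd performs when an RFC931 option is present in hosts.allow.
Both ends are implemented so it runs offline on 127.0.0.1. Port numbers are
taken from the thread's netstat line (atom.ssh <-> host154.advance.com.ar.37833);
the stub server and all function names are this example's own."""
import socket
import threading

IDENT_PORT = 113  # shown as ".auth" by netstat


def build_query(port_on_peer: int, port_on_us: int) -> bytes:
    # RFC 1413 request: "<port-on-server> , <port-on-client>", where the "server"
    # is the host running identd (the peer that connected to our sshd) and the
    # "client" is the host asking (us).
    return f"{port_on_peer} , {port_on_us}\r\n".encode("ascii")


def parse_reply(line: bytes) -> dict:
    # Reply: "<ports> : USERID : <opsys> : <user-id>" or "<ports> : ERROR : <type>".
    fields = [f.strip() for f in line.decode("ascii", "replace").rstrip("\r\n").split(":", 3)]
    if len(fields) >= 4 and fields[1].upper() == "USERID":
        return {"ports": fields[0], "status": "USERID", "opsys": fields[2], "user": fields[3]}
    if len(fields) >= 3 and fields[1].upper() == "ERROR":
        return {"ports": fields[0], "status": "ERROR", "reason": fields[2]}
    raise ValueError(f"malformed ident reply: {line!r}")


def _read_line(sock: socket.socket, limit: int = 1024) -> bytes:
    buf = b""
    while b"\n" not in buf and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def ident_lookup(peer_host, peer_port, local_port, timeout=20.0, ident_port=IDENT_PORT):
    """What "RFC931 20" asks tcpd to do: ask the peer who owns its end of the
    connection and give up after `timeout` seconds. Returns the parsed reply or
    None (no identd, refused, timed out, garbage). The peer decides whether to
    answer and what to say, so an attacker's host identifies only what it wants to."""
    try:
        with socket.create_connection((peer_host, ident_port), timeout=timeout) as s:
            s.sendall(build_query(peer_port, local_port))
            reply = _read_line(s)
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return None
    if not reply:
        return None
    try:
        return parse_reply(reply)
    except ValueError:
        return None


def run_stub_identd(answer, host="127.0.0.1"):
    """One-shot identd on an ephemeral port; `answer` maps the query bytes to the
    reply bytes. Returns (port, thread)."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(answer(conn.recv(1024)))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def demo():
    # Case 1: the peer runs an identd and claims the connection belongs to "root".
    port, t = run_stub_identd(lambda q: q.strip() + b" : USERID : UNIX : root\r\n")
    answered = ident_lookup("127.0.0.1", 37833, 22, timeout=2.0, ident_port=port)
    t.join()
    # Case 2: nothing listens on the peer's 113; pick a port that is certainly closed.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    unanswered = ident_lookup("127.0.0.1", 37833, 22, timeout=2.0, ident_port=closed_port)
    return answered, unanswered


if __name__ == "__main__":
    print(demo())
```

The second case in demo() is the common one on today's Internet: a refused connection comes back at once, while a peer that silently drops port 113 costs the server the full timeout (20 seconds in a rule written as RFC931 20) per connection, which is a cost the brute-forcer imposes for free. The first case shows the other half of the problem: whatever is logged came from the attacker's machine.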
-GAWollman From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 05:28:58 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9E6CA106566B; Fri, 2 Oct 2009 05:28:58 +0000 (UTC) (envelope-from jmarneweck@gmail.com) Received: from mail-fx0-f222.google.com (mail-fx0-f222.google.com [209.85.220.222]) by mx1.freebsd.org (Postfix) with ESMTP id 083948FC0A; Fri, 2 Oct 2009 05:28:57 +0000 (UTC) Received: by fxm22 with SMTP id 22so833137fxm.36 for ; Thu, 01 Oct 2009 22:28:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=g45LdwAMxulv6+d2/3PAKiGKhs5504YYdEWhh5pTKi8=; b=nTKBostVsLD0M5zT3tgZal0buD0WFXcDolCUDyDSP7KlZv84+M2583GWeQeCFAXkgz qa9RHmffWyTALXzFyUIHazU3o4ZEvPXYnoJJ9RfsjCX290TrOWZIU1W06wUHhwP0QkvY zJmX693GdBpVtg01TLsUfbrbWUYlASXeWAev8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=i3WjRlybbWZ4NT8Hn0pdYmPQzWzLsO4wQbV8LCt0pkBXRaP6eOLN/4bhS3Ml1FP2dz 9Acn2faKJ4K+teRxrATHWwI77iljexdOXOSIlS6O434+Ql8rNRUtIaZg7/JwlzFzX0bX Bu6y99y9MoMh6bj7xRwF3RZX/hmlnxecL+yw8= MIME-Version: 1.0 Received: by 10.102.236.29 with SMTP id j29mr771015muh.68.1254459624910; Thu, 01 Oct 2009 22:00:24 -0700 (PDT) In-Reply-To: <20090928192256.GC2111@arthur.nitro.dk> References: <4AAF45B4.60307@isafeelin.org> <4AAF5999.7020501@delphij.net> <200909251248.n8PCmJPY011925@lava.sentex.ca> <20090928192256.GC2111@arthur.nitro.dk> Date: Fri, 2 Oct 2009 07:00:24 +0200 Message-ID: <4802d0520910012200p271a2d5awc5e69b9ab1235851@mail.gmail.com> From: Jacques Marneweck To: "Simon L. 
Nielsen" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, d@delphij.net Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 05:28:58 -0000 Hi Simon, Is there any further feedback regarding this bug? Has anyone tested to see if this also affects FreeBSD 5.x? Regards --jm On Mon, Sep 28, 2009 at 9:22 PM, Simon L. Nielsen wrote: > On 2009.09.25 08:52:25 -0400, Mike Tancsa wrote: >> At 05:08 AM 9/15/2009, Xin LI wrote: >> >Frederique Rijsdijk wrote: >> > > Hi, >> > > >> > > Any info on this subject on >> > > >> > > http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/ >> > >> >Currently we (secteam@) are testing the correction patch and do >> >peer-review on the security advisory draft, the bug was found and fixed >> >on -HEAD and 7-STABLE before 7.1-RELEASE during some stress test but was >> >not recognized as a security vulnerability at that time. The exploit >> >code has to be executed locally, i.e. either by an untrusted local user, >> >or be exploited in conjunction with some remote vulnerability on >> >applications that allow the attacker to inject their own code. >> > >> >We can not release further details about the problem at this time, >> >though, but I think we will likely to publish the advisory and >> >correction patch this patch Wednesday. >> >> Just wondering if there is any update on this issue ? > > It turned out more difficult to fix than expected and we (secteam) > didn't handle that as well as we should have, but I think we are > almost there so the advisory should be out soon - sometime this week > at the latest. 
> > Sorry about the delay - this should have been fixed by now. > > -- > Simon L. Nielsen > FreeBSD Deputy Security Officer -- Jacques Marneweck http://www.powertrip.co.za/ http://www.powertrip.co.za/blog/ http://www.ataris.co.za/ #include From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 06:57:07 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9BEEF1065672; Fri, 2 Oct 2009 06:57:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [195.88.108.3]) by mx1.freebsd.org (Postfix) with ESMTP id 52C448FC0C; Fri, 2 Oct 2009 06:57:07 +0000 (UTC) Received: from localhost (amavis.fra.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 8F2AD41C67E; Fri, 2 Oct 2009 08:40:06 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([195.88.108.3]) by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id BzAXRgc83CLS; Fri, 2 Oct 2009 08:40:06 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id 34B3C41C67B; Fri, 2 Oct 2009 08:40:06 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 97DB64448E6; Fri, 2 Oct 2009 06:36:28 +0000 (UTC) Date: Fri, 2 Oct 2009 06:36:28 +0000 (UTC) From: "Bjoern A. 
Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Jacques Marneweck In-Reply-To: <4802d0520910012200p271a2d5awc5e69b9ab1235851@mail.gmail.com> Message-ID: <20091002063444.L26486@maildrop.int.zabbadoz.net> References: <4AAF45B4.60307@isafeelin.org> <4AAF5999.7020501@delphij.net> <200909251248.n8PCmJPY011925@lava.sentex.ca> <20090928192256.GC2111@arthur.nitro.dk> <4802d0520910012200p271a2d5awc5e69b9ab1235851@mail.gmail.com> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, d@delphij.net, "Simon L. Nielsen" Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 06:57:07 -0000 On Fri, 2 Oct 2009, Jacques Marneweck wrote: Hi, > Is there any further feedback regarding this bug? There is progress. > Has anyone tested > to see if this also affects FreeBSD 5.x? FreeBSD 5.x is not a supported branch anymore, so it's unlikely that anyone will check it. See http://security.freebsd.org/#sup for a list of branches SO/secteam care about. /bz -- Bjoern A. Zeeb It will not break if you know what you are doing. 
From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 08:15:59 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C38D71065672 for ; Fri, 2 Oct 2009 08:15:59 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from mail-ew0-f209.google.com (mail-ew0-f209.google.com [209.85.219.209]) by mx1.freebsd.org (Postfix) with ESMTP id 4FF0F8FC0C for ; Fri, 2 Oct 2009 08:15:58 +0000 (UTC) Received: by ewy5 with SMTP id 5so83653ewy.36 for ; Fri, 02 Oct 2009 01:15:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=7jGFN9KOF+5pXA4823uFjZBTV/72BGK8b1uWOBwnGEY=; b=xfHLWCU53ZN/JxpWD0t6ngu1w1ip+3uz5IZ/fKFFq51S2YkMcRRv4W8e6yyaZTHNtF fTdj5mOGIlauMTd9UcW70berAXkjcX3EesSt3aRlDtY0Rd+8S8bgWbxnh4iF71jnsiS8 DpWYnh4gOAm1lP0J7ZL69Zf9l+0vlOxIhtvfs= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=UN2Tx6DtxkjbMSgqVVtHGBgCn48itBpAJ92GLhTSeztqCc6+1/q6QWnsjhzx8SgaKh PwrhBbuow+i7JYxc6Bu+anmqjCOMPFxm71WaXe389J4dJxM4lqXbtmFcXWhUy+aNjoE7 FpvfsQ+Ea0g1TtRQKdXF+A3aSUsPN9BTIC+3E= Received: by 10.211.155.16 with SMTP id h16mr2671083ebo.55.1254471357911; Fri, 02 Oct 2009 01:15:57 -0700 (PDT) Received: from ?127.0.0.1? 
(87-194-39-182.bethere.co.uk [87.194.39.182]) by mx.google.com with ESMTPS id 10sm100366eyz.18.2009.10.02.01.15.55 (version=SSLv3 cipher=RC4-MD5); Fri, 02 Oct 2009 01:15:56 -0700 (PDT) From: Tom Evans To: Eirik =?ISO-8859-1?Q?=D8verby?= In-Reply-To: <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net> References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad> <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net> Content-Type: text/plain; charset="UTF-8" Date: Fri, 02 Oct 2009 09:15:54 +0100 Message-Id: <1254471354.54871.7.camel@strangepork.london.mintel.ad> Mime-Version: 1.0 X-Mailer: Evolution 2.26.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit Cc: Thomas Rasmussen , freebsd-security@freebsd.org Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 08:15:59 -0000 On Thu, 2009-10-01 at 19:48 +0200, Eirik Øverby wrote: > On 1. okt. 2009, at 10.59, Tom Evans wrote: > > > On Thu, 2009-10-01 at 02:40 +0200, Thomas Rasmussen wrote: > >> Martin Turgeon wrote: > >>> Hi list! > >>> > >>> We tested mod_antiloris 0.4 and found it quite efficient, but before > >>> putting it in production, we would like to hear some feedback from > >>> freebsd users. We are using Apache 2.2.x on Freebsd 6.2 and 7.2. Is > >>> anyone using it? Do you have any other way to patch against > >>> Slowloris > >>> other than putting a proxy in front or using the HTTP accept filter? 
> >>> > >>> Thanks for your feedback, > >>> > >>> Martin > >>> _______________________________________________ > >>> freebsd-security@freebsd.org mailing list > >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security > >>> To unsubscribe, send any mail to > >>> "freebsd-security-unsubscribe@freebsd.org" > >> Hello, > >> > >> I am using it successfully although not under any serious load, same > >> Apache and FreeBSD versions. I found it easy (compared to the > >> alternatives) and efficient, and no I don't know of any other ways of > >> blocking the attack, short of using Varnish or similar. However, > >> accf_http doesn't help at all, since HTTP POST requests bypass the > >> filter. HTTP POST can be enabled by passing the -httpready switch to > >> Slowloris. > >> > >> Please report back with your findings, I've been wondering how it > >> would perform under load. > >> > >> Best of luck with it, > >> > >> Thomas Rasmussen > > > > We use Apache 2.2 with the event MPM. This configuration is immune to > > slowloris, as it was designed (several years before 'slowloris' came > > along) to solve that exact problem. > > Without SSL, I presume? > > /Eirik > Yes, we run a prefork MPM apache as a reverse proxy in front of that, serving just SSL and proxying to the other. We're eagerly awaiting the release of httpd 2.4, which promotes event MPM to non-experimental (as they've solved the problem with SSL). 
Cheers Tom From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 08:18:53 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BF583106566B for ; Fri, 2 Oct 2009 08:18:53 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from mail-bw0-f227.google.com (mail-bw0-f227.google.com [209.85.218.227]) by mx1.freebsd.org (Postfix) with ESMTP id 414B58FC1D for ; Fri, 2 Oct 2009 08:18:52 +0000 (UTC) Received: by bwz27 with SMTP id 27so740238bwz.43 for ; Fri, 02 Oct 2009 01:18:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=L4fKK0RlC1gXfI8QRd82/cH9BCGXl0N+uZZO2bqaqL8=; b=tDK/rI39Ek394MsGhS/n8YSYnUDJvGD06zri2Ab1IC1wHglMyeEbYdSu6yi/3N9c8r K7i/Wo3xDKBc8n4pvZXHLYWCops7HG3Mqz91SYCuQ/V+yxzvesf5maT5kFR2tBiGLZi4 Qzl+eZTm7roxDM0SybnENtU+EVot2zGYdYh6I= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=eibcqNQTRRyBj4lyIjBnIb7F7Ur/JH7givaXG+sHfiX0xQmIlOI58f+LKtZACF73Oo TcJGjDxiXlMurMo8LyuztWWroF6WOUpP9E13jtJYiR6aCcZ7Z3N3RZxTg+Bgm0jR0VKT /YOxqSsrOG+ihmt6h3abRNGeu7L4cqCYHBl2U= Received: by 10.204.150.77 with SMTP id x13mr926620bkv.100.1254471530762; Fri, 02 Oct 2009 01:18:50 -0700 (PDT) Received: from ?127.0.0.1? 
(87-194-39-182.bethere.co.uk [87.194.39.182]) by mx.google.com with ESMTPS id h2sm1343881fkh.6.2009.10.02.01.18.48 (version=SSLv3 cipher=RC4-MD5); Fri, 02 Oct 2009 01:18:49 -0700 (PDT) From: Tom Evans To: =?ISO-8859-1?Q?Istv=E1n?= In-Reply-To: References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad> <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net> Content-Type: text/plain; charset="UTF-8" Date: Fri, 02 Oct 2009 09:18:46 +0100 Message-Id: <1254471526.54871.10.camel@strangepork.london.mintel.ad> Mime-Version: 1.0 X-Mailer: Evolution 2.26.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit Cc: Thomas Rasmussen , freebsd-security@freebsd.org, Eirik =?ISO-8859-1?Q?=D8verby?= Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 08:18:53 -0000 On Thu, 2009-10-01 at 19:46 +0100, István wrote: > "The bad news is that it can indeed take a badly-configured apache > server down, and the worse news is that that includes a low-traffic > out-of-the box configuration. Even with the Event MPM, slowloris can > tie up one worker thread per connection." > > > > > for sure > It doesn't tie up one thread; one thread is partially occupied by waiting for the slowloris connection to finish sending the request. That thread can still handle other connections that are sending requests. In our tests, running a couple of slowloris instances against event MPM had virtually no effect. 
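[Added example; this is not Tom's code or anything from Apache, and it settles nothing about what httpd 2.2's event MPM does internally.] It shows, in a toy event-driven server, the property Tom is describing: a connection that is still dribbling in its request headers costs the server a bookkeeping entry rather than a worker, so well-behaved clients are served while several slowloris-style connections are open at the same time. It also adds the one thing a listener like this needs so the stalled entries do not pile up forever, a single deadline on the whole header block (HEADER_DEADLINE, chosen for the demo). SLOW_CLIENTS, SLOW_INTERVAL and the port on 127.0.0.1 are likewise demo choices. Contrast this with a prefork server, where each of those dribbling connections holds a whole process until MaxClients is reached and nobody else gets in, which is exactly what slowloris relies on.

```python
"""Added example, not from the thread: an event-driven HTTP listener that keeps
serving while slowloris-style clients trickle header lines at it, plus a deadline
on the whole request header block so the stalled connections are reclaimed.
Everything runs on 127.0.0.1; the timing constants are chosen for the demo."""
import asyncio

HEADER_DEADLINE = 1.0   # seconds allowed for the complete request header block
SLOW_CLIENTS = 3        # how many dribbling connections to hold open
SLOW_INTERVAL = 0.25    # seconds between header lines from each slow client


class Server:
    def __init__(self):
        self.inflight = 0     # connections currently waiting for their headers
        self.outcomes = []    # ("served" | "timed_out", inflight at that moment)

    async def handle(self, reader, writer):
        self.inflight += 1
        try:
            # One deadline for the whole header block: a client that never sends
            # the blank line is cut off no matter how steadily it trickles bytes.
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_DEADLINE)
            writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            self.outcomes.append(("served", self.inflight))
        except (asyncio.TimeoutError, asyncio.IncompleteReadError, asyncio.LimitOverrunError):
            writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
            self.outcomes.append(("timed_out", self.inflight))
        finally:
            self.inflight -= 1
            try:
                await writer.drain()
            except OSError:
                pass          # peer already gone; nothing to do
            writer.close()


async def fast_client(port):
    # A normal client: complete request in one go, read the status line back.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n")
    await writer.drain()
    status = int((await reader.readline()).split()[1])
    writer.close()
    return status


async def slow_client(port):
    # Slowloris pattern: a valid request start, then one header line every
    # SLOW_INTERVAL seconds and never the terminating blank line.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET / HTTP/1.1\r\nHost: demo\r\n")
    try:
        for i in range(int(2 * HEADER_DEADLINE / SLOW_INTERVAL)):
            await asyncio.sleep(SLOW_INTERVAL)
            writer.write(f"X-Pad-{i}: x\r\n".encode())
            await writer.drain()
    except OSError:
        pass                  # the server gave up on us and closed the socket
    finally:
        writer.close()


async def _run():
    srv = Server()
    listener = await asyncio.start_server(srv.handle, "127.0.0.1", 0)
    port = listener.sockets[0].getsockname()[1]
    async with listener:
        slow = [asyncio.create_task(slow_client(port)) for _ in range(SLOW_CLIENTS)]
        await asyncio.sleep(SLOW_INTERVAL)      # let the slow clients get their hooks in
        fast_status = await fast_client(port)   # served while all of them are still open
        await asyncio.gather(*slow)
        await asyncio.sleep(0.1)                # let the last handlers record their outcome
    served = [n for kind, n in srv.outcomes if kind == "served"]
    timed_out = [n for kind, n in srv.outcomes if kind == "timed_out"]
    return {"fast_status": fast_status, "served_with_inflight": served,
            "timed_out": len(timed_out)}


def run_demo():
    """Returns the fast client's status, the in-flight count at the moment it
    was served (the slow connections plus itself) and how many slow connections
    the header deadline cut off."""
    return asyncio.run(_run())


if __name__ == "__main__":
    print(run_demo())
```

With the constants above, run_demo() reports the fast client served with four connections in flight (three slow ones and itself) and all three slow connections timed out at the header deadline; raise SLOW_CLIENTS to a few hundred and the picture does not change, which is the point. What the deadline buys is bounded memory and file descriptors per attacker; without it the listener would simply accumulate idle half-requests, cheaply but without limit.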
Cheers Tom From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 08:49:02 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C79151065692 for ; Fri, 2 Oct 2009 08:49:02 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-bw0-f227.google.com (mail-bw0-f227.google.com [209.85.218.227]) by mx1.freebsd.org (Postfix) with ESMTP id 471B08FC35 for ; Fri, 2 Oct 2009 08:49:01 +0000 (UTC) Received: by bwz27 with SMTP id 27so755692bwz.43 for ; Fri, 02 Oct 2009 01:49:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=IgJpJkchziLNnhkNs2atkSKV9UxCN4yYEmItq2pi0ss=; b=GM14LMCtSn+2WVZwHnyHlKQlCkGvf537OA/R1dVvCluxg4sE55spaOUQZXZLj6j2gT FrfamP+UL7MIKRxAxwN7NFQ6EZUK5DSezSayV1jdr0G6cjRRaqepWCAf611LsFU+Nv8z 7Ht08yLIVMr26t8TPsdeLJHo6cyEIlOolLCuU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=rH5V9+FTc0HmEWIDBS72HS9it2t4NuYByxnaoioRzi1v2RjfsLtCKeovBPT9FwJ2se 0Q3c5Hn6tibOR3xD1UVTEgwjJTGudsdUi7e6rgaiDA3q7V5xvysRoqLtjyDBNcC2skom C/MmQ29pabrq3IAfq7GZdlFdnBW7OFNeNSCWY= MIME-Version: 1.0 Received: by 10.204.24.81 with SMTP id u17mr919753bkb.202.1254473340316; Fri, 02 Oct 2009 01:49:00 -0700 (PDT) In-Reply-To: <1254471526.54871.10.camel@strangepork.london.mintel.ad> References: <4AC37D6B.3060409@optiksecurite.com> <4AC3FA90.1000405@gibfest.dk> <1254387556.39148.10.camel@strangepork.london.mintel.ad> <4E7E6B51-2B63-459C-A6FE-F327E899DCF6@anduin.net> <1254471526.54871.10.camel@strangepork.london.mintel.ad> Date: Fri, 2 Oct 2009 09:49:00 +0100 Message-ID: From: =?ISO-8859-1?B?SXN0duFu?= To: Tom Evans Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable 
X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Thomas Rasmussen , freebsd-security@freebsd.org, =?ISO-8859-1?Q?Eirik_=D8verby?= Subject: Re: Update on protection against slowloris X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 08:49:03 -0000 Hmm, I am curious as well, let's wait for 2.4 On Fri, Oct 2, 2009 at 9:18 AM, Tom Evans wrote: > On Thu, 2009-10-01 at 19:46 +0100, István wrote: > > "The bad news is that it can indeed take a badly-configured apache > > server down, and the worse news is that that includes a low-traffic > > out-of-the box configuration. Even with the Event MPM, slowloris can > > tie up one worker thread per connection." > > > > > > > > > > for sure > > > > It doesn't tie up one thread, one thread is partially occupied by > waiting for the slowloris connection to finish sending the request. That > thread can still handle other connections that are sending requests. In > our tests, running a couple of slowloris instances against event MPM had > virtually no effect. 
> > Cheers > > Tom > > -- the sun shines for all From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 15:28:00 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9A220106566B for ; Fri, 2 Oct 2009 15:28:00 +0000 (UTC) (envelope-from me@johnea.net) Received: from mail.johnea.net (johnea.net [70.167.123.7]) by mx1.freebsd.org (Postfix) with ESMTP id 7F0D98FC12 for ; Fri, 2 Oct 2009 15:28:00 +0000 (UTC) Received: from [192.168.100.239] (vhost.johnea.net [192.168.100.239]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.johnea.net (Postfix) with ESMTPSA id 104C673F1844; Fri, 2 Oct 2009 08:19:52 -0700 (PDT) Message-ID: <4AC61C0B.3050704@johnea.net> Date: Fri, 02 Oct 2009 08:28:11 -0700 From: johnea User-Agent: Thunderbird 2.0.0.22 (X11/20090719) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> In-Reply-To: <19141.20047.694147.865710@hergotha.csail.mit.edu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 15:28:00 -0000 Garrett Wollman wrote: > < said: > >> The thing that concerned me is an entry I saw in netstat showing >> my system connecting back to a machine that was attempting to log >> in to ssh. > >> Does the ssh server establish a socket to a client attempting login? > > The SSH protocol does not, but you appear to be using "TCP wrappers" > (/etc/hosts.allow) configured in such a way that it make an IDENT > protocol request back to the originating server. 
This is rarely > likely to do anything useful and should probably be disabled. > >> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT > > "auth" is the port number used by the IDENT protocol. > > -GAWollman Thank You to everyone who responded! In fact I did discover these lines in hosts.allow: 31-# Protect against simple DNS spoofing attacks by checking that the 32-# forward and reverse records for the remote host match. If a mismatch 33-# occurs, access is denied, and any positive ident response within 34-# 20 seconds is logged. No protection is afforded against DNS poisoning, 35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS 36-# pass this rule. 37:ALL : PARANOID : RFC931 20 : deny This is what was generating the auth protocol socket. I've disabled it to prevent the establishment of the auth socket to hosts who are attempting to breakin. Per another suggestion I also intend to change the port for ssh to a non-standard number (after synchronizing with the users of course 8-) Maybe I'm a little paranoid, but after watching the level of spam ever increasing over the last 5 years, and more and more people moving to big (monopolistic?) service providers like google and hotmail. I've wondered if these big corporate service providers don't tolerate the spam level in order to prevent anyone who doesn't have a building full of IT staff from running their own mail servers. Perhaps with the help of people like those on this list, the internet won't have to be abandoned by independents? Thanks again to everyone! 
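[Added example; this is not part of johnea's post or anyone else's in the thread.] Removing the RFC931 rule stops the callbacks, but the brute-force sources are still there, and the auth.log excerpt posted at the start of the thread is what a tool like sshguard works from. The Python below applies sshguard's own thresholds, as it reported them on restart in that excerpt, (a,p,s)=(4, 420, 1200): block a source after 4 failures, keep the block for 420 seconds, and forget failures once a source has been quiet for 1200 seconds. It also keeps the "refused connect from" lines and the "can't verify hostname" warnings apart from the PAM failures, since those come from the PARANOID rule, not from a password guess. The sample log is constructed for the example using RFC 5737 documentation addresses rather than the real attacker IPs; the year is assumed to be 2009 because syslog stamps carry none; and the pf table name "sshguard" in pf_commands() is an assumption, not something sshguard is known to use in this setup.

```python
"""Added example, not from the thread: a small detector that applies sshguard's
thresholds from the log excerpt, (a,p,s) = (4, 420, 1200), to auth.log lines of
the form posted. SAMPLE_LOG is constructed (RFC 5737 documentation addresses,
not the real attacker IPs); LOG_YEAR is assumed since syslog stamps have no year;
the pf table name in pf_commands() is also an assumption."""
import re
from datetime import datetime, timedelta

ATTEMPTS, PARDON, STALE = 4, 420, 1200   # block after 4 failures, for 420 s; forget after 1200 s idle
LOG_YEAR = 2009                          # assumed

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})$")
REFUSED_RE = re.compile(r"^refused connect from (?P<ip>\d+(?:\.\d+){3})")
DNS_WARN_RE = re.compile(r"can't verify hostname: getaddrinfo\((?P<host>[^,]+),")

SAMPLE_LOG = """\
Oct  1 13:45:55 atom sshd[82209]: error: PAM: authentication error for root from 192.0.2.10
Oct  1 13:46:10 atom sshd[82215]: error: PAM: authentication error for root from 192.0.2.10
Oct  1 13:46:30 atom sshd[82220]: error: PAM: authentication error for root from 198.51.100.7
Oct  1 13:46:41 atom sshd[82228]: error: PAM: authentication error for root from 192.0.2.10
Oct  1 13:47:02 atom sshd[82231]: error: PAM: authentication error for root from 192.0.2.10
Oct  1 13:47:14 atom sshd[82252]: error: PAM: authentication error for root from 192.0.2.10
Oct  1 14:00:00 atom newsyslog[82517]: logfile turned over due to size>100K
Oct  1 15:51:56 atom sshd[84887]: warning: /etc/hosts.allow, line 37: can't verify hostname: getaddrinfo(host.example.net, AF_INET) failed
Oct  1 15:51:58 atom sshd[84887]: refused connect from 203.0.113.5 (203.0.113.5)
Oct  1 15:55:53 atom sshd[84994]: error: PAM: authentication error for root from 198.51.100.7
"""


class BruteForceDetector:
    def __init__(self, attempts=ATTEMPTS, pardon=PARDON, stale=STALE):
        self.attempts, self.pardon, self.stale = attempts, pardon, stale
        self.strikes = {}            # ip -> (failures so far, time of last failure)
        self.blocked_until = {}      # ip -> datetime the block expires
        self.blocks = []             # (ip, blocked_at, release_at) in log order
        self.wrapper_refusals = []   # (ts, ip) from tcp wrappers "refused connect"
        self.dns_mismatches = []     # (ts, host) from the PARANOID rule's warning
        self.unparsed = 0            # lines that are not sshd lines at all

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            self.unparsed += 1
            return
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        fail = FAIL_RE.search(msg)
        if fail:
            self._failure(fail["ip"], ts)
            return
        refused = REFUSED_RE.match(msg)
        if refused:
            self.wrapper_refusals.append((ts, refused["ip"]))
            return
        warn = DNS_WARN_RE.search(msg)
        if warn:
            self.dns_mismatches.append((ts, warn["host"]))

    def _failure(self, ip, ts):
        if ip in self.blocked_until and ts < self.blocked_until[ip]:
            return            # already blocked; with the pf rule in place this line would not appear
        count, last = self.strikes.get(ip, (0, None))
        if last is not None and (ts - last).total_seconds() > self.stale:
            count = 0         # earlier failures have gone stale
        count += 1
        if count >= self.attempts:
            release = ts + timedelta(seconds=self.pardon)
            self.blocks.append((ip, ts, release))
            self.blocked_until[ip] = release
            count = 0
        self.strikes[ip] = (count, ts)

    def pf_commands(self, table="sshguard"):
        # pfctl(8) syntax for adding an address to a table; the table name is assumed.
        return [f"pfctl -t {table} -T add {ip}" for ip, _, _ in self.blocks]


def analyze(text, **thresholds):
    det = BruteForceDetector(**thresholds)
    for line in text.splitlines():
        if line.strip():
            det.feed(line)
    return det


if __name__ == "__main__":
    det = analyze(SAMPLE_LOG)
    for ip, at, until in det.blocks:
        print(f"block {ip} at {at:%H:%M:%S} until {until:%H:%M:%S}")
    print(det.pf_commands())
```

On the sample, 192.0.2.10 is blocked at its fourth failure (13:47:02) until 13:54:02 and its fifth attempt is ignored as already blocked; 198.51.100.7's two failures are more than 1200 seconds apart, so the second one starts a fresh count instead of adding to the old one. The "refused connect" and "can't verify hostname" pair for 203.0.113.5 is recorded separately: that host never got as far as a password prompt, so counting it as an authentication failure would double-count the PARANOID rule's work.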
johnea

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 15:32:27 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6CF21106568D for ; Fri, 2 Oct 2009 15:32:27 +0000 (UTC) (envelope-from leccine@gmail.com)
Received: from mail-bw0-f227.google.com (mail-bw0-f227.google.com [209.85.218.227]) by mx1.freebsd.org (Postfix) with ESMTP id DAA1C8FC16 for ; Fri, 2 Oct 2009 15:32:26 +0000 (UTC)
Received: by bwz27 with SMTP id 27so1045423bwz.43 for ; Fri, 02 Oct 2009 08:32:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; bh=F1I8E6JKTKJCTDUqqS6UpRCfacFp+gtCERqo6oL1TrU=; b=u61aIuQWQOyD/El/y8aUZvlCcuPnkod2cMoJplt4O3DpVTPQtvhs85fUWdq6ePYGTB4ZzuXFUmI7ckATDVwU5FeLqNM2D6hWoWfBa4LrD7NX/mqv0LgbikzQEXDVwpmbB/QpvibEs2VeqvkcJjSVemKwIy5POc6To3eKrMTwOxg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; b=e8qSzRrQ2GAgfggCGALRIUaM04hMo2RfgXLmUmAaxpk+WEzd8jVDlfxV9V1jnTCm7VeDLBCMq3OpgBvUUD/MG7rqFVQKCuRC2rX40SOBrTPUNARnIK4n+i1TEhUotqIrU20OqHFM7QJsjIMBKQ2DsKGy5xA8aDUbejPzH03mWpY=
MIME-Version: 1.0
Received: by 10.204.34.199 with SMTP id m7mr1306638bkd.48.1254497545264; Fri, 02 Oct 2009 08:32:25 -0700 (PDT)
In-Reply-To: <4AC61C0B.3050704@johnea.net>
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net>
Date: Fri, 2 Oct 2009 16:32:24 +0100
Message-ID:
From: István
To: johnea
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 15:32:27 -0000

Protect against simple DNS spoofing attacks by checking that the...

So if the ssh bruteforce is coming from a properly set up DNS host it is
ok :))))

On Fri, Oct 2, 2009 at 4:28 PM, johnea wrote:
> Garrett Wollman wrote:
>> < said:
>>
>>> The thing that concerned me is an entry I saw in netstat showing
>>> my system connecting back to a machine that was attempting to log
>>> in to ssh.
>>>
>>> Does the ssh server establish a socket to a client attempting login?
>>
>> The SSH protocol does not, but you appear to be using "TCP wrappers"
>> (/etc/hosts.allow) configured in such a way that it makes an IDENT
>> protocol request back to the originating server. This is rarely
>> likely to do anything useful and should probably be disabled.
>>
>>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>>
>> "auth" is the port number used by the IDENT protocol.
>>
>> -GAWollman
>
> Thank you to everyone who responded!
>
> In fact I did discover these lines in hosts.allow:
>
> 31-# Protect against simple DNS spoofing attacks by checking that the
> 32-# forward and reverse records for the remote host match. If a mismatch
> 33-# occurs, access is denied, and any positive ident response within
> 34-# 20 seconds is logged. No protection is afforded against DNS poisoning,
> 35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS
> 36-# pass this rule.
> 37:ALL : PARANOID : RFC931 20 : deny
>
> This is what was generating the auth protocol socket.
>
> I've disabled it to prevent the establishment of the auth socket to hosts
> who are attempting to break in.
>
> Per another suggestion I also intend to change the port for ssh to a
> non-standard number (after synchronizing with the users of course 8-)
>
> Maybe I'm a little paranoid, but after watching the level of spam ever
> increasing over the last 5 years, and more and more people moving to
> big (monopolistic?) service providers like google and hotmail, I've
> wondered if these big corporate service providers don't tolerate the
> spam level in order to prevent anyone who doesn't have a building full
> of IT staff from running their own mail servers.
>
> Perhaps with the help of people like those on this list, the internet
> won't have to be abandoned by independents?
>
> Thanks again to everyone!
>
> johnea

-- 
the sun shines for all

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 16:09:57 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BFD431065670 for ; Fri, 2 Oct 2009 16:09:57 +0000 (UTC) (envelope-from devin@spamcop.net)
Received: from mail.distalzou.net (203.141.139.231.static.zoot.jp [203.141.139.231]) by mx1.freebsd.org (Postfix) with ESMTP id 8A15D8FC14 for ; Fri, 2 Oct 2009 16:09:57 +0000 (UTC)
Received: from plexi.pun-pun.prv ([192.168.7.29]) by mail.distalzou.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MtkGG-000KNJ-3W; Sat, 03 Oct 2009 00:41:36 +0900
Date: Sat, 3 Oct 2009 00:41:35 +0900 (JST)
From: Tod McQuillin
X-X-Sender: devin@plexi.pun-pun.prv
To: johnea
In-Reply-To: <4AC61C0B.3050704@johnea.net>
Message-ID: <20091003003817.C1868@plexi.pun-pun.prv>
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 16:09:57 -0000

On Fri, 2 Oct 2009, johnea wrote:
> Maybe I'm a little paranoid, but after watching the level of spam ever
> increasing over the last 5 years, and more and more people moving to
> big (monopolistic?) service providers like google and hotmail, I've
> wondered if these big corporate service providers don't tolerate the
> spam level in order to prevent anyone who doesn't have a building full
> of IT staff from running their own mail servers.

As recently as last month I was thinking along the same lines, but now
that I have installed a greylisting spam filter (mail/spamd from ports)
spam is down to extremely manageable levels on my home mail server.

With a little time spent configuring your world, there is still room for
do-it-yourself admins with small networks.
-- 
Tod

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 19:09:25 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B1394106568D for ; Fri, 2 Oct 2009 19:09:25 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 32CDE8FC18 for ; Fri, 2 Oct 2009 19:09:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n92Ih82i003901; Sat, 3 Oct 2009 04:43:08 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 3 Oct 2009 04:43:08 +1000 (EST)
From: Ian Smith
To: johnea
In-Reply-To: <4AC61C0B.3050704@johnea.net>
Message-ID: <20091003042802.O10039@sola.nimnet.asn.au>
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 19:09:25 -0000

On Fri, 2 Oct 2009, johnea wrote:
> Garrett Wollman wrote:
[..]
>>> tcp4 0 0 atom.60448 host154.advance.com.ar.auth TIME_WAIT
>>
>> "auth" is the port number used by the IDENT protocol.
>>
>> -GAWollman
>
> Thank you to everyone who responded!
>
> In fact I did discover these lines in hosts.allow:
>
> 31-# Protect against simple DNS spoofing attacks by checking that the
> 32-# forward and reverse records for the remote host match. If a mismatch
> 33-# occurs, access is denied, and any positive ident response within
> 34-# 20 seconds is logged. No protection is afforded against DNS poisoning,
> 35-# IP spoofing or more complicated attacks. Hosts with no reverse DNS
> 36-# pass this rule.
> 37:ALL : PARANOID : RFC931 20 : deny
>
> This is what was generating the auth protocol socket.
>
> I've disabled it to prevent the establishment of the auth socket to hosts
> who are attempting to break in.
>
> Per another suggestion I also intend to change the port for ssh to a
> non-standard number (after synchronizing with the users of course 8-)

This will provide the greatest relief against drive-by ssh probes, which
are pretty much background radiation these days. Some may decry it as
'security by obscurity', but who cares when it works so effectively :)

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a
reasonably useful list of ports NOT to choose for an obscure ssh port.

cheers, Ian

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 19:57:24 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 80860106566B for ; Fri, 2 Oct 2009 19:57:24 +0000 (UTC) (envelope-from patpro@patpro.net)
Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) by mx1.freebsd.org (Postfix) with ESMTP id 1B5938FC12 for ; Fri, 2 Oct 2009 19:57:23 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by rack.patpro.net (Postfix) with ESMTP id 3B0B813C for ; Fri, 2 Oct 2009 21:42:15 +0200 (CEST)
X-Virus-Scanned: amavisd-new at patpro.net
Received: from amavis-at-patpro.net ([127.0.0.1]) by localhost (rack.patpro.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3DaTBkAR8of for ; Fri, 2 Oct 2009 21:42:09 +0200 (CEST)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by rack.patpro.net (Postfix) with ESMTP for ; Fri, 2 Oct 2009 21:42:09 +0200 (CEST)
Message-Id:
From: Patrick Proniewski
To: Liste FreeBSD-security
In-Reply-To: <20091003042802.O10039@sola.nimnet.asn.au>
Content-Type: multipart/signed; boundary=Apple-Mail-1--820062776; micalg=sha1; protocol="application/pkcs7-signature"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 2 Oct 2009 21:42:07 +0200
References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net> <20091003042802.O10039@sola.nimnet.asn.au>
X-Mailer: Apple Mail (2.936)
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 19:57:24 -0000

--Apple-Mail-1--820062776
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit

> This will provide the greatest relief against drive-by ssh probes, which
> are pretty much background radiation these days. Some may decry it as
> 'security by obscurity', but who cares when it works so effectively :)

Against script kiddies and bots, obscurity is good.

> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a
> reasonably useful list of ports NOT to choose for an obscure ssh port.
/etc/services is a good start too :)

patpro

--Apple-Mail-1--820062776--

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 20:11:57 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1A6A21065692; Fri, 2 Oct 2009 20:11:57 +0000 (UTC) (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 071118FC18; Fri, 2 Oct 2009 20:11:57 +0000 (UTC)
Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n92KBuOo003893; Fri, 2 Oct 2009 20:11:56 GMT (envelope-from security-advisories@freebsd.org)
Received: (from simon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n92KBukq003891; Fri, 2 Oct 2009 20:11:56 GMT (envelope-from security-advisories@freebsd.org)
Date: Fri, 2 Oct 2009 20:11:56 GMT
Message-Id: <200910022011.n92KBukq003891@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Cc:
Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Reply-To: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 20:11:57 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:13.pipe                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kqueue pipe race conditions

Category:       core
Module:         kern
Announced:      2009-10-02
Credits:        Przemyslaw Frasunek
Affects:        FreeBSD 6.x
Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Pipes are a form of inter-process communication (IPC) provided by the
FreeBSD kernel.  kqueue is an event management API that applications can
use to monitor pipes and other kernel services.

II.  Problem Description

A race condition exists in the pipe close() code relating to kqueues,
causing use-after-free for kernel memory, which may lead to an
exploitable NULL pointer vulnerability in the kernel, kernel memory
corruption, and other unpredictable results.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code on
the target system.

IV.  Workaround

An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
this advisory, and contains a kernel patch implementing a workaround for a
more broad class of vulnerabilities.  However, prior to those changes, no
workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 6.4.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/kern/kern_event.c                                        1.93.2.7
  src/sys/kern/kern_fork.c                                        1.252.2.8
  src/sys/kern/sys_pipe.c                                         1.184.2.6
  src/sys/sys/event.h                                              1.32.2.1
  src/sys/sys/pipe.h                                               1.29.2.1
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.11
  src/sys/conf/newvers.sh                                    1.69.2.18.2.13
  src/sys/kern/kern_event.c                                    1.93.2.6.6.2
  src/sys/kern/kern_fork.c                                    1.252.2.7.4.2
  src/sys/kern/sys_pipe.c                                     1.184.2.4.2.3
  src/sys/sys/event.h                                             1.32.12.2
  src/sys/sys/pipe.h                                              1.29.16.2
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.18
  src/sys/conf/newvers.sh                                    1.69.2.15.2.17
  src/sys/kern/kern_event.c                                    1.93.2.6.4.1
  src/sys/kern/kern_fork.c                                    1.252.2.7.2.1
  src/sys/kern/sys_pipe.c                                     1.184.2.2.6.3
  src/sys/sys/event.h                                             1.32.10.1
  src/sys/sys/pipe.h                                              1.29.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r197715
releng/6.4/                                                       r197715
releng/6.3/                                                       r197715
- -------------------------------------------------------------------------

VII. References

http://svn.freebsd.org/viewvc/base?view=revision&revision=179243

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
FKxrbF0G4v9P6SyyfAdVOFY=
=TWhC
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 20:12:05 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 13E9210656DD; Fri, 2 Oct 2009 20:12:05 +0000 (UTC) (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 004758FC20; Fri, 2 Oct 2009 20:12:05 +0000 (UTC)
Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n92KC4lx003956; Fri, 2 Oct 2009 20:12:04 GMT (envelope-from security-advisories@freebsd.org)
Received: (from simon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n92KC4Tb003955; Fri, 2 Oct 2009 20:12:04 GMT (envelope-from security-advisories@freebsd.org)
Date: Fri, 2 Oct 2009 20:12:04 GMT
Message-Id: <200910022012.n92KC4Tb003955@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Cc:
Subject: FreeBSD Security Advisory FreeBSD-SA-09:14.devfs
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Reply-To: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 20:12:05 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:14.devfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Devfs / VFS NULL pointer race condition

Category:       core
Module:         kern
Announced:      2009-10-02
Credits:        Przemyslaw Frasunek
Affects:        FreeBSD 6.x and 7.x
Corrected:      2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
                2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
                2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The device file system (devfs) provides access to system devices, such as
storage devices and serial ports, via the file system namespace.  VFS is
the Virtual File System, which abstracts file system operations in the
kernel from the actual underlying file system.

II.  Problem Description

Due to the interaction between devfs and VFS, a race condition exists
where the kernel might dereference a NULL pointer.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with
user privileges on the target system.

IV.  Workaround

An errata note, FreeBSD-EN-09:05.null has been released simultaneously to
this advisory, and contains a kernel patch implementing a workaround for a
more broad class of vulnerabilities.  However, prior to those changes, no
workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/fs/devfs/devfs_vnops.c                                1.114.2.17
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.11
  src/sys/conf/newvers.sh                                    1.69.2.18.2.13
  src/sys/fs/devfs/devfs_vnops.c                             1.114.2.16.2.2
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.18
  src/sys/conf/newvers.sh                                    1.69.2.15.2.17
  src/sys/fs/devfs/devfs_vnops.c                             1.114.2.15.2.1
RELENG_7
  src/sys/fs/devfs/devfs_vnops.c                                 1.149.2.9
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.7
  src/sys/conf/newvers.sh                                     1.72.2.11.2.8
  src/sys/fs/devfs/devfs_vnops.c                              1.149.2.8.2.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.11
  src/sys/conf/newvers.sh                                     1.72.2.9.2.12
  src/sys/fs/devfs/devfs_vnops.c                              1.149.2.4.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r197715
releng/6.4/                                                       r197715
releng/6.3/                                                       r197715
stable/7/                                                         r192301
releng/7.2/                                                       r197715
releng/7.1/                                                       r197715
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:14.devfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFKxltlFdaIBMps37IRAp4zAJwJEwIySGqxH4EXwc0wjkDXlcTb1wCfTltO
Syds53GSM0YbsMNUVMGsLaU=
=exPZ
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 21:04:11 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E6E2C106568B for ; Fri, 2 Oct 2009 21:04:11 +0000 (UTC) (envelope-from jon@passki.us)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.152]) by mx1.freebsd.org (Postfix) with ESMTP id 259BB8FC17 for ; Fri, 2 Oct 2009 21:04:10 +0000 (UTC)
Received: by fg-out-1718.google.com with SMTP id e21so11638fga.13 for ; Fri, 02 Oct 2009 14:04:10 -0700 (PDT)
Received: by 10.86.170.4 with SMTP id s4mr1221273fge.9.1254517449929; Fri, 02 Oct 2009 14:04:09 -0700 (PDT)
Received: from ?10.22.8.162? ([166.205.6.157]) by mx.google.com with ESMTPS id l12sm88573fgb.10.2009.10.02.14.04.02 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 02 Oct 2009 14:04:08 -0700 (PDT)
Message-Id: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
From: Jon Passki
To: FreeBSD-Security
X-Mailer: iPhone Mail (7C144)
Mime-Version: 1.0 (iPhone Mail 7C144)
Date: Fri, 2 Oct 2009 16:03:51 -0500
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 21:04:12 -0000

Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
number such as 65536?
This does not fix the vulnerability per se, but one would hope it stops
a user mapping code to 0x0.

Also, were these the issues Przemyslaw Frasunek discovered? If so, I did
not see an attribution to him in the advisory. (I could have missed it.)
Any reason why not?

Cheers,

Jon

Begin forwarded message:

> From: FreeBSD Security Advisories
> Date: October 2, 2009 20:11:56 CDT
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
> Reply-To: freebsd-security@freebsd.org
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:13.pipe                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          kqueue pipe race conditions
>
> Category:       core
> Module:         kern
> Announced:      2009-10-02
> Credits:        Przemyslaw Frasunek
> Affects:        FreeBSD 6.x
> Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
>                 2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
>                 2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)
>
> [..]

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 21:11:23 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A2AEB106568D for ; Fri, 2 Oct 2009 21:11:23 +0000 (UTC) (envelope-from pieter@thedarkside.nl)
Received: from mail.thelostparadise.com (cl-92.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:5b::2]) by mx1.freebsd.org (Postfix) with ESMTP id 6C7AB8FC18 for ; Fri, 2 Oct 2009 21:11:23 +0000 (UTC)
Received: from [192.168.1.13] (home [85.145.92.158]) by mail.thelostparadise.com (Postfix) with ESMTP id 094B361C4B; Fri, 2 Oct 2009 23:11:22 +0200 (CEST)
Message-ID: <4AC66C5A.3020301@thedarkside.nl>
Date: Fri, 02 Oct 2009 23:10:50 +0200
From: Pieter de Boer
User-Agent: Thunderbird 2.0.0.23 (X11/20090907)
MIME-Version: 1.0
To: Jon Passki
References: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
In-Reply-To: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: FreeBSD-Security
Subject: Re: Fwd: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post:
List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 21:11:23 -0000

Jon Passki wrote:
> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
> number such as 65536? This does not fix the vulnerability per se, but
> one would hope it stops a user mapping code to 0x0.
>
See the FreeBSD-EN-09:05.null erratum that contains a patch that allows
you to do this with a sysctl :)

-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Fri Oct 2 21:27:56 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AA9651065694 for ; Fri, 2 Oct 2009 21:27:56 +0000 (UTC) (envelope-from jon@passki.us)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.153]) by mx1.freebsd.org (Postfix) with ESMTP id DDF3E8FC1A for ; Fri, 2 Oct 2009 21:27:55 +0000 (UTC)
Received: by fg-out-1718.google.com with SMTP id e21so17228fga.13 for ; Fri, 02 Oct 2009 14:27:54 -0700 (PDT)
Received: by 10.86.22.12 with SMTP id 12mr2713966fgv.69.1254518874639; Fri, 02 Oct 2009 14:27:54 -0700 (PDT)
Received: from ?10.22.8.162? ([166.205.6.157]) by mx.google.com with ESMTPS id l12sm210998fgb.0.2009.10.02.14.27.40 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 02 Oct 2009 14:27:53 -0700 (PDT)
Message-Id:
From: Jon Passki
To: FreeBSD-Security
In-Reply-To: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
X-Mailer: iPhone Mail (7C144)
Mime-Version: 1.0 (iPhone Mail 7C144)
Date: Fri, 2 Oct 2009 16:27:28 -0500
References: <1B399692-1D5A-49C3-BDE7-7FAAA9C63910@passki.us>
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 21:27:56 -0000

I'm an idiot re: credits. Sorry.

Jon

On Oct 2, 2009, at 16:03, Jon Passki wrote:
> Has the FreeBSD Secteam tested setting VM_MIN_ADDRESS to some high
> number such as 65536? This does not fix the vulnerability per se,
> but one would hope it stops a user mapping code to 0x0.
>
> Also, were these the issues Przemyslaw Frasunek discovered? If so, I
> did not see an attribution to him in the advisory. (I could have
> missed it.) Any reason why not?
>
> Cheers,
>
> Jon
>
> Begin forwarded message:
>
>> From: FreeBSD Security Advisories
>> Date: October 2, 2009 20:11:56 CDT
>> To: FreeBSD Security Advisories
>> Subject: FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
>> Reply-To: freebsd-security@freebsd.org
>>
>> [..]

From owner-freebsd-security@FreeBSD.ORG Sat Oct 3 03:01:56 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 895361065676 for ; Sat, 3 Oct 2009 03:01:56 +0000 (UTC) (envelope-from stef-list@memberwebs.com)
Received: from memberwebs.com (memberwebs.com [94.75.203.95]) by mx1.freebsd.org (Postfix) with ESMTP id 40BAD8FC18 for ; Sat, 3 Oct 2009 03:01:56 +0000 (UTC)
Received: from [172.27.5.159] (unknown [172.27.5.159]) by memberwebs.com (Postfix) with ESMTP id 5985283E4DD; Sat, 3 Oct 2009 03:01:54 +0000 (UTC)
Message-ID: <4AC6BE97.1030406@memberwebs.com>
Date: Fri, 02 Oct 2009 22:01:43 -0500
From: Stef Walter
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: freebsd-stable@freebsd.org
References: <200910022012.n92KCtLI004038@freefall.freebsd.org>
In-Reply-To: <200910022012.n92KCtLI004038@freefall.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sat, 03 Oct 2009 03:17:38 +0000
Cc: "freebsd-security@freebsd.org"
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-09:05.null
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: stef@memberwebs.com
List-Id:
"Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Oct 2009 03:01:56 -0000 FreeBSD Errata Notices wrote: > To actually enable the feature in FreeBSD 6.x and 7.x, add the > following to either /boot/loader.conf or /etc/sysctl.conf: > > security.bsd.map_at_zero="0" The sysctl.conf setting must not have quotes. Or you get this: sysctl: invalid integer '"0"' Instead one should use: security.bsd.map_at_zero=0 Cheers, Stef From owner-freebsd-security@FreeBSD.ORG Sat Oct 3 11:26:03 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5773A106568D for ; Sat, 3 Oct 2009 11:26:03 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 1717F8FC12 for ; Sat, 3 Oct 2009 11:26:02 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id E84596D41B; Sat, 3 Oct 2009 11:26:01 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id BEA8A84426; Sat, 3 Oct 2009 13:26:01 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Ian Smith References: <4AC545C3.9020608@johnea.net> <19141.20047.694147.865710@hergotha.csail.mit.edu> <4AC61C0B.3050704@johnea.net> <20091003042802.O10039@sola.nimnet.asn.au> Date: Sat, 03 Oct 2009 13:26:01 +0200 In-Reply-To: <20091003042802.O10039@sola.nimnet.asn.au> (Ian Smith's message of "Sat, 3 Oct 2009 04:43:08 +1000 (EST)") Message-ID: <86hbugyb06.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, johnea Subject: Re: openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security 
issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Oct 2009 11:26:03 -0000 Ian Smith writes: > http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers provides a= =20 > reasonably useful list of ports NOT to choose for an obscure ssh port. In practice, you have no choice but to use someting like 443 or 8080, because corporate firewalls often block everything but a small number of ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and 8080 go through a transparent proxy) DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Sat Oct 3 12:18:40 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9D5811065670 for ; Sat, 3 Oct 2009 12:18:40 +0000 (UTC) (envelope-from ohauer@gmx.de) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id E47508FC15 for ; Sat, 3 Oct 2009 12:18:39 +0000 (UTC) Received: (qmail invoked by alias); 03 Oct 2009 12:18:37 -0000 Received: from u18-124.dsl.vianetworks.de (EHLO u18-124.dsl.vianetworks.de) [194.231.39.124] by mail.gmx.net (mp035) with SMTP; 03 Oct 2009 14:18:37 +0200 X-Authenticated: #1956535 X-Provags-ID: V01U2FsdGVkX1/fbLxhYH3fJL58dr5QgOFELOu3QqUdJf5x84CJqo 1QRBL0a2CFRfd/ Received: by u18-124.dsl.vianetworks.de (Postfix, from userid 1100) id 9698026145; Sat, 3 Oct 2009 14:18:31 +0200 (CEST) Date: Sat, 3 Oct 2009 14:18:30 +0200 From: olli hauer To: des@des.no, smithi@nimnet.asn.au Message-ID: <20091003121830.GA15170@sorry.mine.nu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Errors-To: ohauer@gmx.de (olli hauer) X-Header0: **** ohauer at sorry **** X-Header1: ** sorry ** User-Agent: Mutt/1.5.18 (2008-05-17) X-Y-GMX-Trusted: 0 X-FuHaFi: 0.67 Cc: freebsd-security@freebsd.org Subject: Re: 
openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: olli hauer List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Oct 2009 12:18:40 -0000 >> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers >> provides a >> reasonably useful list of ports NOT to choose for an obscure ssh >> port. > > In practice, you have no choice but to use someting like 443 or 8080, > because corporate firewalls often block everything but a small number > of > ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and > 8080 > go through a transparent proxy) This may work if the firewall does only port and no additional protocol filtering. For many products used in corporate envirion it is even possible to filter ssh v1, skype, stunnel, openvpn with a verry high success rate within the first packet's on the wire. In case for the ssh server take a look into this parameters - LoginGraceTime - MaxAuthTries - MaxSessions - MaxStartups -- olli From owner-freebsd-security@FreeBSD.ORG Sat Oct 3 21:50:11 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 52506106568D for ; Sat, 3 Oct 2009 21:50:11 +0000 (UTC) (envelope-from purpleshadow100@gmail.com) Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.24]) by mx1.freebsd.org (Postfix) with ESMTP id 01BAD8FC15 for ; Sat, 3 Oct 2009 21:50:10 +0000 (UTC) Received: by qw-out-2122.google.com with SMTP id 5so677162qwi.7 for ; Sat, 03 Oct 2009 14:50:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; 
bh=gsEB+b7SuR94aTKKiF1bmiwWQ911+avuAgVNIsdMrAk=; b=ZIeFwUTFynip6qVl8y9OlS0fFE2wO6dwhSvnu6HN30I3kF39rumvaEosnAONUsAyVz OwhPyNyZ56qKb7/moYxfrdYQtzICq2I2Dk3mJHFBNh3cLWwKzv0oOARopS2dPhXhUFtR TxCFbQb4H9R04muMplLssrvA+cdjLJa8dn/zg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type; b=ZPp5rpKbelImv58qz0eXgkQ1jaRRUOzDe1PoTs7BHgwKtd96Cp1dTOfzFheZZ7qElV /TJWxTcMWVIkEtxCRE0qcGqi9dDywoZFlg0T4rWZbUZWFraF7dXm2IAJh3AoUGzqL0No pPWlXdFgfmrXzemHPXM0IoR1Tu7kO3msAoY0c= Received: by 10.224.86.227 with SMTP id t35mr2153286qal.121.1254602390710; Sat, 03 Oct 2009 13:39:50 -0700 (PDT) Received: from ?10.10.10.87? (cpe-70-112-151-108.austin.res.rr.com [70.112.151.108]) by mx.google.com with ESMTPS id 6sm507043qwd.37.2009.10.03.13.39.48 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 03 Oct 2009 13:39:49 -0700 (PDT) Message-ID: <4AC7B690.1060607@gmail.com> Date: Sat, 03 Oct 2009 15:39:44 -0500 From: Eric Williams User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.4pre) Gecko/20090915 Lightning/1.0pre Thunderbird/3.0b4 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20091003121830.GA15170@sorry.mine.nu> In-Reply-To: <20091003121830.GA15170@sorry.mine.nu> X-Enigmail-Version: 0.96a Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigE634CD63AC237B25440518CC" Subject: Re: openssh concerns X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 Oct 2009 21:50:11 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigE634CD63AC237B25440518CC Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 10/3/2009 7:18 AM, olli hauer wrote: >>> 
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers >>> provides a=20 >>> reasonably useful list of ports NOT to choose for an obscure ssh >>> port. >> >> In practice, you have no choice but to use someting like 443 or 8080, >> because corporate firewalls often block everything but a small number >> of >> ports (usually 20, 22, 80, 443, 8080, and odds are that 20, 80 and >> 8080 >> go through a transparent proxy) >=20 > This may work if the firewall does only port and no additional protocol= > filtering. For many products used in corporate envirion it is even > possible to filter ssh v1, skype, stunnel, openvpn with a verry high > success rate within the first packet's on the wire. >=20 > In case for the ssh server take a look into this parameters > - LoginGraceTime > - MaxAuthTries > - MaxSessions > - MaxStartups The absolute best way to filter out the attacks is to disable authentication methods other than public keys. Obviously this isn't possible in all situations, but it's very effective. Most attack bots will just disconnect when they attempt login, and it's almost impossible to crack a key and gain access. --------------enigE634CD63AC237B25440518CC Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAkrHtpQACgkQnmzOjyfdA0H8AgCdEXZH/FFDgKScVIvmRbPf0EcH LJIAn1tSnlZSoYmcYK4tQ6ZVgNT9sWSq =isV6 -----END PGP SIGNATURE----- --------------enigE634CD63AC237B25440518CC--
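Olli's four sshd_config knobs and Eric's public-key-only advice, as an added audit script that is not from any post in this thread: it checks a saved `sshd -T` dump (the constructed sample below stands in for a real one) and reports the settings left at a permissive value. The numeric thresholds are my assumptions, not values from the thread.

```shell
#!/bin/sh
# Audit an "sshd -T" style dump for the sshd knobs discussed in the thread.
# Added example, not from any post in the thread; thresholds are assumptions.
# `sshd -T` (run as root) prints the effective config as lowercased
# "key value" lines, so a real run is: sshd -T > dump.txt; audit_sshd "$(cat dump.txt)"

# Constructed sample dump, imitating an unhardened server.
SAMPLE_DUMP='port 22
passwordauthentication yes
pubkeyauthentication yes
logingracetime 120
maxauthtries 6
maxsessions 10
maxstartups 10:30:100'

# get_opt DUMP KEY -> prints the first value token for KEY (empty if absent)
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd DUMP -> prints one finding per line, nothing when the dump is clean
audit_sshd() {
    dump=$1
    # Eric's point: with password auth off, guessing bots get nowhere.
    [ "$(get_opt "$dump" passwordauthentication)" = yes ] &&
        echo "PasswordAuthentication yes: password guessing still possible"
    [ "$(get_opt "$dump" pubkeyauthentication)" = yes ] ||
        echo "PubkeyAuthentication is not yes: key-only login impossible"
    # Olli's knobs: shorten the window and the attempts one connection gets.
    v=$(get_opt "$dump" logingracetime)
    [ "${v:-0}" -le 60 ] || echo "LoginGraceTime $v: unauthenticated sockets live too long (assumed limit 60)"
    v=$(get_opt "$dump" maxauthtries)
    [ "${v:-0}" -le 3 ] || echo "MaxAuthTries $v: too many guesses per connection (assumed limit 3)"
    # MaxStartups only rate-limits unauthenticated connections in start:rate:full form.
    case $(get_opt "$dump" maxstartups) in
        *:*:*) ;;
        *) echo "MaxStartups is a plain count: random early drop disabled" ;;
    esac
    return 0
}

# count_findings DUMP -> number of findings, as a plain integer
count_findings() {
    audit_sshd "$1" | wc -l | tr -d ' \t'
}

audit_sshd "$SAMPLE_DUMP"
```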