From owner-freebsd-security@FreeBSD.ORG Mon May 6 00:14:53 2013
Subject: Login failures usefulness with OpenSSH 6.1
From: Jason Hellenthal
Message-Id: <358B4722-3277-4A3B-93F3-33479A7D4682@DataIX.net>
Date: Sun, 5 May 2013 20:14:49 -0400
To: "freebsd-security@freebsd.org", "freebsd-stable@freebsd.org"

Hello everyone,

It seems that the login failures reported by the security output of a nightly periodic job have become somewhat useless per OpenSSH 6.1.

I used to get username and IP address in the output but it seems that the logging format has changed. Instead of one line the log format now has two lines. One like the ones below and then another coinciding line that contains IP address and username.

I think it would be more beneficial outputting the lines with the IP and username over the ones below for the security output.

Not sure exactly when this changed but would like to gather some input before I inspect further on the changes that would have to be made.

My output is from SVN FreeBSD STABLE 8.3 as of yesterday.

Thanks & Clean Regards,

...Sample output...
login failures:
May 4 00:04:35 disbatch sshd[48898]: fatal: Write failed: Operation not permitted
May 4 14:54:14 disbatch sshd[9544]: input_userauth_request: invalid user root [preauth]
May 4 18:44:04 disbatch sshd[18326]: fatal: Read from socket failed: Connection reset by peer [preauth]

-- 
Jason Hellenthal
JJH48-ARIN
-(2^(N-1))

From owner-freebsd-security@FreeBSD.ORG Mon May 6 18:45:15 2013
From: Dag-Erling Smørgrav
To: Jason Hellenthal
Subject: Re: Login failures usefulness with OpenSSH 6.1
Date: Mon, 06 May 2013 20:45:08 +0200
In-Reply-To: <358B4722-3277-4A3B-93F3-33479A7D4682@DataIX.net> (Jason Hellenthal's message of "Sun, 5 May 2013 20:14:49 -0400")
Message-ID: <86vc6wgd6z.fsf@nine.des.no>
Cc: "freebsd-security@freebsd.org", "freebsd-stable@freebsd.org"

Jason Hellenthal writes:

> I used to get username and IP address in the output but it seems that
> the logging format has changed. Instead of one line the log format now
> has two lines. One like the ones below and then another coinciding
> line that contains IP address and username.

It will be much easier to help you if you show us exactly what you
expected and what you got instead.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue May 7 04:54:22 2013
Subject: Ruxcon 2013 Call For Papers
From: cfp@ruxcon.org.au
To: freebsd-security@freebsd.org
Message-Id: <20130507042810.0E00C6CC1F@ruxcon.org.au>
Date: Tue, 7 May 2013 14:28:10 +1000 (EST)

Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre

http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.

This year the conference will take place over the weekend of the 26th and 27th of October at the CQ Function Centre, Melbourne, Australia.

.[x]. About Ruxcon .[x].

Ruxcon is a premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

For more information, please visit http://www.ruxcon.org.au

.[x]. Important Dates .[x].

May 7th - Call For Presentations Open
September 7th - Call For Presentations Close
October 22-23 - Ruxcon/Breakpoint Training
October 24-25 - Breakpoint Conference
October 26-27 - Ruxcon Conference

.[x]. Topic Scope .[x].

o Topics of interest include, but are not limited to:

o Mobile Device Security
o Virtualization, Hypervisor, and Cloud Security
o Malware Analysis
o Reverse Engineering
o Exploitation Techniques
o Rootkit Development
o Code Analysis
o Forensics and Anti-Forensics
o Embedded Device Security
o Web Application Security
o Network Traffic Analysis
o Wireless Network Security
o Cryptography and Cryptanalysis
o Social Engineering
o Law Enforcement Activities
o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in the presentation
7. Information on where the presentation material has or will be presented before Ruxcon

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, including question time.

If you have any enquiries about submissions, or would like to make a submission, please send an email to presentations@ruxcon.org.au

.[x]. Contact .[x].

o Email: presentations@ruxcon.org.au
o Twitter: @ruxcon

From owner-freebsd-security@FreeBSD.ORG Tue May 7 09:16:50 2013
Date: Tue, 7 May 2013 11:16:48 +0200
Subject: packages (binary) update best practice
From: Roberto
To: freebsd-security@freebsd.org

Hi all,
I have updated recently to freebsd 9.1 via freebsd-update and I was quite
happy with the process and the instructions on freebsd-handbook, I think
well documented.

But I would like to understand what is the best practice to update the
ports too as I used the package tools (pkg_add -r) to add a few packages to
the base install. Keeping in mind my server has a disk space constraint
(small disk install) I would ask an opinion about the following methods to
upgrade packages after a freebsd upgrade (in this case from 9.0 to 9.1):

1) perform

# pkg_delete
and then
# pkg_add -r

for each of them ? (I think about some package depends on other, this could
create some little problem);

2) perform
# pkg_add -F
(not tried yet) and overwrite the already installed pkg ?

3) have a separate server on which create an update pkg from ports (ie from
source) ?

4) use the new package system pkgng, converting the existing installation ?
(this operation is not reversible, so I am waiting before doing this)

I would have some ideas on this topic please, from a security perspective;

Thanks
Roberto

From owner-freebsd-security@FreeBSD.ORG Thu May 9 04:02:00 2013
From: Lowell Gilbert
To: Roberto
Subject: Re: packages (binary) update best practice
Date: Thu, 09 May 2013 00:01:52 -0400
In-Reply-To: (Roberto's message of "Tue, 7 May 2013 11:16:48 +0200")
Message-ID: <44vc6s243z.fsf@lowell-desk.lan>
Cc: freebsd-security@freebsd.org
Reply-To: freebsd-security@freebsd.org

Roberto writes:

> Hi all,
> I have updated recently to freebsd 9.1 via freebsd-update and I was quite
> happy with the process and the instructions on freebsd-handbook, I think
> well documented.
>
> But I would like to understand what is the best practice to update the
> ports too as I used the package tools (pkg_add -r) to add a few packages to
> the base install.
> Keeping in mind my server has a disk space constraint
> (small disk install) I would ask an opinion about the following methods to
> upgrade packages after a freebsd upgrade (in this case from 9.0 to 9.1):
>
> 1) perform
>
> # pkg_delete
> and then
> # pkg_add -r
>
> for each of them ? (I think about some package depends on other, this could
> create some little problem);
>
> 2) perform
> # pkg_add -F
> (not tried yet) and overwrite the already installed pkg ?
>
> 3) have a separate server on which create an update pkg from ports (ie from
> source) ?
>
> 4) use the new package system pkgng, converting the existing installation ?
> (this operation is not reversible, so I am waiting before doing this)
>
> I would have some ideas on this topic please, from a security perspective;

From a security perspective, there is little difference between these
options. Using pkgng or not is completely irrelevant. Building your own
packages in combination with portsnap would allow you to have
cryptographic checks on the validity of what you download. The security
concerns closed by this are relatively minor, but for both that and
convenience reasons I'd recommend portsnap in the absence of any specific
reasons to use anything else to get your ports tree.

Also for convenience reasons, I would recommend using an upgrade tool,
such as portmaster or portupgrade.
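
Added example for the "Login failures usefulness with OpenSSH 6.1" thread above (not code from any poster or from FreeBSD's periodic scripts): joining the two sshd lines of one failed attempt on the sshd PID gives a single report line carrying both user and source address. The sample log is constructed; the "Invalid user ... from ..." wording of the address-bearing line, the addresses and the function names are assumptions, since the thread does not show that line.

```sh
#!/bin/sh
# Constructed sample in the two-line shape described in the thread.
# Assumption: the address-bearing line reads "Invalid user NAME from ADDR".
sample_log() {
cat <<'EOF'
May  4 14:54:13 disbatch sshd[9544]: Invalid user root from 203.0.113.7
May  4 14:54:14 disbatch sshd[9544]: input_userauth_request: invalid user root [preauth]
May  4 18:44:04 disbatch sshd[18326]: fatal: Read from socket failed: Connection reset by peer [preauth]
May  4 19:02:40 disbatch sshd[18410]: Invalid user admin from 198.51.100.23
May  4 19:02:41 disbatch sshd[18410]: input_userauth_request: invalid user admin [preauth]
May  4 20:10:05 disbatch sshd[18777]: input_userauth_request: invalid user test [preauth]
EOF
}

# join_login_failures (hypothetical name): read auth log lines on stdin and
# print one line per rejected login with timestamp, host, user and address.
join_login_failures() {
    awk '
    # Field 5 is "sshd[PID]:"; the PID ties both lines of one attempt together.
    $5 ~ /^sshd\[[0-9]+\]:$/ {
        pid = $5
        gsub(/[^0-9]/, "", pid)
        if ($6 == "Invalid" && $7 == "user" && $(NF-1) == "from") {
            # The address is the last field, so a name with spaces cannot shift it.
            addr[pid] = $NF
        } else if ($6 == "input_userauth_request:" && $7 == "invalid" &&
                   $8 == "user" && $NF == "[preauth]") {
            # The name is remote-supplied: take every field up to the marker
            # and quote it so it cannot pose as extra report fields.
            user = ""
            for (i = 9; i < NF; i++) user = user (i > 9 ? " " : "") $i
            src = (pid in addr) ? addr[pid] : "unknown"
            printf "%s %s %s %s user=\"%s\" from=%s\n", $1, $2, $3, $4, user, src
            delete addr[pid]   # PIDs get reused; forget the pairing once reported
        }
    }'
}

sample_log | join_login_failures
```

Lines that carry neither pattern, such as the `fatal:` entries, are dropped, and an attempt whose address line is missing is still reported with `from=unknown`.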