From: Stefan Bethke
Date: Mon, 21 Jan 2019 21:18:59 +0100
To: freebsd-security@freebsd.org
Subject: PEAR packages potentially contain malicious code

I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.

https://twitter.com/pear/status/1086634503731404800

I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.

Thanks,
Stefan

-- 
Stefan Bethke Fon +49 151 14070811

From: Remko Lodder
Date: Mon, 21 Jan 2019 21:23:53 +0100
To: Stefan Bethke
Cc: freebsd-security@freebsd.org, "ports-secteam@freebsd.org"
Subject: Re: PEAR packages potentially contain malicious code

Hi Stefan,

> On 21 Jan 2019, at 21:18, Stefan Bethke wrote:
>
> I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>
> https://twitter.com/pear/status/1086634503731404800
>
> I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.

Thank you for sending the heads-up to the FreeBSD users.
I have CC’ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.

Again, thank you.

Best regards,
Remko
Hat: Security Team

> Thanks,
> Stefan
>
> --
> Stefan Bethke Fon +49 151 14070811

From: Jochen Neumeister
Date: Tue, 22 Jan 2019 07:09:03 +0100
To: Remko Lodder
Cc: freebsd-security@freebsd.org, "ports-secteam@freebsd.org"
Subject: Re: PEAR packages potentially contain malicious code

Hi all,

I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
The values are the same. So the packages are not compromised.
But today I will start testing all PEAR ports for different values. This can unfortunately take time.
If a port has different values, it would be good to mark it as BROKEN and if the project is on GitHub, to switch.

Greetings
Jochen

On 21.01.19 21:23, Remko Lodder wrote:
> Hi Stefan,
>
>> On 21 Jan 2019, at 21:18, Stefan Bethke wrote:
>>
>> I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>
>> https://twitter.com/pear/status/1086634503731404800
>>
>> I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
> Thank you for sending the heads-up to the FreeBSD users.
> I have CC’ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
> I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>
> Again, thank you.
>
> Best regards,
> Remko
> Hat: Security Team
>
>>
>> Thanks,
>> Stefan
>>
>> --
>> Stefan Bethke Fon +49 151 14070811

From: Stefan Bethke
Date: Tue, 22 Jan 2019 17:03:11 +0100
To: Jochen Neumeister
Cc: Remko Lodder, freebsd-security@freebsd.org, "ports-secteam@freebsd.org"
Subject: Re: PEAR packages potentially contain malicious code

On 22.01.2019 at 07:09, Jochen Neumeister wrote:
> On 21.01.19 21:23, Remko Lodder wrote:
>> Hi Stefan,
>>
>>> On 21 Jan 2019, at 21:18, Stefan Bethke wrote:
>>>
>>> I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>>
>>> https://twitter.com/pear/status/1086634503731404800
>>>
>>> I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>> Thank you for sending the heads-up to the FreeBSD users.
>> I have CC’ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
>> I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>>
> I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
> The values are the same. So the packages are not compromised.
> But today I will start testing all PEAR ports for different values. This can unfortunately take time.
> If a port has different values, it would be good to mark it as BROKEN and if the project is on GitHub, to switch.

I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but have been built based on compromised sources downloaded from pear.php.net. I haven’t looked into the details of the port build processes with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.

Stefan

-- 
Stefan Bethke Fon +49 151 14070811

From: Stefan Bethke
Date: Tue, 22 Jan 2019 17:15:03 +0100
To: freebsd-security@freebsd.org, "ports-secteam@freebsd.org"
Subject: Re: PEAR packages potentially contain malicious code

On 22.01.2019 at 17:03, Stefan Bethke wrote:
>
> On 22.01.2019 at 07:09, Jochen Neumeister wrote:
>> On 21.01.19 21:23, Remko Lodder wrote:
>>> Hi Stefan,
>>>
>>>> On 21 Jan 2019, at 21:18, Stefan Bethke wrote:
>>>>
>>>> I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>>>>
>>>> https://twitter.com/pear/status/1086634503731404800
>>>>
>>>> I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
>>> Thank you for sending the heads-up to the FreeBSD users.
>>> I have CC’ed ports-secteam, they will handle with due care when more information is available and they can act upon something.
>>> I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
>>>
>> I just took net/pear-Net_SMTP as an example and compared it with "make makesum" SHA256 and SIZE.
>> The values are the same. So the packages are not compromised.
>> But today I will start testing all PEAR ports for different values. This can unfortunately take time.
>> If a port has different values, it would be good to mark it as BROKEN and if the project is on GitHub, to switch.
>
> I think the issue is not whether the FreeBSD packages have been manipulated after they have been built, but have been built based on compromised sources downloaded from pear.php.net. I haven’t looked into the details of the port build processes with composer, but it appears to me that packages built in the last 6 months would (potentially) have downloaded sources from the compromised system.

On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.

Stefan

-- 
Stefan Bethke Fon +49 151 14070811

From: Franco Fichtner
Date: Tue, 22 Jan 2019 17:27:45 +0100
To: Stefan Bethke
Cc: freebsd-security@freebsd.org, "ports-secteam@freebsd.org"
Subject: Re: PEAR packages potentially contain malicious code

> On 22. Jan 2019, at 5:15 PM, Stefan Bethke wrote:
>
> On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.

I fail to understand how mismatching package checksums for
cached package files are indication of compromised distfiles
which have pinned size and checksums in the FreeBSD ports
tree since forever.

If you say you build your own packages (and install them)
a mismatch in pkg-cache files is normal because pkg will
complain about a drift between the mirror-provided packages
and your local ones when it detects them which happens when
you have a package file created from different sources,
the ports tree and the binary mirror.

This will likely get rid of the mismatch by merely purging
your local package cache...

# pkg clean -ya

Cheers,
Franco

From: Franco Fichtner
Date: Tue, 22 Jan 2019 17:29:59 +0100
To: Stefan Bethke
Cc: freebsd-security@freebsd.org, "ports-secteam@freebsd.org"
Subject: Re: PEAR packages potentially contain malicious code

Apologies, I mixed up this one and the other thread.

Cheers,
Franco

> On 22. Jan 2019, at 5:27 PM, Franco Fichtner wrote:
>
>
>> On 22. Jan 2019, at 5:15 PM, Stefan Bethke wrote:
>>
>> On top of ports and packages depending on PEAR modules, some ports download archives containing vendored versions, for example, mail/roundcube. For roundcube, I opened https://github.com/roundcube/roundcubemail/issues/6598 to clarify.
>
> I fail to understand how mismatching package checksums for
> cached package files are indication of compromised distfiles
> which have pinned size and checksums in the FreeBSD ports
> tree since forever.
>
> If you say you build your own packages (and install them)
> a mismatch in pkg-cache files is normal because pkg will
> complain about a drift between the mirror-provided packages
> and your local ones when it detects them which happens when
> you have a package file created from different sources,
> the ports tree and the binary mirror.
>
> This will likely get rid of the mismatch by merely purging
> your local package cache...
>
> # pkg clean -ya
>
>
> Cheers,
> Franco
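
One way to script the comparison Jochen describes (a distfile against the SHA256 and SIZE pinned in a port's distinfo) together with Stefan's caveat that a pin recorded while pear.php.net was serving tampered files would still match. This is an added example, not part of any post in this thread and not FreeBSD's own tooling; the function names, the exit codes and the caller-supplied window start are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): check distfiles
# against a port's distinfo and report whether the pins themselves were
# recorded inside a suspect window.
#
# Assumed distinfo layout, as written by "make makesum" (sample values
# below are constructed):
#   TIMESTAMP = 1546300800
#   SHA256 (Example_Pkg-1.0.tgz) = <64 hex digits>
#   SIZE (Example_Pkg-1.0.tgz) = 12345

# FreeBSD ships sha256(1); most other systems ship sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# check_distinfo DISTINFO DISTDIR WINDOW_START
#   WINDOW_START: epoch seconds of the earliest time the upstream server
#   may have served tampered files (supplied by the caller).
# Returns 0: every file matches and the pin predates the window
#         1: a distfile is missing or does not match its pin
#         2: every file matches, but the pin was recorded inside the window
check_distinfo() {
    distinfo=$1; distdir=$2; window_start=$3
    bad=0

    # Names are the parenthesised second field of each SHA256 line.
    names=$(awk '$1 == "SHA256" { print substr($2, 2, length($2) - 2) }' "$distinfo")
    if [ -z "$names" ]; then
        echo "NO-PINS   $distinfo"
        return 1
    fi

    while IFS= read -r name; do
        [ -n "$name" ] || continue
        file=$distdir/$name
        want_sum=$(awk -v n="($name)" '$1 == "SHA256" && $2 == n { print $4 }' "$distinfo")
        want_size=$(awk -v n="($name)" '$1 == "SIZE" && $2 == n { print $4 }' "$distinfo")
        if [ ! -f "$file" ]; then
            echo "MISSING   $name"; bad=1; continue
        fi
        got_size=$(wc -c < "$file" | tr -d ' ')
        got_sum=$(sha256_of "$file")
        if [ "$got_sum" = "$want_sum" ] && [ "$got_size" = "$want_size" ]; then
            echo "MATCH     $name"
        else
            echo "MISMATCH  $name"; bad=1
        fi
    done <<EOF
$names
EOF
    [ "$bad" -eq 0 ] || return 1

    # A match only proves the file equals what was fetched when the pin was
    # made. If that happened inside the window, the pin may describe a
    # tampered file and needs an independent reference copy.
    ts=$(awk '$1 == "TIMESTAMP" { print $3 }' "$distinfo")
    if [ -z "$ts" ] || [ "$ts" -ge "$window_start" ]; then
        echo "PIN-IN-WINDOW  timestamp=${ts:-unknown} window_start=$window_start"
        return 2
    fi
    echo "PIN-PREDATES-WINDOW  timestamp=$ts"
    return 0
}

# Stand-alone use: sh thisfile DISTINFO DISTDIR WINDOW_START
if [ "$#" -eq 3 ]; then
    check_distinfo "$@"
fi
```
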

From: tech-lists
Date: Thu, 24 Jan 2019 18:39:02 +0000
To: freebsd-stable@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: apache protection

Hi,

I already use sshguard to block woodpeckers on sshd. Is there something similar for apache? If so, would it work with sshguard? I use pf for firewall.

Basically something that's causing 404s 5 times per second. How can I (automatically) block it?

thanks,
-- 
J.
From owner-freebsd-security@freebsd.org Thu Jan 24 18:51:53 2019 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E0ED614BA0D5; Thu, 24 Jan 2019 18:51:52 +0000 (UTC) (envelope-from mad@madpilot.net) Received: from mail.madpilot.net (vogon.madpilot.net [159.69.1.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BA3FB80FD0; Thu, 24 Jan 2019 18:51:50 +0000 (UTC) (envelope-from mad@madpilot.net) Received: from mail (mail [192.168.254.3]) by mail.madpilot.net (Postfix) with ESMTP id 43lrq33vrwz6dQp; Thu, 24 Jan 2019 19:51:43 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=madpilot.net; h= content-transfer-encoding:content-language:content-type :content-type:in-reply-to:mime-version:user-agent:date:date :message-id:from:from:references:subject:subject:received :received; s=mail; t=1548355901; x=1550170302; bh=g0j+o57a0fM3bX vuxAeSjRPe0Pms6DWSEkDuDgzznno=; b=lg399GVdIqtdocPN3kZO585ErcEpRe sawWqa8SrIo0KF+vf5Vs1G5R3ZDsez2iBc4NwqZGE44V5H3jOsDBtmK3+Y0cqPdU SX/wDVosPDbaLaCvXrz1hw7btDYmWrxsklqvTKay6t+ziloydaka/S4LYHbgZ3q0 sINfB1YrzbcGY= Received: from mail.madpilot.net ([192.168.254.3]) by mail (mail.madpilot.net [192.168.254.3]) (amavisd-new, port 10026) with ESMTP id 91Pat4XvACNw; Thu, 24 Jan 2019 19:51:41 +0100 (CET) Received: from tommy.madpilot.net (unknown [87.13.153.156]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail.madpilot.net (Postfix) with ESMTPSA; Thu, 24 Jan 2019 19:51:41 +0100 (CET) Subject: Re: apache protection To: freebsd-stable@freebsd.org, freebsd-security@freebsd.org References: <20190124183902.GC30993@rpi3.zyxst.net> 
From: Guido Falsi
Date: Thu, 24 Jan 2019 19:51:41 +0100
In-Reply-To: <20190124183902.GC30993@rpi3.zyxst.net>

On 24/01/19 19:39, tech-lists wrote:
> Hi,
>
> I already use sshguard to block woodpeckers on sshd.
> Is there something
> similar for apache? If so, would it work with sshguard? I use pf for
> firewall.
>
> Basically something that's causing 404s 5 times per second. How can I
> (automatically) block it?
>

security/py-fail2ban may be what you are looking for.

It has modules to read various common log files (including apache) and
to manage locks for various firewalls and other tools.

It's also easy to create new modules.

-- 
Guido Falsi
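
Added example, not part of the thread and not fail2ban's own code: the kind of check discussed above (count 404s per client inside a time window, then hand the offenders to pf), run over constructed Apache access-log lines. The pf table name http_abusers, the thresholds and the sample addresses are assumptions, and log lines are assumed to be in chronological order.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def find_offenders(lines, max_hits=5, window=timedelta(seconds=1)):
    """Return clients with max_hits or more 404s inside `window`, in detection order."""
    recent = defaultdict(deque)  # client -> timestamps of its recent 404s
    offenders = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # hostname or junk in the client field: never pass it on
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] >= window:  # forget 404s that fell out of the window
            hits.popleft()
        if len(hits) >= max_hits and ip not in offenders:
            offenders.append(ip)
    return offenders

def pf_commands(ips, table="http_abusers"):
    """Commands that add offenders to a pf table (assumed name); pf.conf must
    declare the table and a block rule that references it."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

# Constructed sample log (documentation address ranges), not from the thread.
SAMPLE = (
    ['203.0.113.7 - - [24/Jan/2019:18:39:01 +0000] "GET /x%d.php HTTP/1.1" 404 196' % i
     for i in range(5)]    # five 404s within the same second
    + ['198.51.100.20 - - [24/Jan/2019:18:39:0%d +0000] "GET /old HTTP/1.1" 404 196' % i
       for i in range(5)]  # five 404s, one per second
    + ['203.0.113.9 - - [24/Jan/2019:18:39:01 +0000] "GET / HTTP/1.1" 200 45']
)

if __name__ == "__main__":
    for cmd in pf_commands(find_offenders(SAMPLE)):
        print(cmd)
```

Apache logs timestamps at one-second resolution, so with the default one-second window only hits carrying the same timestamp are counted together; a wider window catches slower scanners at the cost of more false positives.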