From owner-freebsd-security Sun Aug 31 12:05:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA13870 for security-outgoing; Sun, 31 Aug 1997 12:05:49 -0700 (PDT)
Received: from cwsys.cwent.com (0@cschuber.net.gov.bc.ca [142.31.240.113]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA13865 for ; Sun, 31 Aug 1997 12:05:41 -0700 (PDT)
Received: (from uucp@localhost) by cwsys.cwent.com (8.8.7/8.6.10) id LAA03326; Sun, 31 Aug 1997 11:47:48 -0700 (PDT)
Message-Id: <199708311847.LAA03326@cwsys.cwent.com>
Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwent.com, id smtpd003323; Sun Aug 31 18:47:26 1997
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
To: Andrew Brown
cc: BUGTRAQ@netspace.org, freebsd-security@freebsd.org
Subject: Re: DDB/securelevel
In-reply-to: Your message of "Sat, 30 Aug 1997 14:16:54 EDT." <199708301816.OAA09934@untraceable.net>
Date: Sun, 31 Aug 1997 11:47:25 -0700
From: Cy Schubert
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

There's a lot to be said about physical security.  If one has a sensitive application, physically secure the machine.

Secondly, DDB should not be compiled into the kernel of a production machine unless you are trying to resolve a software or hardware problem.  Once a problem is resolved, remove the option from the kernel config, not only for security reasons but to generally improve performance.  I, for example, don't include the KTRACE or bpfilter options for a production machine unless I am trying to solve a problem.  Most security publications and auditors agree that removing bpfilter can improve network security.
Removing these options on a production machine can also improve performance because the kernel is not executing rarely used code.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

> >The most straightforward solution to this is to simply not allow
> >DDB to be run when securelevel > 0.  Enclosed is a simple patch
> >against 2.2.1 to do this.
>
> this is just about the dumbest thing i've ever heard.  while i
> realize that freebsd usually runs in securelevel -1, most other bsd's
> run at 0 or 1 (or even 2 for the paranoid).  when would you *ever*
> build a kernel with ddb where console security was even close to being
> an issue.  not being able to run ddb defeats the purpose of building
> ddb into the kernel in the first place.  what if you were trying to
> debug code that only got called when the machine was at a high
> securelevel and it caused the machine to panic?  you wouldn't be able
> to fix it very easily.
>
> first of all, ddb can be used for a lot more things than just lowering
> the securelevel.  you can a) raise your privilege level (walk the
> process list, find the cred stuff for the appropriate process, and
> change it :), b) make the machine panic c) remove the code that
> prevents you from doing any number of things while at a higher
> securelevel, d) remove the code that prevents you from removing the
> code that prevents you from doing things at a higher securelevel, etc.
>
> i first thought about this when the problem with the init image under
> the proc filesystem was pointed out.  then i patched ddb so that you
> could not write to the securelevel, naively thinking that would take
> care of it.  about ten minutes later i had eliminated the code that
> checked to see if you were writing the securelevel and had changed the
> securelevel back.
> then i briefly considered having ddb keep a map of
> what pages it can modify and what pages it can't (including in the
> map, the pages that contained the map and the pages that contained the
> code that checked the map.  i decided against this, since it would
> probably cause more problems than it fixed.
>
> it doesn't stop there.  when i was working in the computer lab at
> college, the gateway computers there had nice, fancy programmable
> keyboards.  i had occasion to watch somebody log in, crash the
> machine, reboot and *watch the keyboard log him back in*.  assume that
> you don't even need console access to this computer, you can still
> probably program the keyboard to drop into ddb, lower the securelevel
> for you, and continue.
>
> basically, what it comes down to is that running with ddb in your
> kernel is equivalent to running with the securelevel set to "fly
> unzipped".  not that ddb isn't a good thing, you just need to be
> aware of it.
>
> thanks for listening...  :)
>
> --
> |-----< "CODE WARRIOR" >-----|
> andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
> codewarrior@daemon.org                          that goes *ping*!"
> warfare@graffiti.com   * "information is power -- share the wealth."

From owner-freebsd-security Sun Aug 31 14:18:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA18867 for security-outgoing; Sun, 31 Aug 1997 14:18:36 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.45]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA18862 for ; Sun, 31 Aug 1997 14:18:32 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id RAA12554; Sun, 31 Aug 1997 17:18:10 -0400 (EDT)
Date: Sun, 31 Aug 1997 17:18:08 -0400 (EDT)
From: Brian Mitchell
To: cschuber@uumail.gov.bc.ca
cc: Andrew Brown, BUGTRAQ@netspace.org, freebsd-security@FreeBSD.ORG
Subject: Re: DDB/securelevel
In-Reply-To: <199708311847.LAA03326@cwsys.cwent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 31 Aug 1997, Cy Schubert wrote:

> There's a lot to be said about physical security.  If one has a sensitive
> application, physically secure the machine.
>
> Secondly, DDB should not be compiled into the kernel of a production
> machine unless you are trying to resolve a software or hardware problem.
> Once a problem is resolved, remove the option from the kernel config, not
> only for security reason but to generally improve performance.  I, for
> example don't include the KTRACE or bpfilter options for a production
> machine unless I am trying to solve a problem.  Most security publications
> and auditors agree that removing bpfilter can improve network security.
> Removing these options on a production machine can also improve performance
> because the kernel is not executing rarely used code

What _possible_ improvement in security does removing ktrace offer?  There is absolutely none, that I can determine.  (Note: Most of what ktrace does can be done via shared libraries.)

From owner-freebsd-security Sun Aug 31 18:31:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA28482 for security-outgoing; Sun, 31 Aug 1997 18:31:49 -0700 (PDT)
Received: from obie.softweyr.ml.org ([199.104.124.49]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA28473; Sun, 31 Aug 1997 18:31:40 -0700 (PDT)
Received: (from wes@localhost) by obie.softweyr.ml.org (8.7.5/8.6.12) id TAA04894; Sun, 31 Aug 1997 19:34:50 -0600 (MDT)
Date: Sun, 31 Aug 1997 19:34:50 -0600 (MDT)
Message-Id: <199709010134.TAA04894@obie.softweyr.ml.org>
From: Wes Peters
To: "Jonathan M. Bresler"
CC: security@FreeBSD.ORG
Subject: Re: FW: syslogd fun (fwd)
In-Reply-To: <199708291933.MAA23443@hub.freebsd.org>
References: <199708291817.LAA03314@hokkshideh.jetcafe.org> <199708291933.MAA23443@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Jonathan M. Bresler writes:
> Dave Hayes wrote:
> >
> > > filter syslog at your firewall.  falls under the general rule:
> > > "unless you need it, filter it out"  jmb
> >
> > This is still -not- a guarantee of safety.
>
> ;))))
>
> if you have people inside your security perimeter that are
> a threat to your servers....you have a management problem,
> -not- a technical problem.

It's important to keep in mind "Rob Clyde's Rule:"  If your security measures cost more than your potential loss, you're guaranteed to lose money.  Possibly the only intelligent thing Rob ever said in my association with him.  ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com

From owner-freebsd-security Mon Sep 1 07:13:23 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA27841 for security-outgoing; Mon, 1 Sep 1997 07:13:23 -0700 (PDT)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA27836 for ; Mon, 1 Sep 1997 07:13:21 -0700 (PDT)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.7/8.6.10) id HAA20786; Mon, 1 Sep 1997 07:12:52 -0700 (PDT)
Message-Id: <199709011412.HAA20786@passer.osg.gov.bc.ca>
Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaasgBa; Mon Sep 1 07:12:47 1997
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
X-Sender: cschuber
To: Brian Mitchell
cc: cschuber@uumail.gov.bc.ca, Andrew Brown, BUGTRAQ@netspace.org, freebsd-security@freebsd.org
Subject: Re: DDB/securelevel
In-reply-to: Your message of "Sun, 31 Aug 1997 17:18:08 EDT."
Date: Mon, 01 Sep 1997 07:12:46 -0700
From: Cy Schubert - ITSD Open Systems Group
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Sun, 31 Aug 1997, Cy Schubert wrote:
>
> > There's a lot to be said about physical security.  If one has a sensitive
> > application, physically secure the machine.
> >
> > Secondly, DDB should not be compiled into the kernel of a production
> > machine unless you are trying to resolve a software or hardware problem.
> > Once a problem is resolved, remove the option from the kernel config, not
> > only for security reason but to generally improve performance.  I, for
> > example don't include the KTRACE or bpfilter options for a production
> > machine unless I am trying to solve a problem.  Most security publications
> > and auditors agree that removing bpfilter can improve network security.
> > Removing these options on a production machine can also improve performance
> > because the kernel is not executing rarely used code
>
> What _possible_ improvement in security does removing ktrace offer? There
> is absolutely none, that I can determine. (Note: Most of what ktrace does
> can be done via shared libraries).
>

It doesn't add any security.  My point was that some kernel features may also impact performance, such as KTRACE, hence I remove them.  Bpfilter also can impact network security, so you now have two reasons to remove it from production environments.  Generally, the fewer features you compile into your kernel the better it will perform, and you have, in some cases, better security.  IMO these are two very good reasons to keep the kernel thin.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

From owner-freebsd-security Wed Sep 3 01:43:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id BAA00280 for security-outgoing; Wed, 3 Sep 1997 01:43:00 -0700 (PDT)
Received: from asterix.insight.co.za (asterix.insight.co.za [196.27.7.9]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id BAA00252 for ; Wed, 3 Sep 1997 01:42:41 -0700 (PDT)
Received: from tony by asterix.insight.co.za with local (Exim 1.70 #3) id 0x6B14-0003Mv-00; Wed, 3 Sep 1997 10:42:22 +0200
Subject: Bugs Website ?
To: freebsd-security@freebsd.org
Date: Wed, 3 Sep 1997 10:42:22 +0200 (SAT)
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:
From: Tony Harverson
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Morning All,

I was just wondering if anyone out there was maintaining a web page of which bugs affect what versions of BSD?
For new users, the facility to install 2.2.2 and then look at the page and install whatever patches are recommended would be a lot easier than rooting through old CERT advisories or bugtraq archives..

Anyone know the URL of something like this?

Tony
(who will offer to maintain something like this, but only if it's not re-inventing the wheel...)

From owner-freebsd-security Wed Sep 3 01:43:11 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id BAA00319 for security-outgoing; Wed, 3 Sep 1997 01:43:11 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id BAA00275; Wed, 3 Sep 1997 01:42:57 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id MAA14571; Wed, 3 Sep 2036 12:40:10 +0400
From: ArkanoiD
Message-Id: <203609030840.MAA14571@paranoid.convey.ru>
Subject: log connection attempts?
To: firewalls@greatcircle.com
Date: Wed, 3 Sep 136 12:40:07 +0400 (MSD)
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

nuqneH,

Did anyone try to patch the kernel to log connection attempts for ports (tcp and maybe udp) where no program accepts connection? (2.1.7)

I _know_ i can do nearly the same with IP filtering/logging but i prefer another way..

--
 _     _   _   _   _   _   _
{::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Wed Sep 3 05:22:50 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA08707 for security-outgoing; Wed, 3 Sep 1997 05:22:50 -0700 (PDT)
Received: from cicero.cybercity.dk (cicero.cybercity.dk [195.8.128.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id FAA08682; Wed, 3 Sep 1997 05:22:43 -0700 (PDT)
Received: from schizo.dk.tfs.com (mail.trw.dk [195.8.133.123]) by cicero.cybercity.dk (8.8.5/8.8.5) with ESMTP id OAA18648; Wed, 3 Sep 1997 14:16:49 +0200 (CEST)
Received: from critter.freebsd.dk (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.5/8.7.3) with ESMTP id LAA13138; Wed, 3 Sep 1997 11:52:55 +0200 (MET DST)
Received: from critter.freebsd.dk (localhost.dk.tfs.com [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.7) with ESMTP id LAA04928; Wed, 3 Sep 1997 11:52:29 +0200 (CEST)
To: ArkanoiD
cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: log connection attempts?
In-reply-to: Your message of "Wed, 03 Sep 0136 12:40:07 +0400." <203609030840.MAA14571@paranoid.convey.ru>
Date: Wed, 03 Sep 1997 11:52:29 +0200
Message-ID: <4926.873280349@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <203609030840.MAA14571@paranoid.convey.ru>, ArkanoiD writes:
>nuqneH,
>
>Did anyone try to patch the kernel to log connection attempts for ports
>(tcp and maybe udp) where no program accepts connection? (2.1.7)

Set these two sysctl variables to non-zero:
	net.inet.tcp.log_in_vain: 0
	net.inet.udp.log_in_vain: 0

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
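The following is an added example, written for this page and not code from the thread or from FreeBSD, showing what the sysctl answer above turns into in practice: the two knobs switched on, and the syslog lines they produce summarized per source and screened for port scans. The sysctl names are the ones in the thread (present in 2.2.2 and later; the reply below says they are missing in 2.1.7). The wording of the kernel's log line ("Connection attempt to TCP a.b.c.d:port from w.x.y.z:port") is an assumption, and the lines in SAMPLE_LOG are constructed rather than captured from a real host, so compare the field positions with your own /var/log/messages before trusting the awk.

```shell
#!/bin/sh
# Added example: enable log_in_vain and mine its syslog output.
# Not from the thread; the log line format is an assumption (see lead-in).

# Turn logging on for the running kernel (needs root; 2.2.2+ per the
# thread).  Not called below because it only makes sense on FreeBSD.
enable_log_in_vain() {
    sysctl -w net.inet.tcp.log_in_vain=1
    sysctl -w net.inet.udp.log_in_vain=1
}

# Constructed sample of what /var/log/messages is assumed to contain:
# three TCP probes from one source, one UDP probe from another, and an
# unrelated sshd line that must be ignored.
SAMPLE_LOG='Sep  4 10:01:02 host /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:1042
Sep  4 10:01:03 host /kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:1043
Sep  4 10:01:05 host /kernel: Connection attempt to UDP 192.0.2.10:161 from 203.0.113.9:3210
Sep  4 10:02:11 host /kernel: Connection attempt to TCP 192.0.2.10:143 from 198.51.100.7:1044
Sep  4 10:02:30 host sshd[123]: Accepted password for ark from 203.0.113.9 port 40000'

# Read log text on stdin; print "count proto source" per source, busiest
# first.  Fields are taken from the end of the line so the syslog prefix
# (date, host, program) may vary.
summarize_in_vain() {
    awk '/Connection attempt to (TCP|UDP) / {
            proto = $(NF-3); src = $NF; sub(/:[0-9]+$/, "", src)
            n[proto " " src]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Read log text on stdin; print sources that probed more than $1 distinct
# closed ports (a crude port-scan detector built on the same log lines).
scanners() {
    awk -v t="$1" '/Connection attempt to (TCP|UDP) / {
            dst = $(NF-2); src = $NF; sub(/:[0-9]+$/, "", src)
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
         }
         END { for (s in ports) if (ports[s] > t) print s }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_in_vain
printf '%s\n' "$SAMPLE_LOG" | scanners 2
```

On a real host replace the `printf` with `summarize_in_vain < /var/log/messages`; the threshold passed to `scanners` is a judgement call, since a single misconfigured client can also touch a handful of closed ports.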

From owner-freebsd-security Wed Sep 3 21:14:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA02855 for security-outgoing; Wed, 3 Sep 1997 21:14:41 -0700 (PDT)
Received: from counterintelligence.ml.org (mdean.vip.best.com [206.86.94.101]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA02850; Wed, 3 Sep 1997 21:14:37 -0700 (PDT)
Received: from localhost (jamil@localhost) by counterintelligence.ml.org (8.8.7/8.8.5) with SMTP id VAA21461; Wed, 3 Sep 1997 21:13:56 -0700 (PDT)
Date: Wed, 3 Sep 1997 21:13:56 -0700 (PDT)
From: "Jamil J. Weatherbee"
To: freebsd-stable@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Kernel Install Permissions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This is just a personal opinion, and maybe it is uneducated, but is there really some reason for the kernel to be installed chmod 555?  Wouldn't 544 or even maybe 444 do?  (I'm not too familiar with the bootloader; I would guess that it doesn't execute /kernel in the same way a COFF binary is executed, so permissions probably don't matter, huh?)

From owner-freebsd-security Wed Sep 3 23:00:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA07907 for security-outgoing; Wed, 3 Sep 1997 23:00:58 -0700 (PDT)
Received: from ot.stpn.soft.net (freebie.opentech.stpn.soft.net [204.143.126.74]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id XAA07875; Wed, 3 Sep 1997 23:00:39 -0700 (PDT)
Received: from andes (andes.opentech.stpn.soft.net [204.143.126.66]) by ot.stpn.soft.net (8.6.12/8.6.12) with ESMTP id LAA11479; Thu, 4 Sep 1997 11:33:43 +0530
Message-ID: <340EE174.C45D396F@opentech.stpn.soft.net>
Date: Thu, 04 Sep 1997 11:27:33 -0500
From: Prashant Dongre
Reply-To: pdongre@opentech.stpn.soft.net
X-Mailer: Mozilla 4.01 [en] (WinNT; I)
MIME-Version: 1.0
To: ArkanoiD
CC: firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: log connection attempts?
X-Priority: 3 (Normal)
References: <203609030840.MAA14571@paranoid.convey.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

ArkanoiD wrote:

> nuqneH,
>
> Did anyone try to patch the kernel to log connection attempts for ports
> (tcp and maybe udp) where no program accepts connection? (2.1.7)
>
> I _know_ i can do nearly the same with IP filtering/logging but i
> prefer another way..
>
> --
>  _     _   _   _   _   _   _
> {::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
> (##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
>
> [||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!

Have you configured the kernel for IPFW (IP Firewall)?

IPFW does log connection attempts for the ports which are blocked for a network.

Messages get into /var/log/messages and are also displayed on the console.
Prashant

From owner-freebsd-security Wed Sep 3 23:25:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA09349 for security-outgoing; Wed, 3 Sep 1997 23:25:14 -0700 (PDT)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA09344; Wed, 3 Sep 1997 23:25:12 -0700 (PDT)
Received: by burka.rdy.com id XAA27183; (8.8.7/RDY) Wed, 3 Sep 1997 23:24:25 -0700 (PDT)
Message-Id: <199709040624.XAA27183@burka.rdy.com>
Subject: Re: Kernel Install Permissions
In-Reply-To: from "Jamil J. Weatherbee" at "Sep 3, 97 09:13:56 pm"
To: jamil@counterintelligence.ml.org (Jamil J. Weatherbee)
Date: Wed, 3 Sep 1997 23:24:24 -0700 (PDT)
Cc: freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Jamil J. Weatherbee writes:
>
> This is just a personal opinion, and maybe it is uneducated, but is there
> really some reason for the kernel to be installed chmod 555, wouldn't 544
> or even maybe 444 do (I'm not too familiar with the bootloader, I would
> guess that it doesn't execute /kernel in the same way a coff binary is
> executed so permissions probably don't matter hunh?)

Perhaps even 550 or 540 with group kmem or something.
>
>

-- dima

From owner-freebsd-security Thu Sep 4 00:41:07 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA13149 for security-outgoing; Thu, 4 Sep 1997 00:41:07 -0700 (PDT)
Received: from central.webforum.de (uucp@central.webforum.de [193.141.169.166]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA13136 for ; Thu, 4 Sep 1997 00:41:01 -0700 (PDT)
Received: (from uucp@localhost) by central.webforum.de (8.7.6/8.7.6-webforum) id JAA26278; Thu, 4 Sep 1997 09:40:02 +0100
Received: from localhost (klaus@localhost) by gaston.m.isar.de (8.7.6/8.7.6-webforum) with SMTP id JAA27332; Thu, 4 Sep 1997 09:38:10 +0100
Date: Thu, 4 Sep 1997 09:38:10 +0100 (WET DST)
From: Klaus Lichtenwalder
To: Prashant Dongre
cc: ArkanoiD, firewalls@GreatCircle.COM, freebsd-security@FreeBSD.ORG
Subject: Re: log connection attempts?
In-Reply-To: <340EE174.C45D396F@opentech.stpn.soft.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 4 Sep 1997, Prashant Dongre wrote:

> ArkanoiD wrote:
> > nuqneH,
> >
> > Did anyone try to patch the kernel to log connection attempts for ports
> > (tcp and maybe udp) where no program accepts connection? (2.1.7)
> >
> > I _know_ i can do nearly the same with IP filtering/logging but i
> > prefer another way..
> >
> [...]
> Have you configured kernel for IPFW (IP Firewall) ?.
>
> IPFW does log connection attempts for the ports which are blocked for a network.
>
> Messages get into /var/log/messages and also displayed on the console.
>
> Prashant
>

There's a patch for linux out that logs connection attempts to unserved ports.  Might be worth a look if somebody tries to port sth like this to different OSes.

Klaus

--
Klaus Lichtenwalder, Dipl. Inform., PGP Key: email to key@Four11.com
Lichtenwalder@ACM.org                  http://www.wp.com/Klaus
K.Lichtenwalder@Computer.org           fax: +49-89-91072699
No wonder nobody comes here--it's too crowded.  -Yogi Berra

From owner-freebsd-security Thu Sep 4 05:55:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA25634 for security-outgoing; Thu, 4 Sep 1997 05:55:03 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id FAA25609; Thu, 4 Sep 1997 05:54:49 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id PAA00746; Thu, 4 Sep 1997 15:58:07 +0400
From: ArkanoiD
Message-Id: <199709041158.PAA00746@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: pdongre@opentech.stpn.soft.net
Date: Thu, 4 Sep 1997 15:58:07 +0400 (MSD)
Cc: firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <340EE174.C45D396F@opentech.stpn.soft.net> from "Prashant Dongre" at Sep 4, 97 11:27:33 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

nuqneH,

>
> ArkanoiD wrote:
>
> > nuqneH,
> >
> > Did anyone try to patch the kernel to log connection attempts for ports
> > (tcp and maybe udp) where no program accepts connection? (2.1.7)
> >
> > I _know_ i can do nearly the same with IP filtering/logging but i
> > prefer another way..
> >
> > --
> >  _     _   _   _   _   _   _
> > {::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
> > (##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
> >
> > [||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!
>
> Have you configured kernel for IPFW (IP Firewall) ?.
>
> IPFW does log connection attempts for the ports which are blocked for a network.
>
> Messages get into /var/log/messages and also displayed on the console.
>
> Prashant
>

No (btw, i use IPFilter, not ipfw), i do not want to log blocked packets / create additional filtering rules etc.  As i said, i do know how to do that.  I just do not want to.  I want to log connection attempts without that.

--
 _     _   _   _   _   _   _
{::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Thu Sep 4 06:14:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA26575 for security-outgoing; Thu, 4 Sep 1997 06:14:14 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA26553; Thu, 4 Sep 1997 06:14:02 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA00831; Thu, 4 Sep 1997 16:17:51 +0400
From: ArkanoiD
Message-Id: <199709041217.QAA00831@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 4 Sep 1997 16:17:51 +0400 (MSD)
Cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <4926.873280349@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 3, 97 11:52:29 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

nuqneH,

>
> In message <203609030840.MAA14571@paranoid.convey.ru>, ArkanoiD writes:
> >nuqneH,
> >
> >Did anyone try to patch the kernel to log connection attempts for ports
> >(tcp and maybe udp) where no program accepts connection? (2.1.7)
>
> Set these two sysctl variables to non-zero:
> 	net.inet.tcp.log_in_vain: 0
> 	net.inet.udp.log_in_vain: 0
>

fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid

..and i don't remember smth like that when browsing the sources.
--
 _     _   _   _   _   _   _
{::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Thu Sep 4 06:56:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA28829 for security-outgoing; Thu, 4 Sep 1997 06:56:37 -0700 (PDT)
Received: from cicero.cybercity.dk (cicero.cybercity.dk [195.8.128.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA28801; Thu, 4 Sep 1997 06:56:26 -0700 (PDT)
Received: from schizo.dk.tfs.com (mail.trw.dk [195.8.133.123]) by cicero.cybercity.dk (8.8.5/8.8.5) with ESMTP id PAA05983; Thu, 4 Sep 1997 15:48:51 +0200 (CEST)
Received: from critter.freebsd.dk (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.7/8.7.3) with ESMTP id PAA09607; Thu, 4 Sep 1997 15:46:49 +0200 (MET DST)
Received: from critter.freebsd.dk (localhost.dk.tfs.com [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.7) with ESMTP id PAA01810; Thu, 4 Sep 1997 15:46:42 +0200 (CEST)
To: ArkanoiD
cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: log connection attempts?
In-reply-to: Your message of "Thu, 04 Sep 1997 16:17:51 +0400." <199709041217.QAA00831@paranoid.convey.ru>
Date: Thu, 04 Sep 1997 15:46:41 +0200
Message-ID: <1808.873380801@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199709041217.QAA00831@paranoid.convey.ru>, ArkanoiD writes:
>nuqneH,
>
>>
>> In message <203609030840.MAA14571@paranoid.convey.ru>, ArkanoiD writes:
>> >nuqneH,
>> >
>> >Did anyone try to patch the kernel to log connection attempts for ports
>> >(tcp and maybe udp) where no program accepts connection? (2.1.7)
>>
>> Set these two sysctl variables to non-zero:
>> 	net.inet.tcp.log_in_vain: 0
>> 	net.inet.udp.log_in_vain: 0
>>
>fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid
>
>..and i don't remember smth like that when browsing the sources.

Upgrade to 2.2.2 then.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."

From owner-freebsd-security Thu Sep 4 07:15:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA00726 for security-outgoing; Thu, 4 Sep 1997 07:15:04 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA00681; Thu, 4 Sep 1997 07:14:51 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id RAA00931; Thu, 4 Sep 1997 17:09:07 +0400
From: ArkanoiD
Message-Id: <199709041309.RAA00931@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 4 Sep 1997 17:09:06 +0400 (MSD)
Cc: firewalls@greatcircle.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <1808.873380801@critter.freebsd.dk> from "Poul-Henning Kamp" at Sep 4, 97 03:46:41 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

nuqneH,

> >>
> >> Set these two sysctl variables to non-zero:
> >> 	net.inet.tcp.log_in_vain: 0
> >> 	net.inet.udp.log_in_vain: 0
> >>
> >fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid
> >
> >..and i don't remember smth like that when browsing the sources.
>
> Upgrade to 2.2.2 then.
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
>

I really don't want to ;) i'd prefer a small patch for 2.1.7.1.
--
 _     _   _   _   _   _   _
{::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Thu Sep 4 07:35:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA02176 for security-outgoing; Thu, 4 Sep 1997 07:35:41 -0700 (PDT)
Received: from cyrus.watson.org (robert@AMALTHEA.RES.CMU.EDU [128.2.91.57]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA02152; Thu, 4 Sep 1997 07:35:35 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id KAA01567; Thu, 4 Sep 1997 10:35:12 -0400 (EDT)
Date: Thu, 4 Sep 1997 10:35:11 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: ArkanoiD
cc: pdongre@opentech.stpn.soft.net, firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: log connection attempts?
In-Reply-To: <199709041158.PAA00746@paranoid.convey.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 4 Sep 1997, ArkanoiD wrote:

> No , (btw i use IPFilter,not ipfw), do not want to log blocked packets/
> create additional filtering rules etc. As i said i do know how to do that.
> I just do not want to. I want to log connection attempts without that.

Take a look at these two locations -- there was mention of a better syslog here on freebsd-security recently.  There were also statistics-gathering modifications on disconnected ports.

http://minnie.cs.adfa.oz.au/Seminars/AUUG96/index.html
ftp://minnie.cs.adfa.oz.au/pub/NetSecurity/

Hope that helps.
  Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University   http://www.cmu.edu/
Network Administrator, SafePort Network Services        http://www.safeport.com/
robert@fledge.watson.org  rwatson@safeport.com  http://www.watson.org/~robert/

From owner-freebsd-security Thu Sep 4 07:50:10 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA02901 for security-outgoing; Thu, 4 Sep 1997 07:50:10 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA02896 for ; Thu, 4 Sep 1997 07:50:07 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.7/8.6.9) with ESMTP id HAA00590; Thu, 4 Sep 1997 07:45:04 -0700 (PDT)
To: ArkanoiD
cc: phk@critter.freebsd.dk (Poul-Henning Kamp), firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG
Subject: Re: log connection attempts?
In-reply-to: Your message of "Thu, 04 Sep 1997 16:17:51 +0400." <199709041217.QAA00831@paranoid.convey.ru>
Date: Thu, 04 Sep 1997 07:45:04 -0700
Message-ID: <587.873384304@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> nuqneH,

Is something wrong with your editor?  :-)

					Jordan

From owner-freebsd-security Thu Sep 4 09:51:47 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA10774 for security-outgoing; Thu, 4 Sep 1997 09:51:47 -0700 (PDT)
Received: from paranoid.convey.ru (ws03.convey.ru [195.182.128.18]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA10768 for ; Thu, 4 Sep 1997 09:51:37 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id TAA00158; Thu, 4 Sep 1997 19:48:37 +0400
From: ArkanoiD
Message-Id: <199709041548.TAA00158@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Thu, 4 Sep 1997 19:48:37 +0400 (MSD)
Cc: phk@critter.freebsd.dk, firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG
In-Reply-To: <587.873384304@time.cdrom.com> from "Jordan K. Hubbard" at Sep 4, 97 07:45:04 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

nuqneH,

> Is something wrong with your editor?  :-)
>
> 					Jordan
>

Nope, that's just a greeting.  The language is tlhIngan Hol ;).

--
 _     _   _   _   _   _   _
{::} {::} {::}   CU in Hell   _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)   /Arkan#iD   |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Thu Sep 4 13:15:15 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA20703 for security-outgoing; Thu, 4 Sep 1997 13:15:15 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA20695 for ; Thu, 4 Sep 1997 13:15:10 -0700 (PDT)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id OAA03966; Thu, 4 Sep 1997 14:14:10 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id OAA25081; Thu, 4 Sep 1997 14:13:21 -0600 (MDT)
Date: Thu, 4 Sep 1997 14:13:20 -0600 (MDT)
From: Marc Slemko
To: ArkanoiD
cc: freebsd-security@FreeBSD.ORG
Subject: Re: log connection attempts?
In-Reply-To: <199709041309.RAA00931@paranoid.convey.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

[cc list cut down to freebsd-security]

On Thu, 4 Sep 1997, ArkanoiD wrote:

> nuqneH,
>
> > >>
> > >> Set these two sysctl variables to non-zero:
> > >> net.inet.tcp.log_in_vain: 0
> > >> net.inet.udp.log_in_vain: 0
> > >>
> > >fourth level name log_in_vain in net.inet.tcp.log_in_vain is invalid
> > >
> > >..and i don't remember smth like that when browsing the sources.
> >
> > Upgrade to 2.2.2 then.
> >
> > --
> > Poul-Henning Kamp             FreeBSD coreteam member
> > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
>
> I really don't want to ;) i'd prefer a small patch for 2.1.7.1.

So make one. Below are the two messages that are obvious in the commit
logs which apply. Get the CVS tree; you can use CVSup, and just get the
sys tree, no need for the whole source tree. Checkout RELENG_2_1_0.

Do a:

	cvs diff -c -r1.40 -r1.41 tcp_input.c

...and repeat for the other files. Apply the diff, either manually or
with patch (depending on how much has changed, it may or may not be
possible to apply it automatically). Poof, if all goes well you have it.

phk         96/04/04 02:46:47

  Modified:    sys/netinet tcp_input.c udp_usrreq.c
  Log:
  Log TCP syn packets for ports we don't listen on.
  Controlled by:  sysctl net.inet.tcp.log_in_vain: 1

  Log UDP syn packets for ports we don't listen on.
  Controlled by:  sysctl net.inet.udp.log_in_vain: 1

  Suggested by:  Warren Toomey

  Revision  Changes    Path
  1.41      +13 -2     src/sys/netinet/tcp_input.c
  1.21      +11 -1     src/sys/netinet/udp_usrreq.c

ache        96/04/27 11:19:15

  Modified:    sys/netinet tcp_input.c udp_usrreq.c
  Log:
  inet_ntoa buffer was evaluated twice in log_in_vain, fix it.
  Thanx to: jdp

  Revision  Changes    Path
  1.44      +7 -3      src/sys/netinet/tcp_input.c
  1.23      +7 -3      src/sys/netinet/udp_usrreq.c

From owner-freebsd-security Fri Sep 5 04:53:51 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA02758 for security-outgoing; Fri, 5 Sep 1997 04:53:51 -0700 (PDT)
Received: from relay1.cit.ru (relay1.cit.ru [193.125.82.100]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id EAA02719 for ; Fri, 5 Sep 1997 04:52:44 -0700 (PDT)
Received: by relay1.cit.ru id PAA07987; (8.8.2-MVC-141196/vak/1.9) Fri, 5 Sep 1997 15:50:38 +0400 (MSD)
Date: Fri, 5 Sep 1997 15:50:38 +0400 (MSD)
From: vlad@relay1.cit.ru (Vladimir A. Zhilkin)
Message-Id: <199709051150.PAA07987@relay1.cit.ru>
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

help

From owner-freebsd-security Fri Sep 5 06:45:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA09044 for security-outgoing; Fri, 5 Sep 1997 06:45:03 -0700 (PDT)
Received: from paranoid.convey.ru (ws04.convey.ru [195.182.128.19]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA09015; Fri, 5 Sep 1997 06:44:50 -0700 (PDT)
Received: (from ark@localhost) by paranoid.convey.ru (8.7.5/8.7.3) id QAA01192; Fri, 5 Sep 1997 16:48:17 +0400
From: ArkanoiD
Message-Id: <199709051248.QAA01192@paranoid.convey.ru>
Subject: Re: log connection attempts?
To: robert+freebsd@cyrus.watson.org
Date: Fri, 5 Sep 1997 16:48:16 +0400 (MSD)
Cc: pdongre@opentech.stpn.soft.net, firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
In-Reply-To: from "Robert Watson" at Sep 4, 97 10:35:11 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

nuqneH,

> > No, (btw i use IPFilter, not ipfw), do not want to log blocked packets/
> > create additional filtering rules etc. As i said i do know how to do that.
> > I just do not want to. I want to log connection attempts without that.
>
> Take a look at these two locations -- there was mention of a better syslog
> here on freebsd-security recently. There were also statistics-gathering
> modifications on disconnected ports.
>
> http://minnie.cs.adfa.oz.au/Seminars/AUUG96/index.html
> ftp://minnie.cs.adfa.oz.au/pub/NetSecurity/

Thanks! That's [nearly] the thing I was looking for. Actually it is for an
older kernel version and requires minor modifications to be used with
2.1.7.1, but it should not be hard to do.

-- /Arkan#iD
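The log_in_vain sysctls named earlier in this thread make the kernel log one line for every TCP SYN or UDP datagram aimed at a port with no listener. Added example, not code from any message in the thread: a small Python parser that aggregates those lines per source address and flags port sweeps; the "Connection attempt to ..." wording it matches is assumed from the kernel's message text, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed shape of the kernel's log_in_vain text inside a syslog line
# (IPv4 only; the exact wording differs between FreeBSD releases).
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)")

def parse_line(line):
    """Return (proto, src, dst, dport) for a log_in_vain line, else None."""
    m = LOG_IN_VAIN_RE.search(line)
    return None if m is None else (m["proto"], m["src"], m["dst"], int(m["dport"]))

def summarize(lines, scan_threshold=5):
    """Per-source summary: attempts, set of (proto, dport), scan flag."""
    # One entry per source instead of one alert per packet keeps output
    # bounded when a flood makes the kernel emit a line per SYN; a source
    # that touched >= scan_threshold distinct closed ports is flagged.
    per_src = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated kernel or syslog noise
        proto, src, _dst, dport = rec
        per_src[src]["attempts"] += 1
        per_src[src]["ports"].add((proto, dport))
    return {src: {**e, "scan": len(e["ports"]) >= scan_threshold}
            for src, e in per_src.items()}

def flagged_sources(lines, scan_threshold=5):
    """Sorted source addresses whose attempts look like a port sweep."""
    return sorted(s for s, e in summarize(lines, scan_threshold).items() if e["scan"])

# Constructed sample input, not a real capture: one host sweeping five
# closed TCP ports, one host poking SNMP twice, one unrelated kernel line.
SAMPLE_LOG = [
    "Sep  5 12:00:01 gw /kernel: Connection attempt to TCP 10.0.0.1:21 from 10.0.0.2:40001",
    "Sep  5 12:00:01 gw /kernel: Connection attempt to TCP 10.0.0.1:23 from 10.0.0.2:40002",
    "Sep  5 12:00:02 gw /kernel: Connection attempt to TCP 10.0.0.1:25 from 10.0.0.2:40003",
    "Sep  5 12:00:02 gw /kernel: Connection attempt to TCP 10.0.0.1:110 from 10.0.0.2:40004",
    "Sep  5 12:00:03 gw /kernel: Connection attempt to TCP 10.0.0.1:143 from 10.0.0.2:40005",
    "Sep  5 12:00:07 gw /kernel: Connection attempt to UDP 10.0.0.1:161 from 10.0.0.3:1030",
    "Sep  5 12:00:09 gw /kernel: Connection attempt to UDP 10.0.0.1:161 from 10.0.0.3:1031",
    "Sep  5 12:00:11 gw /kernel: ad0: 8063MB <QUANTUM FIREBALL> [16383/16/63] at ata0-master",
]
```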
From owner-freebsd-security Fri Sep 5 08:35:40 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA14956 for security-outgoing; Fri, 5 Sep 1997 08:35:40 -0700 (PDT)
Received: from soran.pacific.net.sg (soran.pacific.net.sg [203.120.90.76]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA14921 for ; Fri, 5 Sep 1997 08:35:13 -0700 (PDT)
Received: from madcap.dyn.ml.org (d125137.ppp125.cyberway.com.sg [203.116.125.137]) by soran.pacific.net.sg with ESMTP id XAA28096 for ; Fri, 5 Sep 1997 23:34:59 +0800 (SGT)
Received: (qmail 1605 invoked by uid 100); 5 Sep 1997 15:31:03 -0000
Message-ID: <19970905233103.64953@dyn.ml.org>
Date: Fri, 5 Sep 1997 23:31:03 +0800
From: Ng Pheng Siong
To: ArkanoiD
Cc: firewalls@greatcircle.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: log connection attempts?
References: <203609030840.MAA14571@paranoid.convey.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.76e
In-Reply-To: <203609030840.MAA14571@paranoid.convey.ru>; from ArkanoiD on Wed, Sep 03, 2036 at 12:40:07PM +0400
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sep 3, ArkanoiD wrote:
> Did anyone try to patch the kernel to log connection attempts for ports
> (tcp and maybe udp) where no program accepts connection? (2.1.7)

About 2 years ago, someone from Oz did just that. Asking the search engines...

Altavista... results totally irrelevant. (Seems that it is run by the
Internic whois people these days. ;)

Infoseek... hmmm, ip masquerade...

Lycos... got it! First entry, too:

http://minnie.cs.adfa.oz.au/Seminars/AUUG96/netpaper.html

Off-hand I wonder if in-kernel logging might undo measures like SYN-flood
proofing, etc., and introduce DoS possibilities.

BTW, read today that CMU is being awarded a patent for Lycos-related
technology.
--
Ng Pheng Siong

From owner-freebsd-security Fri Sep 5 23:55:17 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA28380 for security-outgoing; Fri, 5 Sep 1997 23:55:17 -0700 (PDT)
Received: from apocalypse.saturn.net (user9482@apocalypse.saturn.net [208.192.215.27]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA28373 for ; Fri, 5 Sep 1997 23:55:12 -0700 (PDT)
Received: from localhost (brian@localhost) by apocalypse.saturn.net (8.8.5/8.8.5) with SMTP id CAA00174; Sat, 6 Sep 1997 02:53:27 -0400 (EDT)
Date: Sat, 6 Sep 1997 02:53:25 -0400 (EDT)
From: Brian Mitchell
To: freebsd-security@freebsd.org
cc: bugtraq@netspace.org
Subject: procfs take II
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

There is a slight procfs hole that could allow an intruder to lower the
securelevel. init's memory is not protected, so you can overwrite
data/instructions in init and possibly lower the securelevel (although
panicking the system is much more likely).
Enclosed is a vulnerability checker:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

int
main(void)
{
	int tqbf = 31337;	/* arbitrary value to write */
	int fd;
	int g0nz0;		/* write() result; -1 (EPERM) when the node is protected */

	if (getuid()) {
		fprintf(stderr, "this attack needs root\n");
		exit(1);
	}
	/* open init's memory image through procfs */
	fd = open("/proc/1/mem", O_RDWR);
	if (fd < 0) {
		fprintf(stderr, "open of /proc/1/mem failed\n");
		exit(2);
	}
	/* a write that succeeds means init's memory can be altered from userland */
	lseek(fd, 0x1000, SEEK_SET);
	g0nz0 = write(fd, &tqbf, sizeof(int));
	close(fd);
	if (g0nz0 >= 0)
		fprintf(stderr, "procfs is vulnerable!\n");
	else
		fprintf(stderr, "procfs is not vulnerable!\n");
	printf("returned %d\n", g0nz0);
	return 0;
}

Here is a simple patch, it disallows writes to pid 1's mem node if
securelevel is > 0 (diff is based on 2.2.1 box with the securelevel fix
applied):

*** procfs_mem.c	Sat Sep 6 02:36:39 1997
--- procfs_mem.c.new	Sat Sep 6 02:38:25 1997
***************
*** 316,321 ****
--- 316,325 ----
  	    !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
  	      uio->uio_rw == UIO_READ))
  		return EPERM;
+
+ 	/* writing to init memory while securelevel > 0 is bad */
+ 	if(uio->uio_rw == UIO_WRITE && p->p_pid == 1 && securelevel > 0)
+ 		return EPERM;
  	error = procfs_rwmem(p, uio);

Brian Mitchell                              brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more."
                      - Theo de Raadt (OpenBSD President)

From owner-freebsd-security Sat Sep 6 10:50:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA24630 for security-outgoing; Sat, 6 Sep 1997 10:50:06 -0700 (PDT)
Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA24625 for ; Sat, 6 Sep 1997 10:50:02 -0700 (PDT)
Received: (from sef@localhost) by kithrup.com (8.8.5/8.6.6) id KAA25203; Sat, 6 Sep 1997 10:49:05 -0700 (PDT)
Date: Sat, 6 Sep 1997 10:49:05 -0700 (PDT)
From: Sean Eric Fagan
Message-Id: <199709061749.KAA25203@kithrup.com>
To: brian@firehouse.net
Subject: Re: procfs take II
Newsgroups: kithrup.freebsd.security
In-Reply-To:
Organization: Kithrup Enterprises, Ltd.
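Review bot: the new `p->p_pid == 1 && securelevel > 0` test guards each individual transfer, sitting just before `error = procfs_rwmem(p, uio);`, so at securelevel > 0 the checker's `open("/proc/1/mem", O_RDWR)` still succeeds and only the later `write()` comes back EPERM; making the decision where the node is opened would mean no writable descriptor to init's memory is ever handed out, and the open itself would fail. The pid 1 literal also confines the protection to exactly one process; a per-process attribute tested on that same line would give the general rule the comment is reaching for. Minor: the surrounding lines write `if (` with a space, and the comment should state why the write is refused (init's image has to stay intact for securelevel to hold) rather than that it "is bad".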
Cc: security@freebsd.org
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article you write:
>Here is a simple patch, it disallows writes to pid 1's mem node if
>securelevel is > 0 (diff is based on 2.2.1 box with the securelevel fix
>applied):

Insufficient -- PTRACE_ATTACH allows the same hole.

Also, the only place that kind of change really needs to go is in
procfs_open(), when the file is originally opened. If securelevel > 0, then
init should be read-only (or not even readable at all). A more general way
of doing this should be provided, I think, rather than special-casing pid 1.

Sean.

From owner-freebsd-security Sat Sep 6 20:08:30 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA22087 for security-outgoing; Sat, 6 Sep 1997 20:08:30 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.45]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA22076 for ; Sat, 6 Sep 1997 20:08:25 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id XAA16505; Sat, 6 Sep 1997 23:08:04 -0400 (EDT)
Date: Sat, 6 Sep 1997 23:08:02 -0400 (EDT)
From: Brian Mitchell
To: Sean Eric Fagan
cc: security@freebsd.org
Subject: Re: procfs take II
In-Reply-To: <199709061749.KAA25203@kithrup.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 6 Sep 1997, Sean Eric Fagan wrote:

> In article you write:
> >Here is a simple patch, it disallows writes to pid 1's mem node if
> >securelevel is > 0 (diff is based on 2.2.1 box with the securelevel fix
> >applied):
>
> Insufficient -- PTRACE_ATTACH allows the same hole.

ptrace_attach was fixed in 2.2.2

>
> Also, the only place that kind of change really needs to go is in
> procfs_open(), when the file is originally opened. If securelevel > 0, then
> init should be read-only (or not even readable at all). A more general way
> of doing this should be provided, I think, rather than special-casing pid 1.
>
> Sean.
>

I agree, but the ptrace_attach was fixed with this same sorta thing.