From owner-freebsd-security Sun Nov 8 01:38:13 1998
From: Christoph Kukulies
Date: Sun, 8 Nov 1998 10:38:06 +0100 (MET)
To: freebsd-security@FreeBSD.ORG
Subject: port 1080 scans
Message-Id: <199811080938.KAA06024@gilberto.physik.RWTH-Aachen.DE>

In our campus network we are increasingly observing port scan attacks
from outer sites on port 1080 (socks).

Does anyone know of any recent security hole related to this service
on any platform (possibly Linux - but I want to be prepared wrt FreeBSD).

--
Chris Christoph P. U. Kukulies
kuku@gil.physik.rwth-aachen.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 8 02:22:52 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
Date: Sun, 8 Nov 1998 23:22:17 +1300 (NZDT)
To: Christoph Kukulies
cc: freebsd-security@FreeBSD.ORG
Subject: Re: port 1080 scans
In-Reply-To: <199811080938.KAA06024@gilberto.physik.RWTH-Aachen.DE>

On Sun, 8 Nov 1998, Christoph Kukulies wrote:

> In our campus network we are increasingly observing port
> scan attacks from outer sites on port 1080 (socks).
>
> Does anyone know of any recent security hole related to this service
> on any platform (possibly Linux - but I want to be prepared wrt FreeBSD).

I've noticed a spate of these lately also.

If a socks service is accessible from the outside internet then that is
itself a security issue. It's useful to anyone who wants to bounce through
your machine on the way to hacking something else. When that gets traced
you get some administrator giving you urgent calls to try to find out
where the connection is coming from.

Make sure the socks service is blocked and logged at the firewall (if you
run it) and then if you've got the time, contact the administrators
upstream (probably owners of misused socks services).

Andrew McNaughton

From owner-freebsd-security Sun Nov 8 02:46:51 1998
From: "Gary Palmer"
Date: Sun, 08 Nov 1998 05:46:14 -0500
To: Christoph Kukulies
cc: freebsd-security@FreeBSD.ORG
Subject: Re: port 1080 scans
In-reply-to: Your message of "Sun, 08 Nov 1998 10:38:06 +0100." <199811080938.KAA06024@gilberto.physik.RWTH-Aachen.DE>
Message-ID: <10076.910521974@gjp.erols.com>

Christoph Kukulies wrote in message ID
<199811080938.KAA06024@gilberto.physik.RWTH-Aachen.DE>:

> In our campus network we are increasingly observing port
> scan attacks from outer sites on port 1080 (socks).

My bet is that they are not looking for security holes, but rather open
socks `relays' to be used like open WinGates and mask the packet trails.

I had socks5 on my machine at home for less than 24 hours before someone
tried to use it to gain access to an IRC server, making it look like my
machine was the packet source.

Gary
--
Gary Palmer                                   FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sun Nov 8 12:11:20 1998
From: Security
Date: Sun, 8 Nov 1998 15:10:58 -0500 (EST)
To: freebsd-security@FreeBSD.ORG
Subject: Re: port 1080 scans
In-Reply-To: <199811080938.KAA06024@gilberto.physik.RWTH-Aachen.DE>

I've noticed our socks5 dumping core quite often. It's stopped now, but
about a week ago it was acting up.

On Sun, 8 Nov 1998, Christoph Kukulies wrote:

> In our campus network we are increasingly observing port
> scan attacks from outer sites on port 1080 (socks).
>
> Does anyone know of any recent security hole related to this service
> on any platform (possibly Linux - but I want to be prepared wrt FreeBSD).
>
> --
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Sun Nov 8 13:21:59 1998
From: Warner Losh
Date: Sun, 08 Nov 1998 14:21:16 -0700
To: Security
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: port 1080 scans
In-reply-to: Your message of "Sun, 08 Nov 1998 15:10:58 EST."
Message-Id: <199811082121.OAA20841@harmony.village.org>

In message Security writes:
: I've noticed our socks5 dumping core quite often. It's stopped now, but
: about a week ago it was acting up.

The socks folks fixed a security hole (usual buffer overrun) in socks5
1.0r5 or so. I'd upgrade to the latest socks if you haven't already.
The latest FreeBSD port of socks5 has this fix in it.

The core dumps may indicate that you are under attack and the attacker
are Script

From: Narvi
Date: Mon, 9 Nov 1998 08:58:45 +0200 (EET)
To: Security
cc: freebsd-security@FreeBSD.ORG
Subject: Re: port 1080 scans

On Sun, 8 Nov 1998, Security wrote:

> I've noticed our socks5 dumping core quite often. It's stopped now, but
> about a week ago it was acting up.
>

Port 1080 scans are very often just that - people looking for a
misconfigured Socks server that allows them free access.

> On Sun, 8 Nov 1998, Christoph Kukulies wrote:
>
> > In our campus network we are increasingly observing port
> > scan attacks from outer sites on port 1080 (socks).
> >
> > Does anyone know of any recent security hole related to this service
> > on any platform (possibly Linux - but I want to be prepared wrt FreeBSD).
> >
> > --
> > Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.
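Andrew's advice above is to block and log port 1080 at the firewall and then go to the upstream administrators with what the log shows. As an added example that is not from any poster in this thread, here is a small C parser for ipfw(8) "log" lines that counts inbound SOCKS-port hits and lists the distinct probing sources; the log lines are constructed, and the record layout it assumes is `ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>`.

```c
/* Added example (not from the list thread): parse ipfw(8) log records as
 * written to syslog, count inbound hits on TCP port 1080 (SOCKS) and
 * collect the distinct sources, the kind of summary a campus admin would
 * pull from /var/log/security before contacting upstream administrators.
 * The sample lines below are constructed, not taken from any real host. */
#include <stdio.h>
#include <string.h>

#define SOCKS_PORT 1080
#define ADDR_LEN   64

typedef struct {
    int  rule;
    char action[16];
    char proto[16];
    char src[ADDR_LEN];
    int  sport;
    char dst[ADDR_LEN];
    int  dport;
    char dir[8];
    char iface[16];
} ipfw_rec;

/* Parse one syslog line carrying an ipfw record.  Returns 1 on success, 0 if
 * the line is not an ipfw record or does not match the assumed layout:
 *   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface> */
int parse_ipfw_line(const char *line, ipfw_rec *r)
{
    const char *p = strstr(line, "ipfw: ");
    if (p == NULL)
        return 0;
    p += strlen("ipfw: ");
    int n = sscanf(p, "%d %15s %15s %63[^:]:%d %63[^:]:%d %7s via %15s",
                   &r->rule, r->action, r->proto, r->src, &r->sport,
                   r->dst, &r->dport, r->dir, r->iface);
    return n == 9;
}

/* Count inbound TCP connections to port 1080 and record each distinct
 * source address (up to max_sources).  Returns the number of matching
 * records; *nsources receives the number of distinct sources seen. */
size_t count_socks_probes(const char *const *lines, size_t nlines,
                          char sources[][ADDR_LEN], size_t max_sources,
                          size_t *nsources)
{
    size_t hits = 0;
    *nsources = 0;
    for (size_t i = 0; i < nlines; i++) {
        ipfw_rec r;
        if (!parse_ipfw_line(lines[i], &r))
            continue;
        /* Only inbound traffic to the SOCKS port is a probe; outbound
         * SOCKS use by our own hosts and other ports are ignored. */
        if (strcmp(r.proto, "TCP") != 0 || r.dport != SOCKS_PORT ||
            strcmp(r.dir, "in") != 0)
            continue;
        hits++;
        size_t k;
        for (k = 0; k < *nsources; k++)
            if (strcmp(sources[k], r.src) == 0)
                break;
        if (k == *nsources && *nsources < max_sources) {
            strncpy(sources[*nsources], r.src, ADDR_LEN - 1);
            sources[*nsources][ADDR_LEN - 1] = '\0';
            (*nsources)++;
        }
    }
    return hits;
}

/* Constructed sample of what a rule like "ipfw add deny log tcp from any
 * to any 1080 in" would produce.  Addresses are RFC 5737 documentation
 * ranges, not real hosts. */
static const char *const sample_log[] = {
    "Nov  8 01:38:13 gw /kernel: ipfw: 100 Deny TCP 192.0.2.7:4433 198.51.100.2:1080 in via fxp0",
    "Nov  8 01:38:14 gw /kernel: ipfw: 100 Deny TCP 192.0.2.7:4434 198.51.100.3:1080 in via fxp0",
    "Nov  8 01:40:02 gw /kernel: ipfw: 100 Deny TCP 203.0.113.9:1025 198.51.100.2:1080 in via fxp0",
    "Nov  8 01:41:55 gw /kernel: ipfw: 200 Accept TCP 198.51.100.5:2201 192.0.2.30:1080 out via fxp0",
    "Nov  8 01:42:10 gw /kernel: ipfw: 300 Deny TCP 203.0.113.9:1026 198.51.100.2:25 in via fxp0",
    "Nov  8 01:42:11 gw sshd[1234]: Accepted password for chris from 198.51.100.20",
};
#define SAMPLE_LINES (sizeof sample_log / sizeof sample_log[0])

/* Run the counter over the constructed sample. */
size_t socks_probes_in_sample(size_t *nsources)
{
    char sources[16][ADDR_LEN];
    return count_socks_probes(sample_log, SAMPLE_LINES, sources, 16, nsources);
}

int main(void)
{
    size_t nsources;
    size_t hits = socks_probes_in_sample(&nsources);
    printf("%zu inbound port-1080 hits from %zu distinct sources\n",
           hits, nsources);
    return 0;
}
```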
From owner-freebsd-security Mon Nov 9 00:30:35 1998
From: Rainer Stegers
Date: Mon, 09 Nov 1998 09:30:05 +0000
To: freebsd-security@FreeBSD.ORG
Message-id: <46A58CE2152@bth.rwth-aachen.de>

subscribe

---------------------------------------------------------------
RWTH Aachen - Hochschulbibliothek
ADV - Abteilung
Tel: 0241/80-4450   Fax: 0241/8888273
mailto:stegers@bth.rwth-aachen.de
----------------------------------------------------------------

From owner-freebsd-security Mon Nov 9 02:43:07 1998
From: Teleinformática
Reply-To: agora@uol.com.br
Organization: ÁGORA C.T.V.M. S/A
Date: Mon, 09 Nov 1998 08:35:05 -0200
To: "H. Eckert"
CC: FreeBSD Security, agora@uol.com.br
Subject: Re: [Fwd: CERT Vendor-Initiated Bulletin VB-98.13 - Cisco_IOS_DFS]
Message-ID: <3646C558.8CB9FC6F@agoractvm.com.br>
References: <3642D460.9205ECA2@agoractvm.com.br> <19981106230929.A20604@nostromo.in-berlin.de>

It's about security in internet systems, so... it's relevant for us...

"H. Eckert" wrote:

> Quoting Teleinformática (agora@uol.com.br):
> > These vulnerabilities apply only to the Cisco 7xxx router family. The Cisco
> > 7xxx family are large, rack-mounted backbone routers used primarily by
> > Internet service providers and in large enterprise networks.
>
> Is there any direct relevance to FreeBSD as an operating system ?
> I don't think so, so this does *not* belong on freebsd-security.
>
> Greetings,
> Ripley
> --
> H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
> ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
> "(Technobabble)" (Jetrel) - "Do we really have to listen to this
> nonsense?" (Neelix)

--
Regards,
Nelson 'Stderr' Brito
Finger Print: A2E0 D90E 413A 515A 10C9 C0CE 4855 D523
E-mail: nelson@cyberspace.org
URL: http://www.angelfire.com/sd/stderr
Public key: See the URL

From owner-freebsd-security Mon Nov 9 03:36:09 1998
From: Nicholas Charles Brawn
Date: Mon, 9 Nov 1998 22:35:22 +1100 (EST)
To: Teleinformática
cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: CERT Vendor-Initiated Bulletin VB-98.13 - Cisco_IOS_DFS]
In-Reply-To: <3646C558.8CB9FC6F@agoractvm.com.br>

On Mon, 9 Nov 1998, Teleinformática wrote:

: It's about security in internet systems, so... it's relevant for
: us...
:
: "H. Eckert" wrote:

The charter for freebsd-security is (afaik), strictly pertaining to
vulnerabilities that affect the FreeBSD platform. There are other forums
for discussing problems such as the one described in the cert advisory.
Examples include bugtraq, firewalls, firewall-wizards, etc.

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A

From owner-freebsd-security Mon Nov 9 05:06:54 1998
From: Cy Schubert - ITSD Open Systems Group
Date: Sun, 08 Nov 1998 20:39:59 -0800
To: Brett Glass
cc: tarkhil@synchroline.ru, mwlucas@exceptionet.com, freebsd-security@FreeBSD.ORG
Subject: Re: *huge* setuid diffs
In-reply-to: Your message of "Fri, 06 Nov 1998 09:21:03 MST." <4.1.19981106091836.04eb61b0@127.0.0.1>
Message-Id: <199811090440.UAA15806@cwsys.cwsent.com>

In message <4.1.19981106091836.04eb61b0@127.0.0.1>, Brett Glass writes:
> This might be a breakin, but it also might be due to the VM
> bug that changes file mod dates. (We went to red alert
> over that one before we found out about it.)
>
> This bug shouldn't be allowed to persist, as it causes problems
> with tripwire, etc. I understand that this has been fixed in 3.0.
>
> --Brett
>
> At 05:19 PM 11/6/98 +0300, Alexander B. Povolotsky wrote:
> >
> > <199811061258.HAA22049@easeway.com>mwlucas@exceptionet.com writes:
> >>I just got /etc/security mail from two 2.2.6 servers I administer. The
> >>setuid diffs list every setuid program on the server as having been removed
> >>and replaced.
> >>
> >>We haven't done a make world. We haven't touched much of anything.
> >>
> >>Is this normal, or should I be worried?
> >*IMMEDIATELY* shut down both servers and do not bring them to the Internet until
> >you've found the reason.
> >
> >It is *QUITE* abnormal. I would not call it "exploit", but it is something to
> >understand at once.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet: cschuber@uumail.gov.bc.ca
ITSD                                     Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Tue Nov 10 04:32:46 1998
From: Open Systems Networking
Date: Tue, 10 Nov 1998 07:32:28 -0500 (EST)
To: freebsd-security@FreeBSD.ORG
Subject: chflags on log files question

Ok I setup a firewall box running with secure level 3.
And added the following flags to /var/log files, uappnd and sappnd.
This should allow syslog to continue to write to the files correct?

For instance:

-rw-r--r--  1 root  bin  uappnd,sappnd  6581 Nov  3 01:15 sec-log

Is where my sshd connections are logged, although why it hasn't logged
any since the 3rd I'm still working on. But the flags should still allow
syslog to write to them correct?

Chris

--
"You both seem to be ignoring the fact that the networking market is
driven by so-called 'IT professionals' these days, most of whom can't
tell the difference between an ARP and a carp." --Wes Peters

===================================| Open Systems FreeBSD Consulting.
FreeBSD 3.0 is available now!      | Phone: (402)573-9124 / ICQ # 20016186
-----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting, Network Engineering, Security
===================================| http://open-systems.net

From owner-freebsd-security Tue Nov 10 05:44:30 1998
From: Keith Stevenson
Date: Tue, 10 Nov 1998 08:44:11 -0500
To: freebsd-security@FreeBSD.ORG
Subject: Re: chflags on log files question
Message-ID: <19981110084411.B13216@homer.louisville.edu>
In-Reply-To: from Open Systems Networking on Tue, Nov 10, 1998 at 07:32:28AM -0500

On Tue, Nov 10, 1998 at 07:32:28AM -0500, Open Systems Networking wrote:
>
> Ok I setup a firewall box running with secure level 3.
> And added the following flags to /var/log files, uappnd and sappnd.
> This should allow syslog to continue to write to the files correct?
>
> For instance:
>
> -rw-r--r--  1 root  bin  uappnd,sappnd  6581 Nov  3 01:15 sec-log
>
> Is where my sshd connections are logged, although why it hasn't logged
> any since the 3rd I'm still working on. But the flags should still allow
> syslog to write to them correct?

I'm not sure that both flags are necessary. It is my understanding that
the uappnd flag makes the file append only for non-root users (root can
still manipulate the file), while the sappnd flag stops even root from
doing anything other than appends.

I'm running at securelevel=2 on several of my servers. I've flagged
several log files (lastlog, messages, wtmp) as schg. With the exception
of lastlog, all of these files appear to be updated correctly.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint =  4B 29 A8 95 A8 82 EA A2  29 CE 68 DE FC EE B6 A0

From owner-freebsd-security Tue Nov 10 05:54:40 1998
From: Willow
Date: Tue, 10 Nov 1998 08:53:17 -0500 (EST)
To: Teleinformática
cc: "H. Eckert", FreeBSD Security
Subject: Re: [Fwd: CERT Vendor-Initiated Bulletin VB-98.13 - Cisco_IOS_DFS]
In-Reply-To: <3646C558.8CB9FC6F@agoractvm.com.br>

Wrong, it has nothing to do with security on/with FreeBSD, therefore it
doesn't belong on this list. There are *hundreds* of security related
lists dedicated to specific topics. Cisco for example has one such list.
I would imagine that a lot of people here also subscribe to CERT and the
other security lists so reposting it here is a waste of bandwidth.

-- willow@tds.edu --

On Mon, 9 Nov 1998, Teleinformática wrote:

> It's about security in internet systems, so... it's relevant for
> us...
>
> "H. Eckert" wrote:
>
> > Quoting Teleinformática (agora@uol.com.br):
> > > These vulnerabilities apply only to the Cisco 7xxx router family. The Cisco
> > > 7xxx family are large, rack-mounted backbone routers used primarily by
> > > Internet service providers and in large enterprise networks.
> >
> > Is there any direct relevance to FreeBSD as an operating system ?
> > I don't think so, so this does *not* belong on freebsd-security.
> >
> > Greetings,
> > Ripley

From owner-freebsd-security Tue Nov 10 06:11:07 1998
From: Barrett Richardson
Date: Tue, 10 Nov 1998 09:09:16 -0500 (EST)
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: chflags on log files question

Maybe syslog is opening the file read/write and then positioning
the file pointer at the end. That will fail when the uappnd flag is
set (it must be opened for append).

- Barrett

On Tue, 10 Nov 1998, Open Systems Networking wrote:

>
> Ok I setup a firewall box running with secure level 3.
> And added the following flags to /var/log files, uappnd and sappnd.
> This should allow syslog to continue to write to the files correct?
>
> For instance:
>
> -rw-r--r--  1 root  bin  uappnd,sappnd  6581 Nov  3 01:15 sec-log
>
> Is where my sshd connections are logged, although why it hasn't logged
> any since the 3rd I'm still working on. But the flags should still allow
> syslog to write to them correct?
>
> Chris

From owner-freebsd-security Tue Nov 10 07:09:06 1998
From: Open Systems Networking
Date: Tue, 10 Nov 1998 09:21:02 -0500 (EST)
To: Barrett Richardson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: chflags on log files question

On Tue, 10 Nov 1998, Barrett Richardson wrote:

>
> Maybe syslog is opening the file read/write and then positioning
> the file pointer at the end. That will fail when the uappnd flag is
> set (it must be opened for append).

Hadn't thought about it. But I just installed the flags yesterday. And
the file has not been written to since the 3rd. So I have some other
problem I need to figure out. But I'm glad you mentioned it. It says
uappnd is the user append flag. Since the file is owned by root syslog
should be able to write to it.
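Barrett's point about the open mode, as an added example that is not code from the thread or from syslogd: a C routine that writes a log line either with O_WRONLY|O_APPEND or with O_RDWR plus lseek(SEEK_END) and returns the errno; on a file carrying uappnd or sappnd (chattr +a on Linux) only the first style gets through, for root just as for any other user. The scratch path and the function names are my own.

```c
/* Added example, not from the list thread: the open(2) mode decides whether
 * a logger keeps working once its file is flagged append-only (chflags
 * uappnd or sappnd on FreeBSD, chattr +a on Linux).  The kernel applies the
 * APPEND restriction to every uid, root included: a write-mode open
 * without O_APPEND fails with EPERM, while O_WRONLY|O_APPEND succeeds and
 * every write lands at the end of the file.  uappnd is the user-settable
 * flag (the owner can clear it); sappnd can only be cleared at securelevel
 * 0 or lower, which is why it is the one that matters at securelevel 3. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum open_style {
    OPEN_APPEND,    /* O_WRONLY|O_APPEND: the only style that survives the flag */
    OPEN_RDWR_SEEK  /* O_RDWR then lseek(SEEK_END): the pattern Barrett suspects */
};

/* Write one line to path using the requested open style.  Returns 0 on
 * success, otherwise the errno of the failing call; on an append-only file
 * OPEN_RDWR_SEEK fails at open() with EPERM before any data is written. */
int write_log_line(const char *path, const char *line, enum open_style style)
{
    int fd = (style == OPEN_APPEND)
        ? open(path, O_WRONLY | O_APPEND | O_CREAT, 0644)
        : open(path, O_RDWR | O_CREAT, 0644);
    if (fd < 0)
        return errno;

    if (style == OPEN_RDWR_SEEK && lseek(fd, 0, SEEK_END) < 0) {
        int e = errno;
        close(fd);
        return e;
    }

    size_t len = strlen(line);
    ssize_t n = write(fd, line, len);
    int err = (n < 0) ? errno : (n != (ssize_t)len ? EIO : 0);
    close(fd);
    return err;
}

/* Size of the file in bytes, or -1 on error (used to confirm the appends). */
long log_file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Try both styles against path and report each outcome.  Returns how many
 * styles succeeded: 2 on a plain file, 1 once the file is append-only. */
int probe_log_file(const char *path)
{
    int ok = 0;
    int e1 = write_log_line(path, "append-mode write\n", OPEN_APPEND);
    int e2 = write_log_line(path, "rdwr+seek write\n", OPEN_RDWR_SEEK);
    printf("O_WRONLY|O_APPEND : %s\n", e1 ? strerror(e1) : "ok");
    printf("O_RDWR + lseek    : %s\n", e2 ? strerror(e2) : "ok");
    if (e1 == 0) ok++;
    if (e2 == 0) ok++;
    return ok;
}

int main(int argc, char **argv)
{
    /* Scratch path is an assumption; on FreeBSD run it once, then again
     * after "chflags uappnd <file>" to watch the second style fail. */
    const char *path = argc > 1 ? argv[1] : "/tmp/seclog-demo.log";
    int ok = probe_log_file(path);
    printf("%d of 2 open styles could write to %s (%ld bytes now)\n",
           ok, path, log_file_size(path));
    return 0;
}
```

On a plain file both styles report ok; after chflags uappnd the second reports EPERM, which is exactly what a logger that does not open with O_APPEND would hit.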
Hmm Chris -- "You both seem to be ignoring the fact that the networking market is driven by so-called 'IT professionals' these days, most of whom can't tell the difference between an ARP and a carp." --Wes Peters ===================================| Open Systems FreeBSD Consulting. FreeBSD 3.0 is available now! | Phone: (402)573-9124 / ICQ # 20016186 -----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134 FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting, Network Engineering, Security ===================================| http://open-systems.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 10 07:15:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA04011 for freebsd-security-outgoing; Tue, 10 Nov 1998 07:15:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from pn.wagsky.com (wagsky.vip.best.com [206.86.71.127]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA04004 for ; Tue, 10 Nov 1998 07:15:03 -0800 (PST) (envelope-from Jeff@Wagsky.com) Received: from [192.168.6.3] (mac.pn.wagsky.com [192.168.6.3]) by pn.wagsky.com (8.8.8/8.8.8) with ESMTP id HAA11451; Tue, 10 Nov 1998 07:12:30 -0800 (PST) (envelope-from Jeff@Wagsky.com) X-Sender: mailman@mail.pn.wagsky.com Message-Id: In-Reply-To: <199811070924.UAA01040@mail.aussie.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 10 Nov 1998 07:04:26 -0800 To: "Hallam Oaks" From: Jeff Kletsky Subject: Re: hmmmm ... Doubleclick Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I visited a site which had a doubleclick ad on it, >[...] two seperate IP addresses had attempted to make TCP >connections to port 53 (DNS) of the machine that hosts my proxy. That IP >address does NOT host any DNS server. 
[...]
>Now, I'm not suggesting that doubleclick are doing anything they shouldn't
>here, but I'm still curious as to why they would attempt to make a TCP
>connection to a non-existent DNS server, based purely on the IP address of
>someone who's viewed one of their ads (it was at the Dilbert zone BTW).

Yes, they will verbally acknowledge this if you call them. They don't give a good reason, but I believe it is to build their database of demographics so that they can justify charges for their ad placements. I don't believe that it matters *which* Doubleclick-related site you visit.

Yet another reason to disable zone transfers either/both with a firewall and your DNS configuration files (c.f. secure_zone)...

Jeff

From owner-freebsd-security Tue Nov 10 10:18:26 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA26029 for freebsd-security-outgoing; Tue, 10 Nov 1998 10:18:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26021 for ; Tue, 10 Nov 1998 10:18:25 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id KAA28248; Tue, 10 Nov 1998 10:16:24 -0800 (PST)
Message-ID: <19981110101623.A27769@best.com>
Date: Tue, 10 Nov 1998 10:16:23 -0800
From: "Jan B.
Koum " To: Keith Stevenson , freebsd-security@FreeBSD.ORG Subject: Re: chflags on log files question References: <19981110084411.B13216@homer.louisville.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <19981110084411.B13216@homer.louisville.edu>; from Keith Stevenson on Tue, Nov 10, 1998 at 08:44:11AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Nov 10, 1998 at 08:44:11AM -0500, Keith Stevenson wrote: > On Tue, Nov 10, 1998 at 07:32:28AM -0500, Open Systems Networking wrote: > > > > Ok I setup a firewall box running with secure level 3. > > And added the following flags to /var/log files, uappnd and sappnd. > > This should allow syslog to continue to write to the files correct? > > > > For instance: > > > > -rw-r--r-- 1 root bin uappnd,sappnd 6581 Nov 3 01:15 sec-log > > > > Is where my sshd connections are logged, although why it hasn't logged > > any since the 3rd im still working on. But the flags should still allow > > syslog to write to them correct? > > I'm not sure that both flags are necessary. It is my understanding that the > uappnd flag makes the file append only for non-root users (root can still > manipulate the file), while the sappnd flag stops even root from doing anything > other than appends. > > I'm running at securelevel=2 on several of my servers. I've flagged several > log files (lastlog, messages, wtmp) as schg. With the exception of lastlog, > all of these files appear to be updated correctly. > With securelevel of 3 one can not change ipfw rules. 
Which is why that is a better level for firewall than 2 :)

-- Yan

From owner-freebsd-security Tue Nov 10 15:24:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA04099 for freebsd-security-outgoing; Tue, 10 Nov 1998 15:24:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from enya.hilink.com.au (enya.hilink.com.au [203.8.14.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA03972; Tue, 10 Nov 1998 15:23:18 -0800 (PST) (envelope-from danny@enya.hilink.com.au)
Received: from localhost (danny@localhost) by enya.hilink.com.au (8.8.8/8.8.7) with SMTP id KAA14999; Wed, 11 Nov 1998 10:22:24 +1100 (EST) (envelope-from danny@enya.hilink.com.au)
Date: Wed, 11 Nov 1998 10:22:23 +1100 (EST)
From: "Daniel O'Callaghan"
To: Juergen Nickelsen
cc: Chad Thunberg , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: firewall + internal mail server
In-Reply-To: <362F773A.AB9F196B@tellique.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Oct 1998, Juergen Nickelsen wrote:
> the external mail server, but it only forwards the mail to the
> internal mail server.(*) The firewall also acts as FTP and WWW server,
> but since the mail resides only for seconds on it, the risk is
> minimized.
>
> As we are just a few people here yet, this is bearable, but for a
> long-term solution I'll have to work out a sendmail configuration
> where the mail exchanger for the domain delivers the mail to a
> non-MX. I am sure there is a simple way, but I don't know it yet.

In this situation I use the TryNullMXList option, and declare domain.com with the IP of the internal mail server, while the external mail server has the highest priority MX.
TryNullMXList means "if I am the best MX for this domain, but don't handle the domain myself, try the domain as a host, rather than generating local config error". Works a treat! Danny To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 11 06:26:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA19408 for freebsd-security-outgoing; Wed, 11 Nov 1998 06:26:45 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA19402 for ; Wed, 11 Nov 1998 06:26:41 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA25145; Wed, 11 Nov 1998 09:26:00 -0500 (EST) Date: Wed, 11 Nov 1998 09:25:59 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Keith Stevenson cc: freebsd-security@FreeBSD.ORG Subject: Re: chflags on log files question In-Reply-To: <19981110084411.B13216@homer.louisville.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 10 Nov 1998, Keith Stevenson wrote: > I'm not sure that both flags are necessary. It is my understanding that the > uappnd flag makes the file append only for non-root users (root can still > manipulate the file), while the sappnd flag stops even root from doing anything > other than appends. sappnd alone should be sufficient, assuming the directory hierarchy is protected adequately. Needless to say, newsyslog should be disabled if you are taking this approach. Or at least, run only at boot, etc. > I'm running at securelevel=2 on several of my servers. 
I've flagged several > log files (lastlog, messages, wtmp) as schg. With the exception of lastlog, > all of these files appear to be updated correctly. lastlog is not maintained by syslog, rather, by login and friends. From a brief perusal of login.c, we note that: if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) { (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); In other words, this is not a sequential log file, but an array with one entry per active user indicating when/where/etc they last logged in from. BTW, this is a good reason to keep /var/log on a partition that supports sparse files, and then to be very careful with the lastlog file (don't tar it :) in the event that you actually use large uid's, as you risk filling in all those empty blocks in between. Fortunately, it looks like if the file doesn't exist, it isn't created, meaning that you can just delete it if you don't care about finger displaying the information, and login displaying it at login. I have not reviewed related code in rshd/sshd that bypass login. Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. 
http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/

From owner-freebsd-security Wed Nov 11 10:23:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA16287 for freebsd-security-outgoing; Wed, 11 Nov 1998 10:23:34 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from uucp.intac.com (uucp.intac.com [198.6.114.27]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA16280 for ; Wed, 11 Nov 1998 10:23:29 -0800 (PST) (envelope-from oortiz@LCSI.COM)
From: oortiz@LCSI.COM
Received: (uucp@localhost) by uucp.intac.com (8.9.1/8.9.1 dman) with UUCP id MAA03296 for freebsd-security@FreeBSD.Org; Wed, 11 Nov 1998 12:55:48 -0500 (EST)
Received: from Connect2 Message Router by lcsi.LCSI.COM via Connect2-UUCP v1.00.34; Wed, 11 Nov 98 12:42:41 -0500
Message-Id: <3286493681000000@LCSI.COM>
Date: Wed, 11 Nov 98 12:33:03 -0500
Organization: LCS Industries
To: freebsd-security@FreeBSD.ORG
Subject: Intruder Lockout
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7BIT
X-Mailer: Connect2-UUCP v1.00.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there any way to have an Intruder Lockout in FreeBSD? Like if someone is trying to hack into my system with a certain user account, and if after 3 to 5 attempts of typing in the wrong password, will the system lock out the account instead of letting him try again like Netware does?

Many Thanks...
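An added example for the chflags thread above, written for this page rather than taken from the list, from syslogd or from login.c. It reproduces the two open(2) patterns the thread contrasts: the O_RDWR-plus-lseek slot write that login does for lastlog, and the O_WRONLY|O_APPEND write that a log file flagged sappnd or uappnd requires. It shows that with O_APPEND a preceding lseek is ignored, and that a large uid turns lastlog into a sparse file, which is Robert's point about not tarring it. The flag itself is not set here (that needs root and a FreeBSD kernel); `open_allowed_on_append_only` is my model of the rule the flag imposes and is an assumption, as are the struct lastlog layout and the constructed log lines.

```python
import os
import struct
import tempfile

# Constructed stand-in for login.c's struct lastlog (time, line, host). The
# field sizes are an assumption made for this example; FreeBSD's real
# struct lastlog is laid out differently, but the indexing rule is the same.
LASTLOG_FMT = "<I8s16s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 28 bytes per uid slot

# Constructed log lines, not taken from any real system.
LINE1 = "Nov 11 09:25:59 fw sshd[123]: connect from 10.0.0.5\n"
LINE2 = "Nov 11 09:26:10 fw sshd[124]: connect from 10.0.0.9\n"


def write_lastlog_entry(path, uid, when, line, host):
    """The pattern quoted from login.c: open O_RDWR, lseek to
    uid * sizeof(ll), overwrite that slot in place. This is exactly the
    open mode an append-only flag forbids. Returns the offset written."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        rec = struct.pack(LASTLOG_FMT, when, line.encode()[:8], host.encode()[:16])
        off = os.lseek(fd, uid * LASTLOG_SIZE, os.SEEK_SET)
        os.write(fd, rec)
        return off
    finally:
        os.close(fd)


def append_log_line(path, text):
    """The open mode a sappnd/uappnd file does accept: write-only plus
    O_APPEND. The lseek to 0 is deliberate and has no effect, because with
    O_APPEND the kernel moves the offset to end-of-file before every write.
    Returns the offset the line actually landed at."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o644)
    try:
        os.lseek(fd, 0, os.SEEK_SET)
        data = text.encode()
        os.write(fd, data)
        return os.lseek(fd, 0, os.SEEK_CUR) - len(data)
    finally:
        os.close(fd)


def open_allowed_on_append_only(flags):
    """Model (an assumption, see lead-in) of what an append-only flag lets
    open(2) do: read-only opens pass; a write open must carry O_APPEND and
    must not truncate."""
    wants_write = (flags & os.O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)
    if not wants_write:
        return True
    return bool(flags & os.O_APPEND) and not (flags & os.O_TRUNC)


def sparse_stats(path):
    """Logical size versus bytes actually allocated. A large uid leaves a
    hole that tar, cp or a filesystem without sparse files would fill."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def demo():
    with tempfile.TemporaryDirectory() as d:
        lastlog = os.path.join(d, "lastlog")
        seclog = os.path.join(d, "sec-log")
        off_small = write_lastlog_entry(lastlog, 5, 910000000, "ttyp0", "10.0.0.5")
        off_large = write_lastlog_entry(lastlog, 100000, 910000001, "ttyp1", "10.0.0.9")
        size, allocated = sparse_stats(lastlog)
        first = append_log_line(seclog, LINE1)
        second = append_log_line(seclog, LINE2)
        return {
            "lastlog_offsets": (off_small, off_large),
            "lastlog_size": size,
            "lastlog_allocated": allocated,
            "seclog_offsets": (first, second),
            # syslogd opening O_WRONLY|O_APPEND: fine on a sappnd file
            "syslog_append_ok": open_allowed_on_append_only(os.O_WRONLY | os.O_APPEND),
            # Barrett's hypothesis: open O_RDWR, then seek to the end: refused
            "rdwr_ok": open_allowed_on_append_only(os.O_RDWR),
            # truncating the file, as a log rotator might, is refused even with O_APPEND
            "append_trunc_ok": open_allowed_on_append_only(os.O_WRONLY | os.O_APPEND | os.O_TRUNC),
            # readers (finger, last) are unaffected
            "rdonly_ok": open_allowed_on_append_only(os.O_RDONLY),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lastlog file written for uid 100000 reports a logical size of 2.8 MB while `lastlog_allocated` stays at a few kilobytes on a filesystem with sparse-file support; the second sec-log line lands at the length of the first despite the seek to 0, which is the behaviour a file flagged sappnd relies on.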
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 11 12:30:20 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA29330 for freebsd-security-outgoing; Wed, 11 Nov 1998 12:30:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA29322 for ; Wed, 11 Nov 1998 12:30:14 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id PAA01198; Wed, 11 Nov 1998 15:29:35 -0500 (EST) Date: Wed, 11 Nov 1998 15:29:35 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: oortiz@LCSI.COM cc: freebsd-security@FreeBSD.ORG Subject: Re: Intruder Lockout In-Reply-To: <3286493681000000@LCSI.COM> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have always found the lockout behavior of some operating systems a little upsetting; the opportunity for denying service is quite large, especially to the administrator. On the other hand, the excluding the administrator from lockout behavior of NT doesn't seem desirable quite right either :). Besides which, suppose someone enters the wrong password in the POP or IMAP mail reader -- it may retry the connection several times (if set to check mail often) before the user notices, and lockout can occur quickly in that kind of situation. Probably the best solution is to enforce better passwords, or use of PK-based authentication. Or one-time passwords. On Wed, 11 Nov 1998 oortiz@LCSI.COM wrote: > > Is there anyway to have an Intruder Lockout in FreeBSD? 
Like if > someone is trying to hack into my system with a certain user account, > and if after 3 to 5 attempts of typing in the wrong password, will the > system lock out the account instead of letting him try again like > Netware does? > > Many Thanks... > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 11 16:51:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA29258 for freebsd-security-outgoing; Wed, 11 Nov 1998 16:51:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA29246 for ; Wed, 11 Nov 1998 16:51:37 -0800 (PST) (envelope-from wes@softweyr.com) Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id QAA27009; Wed, 11 Nov 1998 16:50:37 -0800 (PST) Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id QAA07086; Wed, 11 Nov 1998 16:50:37 -0800 Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id RAA27057; Wed, 11 Nov 1998 17:50:36 -0700 Message-ID: <364A30DC.5D8FAF26@softweyr.com> Date: Wed, 11 Nov 1998 17:50:36 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: oortiz@LCSI.COM CC: freebsd-security@FreeBSD.ORG Subject: Re: Intruder Lockout References: <3286493681000000@LCSI.COM> Content-Type: text/plain; charset=us-ascii 
Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org oortiz@LCSI.COM wrote: > > > Is there anyway to have an Intruder Lockout in FreeBSD? Like if > someone is trying to hack into my system with a certain user account, > and if after 3 to 5 attempts of typing in the wrong password, will the > system lock out the account instead of letting him try again like > Netware does? > I wrote one once upon a time, for a company who shall remain nameless. They had no intention of selling it for FreeBSD, but I developed it there and then ported it to SunOS, Solaris, Ultrix, HP/UX, AIX, etc. I could easily do it for FreeBSD again. I'd be glad to take a contract to develop such a module and donate it to the FreeBSD Project. How much money do you have? ;^) -- Where am I, and what am I doing in this handbasket? Wes Peters +1.801.915.2061 Softweyr LLC wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 12 16:06:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA16638 for freebsd-security-outgoing; Thu, 12 Nov 1998 16:06:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA16592 for ; Thu, 12 Nov 1998 16:05:54 -0800 (PST) (envelope-from spork@super-g.com) Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id TAA29493 for ; Thu, 12 Nov 1998 19:01:25 -0500 (EST) Date: Thu, 12 Nov 1998 19:01:24 -0500 (EST) From: spork X-Sender: spork@super-g.inch.com To: freebsd-security@FreeBSD.ORG Subject: securelib Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I was looking around today to try and find 
something like TCP_Wrappers for UDP and I stumbled upon "securelib". This was written for SunOS back in '92, and it's a replacement for libc that includes Wrapper-like access controls for anything linked against it. Cool stuff. Does anything like this exist for FBSD? Thanks, Charles --- Charles Sprickman spork@super-g.com --- "...there's no idea that's so good you can't ruin it with a few well-placed idiots." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 12 18:56:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA08488 for freebsd-security-outgoing; Thu, 12 Nov 1998 18:56:13 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA08481 for ; Thu, 12 Nov 1998 18:56:11 -0800 (PST) (envelope-from dhagan@cowpie.acm.vt.edu) Received: (from dhagan@localhost) by cowpie.acm.vt.edu (8.8.8/8.8.8) id VAA23300 for security@FreeBSD.ORG; Thu, 12 Nov 1998 21:54:59 -0500 (EST) (envelope-from dhagan) Date: Thu, 12 Nov 1998 21:54:57 -0500 (EST) From: Daniel Hagan To: security@FreeBSD.ORG Subject: Re: security-digest V4 #181 In-Reply-To: <199811130006.QAA16645@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 12 Nov 1998, security-digest wrote: > From: Robert Watson > Subject: Re: Intruder Lockout [snip] > right either :). Besides which, suppose someone enters the wrong password > in the POP or IMAP mail reader -- it may retry the connection several > times (if set to check mail often) before the user notices, and lockout > can occur quickly in that kind of situation. [snip] Having been suckered into part-time WinNT administration, I can confirm this. 
We have users who print through our servers from Win95 boxes. When they put the wrong password in (to access the domain resources), the Win95 boxes bang on the domain until the account gets locked out and I have to clear it. What a pain in the butt. Daniel -- Daniel Hagan http://www.acm.vt.edu/~dhagan/ Head Admin dhagan@acm.vt.edu PGP 2.6.2 encouraged ACM at VT "The world is coming to an end. Please log off." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 12 21:34:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA24374 for freebsd-security-outgoing; Thu, 12 Nov 1998 21:34:40 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from galois.boolean.net (galois.boolean.net [209.133.111.74]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA24369 for ; Thu, 12 Nov 1998 21:34:39 -0800 (PST) (envelope-from Kurt@OpenLDAP.Org) Received: from gypsy (galois.boolean.net [209.133.111.74]) by galois.boolean.net (8.8.8/8.8.8) with SMTP id FAA25216; Fri, 13 Nov 1998 05:43:52 GMT (envelope-from Kurt@OpenLDAP.Org) Message-Id: <3.0.5.32.19981112214317.00a03840@localhost> X-Sender: guru@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 12 Nov 1998 21:43:17 -0800 To: spork From: "Kurt D. Zeilenga" Subject: Re: securelib Cc: freebsd-security@FreeBSD.ORG In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 07:01 PM 11/12/98 -0500, spork wrote: >Hi, > >I was looking around today to try and find something like TCP_Wrappers for >UDP and I stumbled upon "securelib". This was written for SunOS back in >'92, and it's a replacement for libc that includes Wrapper-like access >controls for anything linked against it. Cool stuff. > >Does anything like this exist for FBSD? tcp_wrappers' -lwrap? 
Its API is independent of transport protocol and only requires adding a small tidbit of code.

Kurt

From owner-freebsd-security Fri Nov 13 06:54:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA15114 for freebsd-security-outgoing; Fri, 13 Nov 1998 06:54:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA15109 for ; Fri, 13 Nov 1998 06:54:16 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.9.1/8.8.8) id GAA20045; Fri, 13 Nov 1998 06:53:25 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda20043; Fri Nov 13 06:53:16 1998
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.1/8.9.1) id GAA23842; Fri, 13 Nov 1998 06:53:15 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdN23840; Fri Nov 13 06:52:56 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.1/8.9.1) id GAA15069; Fri, 13 Nov 1998 06:52:53 -0800 (PST)
Message-Id: <199811131452.GAA15069@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdd15065; Fri Nov 13 06:52:43 1998
X-Mailer: exmh version 2.0.2 2/24/98
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Robert Watson
cc: oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-reply-to: Your message of "Wed, 11 Nov 1998 15:29:35 EST."
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 13 Nov 1998 06:52:40 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Robert Watson writes: > > I have always found the lockout behavior of some operating systems a > little upsetting; the opportunity for denying service is quite large, > especially to the administrator. On the other hand, the excluding the > administrator from lockout behavior of NT doesn't seem desirable quite > right either :). Besides which, suppose someone enters the wrong password > in the POP or IMAP mail reader -- it may retry the connection several > times (if set to check mail often) before the user notices, and lockout > can occur quickly in that kind of situation. > > Probably the best solution is to enforce better passwords, or use of > PK-based authentication. Or one-time passwords. How about Kerberos? FreeBSD comes with Kerberos IV and there is a Kerberos V port in the ports collection. 
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Fri Nov 13 08:36:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA28879 for freebsd-security-outgoing; Fri, 13 Nov 1998 08:36:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA28658 for ; Fri, 13 Nov 1998 08:35:52 -0800 (PST) (envelope-from ark@eltex.ru)
From: ark@eltex.ru
Received: from eltex.ru (eltex-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id TAA04176; Fri, 13 Nov 1998 19:34:03 +0300 (MSK)
Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id TAA00239; Fri, 13 Nov 1998 19:33:56 +0300 (MSK)
Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Fri, 13 Nov 1998 19:33:28 +0300
Received: from undisclosed-intranet-sender id xma008006; Fri, 13 Nov 98 19:33:07 +0300
Date: Fri, 13 Nov 1998 19:38:08 +0300
Message-Id: <199811131638.TAA14441@paranoid.eltex.spb.ru>
In-Reply-To: <199811131452.GAA15069@cwsys.cwsent.com> from "Cy Schubert - ITSD Open Systems Group "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Intruder Lockout
To: cschuber@uumail.gov.bc.ca
Cc: robert+freebsd@cyrus.watson.org, oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Kerberos is a big problem itself: you have to kerberize _everything_, which is even harder than SSLeay'ing it..
Cy Schubert - ITSD Open Systems Group said : > > in the POP or IMAP mail reader -- it may retry the connection several > > times (if set to check mail often) before the user notices, and lockout > > can occur quickly in that kind of situation. > > > > Probably the best solution is to enforce better passwords, or use of > > PK-based authentication. Or one-time passwords. > > How about Kerberos? FreeBSD comes with Kerberos IV and there is a > Kerberos V port in the ports collection. > with "unsubscribe freebsd-security" in the body of the message > _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNkxgbKH/mIJW9LeBAQGk1wP/TcSWp7VSm3uMKVjEYBbZANB53vPveEPZ tKqa8nKmrAM4HwV5oOjg22yGSrZuv3ZIF+T+eEu+/ASEy0qRtvKs23WDEycXokOA 76HUvZGwf8zhSWTLia9+1JRlYyKKfZKJ5exY8HN6ldOJyjIBCsWWFISl2a8zAMhL 8IE1bJsVEUA= =VoKE -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 13 09:40:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA06678 for freebsd-security-outgoing; Fri, 13 Nov 1998 09:40:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA06670 for ; Fri, 13 Nov 1998 09:40:07 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id MAA15280; Fri, 13 Nov 1998 12:39:18 -0500 (EST) Date: Fri, 13 Nov 1998 12:39:18 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Cy Schubert - ITSD Open Systems Group cc: 
oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To: <199811131452.GAA15069@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 13 Nov 1998, Cy Schubert - ITSD Open Systems Group wrote:

> > I have always found the lockout behavior of some operating systems a
> > little upsetting; the opportunity for denying service is quite large,
> > especially to the administrator. On the other hand, excluding the
> > administrator from NT's lockout behavior doesn't seem quite
> > right either :). Besides which, suppose someone enters the wrong password
> > in the POP or IMAP mail reader -- it may retry the connection several
> > times (if set to check mail often) before the user notices, and lockout
> > can occur quickly in that kind of situation.
> >
> > Probably the best solution is to enforce better passwords, or use of
> > PK-based authentication. Or one-time passwords.
>
> How about Kerberos? FreeBSD comes with Kerberos IV and there is a
> Kerberos V port in the ports collection.

I suppose an alternative to account lockout is to have an authentication
scheme where keyspace search is infeasible :). I'm not so impressed with
Kerberos since the DES key cracker was announced :). However, it's
certainly better than nothing. I use Kerberos on my machines for this
reason, and it certainly makes administration easier. Coda also supports
Kerberos (with my patches, available for download from
andrew2.andrew.cmu.edu/dist). I've been thinking of patching the
KerberosIV distribution with FreeBSD to use Blowfish from SSLeay instead
of DES for local use -- it would screw interoperability, but would be a
lot more secure, I suspect. And Kerberos is the preferred authentication
method for CMU's Cyrus mail server (which I use for my mail server).

I don't think Kerberos really addresses the lockout issue, as most people
just use it as a centralized key management tool (which is what it was
designed to be, really :). Any attempt to search passwords by repeated
login attempts would still work, although there is now a centralized
server where this could be monitored and possibly restricted (i.e., if
there are lots and lots of failed ticket requests, you could limit the
rate at the Kerberos server). Because users of Kerberos use their
password as the key to retrieve authenticators/tickets, it is as weak
(for each principal) as the password used as the key.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Fri Nov 13 10:00:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA09136 for freebsd-security-outgoing; Fri, 13 Nov 1998 10:00:06 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA09063 for ; Fri, 13 Nov 1998 09:59:58 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id MAA22375; Fri, 13 Nov 1998 12:59:20 -0500 (EST) (envelope-from wollman)
Date: Fri, 13 Nov 1998 12:59:20 -0500 (EST)
From: Garrett Wollman
Message-Id: <199811131759.MAA22375@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: Cy Schubert - ITSD Open Systems Group , oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To:
References: <199811131452.GAA15069@cwsys.cwsent.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> designed to be, really :). Any attempt to search passwords by repeated
> login attempts would still work, although there is now a centralized

Not in Kerberos v5. Krb5 supports pre-authentication for TGT
requests, such that in order to get a TGT you must already prove
cryptographically that you know the password. That and replay
protection are the two principal advances of v5 over v4. (Oh, it also
allows parametric selection of crypto algorithms.)

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Nov 13 10:23:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA11682 for freebsd-security-outgoing; Fri, 13 Nov 1998 10:23:33 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA11671 for ; Fri, 13 Nov 1998 10:23:29 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id NAA15547; Fri, 13 Nov 1998 13:22:48 -0500 (EST)
Date: Fri, 13 Nov 1998 13:22:47 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Garrett Wollman
cc: Cy Schubert - ITSD Open Systems Group , oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To: <199811131759.MAA22375@khavrinen.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 13 Nov 1998, Garrett Wollman wrote:

> < said:
>
> > designed to be, really :). Any attempt to search passwords by repeated
> > login attempts would still work, although there is now a centralized
>
> Not in Kerberos v5. Krb5 supports pre-authentication for TGT
> requests, such that in order to get a TGT you must already prove
> cryptographically that you know the password. That and replay
> protection are the two principal advances of v5 over v4. (Oh, it also
> allows parametric selection of crypto algorithms.)

I am referring to situations where users attempt to log in without using
an authenticator -- that is, they telnet to a machine or sit at the
console, etc., and attempt to provide a username and password. Because
this is supported in most Kerberos environments (as opposed to requiring
all connections to use kerberized stuff), a key search is still feasible
pretty much as it is without Kerberos. So a lockout would still be useful
to prevent a large volume of attempts against a particular principal's
key. And it could be coordinated at the KDC instead of at the individual
host level. On the other hand, in your average Kerberos environment,
there are some keys that are used a whole lot just by virtue of their
nature (such as the imap key for your imap server :).

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Fri Nov 13 12:36:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA25650 for freebsd-security-outgoing; Fri, 13 Nov 1998 12:36:14 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from charon.npc.net (charon.finall.com [199.15.61.3] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA25645 for ; Fri, 13 Nov 1998 12:36:11 -0800 (PST) (envelope-from mjung@npc.net)
Received: from exchange.finall.com (exchange-gw.finall.com [10.0.158.37]) by charon.npc.net (8.9.1/8.8.8) with SMTP id PAA26696 for ; Fri, 13 Nov 1998 15:35:45 -0500 (EST) (envelope-from mjung@npc.net)
Received: by exchange.finall.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.996.62) id <01BE0F1A.520813E0@exchange.finall.com>; Fri, 13 Nov 1998 15:28:53 -0500
Message-ID:
From: "Jung, Michael"
To: "'Daniel Hagan'" , "'security@FreeBSD.ORG'"
Subject: RE: security-digest V4 #181
Date: Fri, 13 Nov 1998 15:28:52 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.996.62
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In NT you can control Account Lockout policies by user account. If you
don't desire this behavior just change the policies.

--mikej
Michael Jung
mjung@Npc.net

>-----Original Message-----
>From: Daniel Hagan [SMTP:dhagan@acm.vt.edu]
>Sent: Thursday, November 12, 1998 9:55 PM
>To: security@FreeBSD.ORG
>Subject: Re: security-digest V4 #181
>
>On Thu, 12 Nov 1998, security-digest wrote:
>
>> From: Robert Watson
>> Subject: Re: Intruder Lockout
>
>[snip]
>> right either :). Besides which, suppose someone enters the wrong password
>> in the POP or IMAP mail reader -- it may retry the connection several
>> times (if set to check mail often) before the user notices, and lockout
>> can occur quickly in that kind of situation.
>[snip]
>
>Having been suckered into part-time WinNT administration, I can confirm
>this. We have users who print through our servers from Win95 boxes. When
>they put the wrong password in (to access the domain resources), the Win95
>boxes bang on the domain until the account gets locked out and I have to
>clear it. What a pain in the butt.
>
>Daniel
>
>--
>Daniel Hagan          http://www.acm.vt.edu/~dhagan/      Head Admin
>dhagan@acm.vt.edu     PGP 2.6.2 encouraged                ACM at VT
>  "The world is coming to an end. Please log off."

From owner-freebsd-security Fri Nov 13 12:51:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA27436 for freebsd-security-outgoing; Fri, 13 Nov 1998 12:51:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA27426 for ; Fri, 13 Nov 1998 12:51:13 -0800 (PST) (envelope-from mark@grondar.za)
Received: from greenpeace.grondar.za (IDENT:aIIJEKMpe5EHoo/MJFNJXh5PsWF4Z3rK@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id WAA04262; Fri, 13 Nov 1998 22:50:44 +0200 (SAST) (envelope-from mark@grondar.za)
Received: from grondar.za (IDENT:SyGwh5q4MeDwdZ86+4BfliqQLyO+3c9N@localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.1/8.9.1) with ESMTP id WAA29529; Fri, 13 Nov 1998 22:50:39 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199811132050.WAA29529@greenpeace.grondar.za>
To: ark@eltex.ru
cc: cschuber@uumail.gov.bc.ca, robert+freebsd@cyrus.watson.org, oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To: Your message of " Fri, 13 Nov 1998 19:38:08 +0300." <199811131638.TAA14441@paranoid.eltex.spb.ru>
References: <199811131638.TAA14441@paranoid.eltex.spb.ru>
Date: Fri, 13 Nov 1998 22:50:38 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Kerberos is a big problem itself: you have to kerberize _everything_
> that is even harder than SSLeay'ing it..

Ahah!

PAM is in the wings. PAM is not much of a problem. In the beginning,
maybe a PITA, but once it's done, your security strategy is kinda
easy ;-).

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Fri Nov 13 13:00:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA28729 for freebsd-security-outgoing; Fri, 13 Nov 1998 13:00:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA28692 for ; Fri, 13 Nov 1998 12:59:56 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id PAA16832; Fri, 13 Nov 1998 15:58:07 -0500 (EST)
Date: Fri, 13 Nov 1998 15:58:07 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Mark Murray
cc: ark@eltex.ru, cschuber@uumail.gov.bc.ca, oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To: <199811132050.WAA29529@greenpeace.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 13 Nov 1998, Mark Murray wrote:

> > Kerberos is a big problem itself: you have to kerberize _everything_
> > that is even harder than SSLeay'ing it..
>
> Ahah!
>
> PAM is in the wings. PAM is not much of a problem. In the beginning,
> maybe a PITA, but once it's done, your security strategy is kinda
> easy ;-).

Mark,

My understanding has always been that PAM is only good for talking to
humans, and cannot be used to make things like kerberized ftp or
kerberized imap any easier to write. That is, that it essentially
performs a set of challenges/responses intended for humans and is not
easily adaptable for server-server communication or unattended
communication in secure protocols. Is this interpretation correct? (Not
having it under BSD, I haven't had much opportunity to use it).

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Fri Nov 13 13:08:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA00234 for freebsd-security-outgoing; Fri, 13 Nov 1998 13:08:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA29927 for ; Fri, 13 Nov 1998 13:07:43 -0800 (PST) (envelope-from mark@grondar.za)
Received: from greenpeace.grondar.za (IDENT:jM9HGutvSM4jH3r+Qs95DNj0pEBGBMFU@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id XAA04299; Fri, 13 Nov 1998 23:07:08 +0200 (SAST) (envelope-from mark@grondar.za)
Received: from grondar.za (IDENT:3I1b5GkeNP1KYklE+JE5EfRsq4FMBmKr@localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.1/8.9.1) with ESMTP id XAA12704; Fri, 13 Nov 1998 23:07:07 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199811132107.XAA12704@greenpeace.grondar.za>
To: Robert Watson
cc: ark@eltex.ru, cschuber@uumail.gov.bc.ca, oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To: Your message of " Fri, 13 Nov 1998 15:58:07 EST."
References:
Date: Fri, 13 Nov 1998 23:07:05 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson wrote:

> My understanding has always been that PAM is only good for talking to
> humans, and cannot be used to make things like kerberized ftp or
> kerberized imap any easier to write. That is, that it essentially
> performs a set of challenges/responses intended for humans and is not
> easily adaptable for server-server communication or unattended
> communication in secure protocols. Is this interpretation correct? (Not
> having it under BSD, I haven't had much opportunity to use it).

That depends on the implementor. If the implementor is a twit, then sure,
that is the case. If the implementor does it properly, and for PAM, this
needs to be done properly _once_, then there should be no hassle. PAM is
generalised, so the implementor needs to think about security in the
general case; that makes life easier. If the implementor is an idiot,
(s)he can screw it up royally, but a programmer worth his/her salt should
manage without too much of a problem.
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Fri Nov 13 13:29:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA03084 for freebsd-security-outgoing; Fri, 13 Nov 1998 13:29:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA03077 for ; Fri, 13 Nov 1998 13:29:44 -0800 (PST) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id QAA08200; Fri, 13 Nov 1998 16:24:35 -0500 (EST)
Date: Fri, 13 Nov 1998 16:24:34 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: "Kurt D. Zeilenga"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelib
In-Reply-To: <3.0.5.32.19981112214317.00a03840@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 12 Nov 1998, Kurt D. Zeilenga wrote:

(how to wrap udp question deleted)

> tcp_wrappers' -lwrap? Its API is independent of transport protocol
> and only requires adding a small tidbit of code.

For those that don't code, how much of a snippet? I found that Wietse's
portmap does compile OK, but what about the rest of the NFS suite? I have
a second, closed network for NFS, but portmap, mountd, and nfsd want to
bind to every available address, so I figure the next best thing to do is
at least limit connections to the one machine I need to talk to... I've
tried IPFW, but yech, it's nearly impossible to block all that RPC stuff
properly.

What are other folks doing in this situation? With NICs so cheap these
days, building a separate 100MB net for NFS is a nice solution, I'd just
like to do it safely...

Thanks,

Charles

> Kurt
>

From owner-freebsd-security Fri Nov 13 14:20:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10979 for freebsd-security-outgoing; Fri, 13 Nov 1998 14:20:32 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phobos.muc.de (phobos.muc.de [193.174.4.45]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10940 for ; Fri, 13 Nov 1998 14:20:14 -0800 (PST) (envelope-from ras@phobos.muc.de)
Received: (from ras@localhost) by phobos.muc.de (8.8.8/8.8.8) id XAA15293; Fri, 13 Nov 1998 23:16:09 +0100 (MET) (envelope-from ras)
Date: Fri, 13 Nov 1998 23:16:08 +0100 (MET)
From: Rudolf Schreiner
To: freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 13 Nov 1998, Robert Watson wrote:

> I suppose an alternative to account lockout is to have an authentication
> scheme where keyspace search is infeasible :). I'm not so impressed with
> Kerberos since the DES key cracker was announced :).

tethys% SU ./ktutil list
Version  Type  Principal
      1  des   host/tethys.technosec.com@TECHNOSEC.COM
      1  des3  host/tethys.technosec.com@TECHNOSEC.COM
[...]

Heimdal supports Triple DES and works fine on FreeBSD. It's from Sweden,
so there are no problems with US export laws.

Another very interesting security mechanism is Sesame. The Sesame source
distribution is *(&^#$*&^ and it contains very weak crypto (French
laws...). I made a quick'n dirty port to FreeBSD. Basically it works, but
it still contains many memory leaks. Fixing these problems would be no
big problem, but the Sesame license is very strict. We could just use it
"for experiments"... :-(

Rudi

From owner-freebsd-security Sat Nov 14 06:35:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA17672 for freebsd-security-outgoing; Sat, 14 Nov 1998 06:35:23 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from baerenklau.de.freebsd.org (baerenklau.de.freebsd.org [195.185.195.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA17667 for ; Sat, 14 Nov 1998 06:35:20 -0800 (PST) (envelope-from wosch@panke.de.freebsd.org)
Received: (from uucp@localhost) by baerenklau.de.freebsd.org (8.8.8/8.8.8) with UUCP id PAA02815 for security@freebsd.org; Sat, 14 Nov 1998 15:34:59 +0100 (CET) (envelope-from wosch@panke.de.freebsd.org)
Received: (from wosch@localhost) by campa.panke.de.freebsd.org (8.8.8/8.8.8) id PAA27009 for security@freebsd.org; Sat, 14 Nov 1998 15:33:32 +0100 (MET) (envelope-from wosch)
Message-ID: <19981114153330.C26891@panke.de.freebsd.org>
Date: Sat, 14 Nov 1998 15:33:30 +0100
From: Wolfram Schneider
To: security@FreeBSD.ORG
Subject: [jreavis@aistrat.com: Link to SecurityPortal.com]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Forwarded message from Jim Reavis -----

From: Jim Reavis
To: "'webmaster@freebsd.org'"
Subject: Link to SecurityPortal.com
Date: Fri, 13 Nov 1998 17:36:28 -0800

If you have a place for Security Information Resources, I would like to
request a link to our site, SecurityPortal.com.

SecurityPortal.com is intended to be the comprehensive Web site for
Internet Security. It is dedicated to providing corporate security
professionals with the information and resources needed to protect their
networks. We summarize breaking security news and provide a jumping-off
point for Security Alerts, Products, Tools, Tips & Tricks and other
Resources. We update breaking security news several times a day, from
several sources, and we hope you will check back often to find out more
about the issues that concern you without being subscribed to a hundred
mailing lists.

The site will continually be revamped during Q4. The Security Portal is
adding some very exciting features, like a "security aware" Internet
search engine and online ordering of security products. We also value
your input on features you would like to see. Our formal launch of the
site is January 99.

I am happy to provide an "in kind" link at your request.

Best Regards,

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
Jreavis@aistrat.com
(360) 739-9629

----- End forwarded message -----
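Garrett Wollman's point earlier in this thread about Krb5 pre-authentication, and Robert Watson's that failed ticket requests can be counted and limited centrally at the KDC, as an added toy model in Python (my own code, not anything from the thread, from FreeBSD, or from any Kerberos implementation). PBKDF2 stands in for string2key and an HMAC over the timestamp stands in for the real PA-ENC-TIMESTAMP encryption; the realm, principal, threshold and clock values are constructed, and the last function shows the lockout side effect of a mail reader that keeps polling with a stale password, as described in the thread.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional

MAX_SKEW = 300      # seconds of tolerated clock skew, the usual Kerberos default
MAX_FAILURES = 5    # KDC-side lockout threshold (an assumption for this example)


def string2key(password: str, salt: str) -> bytes:
    """Derive a principal's long-term key from its password. PBKDF2 stands in
    for the Kerberos string2key function; what matters is that the key is a
    function of the password, so it is exactly as weak as that password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def enc_timestamp(key: bytes, ts: int) -> tuple:
    """Client-side stand-in for PA-ENC-TIMESTAMP: bind the current time to the
    password-derived key so the KDC can check that the requester knows the
    password before it hands out any ticket material (HMAC, not encryption)."""
    return ts, hmac.new(key, str(ts).encode(), "sha256").hexdigest()


class KDC:
    """Toy AS exchange with pre-authentication required for every principal."""

    def __init__(self, principals: dict):
        self.keys = {p: string2key(pw, p) for p, pw in principals.items()}
        self.failures = defaultdict(int)   # wrong-key attempts per principal
        self.seen = set()                  # accepted (principal, ts, tag): replay cache

    def as_req(self, principal: str, preauth=None, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if principal not in self.keys:
            return "UNKNOWN_PRINCIPAL"
        if self.failures[principal] >= MAX_FAILURES:
            return "LOCKED_OUT"            # decided centrally, not per host
        if preauth is None:
            # A v4-style KDC would answer with material encrypted under the
            # password key here; a v5 KDC requiring pre-auth refuses instead.
            return "PREAUTH_REQUIRED"
        ts, tag = preauth
        expected = hmac.new(self.keys[principal], str(ts).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, tag):
            self.failures[principal] += 1  # counts as one online password guess
            return "PREAUTH_FAILED"
        if abs(now - ts) > MAX_SKEW:
            return "CLOCK_SKEW"
        if (principal, ts, tag) in self.seen:
            return "REPLAY"                # same authenticator presented twice
        self.seen.add((principal, ts, tag))
        self.failures[principal] = 0
        return "TGT"


def misconfigured_mail_client(kdc: KDC, principal: str, stale_password: str,
                              polls: int, now: int) -> list:
    """A mail reader polling with a stale password: every poll is an honest
    failure, yet after MAX_FAILURES the KDC locks the principal out, which is
    the denial-of-service side effect the thread complains about."""
    key = string2key(stale_password, principal)
    return [kdc.as_req(principal, enc_timestamp(key, now + i), now + i)
            for i in range(polls)]
```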