From owner-freebsd-security Sun Mar 5 10:17:04 2000
Delivered-To: freebsd-security@freebsd.org
Received: from msk2.mail.ru (mx2.mail.ru [194.67.23.33]) by hub.freebsd.org (Postfix) with ESMTP id ADF3237BA67; Sun, 5 Mar 2000 10:16:56 -0800 (PST) (envelope-from rakukin@mail.ru)
Received: from f2.int ([10.0.0.49] helo=f2.mail.ru) by msk2.mail.ru with esmtp (Exim 3.02 #116) id 12Rfcw-000HXU-00; Sun, 05 Mar 2000 21:19:38 +0300
Received: from mail by f2.mail.ru with local (Exim 3.02 #108) id 12RfYo-000KAk-00; Sun, 05 Mar 2000 21:15:22 +0300
Received: from [194.85.224.35] by koi.mail.ru with HTTP; Sun, 05 Mar 2000 18:15:22 +0000 (GMT)
From: "A. Rakukin"
To: "Alexander Leidinger"
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re[4]: X authorization
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: 194.85.229.131 via proxy [194.85.224.35]
In-Reply-To: <200002261524.QAA02773@Magelan.Leidinger.net>
Reply-To: "A. Rakukin"
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Date: Sun, 05 Mar 2000 21:15:22 +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

Yes, $HOME is shared... I guessed that it is the reason after a while... :)
Thank you anyway!

Yours,
Alexey

-----Original Message-----
From: Alexander Leidinger
To: rakukin@mail.ru
Date: Sat, 26 Feb 2000 16:24:13 +0100 (CET)
Subject: Re: Re[2]: X authorization

> On 26 Feb, A. Rakukin wrote:
>
> [CC stripped]
>
> > sshd is not running on the host which has been accessed...
> > I am aware of the X-connections forwarding ability of ssh,
> > but it is not the case...
> > [...]
> > I know that xhost is insecure. But it worked earlier!
> > And now I have a situation as follows: I merely start X (via xdm) on host A,
> > no windows/commands there, then go to host B,
> > type `export DISPLAY=A:0; xterm' and see xterm window
> > opened on the display of A! Then test `xhost' on A and see no hosts allowed...
>
> Is your ${HOME} shared between those hosts?
>
> What does "xauth list" print (don't post it here, look at it carefully
> by yourself)?
>
> Bye,
> Alexander.
>
> --
> Sarcasm is just one of the many services we offer.
>
> http://www.Leidinger.net Alexander+Home @ Leidinger.net
> Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 5 13:24:43 2000
Message-ID: <38C2D154.C7E670B@cgf.net>
Date: Sun, 05 Mar 2000 13:27:49 -0800
From: tom brown
Organization: Badger Basters (We do it with Lard)
To: freebsd-security@freebsd.org
Subject: strange file !

Hi,

I'm busy trying to update my sources. I thought I'd blow away the broken
tree by deleting /usr/src.

I can't remove this one file

/usr/src/sys/i386

c---r-S--x 1 2633515 2895918 38, 0x00210020 Jan 28 1970 i386

Now although it might be unerasable for a reason, I expect to be able
to erase anything as root.

I'm probably trying to do something really stupid; it makes me a little
paranoid to say the least.

Any ideas?
Tom

From owner-freebsd-security Sun Mar 5 13:44:44 2000
Date: Sun, 5 Mar 2000 16:44:35 -0500 (EST)
To: tom brown
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: strange file !
In-Reply-To: <38C2D154.C7E670B@cgf.net>

On Sun, 5 Mar 2000, tom brown wrote:

> I can't remove this one file
> c---r-S--x 1 2633515 2895918 38, 0x00210020 Jan 28 1970 i386
>
> Now although it might be unerasable for a reason, I expect to be able
> to erase anything as root.

The only time root shouldn't be able to delete a file is if it's had chflags
with "schg" appended to it, meaning not even root can rm it. Do ls -lo on the
file in question; if it looks like this:

-r-xr-xr-x 1 root wheel schg 1257406 Feb 21 21:24 /kernel

notice the 4th field "schg": it can't be rm'ed. You must use chflags to
remove it: "chflags noschg filename". Then rm it.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================

From owner-freebsd-security Sun Mar 5 13:46:16 2000
Date: Sun, 5 Mar 2000 13:46:33 +0000 (GMT)
From: Bigby Findrake
To: tom brown
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: strange file !
In-Reply-To: <38C2D154.C7E670B@cgf.net>

On Sun, 5 Mar 2000, tom brown wrote:

> Hi,
>
> I'm busy trying to update my sources. I thought I'd blow away the broken
> tree by deleting /usr/src.
>
> I can't remove this one file
>
> /usr/src/sys/i386
>
> c---r-S--x 1 2633515 2895918 38, 0x00210020 Jan 28 1970 i386
>
> Now although it might be unerasable for a reason, I expect to be able
> to erase anything as root.
>
> I'm probably trying to do something really stupid; it makes me a little
> paranoid to say the least.
>
> Any ideas?

On 3 different FreeBSD systems that I checked out, that file is supposed to
be a directory. I would guess that some filesystem corruption has occurred.
I suggest that you take the system down to single user, unmount that
filesystem, fsck it, remount it after fsck is done, then try to use rm or
unlink to blast the file away.

BTW, this probably belongs more on FreeBSD-Questions than FreeBSD-Security.
/-------------------------------------------------------------------------/
Millions long for immortality who do not know what to do with themselves
on a rainy Sunday afternoon. -- Susan Ertz
finger bigby@ephemeron.org for my pgpkey or http://home.ephemeron.org/~bigby/pgp_key.txt
e-mail bigby@pager.ephemeron.org to page me
/-------------------------------------------------------------------------/

From owner-freebsd-security Sun Mar 5 22:25:34 2000
From: "Matthew McGehrin"
To: freebsd-security@freebsd.org
Date: Mon, 6 Mar 2000 01:25:21 -0500
Subject: (Fwd) Re: @Home Server Scanner?
Message-Id: <20000306062523.819FF10F51@mail.reverse.net>

On 2 Mar 00, at 7:39, Cy Schubert - ITSD Open Syste wrote:

> In message <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com>,
> "Crist J. Clark" writes:
> > I appear to be scanned regularly by an @Home host,
> >
> > Name: ops-scan.home.net
> > Address: 24.0.94.130
> with "unsubscribe freebsd-security" in the body of the message

So deny the host in the access rules, and you never need to worry about
@home looking for services ;)

------- End of forwarded message -------
end ###

From owner-freebsd-security Mon Mar 6 00:58:16 2000
From: Igor Roshchin
Message-Id: <200003060858.CAA07208@alecto.physics.uiuc.edu>
Subject: named started by any user will be running until killed...
To: security@freebsd.org
Date: Mon, 6 Mar 2000 02:58:06 -0600 (CST)

Hello!

I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
box started the named server (by mistake).
(Currently, this host is not running named.)
The server barked (to the syslog):

Feb 29 06:57:06 MYHOST named[22132]: limit files set to fdlimit (1024)
Feb 29 06:57:06 MYHOST named[22132]: db_load could not open: localhost.rev: No such file or directory
Feb 29 06:57:06 MYHOST named[22132]: ctl_server: bind: Permission denied
Feb 29 06:57:06 MYHOST named[22132]: couldn't create pid file '/var/run/named.pid'

but did not exit.
Instead, it continued with periodic messages like:

Feb 29 06:57:06 MYHOST named[22132]: bind(dfd=20, [XXX.XXX.XXX.1].53): Permission denied
Feb 29 06:57:06 MYHOST named[22132]: deleting interface [XXX.XXX.XXX.1].53
Feb 29 06:57:06 MYHOST named[22132]: bind(dfd=20, [XXX.XXX.XXX.2].53): Permission denied
Feb 29 06:57:06 MYHOST named[22132]: deleting interface [XXX.XXX.XXX.2].53
...

going over all IPs (I have several IP aliases on that host) associated with
the network interface. These messages were repeated in the syslog every hour
until the named was manually killed.

I am not sure if this created any problems for the system; at least, I didn't
see any obvious slowdown or resource exhaustion, but I would think there
should be a mechanism which would allow preventing such accidents.
Obviously, it can be done using "jail" and FreeBSD 4.x, but even in FBSD-3.x
there should be some way of preventing users from running system daemons.

I've been thinking about possible solutions:

1. To strip off the executable permissions for "others".
   Possible drawback: since named can be run as "bind" in a sandbox, this
   most likely will have side effects. (I didn't check it, but logically
   expect such a potential problem.)

2. Making the file owned by "bind" (or nobody in case of httpd), and then
   executable only by that user, does not sound like a wise idea to me
   (am I wrong?)

3. ?

Just recently I was thinking if there should be some general way of
restricting daemons being run by users (on any port). I would separate two
parts of this problem:

a) preventing a user from running it by accident (like in the recent
   example, when the user typed "named" by mistake)

b) preventing a user from running a daemon (e.g. one's own httpd on a
   different port) intentionally.
(Note that in principle, removing daemons or restricting access to them
should be combined with mounting users' home partition as non-executable, so
they cannot bring it from outside, but in my case users need to run some
scripts and small programs from their partitions.)

Maybe I missed some existing mechanism? I'd appreciate any pointers.

{\raw_stream_of_mind
Otherwise - how about some type of /etc/*.*rc file which will contain the
list of users who can run daemons, and would be checked by the kernel each
time a daemon program is started. Is there any criterion for the kernel to
decide what is a daemon and what is not? Listening on a port is not a
reliable sign of a daemon [accepting connections from outside], is it? Is
there any situation when a legitimate user's process would be listening on a
port? Is daemon() (daemon(3)) a reliable sign of a daemon? ...
}

Thanks,

Igor

From owner-freebsd-security Mon Mar 6 03:51:49 2000
From: Dirk.Nerling@pdv.de
Subject: FreeBSD 2.2.6 and CA-99-14 ???
Date: Mon, 6 Mar 2000 12:51:32 +0100
Message-ID: <6CC81B07CB44D311A1D20001FA7E9956115089@exchange.pdv.de>

Hello,

does any of you know something about the BIND problem mentioned in
CA-99-14 and FreeBSD 2.2.6? Are there any vulnerabilities?

best regards
Dirk
--
Dirk Nerling, PDV-Systeme Erfurt, Haarbergstr. 73, 99099 Erfurt,
phone: ++49-361-4407144
PGP Fingerprint: C559 FF0E BAD0 9E09 F720 20F3 683E 357F 69B5 CC83
http://www.pdv.de

From owner-freebsd-security Mon Mar 6 03:57:15 2000
Date: Mon, 6 Mar 2000 06:56:59 -0500
From: Matt Heckaman
To: Dirk.Nerling@pdv.de
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD 2.2.6 and CA-99-14 ???
In-Reply-To: <6CC81B07CB44D311A1D20001FA7E9956115089@exchange.pdv.de>

This is not OS specific, but purely bugs in the BIND software package,
numerous ones - mostly of a DoS nature; however, one is a root exploit.

I'm unaware as to the status of the 4.9.x tree of BIND; however, when it
comes to 8.x, I recommend upgrading ASAP to 8.2.2-P5.

Matt
--
Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me]
!Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail]

On Mon, 6 Mar 2000 Dirk.Nerling@pdv.de wrote:

: Date: Mon, 6 Mar 2000 06:51:32 -0500
: From: Dirk.Nerling@pdv.de
: To: freebsd-security@FreeBSD.ORG
: Subject: FreeBSD 2.2.6 and CA-99-14 ???
:
: Hello,
:
: does anybody of you know something about the BIND problem mentioned in
: CA-99-14 and FreeBSD 2.2.6? Are there any vulnerabilities?
: best regards Dirk
: --
: Dirk Nerling, PDV-Systeme Erfurt, Haarbergstr. 73, 99099 Erfurt, phone:
: ++49-361-4407144
: PGP Fingerprint: C559 FF0E BAD0 9E09 F720 20F3 683E 357F 69B5 CC83
: http://www.pdv.de

From owner-freebsd-security Mon Mar 6 04:16:18 2000
From: "Josef Pojsl"
Date: Mon, 6 Mar 2000 13:16:04 +0100
To: Dirk.Nerling@pdv.de
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD 2.2.6 and CA-99-14 ???
Message-ID: <20000306131604.B6735@regent.in.skynet.cz>
Mail-Followup-To: Dirk.Nerling@pdv.de, freebsd-security@FreeBSD.ORG
References: <6CC81B07CB44D311A1D20001FA7E9956115089@exchange.pdv.de>
In-Reply-To: <6CC81B07CB44D311A1D20001FA7E9956115089@exchange.pdv.de>; from Dirk.Nerling@pdv.de on Mon, Mar 06, 2000 at 12:51:32PM +0100

Dirk,

identify your version of BIND (e.g. by running named and looking in
/var/log/messages). Then look it up in the table at the end of
http://www.isc.org/products/BIND/bind-security-19991108.html

Regards,
Josef

On Mon, Mar 06, 2000 at 12:51:32PM +0100, Dirk.Nerling@pdv.de wrote:
> Hello,
>
> does anybody of you know something about the BIND problem mentioned in
> CA-99-14 and FreeBSD 2.2.6? Are there any vulnerabilities?
> best regards Dirk

From owner-freebsd-security Mon Mar 6 05:59:26 2000
Message-Id: <200003061357.FAA07010@cwsys.cwsent.com>
To: "Matthew McGehrin"
Cc: freebsd-security@FreeBSD.ORG, cy@cwsys.cwsent.com
Subject: Re: (Fwd) Re: @Home Server Scanner?
In-Reply-To: Message from "Matthew McGehrin" of "Mon, 06 Mar 2000 01:25:21 EST." <20000306062523.819FF10F51@mail.reverse.net>
Date: Mon, 06 Mar 2000 05:57:11 -0800
From: Cy Schubert

In message <20000306062523.819FF10F51@mail.reverse.net>, "Matthew McGehrin"
writes:
> On 2 Mar 00, at 7:39, Cy Schubert - ITSD Open Syste wrote:
>
> > In message <20000301113847.B37590@cc942873-a.ewndsr1.nj.home.com>,
> > "Crist J. Clark" writes:
> > > I appear to be scanned regularly by an @Home host,
> > >
> > > Name: ops-scan.home.net
> > > Address: 24.0.94.130
> > with "unsubscribe freebsd-security" in the body of the message
>
> So deny the host in the access rules, and you never need to worry
> about @home looking for services ;)

Well duh. Actually doing just that, blocking just their scans, might violate
your agreement with your cable company. I don't know about your agreement,
but mine specifically states that I cannot run any services. Failure to do
so would mean revocation of service. Since I have no need to offer any
services to the Internet, as I use my @home connection to VPN to work, I
block all incoming traffic, then use a couple of tools including Swatch 3,
which prints violations in various colours. ops-scan.home.net is not a
serious violator, so I print them out in blue; accidental violations, e.g.
from work via VPN, are in black or white depending on the terminal, or just
ignored; and violations I should concern myself with are in red. Messages in
my logs that I consider priority one are red reverse video -- very
noticeable.

Regards,                       Phone: (250)387-8437
Cy Schubert                    Fax:   (250)387-5766
Team Leader, Sun/DEC Team      Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
"COBOL IS A WASTE OF CARDS."

From owner-freebsd-security Mon Mar 6 08:06:56 2000
Date: Mon, 6 Mar 2000 18:06:34 +0200
From: Valentin Nechayev
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Subject: Re: named started by any user will be running until killed...
Message-ID: <20000306180634.A27970@lucky.net>
Reply-To: netch@segfault.kiev.ua
References: <200003060858.CAA07208@alecto.physics.uiuc.edu>
In-Reply-To: <200003060858.CAA07208@alecto.physics.uiuc.edu>; from igor@physics.uiuc.edu on Mon, Mar 06, 2000 at 02:58:06AM -0600

Hello Igor Roshchin!

Mon, Mar 06, 2000 at 02:58:06, igor wrote:

> I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
> box started the named server (by a mistake).
[skip]
> These messages were repeated in the syslog every hour until the named
> was manually killed.
> I am not sure if this created any problems for the system,
> at least, I didn't see any obvious slowdown, or resource exhaustion,
> but I would think there should be mechanism which would allow
> to prevent such accidents.
> Obviously, it can be done using "jail" and FreeBSD 4.x,
> but even in FBSD-3.x there should be some way preventing users
> from running system daemons.

There is nothing bad when a user can run bind. There is nothing bad when
this user can run bind on its own port according to limitations *and system
policy*. There is nothing bad when an ordinary user fails to use port 53.
The main (and IMHO single) *great* evil is that an ordinary user can
contaminate the system log with messages from their own program.

[skip]
> 2. Making the file owned by "bind" (or nobody in case of httpd),

The user can get the named program from another host. Will you set the
noexec flag on the partition with his (her) home?

> Just recently I was thinking if there should be some general
> way of restricting daemons being run by users (on any port).

A sufficient restriction is to deny port binding by such a user.

--
NVA

From owner-freebsd-security Mon Mar 6 10:15:32 2000
Date: Mon, 6 Mar 2000 13:15:06 -0500 (EST)
From: Alex Michlin
To: freebsd-security@FreeBSD.ORG
Subject: Host Secured Logon

Hey all!

Is there an easy way to secure shell accounts with the hostname of the user
(i.e., only someone from *.anyisp.com can log on to shell1, and *.myisp.com
can log on to any shell)?
Also, is there any good resource where I can find which settings do what in
/etc/login.conf?

Thanks.

Alex

From owner-freebsd-security Mon Mar 6 11:20:37 2000
Message-ID: <20000306202036.A24878@foobar.franken.de>
Date: Mon, 6 Mar 2000 20:20:36 +0100
From: Harold Gutch
To: Alex Michlin, freebsd-security@FreeBSD.ORG
Subject: Re: Host Secured Logon
In-Reply-To: ; from Alex Michlin on Mon, Mar 06, 2000 at 01:15:06PM -0500

On Mon, Mar 06, 2000 at 01:15:06PM -0500, Alex Michlin wrote:
> Hey all!
>
> Is there an easy way to secure shell accounts with the hostname of the
> user (ie, only someone from *.anyisp.com can logon to shell1, and
> *.myisp.com can logon to any shell)?

(I'm assuming "shell" and "shell1" are two different machines, not two
shells [as in tcsh, bash, ksh etc.].)

Hostnames are in the hands of the DNS administrator for this specific
network. I'd rather set up limits based on IP addresses. Both can be done
using TCP wrappers ("man 5 hosts_access") using /etc/hosts.allow and
/etc/hosts.deny.

You will only be able to tighten up your _own_ services like this; a user
will always be able to log in from a "trusted" host, install his own sshd on
an unprivileged port and then log in from anywhere to _his_ sshd.

> Also, is there any good resource where I can find which settings do what
> in the /etc/login.conf?

"man login.conf"?

bye,
Harold
--
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc

From owner-freebsd-security Mon Mar 6 13:14:27 2000
Date: Mon, 6 Mar 2000 13:14:19 -0800 (PST)
From: Doug Barton
To: Dirk.Nerling@pdv.de
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD 2.2.6 and CA-99-14 ???
In-Reply-To: <6CC81B07CB44D311A1D20001FA7E9956115089@exchange.pdv.de>

On Mon, 6 Mar 2000 Dirk.Nerling@pdv.de wrote:

> Hello,
>
> does anybody of you know something about the BIND problem mentioned in
> CA-99-14 and FreeBSD 2.2.6? Are there any vulnerabilities?
> best regards Dirk

FreeBSD 2.2.6 is old, has some bugs, and may present a security risk to
your site. BIND 4 is ancient, definitely has some bugs, and definitely DOES
present a security risk to your site. You should immediately make plans to
upgrade FreeBSD to 3.4-Release, which comes with BIND 8. You should probably
also upgrade to BIND 8.2.2p5 after you've gotten your new installation
squared away.

Good luck,

Doug
--
"Welcome to the desert of the real."
- Laurence Fishburne as Morpheus, "The Matrix"

From owner-freebsd-security Mon Mar 6 15:49:14 2000
Message-ID: <38C4439B.3A79D6C0@interactivate.com>
Date: Mon, 06 Mar 2000 15:47:40 -0800
From: Lawrence Sica
Organization: Interactivate, Inc
To: Alex Michlin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Host Secured Logon

Alex Michlin wrote:
> Hey all!
>
> Is there an easy way to secure shell accounts with the hostname of the
> user (ie, only someone from *.anyisp.com can logon to shell1, and
> *.myisp.com can logon to any shell)?

Well, if you're using ssh, look for sshd_config. You can edit that file to
control who can login from where.
If you installed the port it's in /usr/local/etc.

--Larry

From owner-freebsd-security Mon Mar 6 17:06:09 2000
Date: Tue, 7 Mar 2000 02:58:45 +0200
From: Giorgos Keramidas
To: Igor Roshchin
Cc: security@freebsd.org
Subject: Re: named started by any user will be running until killed...
Message-ID: <20000307025845.E84318@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <200003060858.CAA07208@alecto.physics.uiuc.edu>
In-Reply-To: <200003060858.CAA07208@alecto.physics.uiuc.edu>; from igor@physics.uiuc.edu on Mon, Mar 06, 2000 at 02:58:06AM -0600
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E
X-Phone-Number: +30-94-6203692, +30-93-2886457
X-Address: Theodorou Kirinaiou 61, 26334 Patra, Greece

On Mon, Mar 06, 2000 at 02:58:06AM -0600, Igor Roshchin wrote:
>
> Hello!
>
> I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE
> box started the named server (by a mistake).
> (Currently, this host is not running named)
> The server barked (to the syslog):
>
> Feb 29 06:57:06 MYHOST named[22132]: limit files set to fdlimit (1024)
> Feb 29 06:57:06 MYHOST named[22132]: db_load could not open: localhost.rev: No such file or directory
> Feb 29 06:57:06 MYHOST named[22132]: ctl_server: bind: Permission denied
> Feb 29 06:57:06 MYHOST named[22132]: couldn't create pid file '/var/run/named.pid'
>
> but did not exit.
> Instead, it continued with periodic messages like:

You can always chown the named executable to bind:bind and let only users
from that group execute the binary. By carefully adding users to the group,
you can control who can run the named executable, and still not stop the
`bind' user from running nicely in a jail or outside of it.

Oh, don't forget to chown named-xfer and all the other programs that named
will want to use ;)

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
For my public PGP key: finger keramida@diogenis.ceid.upatras.gr
PGP fingerprint, phone and address in the headers of this message.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 6 19: 8:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail-green.research.att.com (H-135-207-30-103.research.att.com [135.207.30.103]) by hub.freebsd.org (Postfix) with ESMTP id E0FB837BE91 for ; Mon, 6 Mar 2000 19:08:55 -0800 (PST) (envelope-from fenner@research.att.com) Received: from alliance.research.att.com (alliance.research.att.com [135.207.26.26]) by mail-green.research.att.com (Postfix) with ESMTP id 559DA1E01E; Mon, 6 Mar 2000 22:08:54 -0500 (EST) Received: from windsor.research.att.com (windsor.research.att.com [135.207.26.46]) by alliance.research.att.com (8.8.7/8.8.7) with ESMTP id WAA12429; Mon, 6 Mar 2000 22:08:49 -0500 (EST) From: Bill Fenner Received: (from fenner@localhost) by windsor.research.att.com (8.8.8+Sun/8.8.5) id TAA23332; Mon, 6 Mar 2000 19:08:16 -0800 (PST) Message-Id: <200003070308.TAA23332@windsor.research.att.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII To: josef.pojsl@skynet.cz Subject: Re: FreeBSD 2.2.6 and CA-99-14 ??? Cc: dirk.nerling@pdv.de, freebsd-security@freebsd.org References: <6CC81B07CB44D311A1D20001FA7E9956115089@exchange.pdv.de> <20000306131604.B6735@regent.in.skynet.cz> Date: Mon, 6 Mar 2000 19:08:16 -0800 Versions: dmail (solaris) 2.2g/makemail 2.9a Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >identify your version of BIND (eg. by running named and looking in >/var/log/messages). 
Another way is: dig @localhost chaos txt version.bind Bill To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 6 20:38:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 0815C37BE71 for ; Mon, 6 Mar 2000 20:38:15 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id UAA50858; Mon, 6 Mar 2000 20:38:11 -0800 (PST) (envelope-from dillon) Date: Mon, 6 Mar 2000 20:38:11 -0800 (PST) From: Matthew Dillon Message-Id: <200003070438.UAA50858@apollo.backplane.com> To: Igor Roshchin Cc: security@FreeBSD.ORG Subject: Re: named started by any user will be running until killed... References: <200003060858.CAA07208@alecto.physics.uiuc.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :Hello! : :I've got a situation when an ordinary shell user on a FreeBSD-3.4-RELEASE :box started the named server (by a mistake). :(Currently, this host is not running named) :The server wrote barked (to the syslog): : :Feb 29 06:57:06 MYHOST named[22132]: limit files set to fdlimit ( :1024) :Feb 29 06:57:06 MYHOST named[22132]: db_load could not open: loca :lhost.rev: No such file or directory :Feb 29 06:57:06 MYHOST named[22132]: ctl_server: bind: Permission :... : :going over all IPs (I have several IP aliases on that host) associated :with the network interface. : :These messages were repeated in the syslog every hour until the named :was manually killed. :... :Igor Generally speaking you do not include /sbin or /usr/sbin or /usr/local/sbin in the user's default path, so users generally don't 'see' these programs. That they can run them anyway is not really a security issue -- it's no different from a user downloading, compiling up, and running the named source after all. 
Trying to do something more complex, like using jail or messing with program owner/group/permissions is going to mostly be a waste of time. If you are truly concerned you can chmod 750 and group-restrict the directories (/sbin, /usr/sbin, /usr/local/sbin). Personally I don't think it's worth the effort.... remember that every change you make to the base system is a change you have to remember to redo when you upgrade. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 6 20:50: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from dionis.omskelecom.ru (dionis.omskelecom.ru [195.162.32.3]) by hub.freebsd.org (Postfix) with ESMTP id DD81937BF01 for ; Mon, 6 Mar 2000 20:50:00 -0800 (PST) (envelope-from kev@itbank.omskelecom.ru) Received: by dionis.omskelecom.ru; Tue, 07 Mar 2000 10:45:52 +0600 (OMS) Message-Id: Date: Tue, 07 Mar 2000 10:56:26 +0600 (OMS) From: kev@itbank.omskelecom.ru To: security@freebsd.org Subject: ipsec inplementation Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi*^ Can anyone advise a complete guide/solution for VPN? I see that there is an IPsec stack in -current. But that's all. Eugeny.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 6 21: 1: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C7A1C37BE0B for ; Mon, 6 Mar 2000 21:01:05 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id VAA22244; Mon, 6 Mar 2000 21:01:03 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda22240; Mon Mar 6 21:00:56 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id VAA05073; Mon, 6 Mar 2000 21:00:56 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdYk5069; Mon Mar 6 21:00:07 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id VAA04119; Mon, 6 Mar 2000 21:00:06 -0800 (PST) Message-Id: <200003070500.VAA04119@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdHI4115; Mon Mar 6 21:00:02 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.4-RELEASE X-Sender: cy To: kev@itbank.omskelecom.ru Cc: security@FreeBSD.ORG Subject: Re: ipsec inplementation In-reply-to: Your message of "Tue, 07 Mar 2000 10:56:26 +0600." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 06 Mar 2000 21:00:02 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , kev@itbank.omskelecom.ru writes: > > hi*^ > > Can anyone advice complete guide/solution for vpn? > I see, that there is ipsec stack in -current. > But this all. 
I would think that IPsec in -current would ultimately be the best way to go; however, for those of us using -stable, pipsecd is a solution. I've used pipsecd between various combinations of FreeBSD and Linux boxen successfully. I understand (though I haven't tried it myself) it should work on Solaris 7 too. Combine it with NAT and you have a VPN gateway. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC "COBOL IS A WASTE OF CARDS." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 6 21:26:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from fgwmail5.fujitsu.co.jp (fgwmail5.fujitsu.co.jp [192.51.44.35]) by hub.freebsd.org (Postfix) with ESMTP id BB1A637BBE6 for ; Mon, 6 Mar 2000 21:26:29 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from m5.gw.fujitsu.co.jp by fgwmail5.fujitsu.co.jp (8.9.3/3.7W-MX0002-Fujitsu Gateway) id OAA20430; Tue, 7 Mar 2000 14:26:22 +0900 (JST) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from chisato.nd.net.fujitsu.co.jp by m5.gw.fujitsu.co.jp (8.9.3/3.7W-0002-Fujitsu Domain Master) id OAA04239; Tue, 7 Mar 2000 14:26:20 +0900 (JST) Received: from localhost (dhcp7173.nd.net.fujitsu.co.jp [10.18.7.173]) by chisato.nd.net.fujitsu.co.jp (8.8.5+2.7Wbeta5/3.3W8chisato-970826) with ESMTP id OAA12362; Tue, 7 Mar 2000 14:26:17 +0900 (JST) To: kev@itbank.omskelecom.ru Cc: security@FreeBSD.ORG Subject: Re: ipsec inplementation In-Reply-To: References: X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN) X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000307142712R.shin@nd.net.fujitsu.co.jp> Date: Tue, 07 Mar 2000 14:27:12 +0900 From: Yoshinobu Inoue X-Dispatcher: imput version
990905(IM130) Lines: 19 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > hi*^ > > Can anyone advice complete guide/solution for vpn? > I see, that there is ipsec stack in -current. > But this all. > Eugeny. Hi, If you have updated your current box recently, then there will be some descriptions about IPsec setup in /usr/share/example/IPv6/USAGE. The IPsec section in the USAGE document describes IPsec tunnel mode (sets up a router-to-router secure tunnel and is useful for creating a VPN), and IPsec transport mode (IPsec for socket level communication). Please try it. Thanks, Yoshinobu Inoue To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 13:53:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from skew2.kellogg.nwu.edu (skew2.kellogg.nwu.edu [129.105.16.97]) by hub.freebsd.org (Postfix) with ESMTP id F27F737BE7A for ; Tue, 7 Mar 2000 13:53:17 -0800 (PST) (envelope-from jjenkins@skew2.kellogg.nwu.edu) Received: from localhost (jjenkins@localhost) by skew2.kellogg.nwu.edu (8.9.3 (PHNE_18979)/8.9.3) with SMTP id PAA20459 for ; Tue, 7 Mar 2000 15:53:15 -0600 (CST) Date: Tue, 7 Mar 2000 15:53:15 -0600 (CST) From: Jason Jenkins To: freebsd-security@FreeBSD.ORG Subject: hosts allow Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi I have a question regarding the hosts.allow file. I am trying to simply deny everyone access, and only allow certain people to access my machine. So this is what I did:

ALL : ALL : deny
ALL : hostname : allow

However, that did not seem to work. It would not allow me to log in from IP. Anything I am doing wrong?
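As the replies that follow explain, tcpd walks hosts.allow from the top and stops at the first rule whose daemon field and client field both match, so a leading "ALL : ALL : deny" is the only rule that ever fires. The script below is an added example, not code from this thread or from tcpd itself: it re-implements that first-match walk for a deliberately small subset of the hosts_access(5) grammar (the ALL wildcard, exact names, ".domain" suffix patterns, "1.2.3." prefix patterns, and allow/deny as the option field) so the two orderings can be compared offline. The function names, the sample rule files and the client names in it are all constructed for the example.

```shell
#!/bin/sh
# Added example: a first-match evaluator for a small subset of hosts.allow
# syntax (not tcpd's own code; the function and file names are invented here).

# match_pattern PATTERN VALUE: ALL, exact name, ".domain" suffix, "1.2.3." prefix
match_pattern() {
    pat=$1; val=$2
    case $pat in
        ALL) return 0 ;;
        .*)  case $val in *"$pat") return 0 ;; esac; return 1 ;;
        *.)  case $val in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pat" = "$val" ] ;;
    esac
}

# list_matches "p1 p2 ..." VALUE: true if any pattern in the list matches VALUE
list_matches() {
    for p in $1; do
        match_pattern "$p" "$2" && return 0
    done
    return 1
}

# hosts_access DAEMON CLIENT FILE: print the option (allow/deny) of the first
# rule whose daemon list and client list both match. tcpd grants access when
# no rule matches at all, so that is the fallback here too.
hosts_access() {
    daemon=$1; client=$2; file=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # strip comments
        case $line in *:*) ;; *) continue ;; esac   # skip blank/malformed lines
        dlist=${line%%:*}
        rest=${line#*:}
        case $rest in
            *:*) clist=${rest%%:*}; opt=${rest#*:} ;;
            *)   clist=$rest; opt=allow ;;          # two-field rule in hosts.allow: allow
        esac
        set -- $opt; opt=$1                         # trim surrounding whitespace
        if list_matches "$dlist" "$daemon" && list_matches "$clist" "$client"; then
            echo "$opt"
            return 0
        fi
    done < "$file"
    echo allow
}

# demo: the ordering from the question beside the corrected one, tried
# against three constructed client names
demo() {
    t=${TMPDIR:-/tmp}/hosts_access_demo.$$
    printf '%s\n' 'ALL : ALL : deny' 'ALL : shell1.myisp.com : allow' > "$t.deny_first"
    printf '%s\n' 'ALL : .myisp.com 129.105. : allow' 'ALL : ALL : deny' > "$t.allow_first"
    for c in shell1.myisp.com 129.105.16.97 evil.example.net; do
        printf '%-20s deny-first: %-5s allow-first: %s\n' "$c" \
            "$(hosts_access sshd "$c" "$t.deny_first")" \
            "$(hosts_access sshd "$c" "$t.allow_first")"
    done
    rm -f "$t.deny_first" "$t.allow_first"
}

case ${1:-} in demo) demo ;; esac
```

Run it with the `demo` argument: the deny-first file rejects even shell1.myisp.com, while the allow-first file admits the listed suffix and prefix and denies everything else. The real tcpd also matches a client by both its address and its reverse-resolved name, and understands EXCEPT, netmasks and shell_command options, none of which this sketch models.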
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 14: 0:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 3697837C159 for ; Tue, 7 Mar 2000 14:00:37 -0800 (PST) (envelope-from bright@fw.wintelcom.net) Received: (from bright@localhost) by fw.wintelcom.net (8.9.3/8.9.3) id OAA07843; Tue, 7 Mar 2000 14:32:06 -0800 (PST) Date: Tue, 7 Mar 2000 14:32:06 -0800 From: Alfred Perlstein To: Jason Jenkins Cc: freebsd-security@FreeBSD.ORG Subject: Re: hosts allow Message-ID: <20000307143206.K14279@fw.wintelcom.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from jjenkins@skew2.kellogg.nwu.edu on Tue, Mar 07, 2000 at 03:53:15PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Jason Jenkins [000307 14:27] wrote: > Hi I have a question regarding the hosts.allow file. I am trying to simply > deny everyone access, and only allow certain people to access my machine. > So this is what I did: > > > ALL : ALL : deny > ALL : hostname : allow > > However, that did not seem to work. It would not allow me to log in from > IP. Anything i am doing wrong? You have it backwards, it's a first match system, if you say deny all first it won't go any farther. Try swapping the entries. 
-Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 14: 4: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail1.uunet.ca (mail1.uunet.ca [209.167.141.3]) by hub.freebsd.org (Postfix) with ESMTP id 0185F37BEEE for ; Tue, 7 Mar 2000 14:03:46 -0800 (PST) (envelope-from matt@ARPA.MAIL.NET) Received: from epsilon.lucida.qc.ca ([216.95.146.6]) by mail1.uunet.ca with ESMTP id <216957-6669>; Tue, 7 Mar 2000 17:03:21 -0500 Date: Tue, 7 Mar 2000 17:03:20 -0500 From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Jason Jenkins Cc: freebsd-security@FreeBSD.ORG Subject: Re: hosts allow In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This matches on a first come first serve basis along the lines of ipfw, therefore you need to place your ALLOW rules /before/ your DENY rules for them to work as you want them to. So in other words: ALL : some.hostname : allow ALL : ALL : deny See hosts_access(5) and hosts_options(5) for more, hope that helps. Matt -- Matt Heckaman [matt@arpa.mail.net|matt@relic.net] [Please do not send me] !Powered by FreeBSD/x86! [http://www.freebsd.org] [any SPAM (UCE) e-mail] On Tue, 7 Mar 2000, Jason Jenkins wrote: : Date: Tue, 7 Mar 2000 16:53:15 -0500 : From: Jason Jenkins : To: freebsd-security@FreeBSD.ORG : Subject: hosts allow : : Hi I have a question regarding the hosts.allow file. I am trying to simply : deny everyone access, and only allow certain people to access my machine. : So this is what I did: : : : ALL : ALL : deny : ALL : hostname : allow : : However, that did not seem to work. It would not allow me to log in from : IP. Anything i am doing wrong? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 16:12:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from roam.psg.com (roam.psg.com [206.163.43.51]) by hub.freebsd.org (Postfix) with ESMTP id 3726937B51E for ; Tue, 7 Mar 2000 16:12:08 -0800 (PST) (envelope-from randy@psg.com) Received: from randy by roam.psg.com with local (Exim 3.12 #1) id 12SQza-0000iQ-00; Tue, 07 Mar 2000 12:54:10 -0800 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Alex Michlin Cc: freebsd-security@freebsd.org Subject: Re: Host Secured Logon Message-Id: Date: Tue, 07 Mar 2000 12:54:10 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Is there an easy way to secure shell accounts with the hostname of the > user (ie, only someone from *.anyisp.com can logon to shell1, and > *.myisp.com can logon to any shell)? i am not advocating doing this, as dns based security is weak, but use tcpd aka log_tcp and restrict the hosts in /usr/local/etc/hosts.allow.
randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 18:57:27 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 3EDF037BE62; Tue, 7 Mar 2000 18:57:25 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 38CCC2E815B; Tue, 7 Mar 2000 18:57:25 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Tue, 7 Mar 2000 18:57:25 -0800 (PST) From: Kris Kennaway To: Randy Bush Cc: Alex Michlin , freebsd-security@freebsd.org Subject: Re: Host Secured Logon In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 7 Mar 2000, Randy Bush wrote: > > Is there an easy way to secure shell accounts with the hostname of the > > user (ie, only someone from *.anyisp.com can logon to shell1, and > > *.myisp.com can logon to any shell)? > > i am not advocating doing this, as dns based security is weak, but use tcpd > aka log_tcp and restrict the hosts in /usr/local/etc/hosts.allow. Or you could use tcpd and restrict on source IP addresses, rather than insecure DNS addresses. Kris ---- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 18:58:24 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id AD14737C184; Tue, 7 Mar 2000 18:58:21 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id AA5402E815B; Tue, 7 Mar 2000 18:58:21 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Tue, 7 Mar 2000 18:58:21 -0800 (PST) From: Kris Kennaway To: Matthew Dillon Cc: Igor Roshchin , security@FreeBSD.ORG Subject: Re: named started by any user will be running until killed... In-Reply-To: <200003070438.UAA50858@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 6 Mar 2000, Matthew Dillon wrote: > Trying to do something more complex, like using jail or messing with > program owner/group/permissions is going to mostly be a waste of time. > If you are truely concerned you can chmod 750 and group-restrict > the directories (/sbin, /usr/sbin, /usr/local/sbin). Personally I > don't think it's worth the effort.... remember that every change you > make to the base system is a change you have to remember to redo when > you upgrade. And it still doesn't prevent them downloading or compiling their own binary. Doing *that* is harder again. Kris ---- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 7 19:22:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from w2xo.pgh.pa.us (ipl-229-025.npt-sdsl.stargate.net [208.223.229.25]) by hub.freebsd.org (Postfix) with ESMTP id A281B37B561 for ; Tue, 7 Mar 2000 19:22:00 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us) Received: from w2xo.pgh.pa.us (shazam.w2xo.pgh.pa.us [192.168.5.3]) by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id DAA15960 for ; Wed, 8 Mar 2000 03:21:52 GMT (envelope-from durham@w2xo.pgh.pa.us) Message-ID: <38C5C74C.6F377C4A@w2xo.pgh.pa.us> Date: Tue, 07 Mar 2000 22:21:48 -0500 From: Jim Durham Organization: dis- X-Mailer: Mozilla 4.08 [en] (X11; I; FreeBSD 3.4-RELEASE i386) MIME-Version: 1.0 To: FreeBSD-security@freebsd.org Subject: Anyone using SKIP? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm playing with skip from Sun using the skip port in 3.3. I'd like to see how this works to do a VPN to a protected LAN. I have skipd running on a 3.3 box. Other than an extra "/" in the path, it compiled and seems to be correct on the BSD end. I'm missing something on the Win95 end. I can't figure out exactly what they are looking for for keys/certificates etc. I made the keys as they described. I set the 95 client to "Discover Certificate", but it just connects in unencrypted mode. Anyone using SKIP ? 
-- Jim Durham To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 8 0:42:29 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 200C737C04F; Wed, 8 Mar 2000 00:42:26 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 1DFD22E815A; Wed, 8 Mar 2000 00:42:26 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Wed, 8 Mar 2000 00:42:26 -0800 (PST) From: Kris Kennaway To: security@freebsd.org Cc: ports@freebsd.org Subject: cvs commit: ports/games/omega Makefile (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm not going to generate a security advisory about this, but reinstall this port if you have it. In general, if you have anything installed which is setuid games on a multiuser machine, it's a good candidate for removal (games aren't the most securely-programmed things): find /usr/local/bin -user games -perm -4000 Ports maintainers who own such a file (please check the above!) please make the necessary changes to install it setgid games, not setuid foo. A user who exploits a game binary to get the games group probably can't do much apart from alter game score/save files (although this still might be a security risk if you can convince the game to somehow execute code you put in the file), whereas if they have setuid games they can trojan the binary directly for the next user. Kris Ports Security Officer ---- In God we Trust -- all others must submit an X.509 certificate. 
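Kris's find(1) line above catches setuid binaries owned by games; the reasoning he gives (and spells out again in his reply to Satoshi further down) is that a setuid-games binary is owned by games, so whoever reaches that uid can rewrite it, whereas setgid games stays safe only while nothing in the games group is group-writable. The script below is an added example, not Kris's or the ports tree's code: it wraps his `-perm -4000` check in a function and adds a second check for setgid, group-writable files. The function names, the user/group arguments (defaulting to the games user and group named in the message) and the sample tree in the usage are mine.

```shell
#!/bin/sh
# Added example: audit a tree for the two hazards discussed in the thread.
# Not part of the original mail; function names and arguments are invented here.

# setuid_owned DIR USER: setuid files owned by USER. Anyone who reaches USER's
# uid through such a binary owns the file and can replace it for the next caller.
setuid_owned() {
    find "$1" -type f -user "$2" -perm -4000 2>/dev/null | sort
}

# setgid_group_writable DIR GROUP: setgid files in GROUP that the group may write.
# setgid GROUP is only as safe as the absence of group-writable binaries.
setgid_group_writable() {
    find "$1" -type f -group "$2" -perm -2020 2>/dev/null | sort
}

# audit_tree DIR [USER] [GROUP]: print one line per finding; exit 0 only when
# the tree is clean, so the function can gate a build or a cron report.
audit_tree() {
    dir=$1; user=${2:-games}; group=${3:-games}
    setuid_owned "$dir" "$user" |
        sed "s|^|setuid $user (install setgid $group instead): |"
    setgid_group_writable "$dir" "$group" |
        sed "s|^|setgid $group but group-writable (chmod g-w): |"
    n=$( { setuid_owned "$dir" "$user"; setgid_group_writable "$dir" "$group"; } |
         wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Run as: sh audit.sh /usr/local/bin games games
case ${1:-} in
    "") ;;                      # no arguments: just define the functions
    *)  audit_tree "$@" ;;
esac
```

Pointed at /usr/local/bin it reports the same files Kris's one-liner does, plus any games-group binary that the games group could overwrite, which is the condition under which the setgid fix stops being enough.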
-- Charles Forsythe ---------- Forwarded message ---------- Date: Wed, 8 Mar 2000 00:33:23 -0800 (PST) From: Kris Kennaway To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: ports/games/omega Makefile kris 2000/03/08 00:33:22 PST Modified files: games/omega Makefile Log: Install this port setgid games, not setuid games. No response from: Maintainer Revision Changes Path 1.4 +7 -6 ports/games/omega/Makefile To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 8 0:52:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from m3.cs.berkeley.edu (m3.CS.Berkeley.EDU [128.32.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 1746B37B5A5; Wed, 8 Mar 2000 00:52:45 -0800 (PST) (envelope-from asami@stampede.cs.berkeley.edu) Received: from silvia.hip.berkeley.edu (sji-ca1-183.ix.netcom.com [209.109.232.183]) by m3.cs.berkeley.edu (8.9.3/8.9.3) with ESMTP id AAA72252; Wed, 8 Mar 2000 00:52:35 -0800 (PST) (envelope-from asami@stampede.cs.berkeley.edu) Received: (from asami@localhost) by silvia.hip.berkeley.edu (8.9.3/8.6.9) id AAA53685; Wed, 8 Mar 2000 00:52:10 -0800 (PST) To: Kris Kennaway Cc: security@freebsd.org, ports@freebsd.org Subject: Re: cvs commit: ports/games/omega Makefile (fwd) References: From: asami@freebsd.org (Satoshi - Ports Wraith - Asami) Date: 08 Mar 2000 00:52:03 -0800 In-Reply-To: Kris Kennaway's message of "Wed, 8 Mar 2000 00:42:26 -0800 (PST)" Message-ID: Lines: 28 X-Mailer: Gnus v5.7/Emacs 20.5 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * From: Kris Kennaway * I'm not going to generate a security advisory about this, but reinstall * this port if you have it. Thanks, for catching it. 
* In general, if you have anything installed which is setuid games on a * multiuser machine, it's a good candidate for removal (games aren't the * most securely-programmed things): * * find /usr/local/bin -user games -perm -4000 * * Ports maintainers who own such a file (please check the above!) please * make the necessary changes to install it setgid games, not setuid foo. * * A user who exploits a game binary to get the games group probably can't do * much apart from alter game score/save files (although this still might be * a security risk if you can convince the game to somehow execute code you * put in the file), whereas if they have setuid games they can trojan the * binary directly for the next user. This should not be allowed to happen. Shouldn't all binaries be installed without write permission? That's the way it is in /usr, maybe we should mandate it in /usr/local and /usr/X11R6. (Hmm, why do imake config files want to install stuff with permission *755?) Satoshi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 8 1: 4: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5DED137B57F; Wed, 8 Mar 2000 01:04:01 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 5C01A2E815A; Wed, 8 Mar 2000 01:04:01 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Wed, 8 Mar 2000 01:04:01 -0800 (PST) From: Kris Kennaway To: Satoshi - Ports Wraith - Asami Cc: security@freebsd.org, ports@freebsd.org Subject: Re: cvs commit: ports/games/omega Makefile (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 8 Mar 2000, Satoshi - Ports Wraith - Asami wrote: > * A user who exploits a game binary to get the games group probably can't do > * much
apart from alter game score/save files (although this still might be > * a security risk if you can convince the game to somehow execute code you > * put in the file), whereas if they have setuid games they can trojan the > * binary directly for the next user. > > This should not be allowed to happen. Shouldn't all binaries be > installed without write permission? That's the way it is in /usr, > maybe we should mandate it in /usr/local and /usr/X11R6. (Hmm, why > does imake config files want to install stuff with permission *755?) It wouldn't help: if the binary is setuid games but not owner-writable, the games user can still change permissions and replace it (or any other games-owned binary) because he owns the file. Using setgid instead of setuid solves this, as long as no binaries are games _group_ writable (on my machine nothing except for save files is). Kris ---- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 8 1:29:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from m3.cs.berkeley.edu (m3.CS.Berkeley.EDU [128.32.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 275F037B5DF; Wed, 8 Mar 2000 01:29:12 -0800 (PST) (envelope-from asami@stampede.cs.berkeley.edu) Received: from silvia.hip.berkeley.edu (sji-ca1-183.ix.netcom.com [209.109.232.183]) by m3.cs.berkeley.edu (8.9.3/8.9.3) with ESMTP id BAA73586; Wed, 8 Mar 2000 01:28:41 -0800 (PST) (envelope-from asami@stampede.cs.berkeley.edu) Received: (from asami@localhost) by silvia.hip.berkeley.edu (8.9.3/8.6.9) id BAA53881; Wed, 8 Mar 2000 01:27:32 -0800 (PST) To: Kris Kennaway Cc: security@freebsd.org, ports@freebsd.org Subject: Re: cvs commit: ports/games/omega Makefile (fwd) References: From: asami@freebsd.org (Satoshi - Ports Wraith - Asami) Date: 08 Mar 2000 01:26:49 -0800 In-Reply-To: Kris Kennaway's message of 
"Wed, 8 Mar 2000 01:04:01 -0800 (PST)" Message-ID: Lines: 11 X-Mailer: Gnus v5.7/Emacs 20.5 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * From: Kris Kennaway * It wouldn't help: if the binary is setuid games but not owner-writable, * the games user can still change permissions and replace it (or any other * games-owned binary) because he owns the file. Using setgid instead of * setuid solves this, as long as no binaries are games _group_ writable (on * my machine nothing except for save files is). You're right, of course. Yes, setuid games are bad! Satoshi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 8 2:23:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt-link.bg (addr3.mt-mt.bg [212.56.10.195]) by hub.freebsd.org (Postfix) with ESMTP id 225C437B571 for ; Wed, 8 Mar 2000 02:23:24 -0800 (PST) (envelope-from nikky@mailandnews.com) Received: from mt-link1 (mt-link1.mt-link.bg [192.168.10.11]) by ns.mt-link.bg (8.9.0/8.8.7) with SMTP id MAA25507 for ; Wed, 8 Mar 2000 12:22:32 +0200 Message-ID: <003001bf88f0$916afe20$0b0aa8c0@mt-link1.mt-link.bg> From: "Nickola Kolev" To: Subject: sendmail Date: Wed, 8 Mar 2000 12:21:15 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0029_01BF88F8.CC7BDE00" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0029_01BF88F8.CC7BDE00 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: quoted-printable Hi there! I have a problem. I'm running a freebsd 3.4 release at home, and I've = set it up to send mail via my ISP. 
For the purpose I'm using sendmail with masquerading, 'coz I don't have any FQDN. So, I start sendmail during startup with 'sendmail -bs -q30m', then, when I connect to my ISP, I'm issuing 'sendmail -q' to flush the messages in the queue. To fetch my messages from the ISP I'm using fetchmail, which is started through a script. It's OK, I receive them, they're delivered locally, but I gotta flush sendmail again in order for my other users (I mean local on my machine) to receive mail. Then I have to wait until the mail is delivered. Should I use procmail instead of mail.local?! Please, help! I'm still very new to FreeBSD... So long, Nickola
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 8 3:43:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security.za.net (security.za.net [209.212.100.194]) by hub.freebsd.org (Postfix) with ESMTP id 545E837B5F8 for ; Wed, 8 Mar 2000 03:43:00 -0800 (PST) (envelope-from jus@security.za.net)
Received: from localhost (jus@localhost) by security.za.net (8.9.3/8.9.3) with ESMTP id NAA01431; Wed, 8 Mar 2000 13:44:43 +0200 (SAST) (envelope-from jus@security.za.net)
Date: Wed, 8 Mar 2000 13:44:43 +0200 (SAST)
From: Justin Stanford
To: Nickola Kolev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sendmail
In-Reply-To: <003001bf88f0$916afe20$0b0aa8c0@mt-link1.mt-link.bg>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Somehow this strikes me as something for freebsd-questions and not security..

Regards,
jus

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Wed, 8 Mar 2000, Nickola Kolev wrote:

> Hi there!
>
> I have a problem. I'm running a freebsd 3.4 release at home, and I've set it up to send mail via my ISP. For the purpose I'm using sendmail with masquerading, 'coz I don't have any FQDN. So, I start sendmail during startup with 'sendmail -bs -q30m', then, when I connect to my ISP, I'm issuing 'sendmail -q' to flush the messages in the queue. To fetch my messages from the ISP I'm using fetchmail, which is started thru script. It's OK, I receive them, they're delivered locally, but I gotta flush sendmail again in order for my other users (I mean local on my machine) to receive mail. Then I have to wait until the mail is delivered.
>
> Should I use procmail instead of mail.local?!
> Please, help! I'm still very new to FreeBSD...
>
> So long,
> Nickola
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 8 7:41:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hydrant.intranova.net (msb-ts-slip12.UMDNJ.EDU [130.219.28.72]) by hub.freebsd.org (Postfix) with SMTP id 34A2C37BFAB for ; Wed, 8 Mar 2000 07:41:21 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 55133 invoked from network); 6 Mar 2000 19:15:07 -0000
Received: from hydrant.abuselabs.com (HELO hydrant) (@192.168.0.1) by hydrant.abuselabs.com with SMTP; 6 Mar 2000 19:15:07 -0000
Date: Mon, 6 Mar 2000 14:15:07 -0500 (EST)
From: Omachonu Ogali
To: Alex Michlin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Host Secured Logon
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Check out /etc/hosts.allow (tcpwrappers).

telnet : .anyisp.com : allow
telnet : ALL : deny

It works on a first matching rule.

On Mon, 6 Mar 2000, Alex Michlin wrote:

> Hey all!
>
> Is there an easy way to secure shell accounts with the hostname of the
> user (ie, only someone from *.anyisp.com can logon to shell1, and
> *.myisp.com can logon to any shell)?
>
> Also, is there any good resource where I can find which settings do what
> in the /etc/login.conf?
>
> Thanks.
>
> Alex
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                    oogali@intranova.net  |
| Intranova Networking Group                  http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839                                                  |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34        |
+-------------------------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 8 7:42:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt-link.bg (addr3.mt-mt.bg [212.56.10.195]) by hub.freebsd.org (Postfix) with ESMTP id 8E95F37B5E3 for ; Wed, 8 Mar 2000 07:41:53 -0800 (PST) (envelope-from nikky@mt-link.bg)
Received: from minus273.mt-link.bg (i_user4.mt-link.bg [192.168.2.123]) by ns.mt-link.bg (8.9.0/8.8.7) with ESMTP id RAA31105; Wed, 8 Mar 2000 17:40:53 +0200
Received: from localhost (nikky@localhost) by minus273.mt-link.bg (8.9.3/8.9.3) with ESMTP id RAA00343; Wed, 8 Mar 2000 17:42:52 GMT
Date: Wed, 8 Mar 2000 17:42:51 +0000 (GMT)
From: Nickola Kolev
To: Justin Stanford
Cc: Nickola Kolev , freebsd-security@FreeBSD.ORG
Subject: Re: sendmail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Somehow this strikes me as something for freebsd-questions and not
> security..
>
> Regards,
> jus

whoawww... sorry... Really, guys... It won't happen again.

Bye.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 8 14:42:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id A60DD37B544; Wed, 8 Mar 2000 14:42:54 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id A06E92E814A for ; Wed, 8 Mar 2000 14:42:54 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 8 Mar 2000 14:42:54 -0800 (PST)
From: Kris Kennaway
To: security@freebsd.org
Subject: Re: dump buffer overflow (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If anyone was wondering about this, Warner fixed it more than 3 months ago after the hole was found by the freebsd auditing project, and so 3.4-REL is not vulnerable. It would be nice for people at least to state which version they tested when making blanket claims of insecurity :-(

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

---------- Forwarded message ----------
Date: Tue, 7 Mar 2000 21:14:32 -0000
From: Lamagra Argamal
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: dump buffer overflow

On FreeBSD dump has the same hole I described in my previous post. Only it is exploitable :-) Dump with kerberos has __atexit and __cleanup after all the other variables on the heap. By overwriting these variables you can start your shellcode. Most of the credits should go to zen-parse who found and tested this.

-lamagra

Greets to lurux, grue, typo, jolt-freak.

http://lamagra/seKure.de

Send someone a cool Dynamitemail flashcard greeting!! And get rewarded. GO AHEAD!
http://cards.dynamitemail.com/index.php3?rid=fc-41

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 8 14:52:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailandnews.com (host62-6-92-59.btinternet.com [62.6.92.59]) by hub.freebsd.org (Postfix) with SMTP id 0033737B5F9 for ; Wed, 8 Mar 2000 14:51:51 -0800 (PST) (envelope-from bens_list@mailandnews.com)
Date: Tue, 7 Mar 2000 23:00:57 +0000
From: Ben H
To: freebsd-security@freebsd.org
Subject: Using IPFILTER
Message-ID: <20000307230057.A1357@lust.poo.pants>
Mail-Followup-To: Ben H , freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.8i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello all,

i (like im sure many) would like to use IPFILTER (ipf, ipnat) instead of/as well as IPFIREWALL (ipf, natd). and i cant get it working.

my KERNEL (well some of it) looks like:

options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about stuff
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPDIVERT #divert sockets
options IPFILTER #kernel ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
options "ICMP_BANDLIM" #Limit icmp bandywitdh

ive tried removing IPFIREWALL but it complains about lack of ip services (i cant remember as i havent tried for a while due to non wanting downtime)

i have all the required programs and sources, i even tried using the ipf-fil3.x.x.tar.gz but to no avail.

so could someone who is more competent spare the time to tell me what i need where to get it going. the rules and things im okay mainly due to OpenBSD experience...
tankoo

PS i hope/think this is the correct list..

--
Ben, "Doing the wrong thing for the right reasons is better than doing the right thing for the wrong reasons"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 8 21: 7: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 6AC6537B5DE; Wed, 8 Mar 2000 21:07:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 68A152E8157 for ; Wed, 8 Mar 2000 21:07:07 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 8 Mar 2000 21:07:07 -0800 (PST)
From: Kris Kennaway
To: security@freebsd.org
Subject: cvs commit: ports/games/jetpack Makefile (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Another one to reinstall for safety.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

---------- Forwarded message ----------
Date: Wed, 8 Mar 2000 20:41:41 -0800 (PST)
From: Kris Kennaway
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/games/jetpack Makefile

kris        2000/03/08 20:41:41 PST

  Modified files:
    games/jetpack        Makefile
  Log:
  Install setgid games, not setuid games.
  Reviewed by:    maintainer

  Revision  Changes    Path
  1.20      +4 -4      ports/games/jetpack/Makefile

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 9 13:54:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from awfulhak.org (tun.AwfulHak.org [194.242.139.173]) by hub.freebsd.org (Postfix) with ESMTP id 90F1F37B93C for ; Thu, 9 Mar 2000 13:54:32 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id VAA05817; Thu, 9 Mar 2000 21:41:25 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id IAA00544; Thu, 9 Mar 2000 08:23:59 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200003090823.IAA00544@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Omachonu Ogali
Cc: Alex Michlin , freebsd-security@FreeBSD.org, brian@hak.lan.awfulhak.org
Subject: Re: Host Secured Logon
In-Reply-To: Message from Omachonu Ogali of "Mon, 06 Mar 2000 14:15:07 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 09 Mar 2000 08:23:59 +0000
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Check out /etc/hosts.allow (tcpwrappers).
>
> telnet : .anyisp.com : allow
> telnet : ALL : deny
>
> It works on a first matching rule.
[.....]

Bear in mind that column zero contains the *program* name (as specified in inetd.conf), not the service name, so here, this should usually be telnetd.

--
Brian

Don't _EVER_ lose your sense of humour !
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 9 17:15:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from povray.org (netplex.aussie.org [204.213.191.226]) by hub.freebsd.org (Postfix) with ESMTP id 6BAA337B86B for ; Thu, 9 Mar 2000 17:15:13 -0800 (PST) (envelope-from mlnn4@oaks.com.au)
Received: from frankenputer (dubsat-ip23 [210.8.162.23]) by povray.org (8.9.3/8.9.3) with SMTP id UAA24924 for ; Thu, 9 Mar 2000 20:15:01 -0500 (EST) (envelope-from mlnn4@oaks.com.au)
Message-ID: <000f01bf8a2e$104306a0$cc0010ac@melbbureau.central.dubsat.com.au>
From: "Chris"
To:
Subject: pipsecd and Cisco PIX
Date: Fri, 10 Mar 2000 12:13:53 +1100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm looking for advice (and perhaps even a config?) for getting pipsecd and a Cisco PIX to talk together using manual IPSEC. I am not even sure this is possible, though it probably is. An interoperability chart I saw indicated pipsecd can talk to Cisco IOS using manual configuration, but they didn't mention the Pix directly.

Currently we have routers in the field that tunnel back to our Pix using 56-bit DES and IKE. Several of the admins of the system (incl me of course ;) use FreeBSD at home with a perm net link and want to be able to have a permanent tunnel up and running for when the pager goes off.

So, firstly, has anyone done this ? Just knowing it is possible would make things a lot easier (as I'd be willing to spend more time on attempting to get it to go).
But if someone can contribute a working config example, that'd be awesome ;)

regards,

--
Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 9 23: 8:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 6F06F37B8BB; Thu, 9 Mar 2000 23:08:13 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA70693; Fri, 10 Mar 2000 00:08:11 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA14345; Fri, 10 Mar 2000 00:07:51 -0700 (MST)
Message-Id: <200003100707.AAA14345@harmony.village.org>
To: Kris Kennaway
Subject: Re: dump buffer overflow (fwd)
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 08 Mar 2000 14:42:54 PST."
References:
Date: Fri, 10 Mar 2000 00:07:51 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Kris Kennaway writes:
: If anyone was wondering about this, Warner fixed it more than 3 months ago
: after the hole was found by the freebsd auditing project, and so 3.4-REL
: is not vulnerable. It would be nice for people at least to state which
: version they tested when making blanket claims of insecurity :-(

He didn't reply to me when I sent mail to him. In fact, I think this is where they found out about it. We fixed it, people noticed. They looked at Linux, found the problem, yelled it to the world. Someone pulled in an old version of FreeBSD and thought FreeBSD was vulnerable....
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 10 1:32:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id B69B437B993 for ; Fri, 10 Mar 2000 01:32:08 -0800 (PST) (envelope-from sheldonh@axl.ops.uunet.co.za)
Received: from sheldonh (helo=axl.ops.uunet.co.za) by axl.ops.uunet.co.za with local-esmtp (Exim 3.13 #1) id 12TLlN-000Kez-00; Fri, 10 Mar 2000 11:31:17 +0200
From: Sheldon Hearn
To: Brian Somers
Cc: Omachonu Ogali , Alex Michlin , freebsd-security@FreeBSD.ORG, brian@hak.lan.awfulhak.org
Subject: Re: Host Secured Logon
In-reply-to: Your message of "Thu, 09 Mar 2000 08:23:59 GMT." <200003090823.IAA00544@hak.lan.Awfulhak.org>
Date: Fri, 10 Mar 2000 11:31:16 +0200
Message-ID: <79420.952680676@axl.ops.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 09 Mar 2000 08:23:59 GMT, Brian Somers wrote:

> Bear in mind that column zero contains the *program* name (as
> specified in inetd.conf), not the service name, so here, this should
> usually be telnetd.

This is easy to misunderstand because we use the service name for inetd's internal services. :-(

Ciao,
Sheldon.
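The two points made in this thread about /etc/hosts.allow (first matching rule wins, and the first column is the program name inetd runs, not the service name) are easy to check with a small model of the evaluation. The following is an added example written for this archive page, not code from the thread or from tcp_wrappers itself. It supports only the subset the posts use: a daemon column holding a program name or ALL, a client column holding ALL or a leading-dot domain suffix, and an allow/deny action; EXCEPT lists, netgroups, address/mask pairs, spawn/twist and hosts.deny are deliberately left out. The rule sets and hostnames are constructed for illustration.

```python
"""First-match evaluation of a hosts.allow(5)-style access list.

Added example for the freebsd-security thread above; it is not code from
the thread or from tcp_wrappers.  Only the subset discussed in the thread
is modelled (see the lead-in); real tcp_wrappers does much more.
"""

# Constructed access list, in the order it would appear in /etc/hosts.allow.
# It repeats the mistake Brian Somers points out: "telnet" is the service
# name, but the program inetd starts is "telnetd", so neither line ever
# matches a telnet login and the "ALL : deny" never takes effect.
HOSTS_ALLOW_AS_POSTED = """\
telnet : .anyisp.com : allow
telnet : ALL : deny
"""

# Same policy with the program name in column zero (constructed).
HOSTS_ALLOW_FIXED = """\
telnetd : .anyisp.com : allow
telnetd : ALL : deny
"""


def parse_rules(text):
    """Parse 'daemon : client : action' lines into (daemon, client, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        rules.append(tuple(fields))
    return rules


def daemon_matches(pattern, daemon):
    """Daemon column: ALL, or the exact program name (basename of argv[0])."""
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, hostname):
    """Client column: ALL, a leading-dot domain suffix, or an exact host name."""
    host, pat = hostname.lower(), pattern.lower()
    if pat == "all":
        return True
    if pat.startswith("."):
        # ".anyisp.com" matches "dialup12.anyisp.com" but not "notanyisp.com"
        return host.endswith(pat)
    return host == pat


def decide(rules, daemon, hostname):
    """Return (action, rule_index) for the first matching rule.

    tcp_wrappers grants access when no rule matches at all, which is why a
    trailing 'ALL : deny' line is what actually enforces the policy.
    """
    for idx, (d, c, action) in enumerate(rules):
        if daemon_matches(d, daemon) and client_matches(c, hostname):
            return action, idx
    return "allow", None


def audit(text, daemon, hostname):
    """Parse an access list and evaluate one (daemon, client host) pair."""
    return decide(parse_rules(text), daemon, hostname)


if __name__ == "__main__":
    for label, acl in (("as posted", HOSTS_ALLOW_AS_POSTED), ("fixed", HOSTS_ALLOW_FIXED)):
        for host in ("dialup12.anyisp.com", "notanyisp.com", "shell.example.net"):
            print(f"{label:9s} telnetd from {host:20s} -> {audit(acl, 'telnetd', host)}")
```

Running it shows the posted list letting every telnet client through (no rule matches the daemon name, so the default applies), while the fixed list allows only hosts under .anyisp.com and denies the rest at the trailing rule. One caveat the thread does not spell out: a hostname pattern is only as trustworthy as the reverse DNS the wrapper performs; tcp_wrappers cross-checks the reverse name with a forward lookup, so a domain-suffix rule should be paired with that check rather than relied on alone.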
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 10 8:15:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id B220A37BA2D; Fri, 10 Mar 2000 08:15:32 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000) id C089B1BF5; Fri, 10 Mar 2000 11:16:20 -0500 (EST)
From: Spidey
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14537.8148.396885.574105@anarcat.dyndns.org>
Date: Fri, 10 Mar 2000 11:16:20 -0500 (EST)
To: asami@FreeBSD.ORG (Satoshi - Ports Wraith - Asami)
Cc: Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: cvs commit: ports/games/omega Makefile (fwd)
References:
X-Mailer: VM 6.72 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid
Reply-To: beaupran@iro.umontreal.ca
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a better idea. Let's make the ports system install the file, with the permissions and standards described in the PLIST file, that could be in a mtree-like format.

Even better, this scheme would allow us to do mtree (MD5, etc) checks on 3rd party software after it was installed. I was thinking of enforcing this in /etc/security too for checking the suids...

A lot of work to do here.. :))

---
At 00:52 of March 8, Big Brother made Satoshi - Ports Wraith - Asami write:
> * From: Kris Kennaway
>
> * I'm not going to generate a security advisory about this, but reinstall
> * this port if you have it.
>
> Thanks, for catching it.
>
> * In general, if you have anything installed which is setuid games on a
> * multiuser machine, it's a good candidate for removal (games aren't the
> * most securely-programmed things):
> *
> * find /usr/local/bin -user games -perm -4000
> *
> * Ports maintainers who own such a file (please check the above!) please
> * make the necessary changes to install it setgid games, not setuid foo.
> *
> * A user who exploits a game binary to get the games group probably can't do
> * much apart from alter game score/save files (although this still might be
> * a security risk if you can convince the game to somehow execute code you
> * put in the file), whereas if they have setuid games they can trojan the
> * binary directly for the next user.
>
> This should not be allowed to happen. Shouldn't all binaries be
> installed without write permission? That's the way it is in /usr,
> maybe we should mandate it in /usr/local and /usr/X11R6. (Hmm, why
> does imake config files want to install stuff with permission *755?)
>
> Satoshi
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
If the image gives the illusion of knowing,
it is because the adage claims that, in order to believe,
all that matters is to see.
Lofofora

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 10 15:48:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id 1DBD137B926 for ; Fri, 10 Mar 2000 15:48:34 -0800 (PST) (envelope-from bens_lists@mailandnews.com)
Received: from sacred.poo.pants [213.1.112.36] (bens_lists@mailandnews.com); Fri, 10 Mar 2000 18:48:24 -0500
X-WM-Posted-At: MailAndNews.com; Fri, 10 Mar 00 18:48:24 -0500
Received: (qmail 97916 invoked from network); 7 Mar 2000 23:10:15 -0000
Received: from lust.poo.pants (192.168.0.1) by sacred.poo.pants with SMTP; 7 Mar 2000 23:10:15 -0000
Received: (qmail 1367 invoked by uid 1001); 7 Mar 2000 23:00:58 -0000
Date: Tue, 7 Mar 2000 23:00:57 +0000
From: Ben H
To: freebsd-security@freebsd.org
Subject: Using IPFILTER
Message-ID: <20000307230057.A1357@lust.poo.pants>
Mail-Followup-To: Ben H , freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.8i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello all,

i (like im sure many) would like to use IPFILTER (ipf, ipnat) instead of/as well as IPFIREWALL (ipf, natd). and i cant get it working.
my KERNEL (well some of it) looks like:

options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about stuff
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPDIVERT #divert sockets
options IPFILTER #kernel ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
options "ICMP_BANDLIM" #Limit icmp bandywitdh

ive tried removing IPFIREWALL but it complains about lack of ip services (i cant remember as i havent tried for a while due to non wanting downtime)

i have all the required programs and sources, i even tried using the ipf-fil3.x.x.tar.gz but to no avail.

so could someone who is more competent spare the time to tell me what i need where to get it going. the rules and things im okay mainly due to OpenBSD experience...

tankoo

PS i hope/think this is the correct list..

--
Ben, "Doing the wrong thing for the right reasons is better than doing the right thing for the wrong reasons"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 10 19:19: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from backup.af.speednet.com.au (af.speednet.com.au [202.135.188.244]) by hub.freebsd.org (Postfix) with ESMTP id A749437BBB3 for ; Fri, 10 Mar 2000 19:18:43 -0800 (PST) (envelope-from andyf@speednet.com.au)
Received: from backup.af.speednet.com.au (andyf@backup.af.speednet.com.au [172.22.2.4]) by backup.af.speednet.com.au (8.9.3/8.9.3) with ESMTP id OAA54394 for ; Sat, 11 Mar 2000 14:18:14 +1100 (EST) (envelope-from andyf@speednet.com.au)
Date: Sat, 11 Mar 2000 14:18:13 +1100 (EST)
From: Andy Farkas
X-Sender: andyf@backup.af.speednet.com.au
To: freebsd-security@freebsd.org
Subject: security check output
In-Reply-To: <200003101459.BAA03095@zippyii.af.speednet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This may belong on -questions...

How is it possible that I get connection attempts from outside my private subnet? My main concern is how the heck do these packets get routed to my workstation? I'm sure there are routers in between that drop RFC1918 addresses..

> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > Connection attempt to UDP 172.22.2.9:1248 from 172.22.2.4:53
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1595 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1595 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1595 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1595 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1595 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1595 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1596 from 210.171.226.42:80
> > Connection attempt to TCP 172.22.2.9:1624 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1625 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1625 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1624 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1625 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1624 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1625 from 203.41.115.120:80
> > Connection attempt to TCP 172.22.2.9:1624 from 203.41.115.120:80

--

 :{ andyf@speednet.com.au
                                         Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Mar 10 19:47: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id AC33D37B969 for ; Fri, 10 Mar 2000 19:46:53 -0800 (PST) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id EAA10217; Sat, 11 Mar 2000 04:46:58 +0100 (CET)
Message-ID: <20000311044658.A10149@foobar.franken.de>
Date: Sat, 11 Mar 2000 04:46:58 +0100
From: Harold Gutch
To: Andy Farkas , freebsd-security@FreeBSD.ORG
Subject: Re: security check output
References: <200003101459.BAA03095@zippyii.af.speednet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Andy Farkas on Sat, Mar 11, 2000 at 02:18:13PM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 11, 2000 at 02:18:13PM +1100, Andy Farkas wrote:
>
> This may belong on -questions...
>
> How is it possible that I get connection attempts from outside my private
> subnet? My main concern is how the heck do these packets get routed to my
> workstation? I'm sure there are routers in between that drop RFC1918
> addresses..
> >
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
[...]

As you didn't say which version of FreeBSD you were using, I just grepped through a 2.2.8 sourcetree and guessed from the source that incoming SYN|ACK packets were logged by log_in_vain. I might be wrong, but my guess is that you're seeing answers to outgoing HTTP-packets for which the local socket already timed out and therefore is closed already. These packets had the SYN (and the ACK-) flag set and therefore were logged by FreeBSD, although they basically were real replies from some outside machine. Your NAT-ting box overwrote the destination-address of these packets to match the internal address (172.22.2.9), therefore you're seeing packets to these addresses to closed sockets (hence the log-entries).

bye,
  Harold

--
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
        Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 11 6:49:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id 1946137BBF2 for ; Sat, 11 Mar 2000 06:49:42 -0800 (PST) (envelope-from bens_lists@mailandnews.com)
Received: from sacred.poo.pants [213.1.84.147] (bens_lists@mailandnews.com); Sat, 11 Mar 2000 09:49:36 -0500
X-WM-Posted-At: MailAndNews.com; Sat, 11 Mar 00 09:49:36 -0500
Received: (qmail 86101 invoked from network); 11 Mar 1998 14:52:34 -0000
Received: from lust.poo.pants (192.168.0.1) by sacred.poo.pants with SMTP; 11 Mar 1998 14:52:34 -0000
Received: (qmail 1538 invoked by uid 1001); 11 Mar 2000 14:49:31 -0000
Date: Sat, 11 Mar 2000 14:49:31 +0000
From: Ben H
To: freebsd-security@freebsd.org
Subject: More ipf fun..
Message-ID: <20000311144931.A1531@lust.poo.pants>
Mail-Followup-To: Ben H , freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.8i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks to all those who helped me get ipfilter in the kernel, now all i gotta do is figure why it doesnt work (:

im wondering could it be because the kernel is 3.4 and the ipf binaries are 3.3? if so how would i upgrade them?

the current config is:

###############
# sum firewall rules

pass in quick all
pass out quick all

just for testing, but when run (with /sbin/ipf -Fa -v -f /etc/ipf.rules) i get:

[pass in quick all]
ioctl(SIOCADDFR): Invalid argument
[pass out quick all]
pass in quick from any to any
ioctl(SIOCADDFR): Invalid argument
pass out quick from any to any

which im guessing is wrong, any ideas? and yes ive read loads (the obfust.. one is a good guide to rules, not setup)

thanks..

--
Ben, "Doing the wrong thing for the right reasons is better than doing the right thing for the wrong reasons"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Mar 11 8:45:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from area51.v-wave.com (area51.v-wave.com [24.108.26.39]) by hub.freebsd.org (Postfix) with SMTP id D2FC237BC54 for ; Sat, 11 Mar 2000 08:45:44 -0800 (PST) (envelope-from flatline@area51.v-wave.com)
Received: (qmail 14162 invoked by uid 1001); 11 Mar 2000 16:46:31 -0000
Date: Sat, 11 Mar 2000 09:46:31 -0700
From: Chris Wasser
To: Ben H
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: More ipf fun..
Message-ID: <20000311094631.C13921@area51.v-wave.com>
References: <20000311144931.A1531@lust.poo.pants>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000311144931.A1531@lust.poo.pants>; from bens_lists@mailandnews.com on Sat, Mar 11, 2000 at 02:49:31PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 11, 2000 at 02:49:31PM +0000, Ben H wrote:
> [pass in quick all]
> ioctl(SIOCADDFR): Invalid argument
> [pass out quick all]
> pass in quick from any to any
> ioctl(SIOCADDFR): Invalid argument
> pass out quick from any to any

The format is correct, however, I've seen that message when one of a few things happens:

(a) your ipfilter binaries are out of sync with the kernel, ie: you're using 3.3.8 in the kernel for example, yet trying to access it from userland with 3.3.3 binaries.
(b) no kernel support for ipfilter is enabled.

There are more, but it escapes me; here, it would probably help you if I show you how mine is set up, and you take that knowledge over to your box:

IP Filter: initialized. Default = pass all, Logging = enabled
IP Filter: v3.3.8

In dmesg, this should show up if IPFILTER is correctly installed into the kernel. A quick test from the commandline will confirm the binary version:

# ipf -V
ipf: IP Filter: v3.3.8 (192)
Kernel: IP Filter: v3.3.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

Make sure you only have one ipf/ipnat/ipmon et al. I remember problems in 3.x where people would install newer ipfilter src against the kernel and it would install new bins in different paths, creating much confusion.
Your kernel should have the following directives:

options IPFILTER        #ipfilter support
options IPFILTER_LOG    #ipfilter logging

If you're using 4.0 and want to get creative (but read the documentation, enabling some of these options is not a good idea):

options TCP_DROP_SYNFIN     #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST    #restrict emission of TCP RST
options ICMP_BANDLIM        #Rate limit bad replies
options IPSTEALTH           #support for stealth forwarding

Assuming you're still using 4.0 [who isn't? :)] we proceed to modify /etc/rc.conf for extra goodies:

rand_irqs="1 3 4 5 6 7 10 11 12 14"
tcp_drop_synfin="YES"
tcp_restrict_rst="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="NO"
icmp_bmcastecho="NO"
forward_sourceroute="NO"
accept_sourceroute="NO"

This is for my configuration, mind you, and your mileage will definitely vary (for example, the documentation states enabling drop_syn+fin is not a good idea for webservers). Check /etc/defaults/rc.conf for all the gory details; don't just copy my setup verbatim.
Moving onward, we then supply ipfilter with some rules to do some nifty things. For example, my rule sets (and configuration) break tcp stealth scans (fin, xmas, null) as well as OS fingerprinting (-O option for nmap) and generally act paranoid to everyone and everything dealing with the wan interface (in my ruleset, dc0):

block in log first level auth.alert proto tcp all with short
block in log first level auth.alert all with ipopts
block return-icmp-as-dest(port-unr) in log first level auth.alert on dc0 proto udp from any to 24.108.26.39/32
block return-rst in log first level auth.alert on dc0 proto tcp from any to 24.108.26.39/32
block in log first level auth.alert quick on dc0 from 192.168.0.0/16 to any
block in log first level auth.alert quick on dc0 from 172.16.0.0/12 to any
block in log first level auth.alert quick on dc0 from 10.0.0.0/8 to any
block in log first level auth.alert quick on dc0 from 127.0.0.0/8 to any
block in log first level auth.alert quick on dc0 from 24.108.26.39/32 to any
pass out quick on dc0 proto tcp/udp from 24.108.26.39/32 to any keep state
pass out quick on dc0 proto icmp from 24.108.26.39/32 to any keep state
pass in quick on dc0 proto tcp from 206.75.216.200 to any port = 53 flags S
pass in quick on dc0 proto udp from 206.75.216.200 to any port = 53
pass in quick on dc0 proto tcp from 206.75.216.210 to any port = 53 flags S
pass in quick on dc0 proto udp from 206.75.216.210 to any port = 53
pass in quick on dc0 proto tcp from any to 24.108.26.39/32 port = 25 flags S keep state keep frags
pass in quick on dc0 proto tcp from any to 24.108.26.39/32 port = 113 flags S keep state keep frags
pass in quick on dc0 proto tcp from any to 24.108.26.39/32 port = 6667 flags S keep state keep frags
pass in quick on dc0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on dc0 proto tcp from any port = 20 to any flags S keep state keep frags
pass in quick on dc0 proto icmp from any to any icmp-type 0
pass in quick on dc0 proto icmp from any to any icmp-type 3
pass in quick on dc0 proto icmp from any to any icmp-type 3 code 4
pass in quick on dc0 proto icmp from any to any icmp-type 11
block in log first level auth.alert quick on dc0 proto icmp from any to any

As a side note, according to Building Internet Firewalls [O'Reilly], passing ICMP type 12 (parameter problem) should be OK as well. I didn't in my example above, however, but if you're gung-ho to add it:

pass in quick on dc0 proto icmp from any to any icmp-type 12

Hope this helps.

From owner-freebsd-security Sat Mar 11 10:27: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.numachi.com (numachi.numachi.com [198.175.254.2]) by hub.freebsd.org (Postfix) with SMTP id C277937BC02 for ; Sat, 11 Mar 2000 10:26:56 -0800 (PST) (envelope-from reichert@numachi.com)
Received: (qmail 15246 invoked by uid 1001); 11 Mar 2000 17:18:37 -0000
Date: Sat, 11 Mar 2000 12:18:37 -0500
From: Brian Reichert
To: Harold Gutch
Cc: Andy Farkas , freebsd-security@FreeBSD.ORG
Subject: Re: security check output
Message-ID: <20000311121836.A15122@numachi.com>
References: <200003101459.BAA03095@zippyii.af.speednet.com.au> <20000311044658.A10149@foobar.franken.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre4i
In-Reply-To: <20000311044658.A10149@foobar.franken.de>; from logix@foobar.franken.de on Sat, Mar 11, 2000 at 04:46:58AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 11, 2000 at 04:46:58AM +0100, Harold Gutch wrote:
> On Sat, Mar 11, 2000 at 02:18:13PM +1100, Andy Farkas wrote:
> >
> > This may belong on -questions...
> >
> > How is it possible that I get connection attempts from outside my private
> > subnet? My main concern is how the heck do these packets get routed to my
> > workstation? I'm sure there are routers in between that drop RFC1918
> > addresses..
> >
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> > > Connection attempt to TCP 172.22.2.9:1503 from 216.35.209.171:80
> [...]

Wasn't there some issue with a class of HP printers having hijacked an IP block? I need to find a URL, gimme a few minutes...

-- 
Brian 'you Bastard' Reichert    reichert@numachi.com
37 Crystal Ave. #303            Daytime number: (781) 899-7484 x704
Derry NH 03038-1713 USA         Intel architecture: the left-hand path

From owner-freebsd-security Sat Mar 11 16:10:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout3.email.verio.net (dfw-smtpout3.email.verio.net [129.250.36.43]) by hub.freebsd.org (Postfix) with ESMTP id E8AA137BDB0 for ; Sat, 11 Mar 2000 16:10:14 -0800 (PST) (envelope-from bokr@accessone.com)
Received: from [129.250.38.62] (helo=dfw-mmp2.email.verio.net) by dfw-smtpout3.email.verio.net with esmtp (Exim 3.12 #7) id 12TvxW-0000ce-00 for freebsd-security@freebsd.org; Sun, 12 Mar 2000 00:10:14 +0000
Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp2.email.verio.net with smtp (Exim 3.12 #7) id 12TvxU-0005i4-00 for freebsd-security@freebsd.org; Sun, 12 Mar 2000 00:10:13 +0000
Message-Id: <3.0.5.32.20000311161302.00931af0@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Sat, 11 Mar 2000 16:13:02 -0800
To: freebsd-security@freebsd.org
From: Bengt Richter
Subject: is there a paranoia script ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would like a simple centralized interactive (if -i) way to make sure all the "doors" in my system are set to defined states for different modes of operation.
By "doors" I mean various means of access to resources, e.g., firewall-controlled access, other daemon-controlled access, file-permission-controlled access, etc.

Is there a configurable script that can make transitions gracefully (including restore to prev state if interrupted), without shutting down, along the lines of the following? (guided by paranoia.conf)

paranoia -q
    check all "doors" quietly and make and log any necessary changes to
    conform to paranoia.conf defaults (good double-check at end of startup?)

paranoia -s
    print status of all monitored "doors" to stdout

paranoia -i [ -O | -C ]
    walk through all "doors" in default mode list in paranoia.conf and give
    option to "open" or "close" each. "-O" would just walk the default open
    list (the ones that "should be" open), and "-C" would walk the
    should-be-closed list for optional change.

paranoia [ -i | -s ] [ -O | -C ] -m modeName
    same as above but for an alternate set of defaults in paranoia.conf
    tagged with "modeName"

This would make for easy change between modes defining selective lockouts such as external net, local net, shared resources, etc. crontab could let you define hacker curfew times (e.g., by defining a mode with DSL/cable walled out), which you could interactively override if you get in early (and have priv to run paranoia), etc.

This would also make it easier to experiment with toggling combinations of experimental restrictions on file/directory access, etc., with less risk of forgetting to restore something (assuming you defined opened/closed properly in paranoia.conf).

This is a sketch of functionality that I'd like in one easy-to-use script. I'm guessing someone has had this itch before, and scratched it?
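As an added example (not an existing FreeBSD tool, and not code from anyone in this thread), here is a minimal POSIX sh sketch of the -s and -q modes described above, for a single door type: file-permission-controlled access. The paranoia.conf layout, the function names, the undo-file mechanism and the scratch files in the self-test are all assumptions of the example; firewall- or daemon-controlled doors would be further door types with their own check and apply steps.

```shell
#!/bin/sh
# Added example, not an existing FreeBSD tool and not code from this thread:
# a minimal sketch of the "paranoia" script described above, covering the
# -s (status) and -q (quiet enforce) modes and the restore-on-interrupt
# requirement, for one door type only. The conf layout is an assumption:
#
#   <mode> <door-name> perm <path> <octal-mode>
#
# "perm" doors are file-permission-controlled access.

# Octal mode of a file: GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run "$3 door path want have" for every perm door tagged with mode $2 in conf $1.
for_each_door() {
    conf=$1; mode=$2; cb=$3
    while read -r m door type path want; do
        case "$m" in ''|'#'*) continue ;; esac
        [ "$m" = "$mode" ] && [ "$type" = perm ] || continue
        "$cb" "$door" "$path" "$want" "$(file_mode "$path")"
    done < "$conf"
}

_status_line() {  # door path want have
    if [ "$4" = "$3" ]; then st=OK; else st=DRIFT; fi
    printf '%-10s %-40s want=%s have=%s %s\n' "$1" "$2" "$3" "$4" "$st"
}

# paranoia -s [-m mode]: one line per door, ending in OK or DRIFT.
paranoia_status() {
    for_each_door "$1" "$2" _status_line
}

_enforce_one() {  # door path want have; uses PARANOIA_LOG / PARANOIA_UNDO
    [ "$4" = "$3" ] && return 0
    printf '%s %s\n' "$4" "$2" >> "$PARANOIA_UNDO"   # old state, recorded before the change
    chmod "$3" "$2" || return 1
    printf 'paranoia: %s %s %s -> %s\n' "$1" "$2" "$4" "$3" >> "$PARANOIA_LOG"
    PARANOIA_CHANGED=$((PARANOIA_CHANGED + 1))
}

# paranoia -q [-m mode]: bring every drifted door to its configured state,
# log each change, and keep an undo file so an interrupted run rolls back.
# Arguments: conf mode logfile undofile. Prints the number of doors changed.
paranoia_enforce() {
    PARANOIA_LOG=$3; PARANOIA_UNDO=$4; PARANOIA_CHANGED=0
    : > "$PARANOIA_UNDO"
    trap 'paranoia_restore "$PARANOIA_UNDO"; exit 130' INT TERM
    for_each_door "$1" "$2" _enforce_one
    trap - INT TERM
    echo "$PARANOIA_CHANGED"
}

# Replay the undo file newest-first, so a path changed twice ends at its oldest mode.
paranoia_restore() {
    sed -n '1!G;h;$p' "$1" | while read -r oldmode path; do
        chmod "$oldmode" "$path"
    done
}

# Constructed self-test: two doors in a scratch directory, two modes.
# Prints "<drift before> <changed> <drift after> <mode of shadow.db after restore>".
paranoia_selftest() {
    d=$(mktemp -d) || return 1
    echo x > "$d/shadow.db";  chmod 644 "$d/shadow.db"    # should be closed (600)
    echo x > "$d/export.txt"; chmod 600 "$d/export.txt"   # should be open (644)
    cat > "$d/paranoia.conf" <<EOF
# mode     door      type  path            want
default    shadowdb  perm  $d/shadow.db    600
default    export    perm  $d/export.txt   644
lockdown   shadowdb  perm  $d/shadow.db    600
lockdown   export    perm  $d/export.txt   600
EOF
    before=$(paranoia_status "$d/paranoia.conf" default | grep -c ' DRIFT$' || true)
    changed=$(paranoia_enforce "$d/paranoia.conf" default "$d/log" "$d/undo")
    after=$(paranoia_status "$d/paranoia.conf" default | grep -c ' DRIFT$' || true)
    paranoia_restore "$d/undo"
    restored=$(file_mode "$d/shadow.db")
    rm -rf "$d"
    echo "$before $changed $after $restored"
}

if [ "${1-}" = demo ]; then paranoia_selftest; fi
```

Running `sh paranoia.sh demo` prints `2 2 0 644`: two drifted doors found, two changed, none left, and the undo file put shadow.db back to its original mode. The undo line is written before the chmod so that a SIGINT between the two still leaves a record to roll back; the `-m modeName` idea maps onto the mode column, which is why the same path can carry different wanted modes under `default` and `lockdown`.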
From owner-freebsd-security Sat Mar 11 16:43:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dt051n0b.san.rr.com (dt051n0b.san.rr.com [204.210.32.11]) by hub.freebsd.org (Postfix) with ESMTP id 49A8537BAAC for ; Sat, 11 Mar 2000 16:43:33 -0800 (PST) (envelope-from Doug@gorean.org)
Received: from gorean.org (doug@master [10.0.0.2]) by dt051n0b.san.rr.com (8.9.3/8.9.3) with ESMTP id QAA67744; Sat, 11 Mar 2000 16:43:31 -0800 (PST) (envelope-from Doug@gorean.org)
Message-ID: <38CAE832.638931F4@gorean.org>
Date: Sat, 11 Mar 2000 16:43:30 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.72 [en] (X11; U; FreeBSD 4.0-CURRENT-0307 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Bengt Richter
Cc: freebsd-security@freebsd.org
Subject: Re: is there a paranoia script ?
References: <3.0.5.32.20000311161302.00931af0@mail.accessone.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bengt Richter wrote:
> Is there a configurable script that can
> make transitions gracefully (including
> restore to prev state if interrupted),
> without shutting down, along the lines
> of the following?

No, there isn't. Lots of discussion about similar ideas (read: wish lists) in the archives though. Patches are welcome.

Good luck,

Doug

-- 
"Welcome to the desert of the real." - Laurence Fishburne as Morpheus, "The Matrix"
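Going back to Chris Wasser's reply to Ben H earlier in this thread: the two causes he names for `ioctl(SIOCADDFR): Invalid argument` (userland ipf binaries out of sync with the kernel's IP Filter, and no IPFILTER support compiled into the kernel) can both be checked from text that the system already gives you. The POSIX sh below is an added example, not code from the thread; the function names are assumptions, and the sample `ipf -V` output, dmesg lines and kernel-config fragments are constructed from what Chris quoted.

```shell
#!/bin/sh
# Added example, not from the thread: turn the two diagnoses given for
# "ioctl(SIOCADDFR): Invalid argument" into checks over `ipf -V` output,
# a dmesg excerpt and a kernel config. Nothing here talks to the kernel,
# so it runs anywhere; on a live box use:  ipf -V | ipf_check_version

# Sample `ipf -V` output, constructed from the one quoted in the thread.
SAMPLE_MATCH='ipf: IP Filter: v3.3.8 (192)
Kernel: IP Filter: v3.3.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0'

# Constructed: 3.3.3 userland tools talking to a 3.3.8 kernel (cause a).
SAMPLE_MISMATCH='ipf: IP Filter: v3.3.3
Kernel: IP Filter: v3.3.8
Running: yes'

# Constructed dmesg excerpt, matching the two lines quoted in the thread.
SAMPLE_DMESG='IP Filter: initialized.  Default = pass all, Logging = enabled
IP Filter: v3.3.8'

# Constructed kernel config fragments, with and without the options listed.
KERNCONF_WITH='ident   PARANOID
options IPFILTER        #ipfilter support
options IPFILTER_LOG    #ipfilter logging'
KERNCONF_WITHOUT='ident   GENERIC
options INET'

# Reads `ipf -V` output on stdin. Exit codes:
#   0 userland and kernel versions match and the filter is running
#   1 userland and kernel versions differ            (cause a)
#   2 no kernel version reported at all               (cause b, or the ioctl failed)
#   3 versions match but the filter is not running
ipf_check_version() {
    out=$(cat)
    user=$(printf '%s\n' "$out" | sed -n 's/^ipf: IP Filter: \(v[0-9.]*\).*/\1/p')
    kern=$(printf '%s\n' "$out" | sed -n 's/^Kernel: IP Filter: \(v[0-9.]*\).*/\1/p')
    running=$(printf '%s\n' "$out" | sed -n 's/^Running: *//p')
    if [ -z "$kern" ]; then
        echo "no kernel IP Filter version reported: is IPFILTER compiled into the kernel?"
        return 2
    fi
    if [ "$user" != "$kern" ]; then
        echo "userland ipf $user does not match kernel IP Filter $kern: build the ipf tools from the same source tree as the kernel"
        return 1
    fi
    if [ "$running" != yes ]; then
        echo "IP Filter $kern present but not running"
        return 3
    fi
    echo "ipf tools and kernel agree on $kern, filter running"
    return 0
}

# Prints the IP Filter version the kernel announced at boot (dmesg on stdin), or nothing.
dmesg_ipfilter_version() {
    sed -n 's/^IP Filter: \(v[0-9.]*\).*/\1/p'
}

# Reads a kernel config on stdin and reports both IPFILTER options.
# Exit 0 when "options IPFILTER" is present, 1 otherwise.
kernconf_has_ipfilter() {
    conf=$(cat)
    found=0
    for opt in IPFILTER IPFILTER_LOG; do
        # word boundary after the option name so IPFILTER does not match IPFILTER_LOG
        if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|#|\$)"; then
            echo "options $opt: present"
            [ "$opt" = IPFILTER ] && found=1
        else
            echo "options $opt: missing"
        fi
    done
    [ "$found" = 1 ]
}

# Walk the constructed samples and show each check's exit code.
ipf_demo() {
    for s in "$SAMPLE_MATCH" "$SAMPLE_MISMATCH" 'ipf: IP Filter: v3.3.3'; do
        printf '%s\n' "$s" | ipf_check_version || echo "  -> exit $?"
    done
    printf '%s\n' "$KERNCONF_WITHOUT" | kernconf_has_ipfilter || echo "  -> exit $?"
    printf 'kernel booted with IP Filter %s\n' "$(printf '%s\n' "$SAMPLE_DMESG" | dmesg_ipfilter_version)"
}

if [ "${1-}" = demo ]; then ipf_demo; fi
```

The version strings are compared exactly rather than by major.minor, because the SIOCADDFR ioctl carries a rule structure whose layout changes between patch releases; that is exactly why 3.3.3 tools against a 3.3.8 kernel get EINVAL while the rule text itself is fine. Chris's other hint, that stray older binaries can sit in a different path, is worth pairing with `which -a ipf` before trusting the `ipf -V` you ran.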