From owner-freebsd-security Sun Apr 16 11:55:46 2000
Date: Sun, 16 Apr 2000 20:55:28 +0200
From: Anders Nordby
To: freebsd-ipfw@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Closing incoming access to private (and other) networks with ipfw (and running natd)
Message-ID: <20000416205528.F20667@totem.fix.no>
X-Operating-System: FreeBSD 3.4-STABLE

I'm not really sure where I should ask this question, since it's (at least
to me) both natd and ipfw related. I'm building a firewall with three
network cards (3Com xl ones), that routes both public and private networks
to and from the Internet. Natd works -- NICs on the segment routed
directly to the Internet see traffic from NICs on private networks as if
it came from the IP of the NIC on the firewall on the same segment.

Now, my problem is not routing/forwarding on the firewall, nor network
address translation. I need to prevent incoming access to private networks
through the firewall (and be sure it really works :-)). I've tried
configuring natd with deny_incoming, but I can still ping IPs on private
networks through xl0 (which is the NIC on the firewall routed directly to
the Internet). Now, that might be due to me using an extra alias on xl0
and routing through it. But I need to be able to block access from one
network to the other, and still be able to access the one network from the
other (and receive responses to tcp/udp/icmp back with the same
protocol).
I've tried accomplishing this with stuff like ipfw add n deny all from any
to 172.n.n.n in via xl0 and by using the keep-state/check-state etc. stuff
introduced in FreeBSD 4.0, with no luck. :/ Either all traffic is denied
(and I don't get replies back on requests which go the legal, permitted
way), or all traffic (including unwanted) goes through. Does anyone have a
solution for this?

Any help appreciated -- examples, ideas, whatever.

Cheers.

--
Anders.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Apr 17 08:38:11 2000
Message-Id: <200004171220.NAA16155@hak.lan.Awfulhak.org>
To: Anders Nordby
Cc: freebsd-ipfw@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.Awfulhak.org
Subject: Re: Closing incoming access to private (and other) networks with ipfw (and running natd)
In-Reply-To: Message from Anders Nordby of "Sun, 16 Apr 2000 20:55:28 +0200."
    <20000416205528.F20667@totem.fix.no>
Date: Mon, 17 Apr 2000 13:20:52 +0100
From: Brian Somers

The default (despite the libalias documentation, but in line with the
natd documentation) behaviour when receiving new traffic bound for the
internal network(s) *used* to be to let it through. This could be
overridden with PacketAliasSetTarget() (-target_address to natd).

*now* (in -stable & -current), PacketAliasSetTarget(INADDR_ANY) behaves
as before and PacketAliasSetTarget(INADDR_NONE) goes to the alias
address. The default is INADDR_NONE.

Either way, if you ``-target_address 1.2.3.4'' where 1.2.3.4 is your
alias address, you should effectively block connections from outside.

> I'm not really sure where I should ask this question, since it's (at least
> to me) both natd and ipfw related. I'm building a firewall with three
> network cards (3Com xl ones), that routes both public and private networks
> to and from the Internet. Natd works -- NICs on the segment routed
> directly to the Internet see traffic from NICs on private networks as if
> it came from the IP of the NIC on the firewall on the same segment.
>
> Now, my problem is not routing/forwarding on the firewall, nor network
> address translation. I need to prevent incoming access to private networks
> through the firewall (and be sure it really works :-)). I've tried
> configuring natd with deny_incoming, but I can still ping IPs on private
> networks through xl0 (which is the NIC on the Firewall routed directly to
> the Internet). Now, that might be due to me using an extra alias on xl0
> and routing through it. But I need to be able to block access from one
> network to the other, and still be able to access the one network from the
> other (and receive responses to tcp/udp/icmp back with the same
> protocol).
> I've tried accomplishing this with stuff like ipfw add n deny
> all from any to 172.n.n.n in via xl0 and by using the
> keep-state/check-state etc. stuff introduced in FreeBSD 4.0, with no
> luck. :/ Either all traffic is denied (and I don't get replies back on
> requests which go the legal, permitted way), or all traffic (including
> unwanted) goes through. Does anyone have a solution for this?
>
> Any help appreciated -- examples, ideas, whatever.
>
> Cheers.
>
> --
> Anders.

--
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Mon Apr 17 13:46:50 2000
Message-ID: <005601bfa8ae$0ad3ece0$7f00800a@corp.auctionwatch.com>
From: "Michael S. Fischer"
Subject: Fw: Re: imapd4r1 v12.264
Date: Mon, 17 Apr 2000 13:46:42 -0700

This is the current version in the ports collection. Help!
----- Original Message -----
From: "Tibor Pittich"
Sent: Monday, April 17, 2000 3:38 AM
Subject: Re: imapd4r1 v12.264

On 16 Apr 2000 at 14:19, Michal Zalewski wrote:
> * OK nimue IMAP4rev1 v12.264 server ready
> 1 login lcamtuf test
> 1 OK LOGIN completed
> 1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()

Older version, imap-4.5-4 seems to be ok..

* OK localhost IMAP4rev1 v12.250 server ready
1 login test test
1 OK LOGIN completed
1 list "" 'lot of AAAAA....'
1 OK LIST completed

in other imap-4.6-3 too:

* OK localhost IMAP4rev1 v12.252 server ready
1 login future test
1 OK LOGIN completed
1 list "" 'lot of AAAA......'
1 OK LIST completed

I think this is a new "feature" coming from Washington university;)

Best regards
--
+------------------------+------------------------------------------------+
+ Tibor "FuturE" Pittich | Email : Tibor.Pittich@phuture.sk
+------------------------+ HomePage : http://c0re.phuture.sk/future
PGPkey v5.0i: pgpk -a finger://c0re.phuture.sk/future
+-------------------------> write to me in ISO-8859-2 <-----------------------+

From owner-freebsd-security Mon Apr 17 18:18:46 2000
Date: Mon, 17 Apr 2000 18:18:43 -0700 (PDT)
From: Kris Kennaway
To: "Michael S. Fischer"
Cc: security@freebsd.org
Subject: Re: Fw: Re: imapd4r1 v12.264
In-Reply-To: <005601bfa8ae$0ad3ece0$7f00800a@corp.auctionwatch.com>

On Mon, 17 Apr 2000, Michael S. Fischer wrote:

> This is the current version in the ports collection. Help!

Briefly, the vulnerability seems to be that someone who has a mail account
on the server can get access to the user account which runs imapd. I don't
think it's something that can be exploited by an outsider, so it might be
that in your environment the threat is not significant.

As for workarounds, stay tuned.. I haven't seen a patch yet.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Apr 17 18:33:04 2000
Date: Mon, 17 Apr 2000 18:33:01 -0700 (PDT)
From: Kris Kennaway
To: "Michael S. Fischer"
Cc: security@freebsd.org
Subject: Re: Fw: Re: imapd4r1 v12.264

On Mon, 17 Apr 2000, Kris Kennaway wrote:

> On Mon, 17 Apr 2000, Michael S. Fischer wrote:
>
> > This is the current version in the ports collection. Help!
>
> Briefly, the vulnerability seems to be that someone who has a mail account
> on the server can get access to the user account which runs imapd. I don't
> think it's something that can be exploited by an outsider, so it might be
> that in your environment the threat is not significant.

According to the message I just read on bugtraq by the vendor, it doesn't
seem to be as bad as I described it above: imapd has dropped privileges by
the time it hits the vulnerability, so exploiting it will only give access
to the shell account of the user who has logged in to imap. This may still
be a problem in some installations, i.e. if they don't provide shell
access to their mail users on the imap server.
Note that I haven't heard independent confirmation of the above, so it's
subject to revision :-)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Apr 17 18:44:50 2000
Message-ID: <00ae01bfa8d7$ad5188a0$7f00800a@corp.auctionwatch.com>
From: "Michael S. Fischer"
To: "Kris Kennaway"
Subject: Re: Fw: Re: imapd4r1 v12.264
Date: Mon, 17 Apr 2000 18:44:46 -0700

On Mon, 17 Apr 2000, Kris Kennaway wrote:
>
> > On Mon, 17 Apr 2000, Michael S. Fischer wrote:
> >
> > > This is the current version in the ports collection. Help!
> >
> > Briefly, the vulnerability seems to be that someone who has a mail account
> > on the server can get access to the user account which runs imapd. I don't
> > think it's something that can be exploited by an outsider, so it might be
> > that in your environment the threat is not significant.
>
> According to the message I just read on bugtraq by the vendor, it doesn't
> seem to be as bad as I described it above: imapd has dropped privileges by
> the time it hits the vulnerability, so exploiting it will only give access
> to the shell account of the user who has logged in to imap. This may still
> be a problem in some installations, i.e. if they don't provide shell
> access to their mail users on the imap server.
>
> Note that I haven't heard independent confirmation of the above, so it's
> subject to revision :-)

Are you saying that remotely giving access to the user's account isn't bad
enough? In my environment, certain users have sudo access...

--Michael

From owner-freebsd-security Mon Apr 17 20:04:40 2000
Date: Mon, 17 Apr 2000 20:04:36 -0700 (PDT)
From: Kris Kennaway
To: "Michael S. Fischer"
Cc: security@FreeBSD.org
Subject: Re: Fw: Re: imapd4r1 v12.264
In-Reply-To: <00ae01bfa8d7$ad5188a0$7f00800a@corp.auctionwatch.com>

On Mon, 17 Apr 2000, Michael S. Fischer wrote:

> Are you saying that remotely giving access to the user's account isn't bad
> enough? In my environment, certain users have sudo access...
No, I'm saying that in some (perhaps most) environments the user already
has shell access to the machine, so it's not a risk (if my interpretation
of the vulnerability is correct). If you have a machine which doesn't
allow shell access, but serves users with imap, then they can exploit the
vulnerability to gain shell access to the machine. Note that you need to
successfully log into an account on the imap server to exploit the
problem, which means knowing the password.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Apr 17 20:09:46 2000
Message-ID: <013301bfa8e3$8521f160$7f00800a@corp.auctionwatch.com>
From: "Michael S. Fischer"
To: "Kris Kennaway"
Subject: Re: Fw: Re: imapd4r1 v12.264
Date: Mon, 17 Apr 2000 20:09:32 -0700

Kris Kennaway wrote:
> On Mon, 17 Apr 2000, Michael S. Fischer wrote:
>
> > Are you saying that remotely giving access to the user's account isn't bad
> > enough? In my environment, certain users have sudo access...
>
> No, I'm saying that in some (perhaps most) environments the user already
> has shell access to the machine, so it's not a risk (if my interpretation
> of the vulnerability is correct). If you have a machine which doesn't
> allow shell access, but serves users with imap, then they can exploit the
> vulnerability to gain shell access to the machine. Note that you need to
> successfully log into an account on the imap server to exploit the
> problem, which means knowing the password.

Understood. Thanks for clearing that up,

--Michael

From owner-freebsd-security Mon Apr 17 21:46:21 2000
Date: Tue, 18 Apr 2000 00:46:15 -0400 (EDT)
From: Robert Watson
To: Kris Kennaway, "Michael S. Fischer"
Cc: security@FreeBSD.org
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)

On Mon, 17 Apr 2000, Kris Kennaway wrote:

> According to the message I just read on bugtraq by the vendor, it doesn't
> seem to be as bad as I described it above: imapd has dropped privileges by
> the time it hits the vulnerability, so exploiting it will only give access
> to the shell account of the user who has logged in to imap. This may still
> be a problem in some installations, i.e. if they don't provide shell
> access to their mail users on the imap server.
I consider the post by the vendor in the bugtraq forum to be some sort of
poor joke. At this point, it would appear that anyone who takes security
seriously should use some other mail package, or risk their systems'
integrity. In particular, the thing about chroot'ing to /tmp is fairly
laughable. While partitioning can be a useful scheme for reducing risk,
"/tmp" is not the place to chroot to, and chroot'ing is not a replacement
for careful code auditing. The suggestion that stackguard should be
required to make their software secure has wandered far beyond
``questionable,'' and well into the ``don't touch anything related to my
system ever again.''

The University of Washington IMAP programmers have proven time and again
that they are quite capable of releasing code that puts people's systems
at risk. They also are reluctant to admit or fix the bugs, and have
demonstrated poor understanding of systems security issues. In other
words, they make the poorest of choices when it comes to selecting
developers for security-sensitive software (i.e., remote mail access
servers). Perhaps we should fedex the uw-imapd people to the OpenBSD camp
for correctional treatment.

Given that attitude of the developer, I would strongly recommend we mark
the port as FORBIDDEN, and would also seriously consider any suggestion to
simply drop it from the ports and packages collections.
Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Tue Apr 18 08:42:33 2000
Date: Tue, 18 Apr 2000 10:42:28 -0500
From: Ade Lovett
To: Robert Watson
Cc: security@FreeBSD.org
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)
Message-ID: <20000418104228.B10735@lovett.com>

On Tue, Apr 18, 2000 at 12:46:15AM -0400, Robert Watson wrote:
>
> Given that attitude of the developer, I would strongly recommend we mark
> the port as FORBIDDEN, and would also seriously consider any suggestion to
> simply drop it from the ports and packages collections.

It's worth noting that (at least) the following ports use the IMAP-UW
c-client library, so either may be affected by the hole, or will cease to
function if we forbid/kill the port.

mail/tkrat, mail/tkrat2
www/apache13-php3, www/apache13-php4 (IMAP support)

-aDe

--
Ade Lovett, Austin, TX.
From owner-freebsd-security Tue Apr 18 08:47:00 2000
Date: Tue, 18 Apr 2000 23:42:59 +0800
From: Ng Pheng Siong
To: freebsd-security@freebsd.org
Subject: StackGuard, etc.?
Message-ID: <20000418234259.K593@madcap.dyndns.org>

Hello,

Just wondering if StackGuard, Solar Designer's non-executable stack
design, etc. apply to FreeBSD.

If not, are there others that do?

TIA. Cheers.

--
Ng Pheng Siong * http://www.post1.com/home/ngps

From owner-freebsd-security Tue Apr 18 08:58:30 2000
Date: Tue, 18 Apr 2000 18:58:10 +0300
From: Vladimir Girnetz
Organization: Asociatia DNT
Message-ID: <18790.000418@dnt.md>
To: security@freebsd.org
Subject: about spwd.db

Hello FreeBSD security,

I have on a FreeBSD machine about 33000 users and this number grows!
To add a new user takes about 1 minute. At this time the machine is
very busy :(

I use the standard pw, and pwd_mkdb.
Are there any solutions to make it easier?

I tried this idea: the spwd.db file is in DB3 format (as is written in
the man pages of pwd_mkdb). With the perl database manager I tried to
make some changes there, but without any success.

Does somebody know how I can make it?

Best regards,
Vladimir mailto:vg@dnt.md

From owner-freebsd-security Tue Apr 18 09:03:54 2000
Date: Tue, 18 Apr 2000 17:04:47 +0100
From: Stuart Henderson
To: Vladimir Girnetz
Cc: security@freebsd.org
Subject: Re: about spwd.db
Message-ID: <20000418170447.A26457@naiad.eclipse.net.uk>
References: <18790.000418@dnt.md>
In-Reply-To: <18790.000418@dnt.md>; from vg@dnt.md on Tue, Apr 18, 2000 at 06:58:10PM +0300

On Tue, Apr 18, 2000 at 06:58:10PM +0300, Vladimir Girnetz wrote:
> Hello FreeBSD security,

You should probably write to freebsd-questions with a question of this
kind.

> I have on a FreeBSD machine about 33000 users and this number grows!
> To add a new user takes about 1 minute. At this time the machine is
> very busy :(

You need to recompile pwd_mkdb with a higher cache value. See the
comments in the source code.

From owner-freebsd-security Tue Apr 18 12:34:57 2000
Date: Tue, 18 Apr 2000 12:34:55 -0700 (PDT)
From: Kris Kennaway
To: Ng Pheng Siong
Cc: freebsd-security@freebsd.org
Subject: Re: StackGuard, etc.?
In-Reply-To: <20000418234259.K593@madcap.dyndns.org>

On Tue, 18 Apr 2000, Ng Pheng Siong wrote:

> Just wondering if StackGuard, Solar Designer's non-executable
> stack design, etc. apply to FreeBSD.
>
> If not, are there others that do?

The basic design is compatible with FreeBSD, but it needs to be
ported. Because it modifies gcc, it's linux-specific at present.

It would be a *very* useful project for someone who wants to work on a
compiler project.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue Apr 18 21:00:08 2000
Date: Wed, 19 Apr 2000 15:59:51 +1200 (NZST)
From: Dan Langille
To: freebsd-security@freebsd.org
Subject: using mysql over ssh

I want to access a mysql database remotely. I've had success with the
following approach:

ssh user@mydomain.org /usr/local/mysql/bin/mysql -uuserid -ppassword dbname < mysql.sql

where mysql.sql contains the SQL statements I wish to run.

I have two issues with this approach:

1 - The mysql password is supplied on the command line. I don't like
that. How can I avoid that?

2 - To achieve the ssh login, I copied the contents of ~/.ssh/identity.pub
to ~/.ssh/authorized_keys on the remote box. How much of a risk is it
allowing logins like that? My feeling is that if I trust the security on
the local box, it's not an issue. Comments?

Any other suggestions/recommendations will be appreciated.
cheers

From owner-freebsd-security Tue Apr 18 23:20:45 2000
Date: Wed, 19 Apr 2000 02:20:28 -0400 (EDT)
From: "Harry M. Leitzell"
To: Kris Kennaway
Cc: Ng Pheng Siong, freebsd-security@freebsd.org
Subject: Re: StackGuard, etc.?

StackGuard modifies the compiler (the latest version also includes some
method of canary injection that prevents heap exploitation as well, I do
believe?), but Solar Designer's code modifies the kernel. Basically, if
you look at it from the standpoint of which would be nicer to have, I
would say having flags within the kernel would be best. Even though
Solaris does a crappy job of stack protection, it is a nice model to
aspire to. Have a flag so that anything with +s gets run through the
stack/heap protection code, or if it's being run as root, or is a daemon,
etc... You set the parameters; it doesn't matter if you got it in
binary-only format, it protects you nonetheless.

Anyhow, there are a couple of different ways to protect the stack, and if
they aren't implemented correctly together, the protection is pretty
worthless. For more detail on why stack protection isn't enough, visit
http://www.w00w00.org/files/articles/heaptut.txt which is a good article
by Matt Conover.
Enough ranting, I will start coding and putting out results for everyone to pore over and chuckle about =]. Only thing that is bugging me is some method of doing heap protection at run time that doesn't break things. If anyone has any thoughts on how to do this, please send me an email so I can hack away at it.

Toodles

On Tue, 18 Apr 2000, Kris Kennaway wrote:

> On Tue, 18 Apr 2000, Ng Pheng Siong wrote:
>
> > Just wondering if StackGuard, Solar Designer's non-executable
> > stack design, etc. apply to FreeBSD.
> >
> > If not, are there others that do?
>
> The basic design is compatible with FreeBSD, but it needs to be
> ported. Because it modifies gcc, it's linux-specific at present.
>
> It would be a *very* useful project for someone who wants to work on a
> compiler project.
>
> Kris
>
> ----
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
Carnegie Mellon University
Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

From owner-freebsd-security Tue Apr 18 23:36:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (chilled.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 8A0A437B58B for ; Tue, 18 Apr 2000 23:36:20 -0700 (PDT) (envelope-from dan@langille.org)
Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id SAA21329 for ; Wed, 19 Apr 2000 18:36:18 +1200 (NZST)
Message-Id: <200004190636.SAA21329@ducky.nz.freebsd.org>
From: "Dan Langille"
Organization: langille.org
To: freebsd-security@freebsd.org
Date: Wed, 19 Apr 2000 18:36:05 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: using mysql over ssh
Reply-To: dan@langille.org
In-Reply-To:
X-mailer: Pegasus Mail for Win32 (v3.12b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I want to access a mysql database remotely. I've had success with the
> following approach:
>
> ssh user@mydomain.org /usr/local/mysql/bin/mysql -uuserid
> -ppassword dbname < mysql.sql

Please note: the above code resides within a script and I'm not running this from the command line.
-- 
Dan Langille [I'm looking for more work]
http://www.langille.org/ | http://www.unixathome.org/
http://www.racingsystem.com/ | http://www.freebsddiary.org/

From owner-freebsd-security Wed Apr 19 00:31:05 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (chilled.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 5039A37B6BD for ; Wed, 19 Apr 2000 00:31:02 -0700 (PDT) (envelope-from dan@langille.org)
Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id TAA21657 for ; Wed, 19 Apr 2000 19:30:58 +1200 (NZST)
Message-Id: <200004190730.TAA21657@ducky.nz.freebsd.org>
From: "Dan Langille"
Organization: langille.org
To: freebsd-security@freebsd.org
Date: Wed, 19 Apr 2000 19:30:34 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: using mysql over ssh
Reply-To: dan@langille.org
In-Reply-To:
X-mailer: Pegasus Mail for Win32 (v3.12b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I want to access a mysql database remotely. I've had success with
> the following approach:
>
> ssh user@mydomain.org /usr/local/mysql/bin/mysql -uuserid
> -ppassword dbname < mysql.sql

There is nothing like finding the answer shortly after posting a question.

I found the solution at:

http://www.mysql.com/php/manual.php3?section=Password_security

You create ~/.my.cnf and add this:

    [client]
    password=your_pass

Then you don't need to specify the password on the command line as shown above.

I'd still like feedback about my points 1 and 2 in my original post.

cheers.
-- 
Dan Langille [I'm looking for more work]
http://www.langille.org/ | http://www.unixathome.org/
http://www.racingsystem.com/ | http://www.freebsddiary.org/

From owner-freebsd-security Wed Apr 19 02:58:06 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id DAD8C37B551 for ; Wed, 19 Apr 2000 02:58:02 -0700 (PDT) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id JAA06520; Wed, 19 Apr 2000 09:56:33 GMT
Message-ID: <38FD82D2.F4449B52@algroup.co.uk>
Date: Wed, 19 Apr 2000 10:56:34 +0100
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: dan@langille.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: using mysql over ssh
References: <200004190730.TAA21657@ducky.nz.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dan Langille wrote:
>
> > I want to access a mysql database remotely. I've had success with
> > the following approach:
> >
> > ssh user@mydomain.org /usr/local/mysql/bin/mysql -uuserid
> > -ppassword dbname < mysql.sql
>
> There is nothing like finding the answer shortly after posting a question.
>
> I found the solution at:
>
> http://www.mysql.com/php/manual.php3?section=Password_security
>
> You create ~/.my.cnf and add this:
>
> [client]
> password=your_pass
>
> Then you don't need to specify the password on the command line as
> shown above.
>
> I'd still like feedback about my points 1 and 2 in my original post.

Open two terminal windows...
In window one, do:

    ssh -L 3306:localhost:3306 user@mydomain.org

In window two, do:

    # note: on a Unix client "-h localhost" selects the local Unix socket rather
    # than TCP; give "-h 127.0.0.1" to force the connection through the tunnel
    mysql -h localhost -u userid -p dbname < mysql.sql

the mysql client will tunnel its connection to the remote server, and you will be prompted locally for the password (if you're using an up to date copy of mysql). You can also use this method for an interactive session...

You will need to have the remote server set up to use MYSQL_TCP_PORT instead of the default MYSQL_UNIX_PORT, and it's a good idea to bind it to loopback so that only local or tunneled clients can connect.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Wed Apr 19 08:29:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [198.7.192.5]) by hub.freebsd.org (Postfix) with SMTP id 464A637BCBE for ; Wed, 19 Apr 2000 08:29:25 -0700 (PDT) (envelope-from barrett@aye.net)
Received: (qmail 21188 invoked by uid 1000); 19 Apr 2000 15:29:23 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Apr 2000 15:29:23 -0000
Date: Wed, 19 Apr 2000 11:29:23 -0400 (EDT)
From: Barrett Richardson
To: Ng Pheng Siong
Cc: freebsd-security@freebsd.org
Subject: Re: StackGuard, etc.?
In-Reply-To: <20000418234259.K593@madcap.dyndns.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 18 Apr 2000, Ng Pheng Siong wrote:

> Hello,
>
> Just wondering if StackGuard, Solar Designer's non-executable
> stack design, etc. apply to FreeBSD.
>
> If not, are there others that do?
>
> TIA. Cheers.

It takes some minor hackage to get it going under FreeBSD.
- Barrett

From owner-freebsd-security Wed Apr 19 09:02:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8558C37B551; Wed, 19 Apr 2000 09:01:02 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id JAA08776; Wed, 19 Apr 2000 09:01:02 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda08764; Wed Apr 19 08:59:29 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA04446; Wed, 19 Apr 2000 08:59:28 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdmX4444; Wed Apr 19 08:58:56 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.10.1/8.9.1) id e3JFvdX00892; Wed, 19 Apr 2000 08:57:39 -0700 (PDT)
Message-Id: <200004191557.e3JFvdX00892@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdJMk888; Wed Apr 19 08:57:35 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.4-RELEASE
X-Sender: cy
To: Robert Watson
Cc: Kris Kennaway, "Michael S. Fischer", security@FreeBSD.ORG
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)
In-reply-to: Your message of "Tue, 18 Apr 2000 00:46:15 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 19 Apr 2000 08:57:34 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Robert Watson writes:

> Given that attitude of the developer, I would strongly recommend we mark
> the port as FORBIDDEN, and would also seriously consider any suggestion to
> simply drop it from the ports and packages collections.

Let me second that opinion. I'd prefer just dropping it from ports collection.


Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/DEC Team        Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Apr 19 09:57:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 6E5E237BCD7; Wed, 19 Apr 2000 09:57:18 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id JAA22163; Wed, 19 Apr 2000 09:57:18 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 19 Apr 2000 09:57:17 -0700 (PDT)
From: Kris Kennaway
To: Cy Schubert - ITSD Open Systems Group
Cc: Robert Watson, "Michael S. Fischer", security@FreeBSD.ORG
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)
In-Reply-To: <200004191557.e3JFvdX00892@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 19 Apr 2000, Cy Schubert - ITSD Open Systems Group wrote:

> Let me second that opinion. I'd prefer just dropping it from ports
> collection.

The problem is the lack of an alternative IMAP server in ports.
There's cyrus, but apparently that is slightly intrusive to install.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Wed Apr 19 13:20:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from Cantor.suse.de (Cantor.suse.de [194.112.123.193]) by hub.freebsd.org (Postfix) with ESMTP id 6120637B604; Wed, 19 Apr 2000 13:20:47 -0700 (PDT) (envelope-from marc@suse.de)
Received: from Hermes.suse.de (Hermes.suse.de [194.112.123.136]) by Cantor.suse.de (Postfix) with ESMTP id 81C0C1E1C7; Wed, 19 Apr 2000 22:20:44 +0200 (MEST)
Received: from Galois.suse.de (Galois.suse.de [10.0.0.1]) by Hermes.suse.de (Postfix) with ESMTP id 750F710A032; Wed, 19 Apr 2000 22:20:29 +0200 (MEST)
Received: by Galois.suse.de (Postfix, from userid 224) id 603DB67A5; Wed, 19 Apr 2000 22:20:28 +0200 (MEST)
Subject: Re: [suse-security] imapd4r1 v12.264 and Security Implications
To: suse-security@suse.com
Date: Wed, 19 Apr 2000 22:20:28 +0200 (MEST)
Cc: FBob@wt.net, rwatson@FreeBSD.ORG, security@FreeBSD.ORG, michael@dynamine.net
X-Mailer: ELM [version 2.4ME+ PL47 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2840
Message-Id: <20000419202028.603DB67A5@Galois.suse.de>
From: marc@suse.de (Marc Heuse)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

> The following was posted on FreeBSD-Security today. I was interested
> in the official SuSE position since I run both OS's.

here it is:

>> I consider the post by the vendor in the bugtraq forum to be some sort of
>> poor joke. At this point, it would appear that anyone who takes security
>> seriously should use some other mail package, or risk their systems'
>> integrity. In particular, the thing about chroot'ing to /tmp is fairly
>> laughable. While partitioning can be a useful scheme for reducing risk,
>> "/tmp" is not the place to chroot to, and chroot'ing is not a replacement
>> for careful code auditing. The suggestion that stackguard should be
>> required to make their software secure has wandered far beyond
>> ``questionable,'' and well into the ``don't touch anything related to my
>> system ever again.''

Although the language is a bit rude, he is absolutely correct.

>> The University of Washington IMAP programmers have proven time and again
>> that they are quite capable of releasing code that puts people's systems
>> at risk. They also are reluctant to admit or fix the bugs, and have
>> demonstrated poor understanding of systems security issues. In other
>> words, they make the poorest of choices when it comes to selecting
>> developers for security-sensitive software (i.e., remote mail access
>> servers). Perhaps we should fedex the uw-imapd people to the OpenBSD camp
>> for correctional treatment.

Well ... it's not the first vulnerability in wu-imap. And the response of the wu-imap programmer really shows that he does not know about secure coding. A security audit of the code would really be needed; however, after half a year new vulnerabilities would be there and the thing would start over.

>> Given that attitude of the developer, I would strongly recommend we mark
>> the port as FORBIDDEN, and would also seriously consider any suggestion to
>> simply drop it from the ports and packages collections.

This is unrealistic. People want, and some even depend on, imapd. And if we would do that to imapd, we would have to do the same for pop3, ftp etc. So the solution is to switch to an imapd with more knowledgeable programmers. Not a very easy task ...

We will provide an update for wu-imapd. But we propose the use of another imapd. As far as I remember, there is another imapd server on the SuSE CDs (there are far too many packages to remember them all ;-))). Let's hope that the code of that one is better ...
Well, time to do a sourcecode audit :( *sigh*

Greets,
Marc

-- 
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de        Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE  16 D9 70 D4 87 B5 63 6C

From owner-freebsd-security Wed Apr 19 14:26:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id D585837BD34; Wed, 19 Apr 2000 14:26:38 -0700 (PDT)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:13.generic-nqs
Reply-To: security-officer@freebsd.org
From: FreeBSD Security Officer
Message-Id: <20000419212638.D585837BD34@hub.freebsd.org>
Date: Wed, 19 Apr 2000 14:26:38 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:13                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          generic-nqs contains a local root compromise

Category:       ports
Module:         generic-nqs
Announced:      2000-04-19
Credits:        Philippe Andersson via BugTraq
Affects:        Ports collection before the correction date.
Corrected:      2000-04-16
Vendor status:  Updated version released.
FreeBSD only:   NO

I.   Background

Generic-NQS is a Network Queuing System for batch-processing jobs across multiple machines.

II.  Problem Description

Generic-NQS versions 3.50.7 and earlier contain a security vulnerability which allows a local user to easily obtain root privileges. Unfortunately, further details of the location and nature of the vulnerability were not provided by the original poster, upon request of the Generic-NQS developers.
The generic-nqs port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A local user can obtain root privileges by exploiting a vulnerability in the generic-nqs package.

If you have not chosen to install the generic-nqs port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Remove the generic-nqs port, if you have installed it.

V.   Solution

1) Upgrade your entire ports collection and rebuild the generic-nqs port.

2) Reinstall a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/generic-nqs-3.50.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/generic-nqs-3.50.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/generic-nqs-3.50.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/generic-nqs-3.50.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/generic-nqs-3.50.9.tgz

Note that it may be a few days before the updated package is available.

3) Download a new port skeleton for the generic-nqs port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOP4kUVUuHi5z0oilAQGmYAQAntm5ianpGoWd2dr2Nf294InKoxRK5tt+
61yGHUdZiFIWNUcEEow158vCnmAid1XyBRrYdeZLCs0EU0gaHRL21a1RpKab31T1
oc8pPK5mCyygwrXCf/u4aZES/HQyVbpryEqnvrggSzjlXExhsl6i+4YEBYHUO2Mi
s8xowH91Sy4=
=eXhd
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Apr 19 15:06:05 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (chilled.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 6BB6437B5AD for ; Wed, 19 Apr 2000 15:06:00 -0700 (PDT) (envelope-from dan@langille.org)
Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id KAA26315 for ; Thu, 20 Apr 2000 10:05:58 +1200 (NZST)
Message-Id: <200004192205.KAA26315@ducky.nz.freebsd.org>
From: "Dan Langille"
Organization: langille.org
To: freebsd-security@FreeBSD.ORG
Date: Thu, 20 Apr 2000 10:05:56 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: using mysql over ssh
Reply-To: dan@langille.org
In-reply-to: <38FD82D2.F4449B52@algroup.co.uk>
X-mailer: Pegasus Mail for Win32 (v3.12b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 19 Apr 00, at 10:56, Adam Laurie wrote:

> Dan Langille wrote:
> >
> > > I want to access a mysql database remotely. I've had success with the
> > > following approach:
> > >
> > > ssh user@mydomain.org /usr/local/mysql/bin/mysql -uuserid
> > > -ppassword dbname < mysql.sql
> >
> > There is nothing like finding the answer shortly after posting a
> > question.
> >
> > I found the solution at:
> >
> > http://www.mysql.com/php/manual.php3?section=Password_security
> >
> > You create ~/.my.cnf and add this:
> >
> > [client]
> > password=your_pass
> >
> > Then you don't need to specify the password on the command line as
> > shown above.
> >
> > I'd still like feedback about my points 1 and 2 in my original post.
>
> Open two terminal windows...
>
> In window one, do:
>
> ssh -L 3306:localhost:3306 user@mydomain.org
>
> In window two, do:
>
> mysql -h localhost -u userid -p dbname < mysql.sql
>
> the mysql client will tunnel it's connection to the remote server, and you
> will be prompted locally for the password (if you're using an up to date
> copy of mysql). You can also use this method for an interactive session...
>
> You will need to have the remote server up to use MYSQL_TCP_PORT instead of
> the default MYSQL_UNIX_PORT, and it's a good idea to bind it to loopback to
> that only local or tunneled clients can connect.

What is the point of two windows?

Note: the goal is to put all of this into a script. It will not be interactive. There will be nobody there to reply to a prompt. That's why I like the ~/.my.cnf entry so much.

thanks.
-- 
Dan Langille [I'm looking for more work]
http://www.langille.org/ | http://www.unixathome.org/
http://www.racingsystem.com/ | http://www.freebsddiary.org/

From owner-freebsd-security Wed Apr 19 15:25:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ares.trc.adelaide.edu.au (ares.trc.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id A387837B542; Wed, 19 Apr 2000 15:25:28 -0700 (PDT) (envelope-from glewis@ares.trc.adelaide.edu.au)
Received: (from glewis@localhost) by ares.trc.adelaide.edu.au (8.9.3/8.9.3) id HAA37301; Thu, 20 Apr 2000 07:55:25 +0930 (CST) (envelope-from glewis)
From: Greg Lewis
Message-Id: <200004192225.HAA37301@ares.trc.adelaide.edu.au>
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)
In-Reply-To: from Kris Kennaway at "Apr 19, 2000 09:57:17 am"
To: Kris Kennaway
Date: Thu, 20 Apr 2000 07:55:25 +0930 (CST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL70 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Let me second that opinion. I'd prefer just dropping it from ports
> > collection.
>
> The problem is the lack of an alternative IMAP server in ports. There's
> cyrus, but apparently that is slightly intrusive to install.
>
> Kris

When I was looking at IMAP servers there were two things which basically put me off Cyrus (with respect to what I wanted it for):

1. It differs from other IMAP server implementations in that it is run on "sealed" servers, where users are not normally permitted to log in. (Direct quote from one of their web pages.)

2. It doesn't work with Berkeley mailbox format.

That said, it does have a lot greater focus on security than the UW server appears to have...
The only other non-commercial imap server I know of is Courier (see http://www.inter7.com/courierimap/). But again, this doesn't handle the Berkeley mailbox format but wants things in Maildir mailboxes. Also, it's not in the Ports collection.

-- 
Greg Lewis                    glewis@trc.adelaide.edu.au
Computing Officer             +61 8 8303 5083
Teletraffic Research Centre

From owner-freebsd-security Wed Apr 19 18:43:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail-04-real.cdsnet.net (mail-04-real.cdsnet.net [204.118.244.94]) by hub.freebsd.org (Postfix) with SMTP id 00B2937BD8A for ; Wed, 19 Apr 2000 18:43:09 -0700 (PDT) (envelope-from mrcpu@internetcds.com)
Received: (qmail 11158 invoked from network); 20 Apr 2000 01:43:08 -0000
Received: from schizo.cdsnet.net (204.118.244.32) by mail-03-real.cdsnet.net with SMTP; 20 Apr 2000 01:43:08 -0000
Date: Wed, 19 Apr 2000 18:38:45 -0700 (PDT)
From: Jaye Mathisen
X-Sender: mrcpu@schizo.cdsnet.net
To: Kris Kennaway
Cc: Cy Schubert - ITSD Open Systems Group, Robert Watson, "Michael S. Fischer", security@FreeBSD.ORG
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, it all depends on what you're looking for.

If you use maildir format for NFS mailbox storage via qmail/procmail/what have you, then courier-imap in ports is a slick IMAP server for it that works like a champ.

I don't think it's necessarily FreeBSD's responsibility to "grade" ports; if somebody went to the work of submitting it, and it's not a "trivial" program, then we should stuff it in there.

On Wed, 19 Apr 2000, Kris Kennaway wrote:

> On Wed, 19 Apr 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> > Let me second that opinion. I'd prefer just dropping it from ports
> > collection.
>
> The problem is the lack of an alternative IMAP server in ports. There's
> cyrus, but apparently that is slightly intrusive to install.
>
> Kris
>
> ----
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe

From owner-freebsd-security Thu Apr 20 02:02:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bofh.banat.ro (bofh.banat.ro [193.230.196.3]) by hub.freebsd.org (Postfix) with ESMTP id 210C737BDDA for ; Thu, 20 Apr 2000 02:02:04 -0700 (PDT) (envelope-from camelia@office.banat.ro)
Received: from office.banat.ro (camelia@bofh.banat.ro [193.230.196.3]) by bofh.banat.ro (8.9.3/8.9.3) with ESMTP id MAA22993; Thu, 20 Apr 2000 12:01:52 +0300 (EEST)
Message-ID: <38FEC780.24BC377B@office.banat.ro>
Date: Thu, 20 Apr 2000 12:01:52 +0300
From: Camelia Nastase
Organization: AS Computer GBG
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Dan Langille
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: using mysql over ssh
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dan Langille wrote:
>
> I want to access a mysql database remotely. I've had success with the
> following approach:
>
> ssh user@mydomain.org /usr/local/mysql/bin/mysql -uuserid
> -ppassword dbname < mysql.sql
>
> where mysql.sql contains the SQL statements I wish to run.
>
> I have two issues with this approach:
>
> 1 - The mysql password is supplied on the command line. I don't like
> that. How can I avoid that?

Give yourself permissions to connect remotely to the server, then:

    mysql -h remote_host -u userid --password= dbname
That is, if you have mysql_client on the machine you work on.

>
> 2 - To achieve the ssh login, I copied the contents of ~/.ssh/identity.pub
> to ~/.ssh/authorized_keys on the remote box. How much of a risk is it
> allowing logins like that? My feeling is that if I trust the security on
> the local box, it's not an issue. Comments?

No comment on this.

>
> Any other suggestions/recommendations will be appreciated.
>

Camelia N.

From owner-freebsd-security Thu Apr 20 03:34:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 4046F37B5C3 for ; Thu, 20 Apr 2000 03:34:29 -0700 (PDT) (envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([192.168.192.2]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id KAA10119; Thu, 20 Apr 2000 10:33:42 GMT
Message-ID: <38FEDD00.6AF2E2FB@algroup.co.uk>
Date: Thu, 20 Apr 2000 11:33:36 +0100
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: dan@langille.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: using mysql over ssh
References: <200004191926.HAA25058@ducky.nz.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dan Langille wrote:
>
> > Open two terminal windows...
> >
> > In window one, do:
> >
> > ssh -L 3306:localhost:3306 user@mydomain.org
> >
> > In window two, do:
> >
> > mysql -h localhost -u userid -p dbname < mysql.sql
> >
> > the mysql client will tunnel it's connection to the remote server, and you
> > will be prompted locally for the password (if you're using an up to date
> > copy of mysql). You can also use this method for an interactive session...
> >
> > You will need to have the remote server up to use MYSQL_TCP_PORT instead of
> > the default MYSQL_UNIX_PORT, and it's a good idea to bind it to loopback to
> > that only local or tunneled clients can connect.
>
> What is the point of two windows?

The first one gives you an ssh tunnel. The second one uses the tunnel.

>
> Note: the goal is to put all of this into a script. It will not be interactive.
> There will be nobody there to reply to a prompt. That's why I like the
> ~/.my.cnf entry so much.

I would go with that then. Just make sure it's owner-readable only.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Thu Apr 20 06:57:00 2000
Delivered-To: freebsd-security@freebsd.org
Received: from falcon.kdu.edu.my (owns.modestos.net [203.106.26.199]) by hub.freebsd.org (Postfix) with ESMTP id 63F6D37B612 for ; Thu, 20 Apr 2000 06:56:43 -0700 (PDT) (envelope-from najib@kdu.edu.my)
Received: (from nobody@localhost) by falcon.kdu.edu.my (8.9.3/8.9.3) id WAA25907; Thu, 20 Apr 2000 22:10:56 +0800 (MYT)
Date: Thu, 20 Apr 2000 22:10:56 +0800 (MYT)
Message-Id: <200004201410.WAA25907@falcon.kdu.edu.my>
X-Authentication-Warning: falcon.kdu.edu.my: nobody set sender to najib@kdu.edu.my using -f
From: Muhammad Najib
To: freebsd-security@freebsd.org
Reply-To: Muhammad Najib
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
User-Agent: IMP/PHP3 Imap webMail Program 2.0.11
X-Originating-IP: 203.106.26.198
Subject: VPN using IPSec
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've just installed the latest -RELEASE of FreeBSD and cvsup'd to -STABLE.
I've read through the documentation and found it kinda confusing, yet I've tried to do what's in the doc and failed. This is my intention:
- setting up a VPN connection between two organizations located in different geographical areas
- at the same time allow Internet connectivity throughout the world using NAT
I understood from the doc that I need to use the 'tunnel mode' instead to achieve this. I followed the documentation in the handbook (http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the conf files:

HOST A = 100.200.100.1 (not real IP)
HOST B = 200.100.100.1 (not real IP)
dmz network behind HOST A = 10.1.2.0/24
dmz network behind HOST B = 10.1.1.0/24

----------------------HOST A CONF STARTS-----------------------------
add 100.200.100.1 200.100.200.1 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 200.100.200.1 100.200.100.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec ah/tunnel/100.200.100.1-200.100.200.1/require ;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec ah/tunnel/200.100.200.1-100.200.100.1/require ;
----------------------HOST B CONF STARTS-----------------------------
add 100.200.100.1 200.100.200.1 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 200.100.200.1 100.200.100.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec ah/tunnel/200.100.200.1-100.200.100.1/require ;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec ah/tunnel/100.200.100.1-200.100.200.1/require ;
----------------------HOST B CONF ENDS-------------------------------

I hope somebody out there who has already done this VPN-style setup can point me to any flaw in this configuration.
Thanx in advance :) regards, *~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* MUHAMMAD NAJIB ABDUL MUKTHI member of My-Linux.ORG WEB PROGRAMMER http://www.my-linux.org Kolej Damansara Utama, SS22/41, najib@csi-x.net 47400 Petaling Jaya, Selangor. najib@kaypo.net http://www.kdu.edu.my najib@kdu.edu.my Tel : +603 77288123 ext.320 najib@my-linux.org *~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~* _______________________________________________ UNIX - it makes the world go round :) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 7:15:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 3B81A37B708 for ; Thu, 20 Apr 2000 07:15:22 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id KAA32872; Thu, 20 Apr 2000 10:14:47 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Thu, 20 Apr 2000 10:14:46 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Marc Heuse Cc: suse-security@suse.com, FBob@wt.net, security@FreeBSD.ORG, michael@dynamine.net Subject: Re: [suse-security] imapd4r1 v12.264 and Security Implications In-Reply-To: <20000419202028.603DB67A5@Galois.suse.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 19 Apr 2000, Marc Heuse wrote: > > The following was posted on FreeBSD-Security today. I was interested > > in the official SuSE position since I run both OS's. > > here it is: > > >> I consider the post by the vendor in the bugtraq forum to be some sort of > >> poor joke. 
At this point, it would appear that anyone who takes security > >> seriously should use some other mail package, or risk their systems' > >> integrity. In particular, the thing about chroot'ing to /tmp is fairly > >> laughable. While partitioning can be a useful scheme for reducing risk, > >> "/tmp" is not the place to chroot to, and chroot'ing is not a replacement > >> for careful code auditing. The suggestion that stackguard should be > >> required to make their software secure has wandered far beyond > >> ``questionable,'' and well into the ``don't touch anything related to my > >> system ever again.'' > > although the language is a bit rude, he is absolutely correct. I would tend to agree with both assessments. Then, being the author I would have a natural tendency to support the latter, although perhaps less so the former. That said, it was a response of frustration, so we'll leave it at that. > well ... it's not the first vulnerability in wu-imap. and the response > of the wu-imap programmer really shows that he does not know about > secure coding. a security audit of the code would really be needed, > however, after half a year new vulnerabilities would be there and the > thing would start over. And also not the second vulnerability. I agree with the assessment that uw-imapd will be a continued source of vulnerabilities unless it is substantially audited and possibly rewritten. My recollection is that the c-client is a complex piece of code, largely in response to the complex format of the IMAP protocol, which requires a fair amount of string parsing and pushing. I.e., IMAP doesn't encourage secure coding styles in a language such as C. :-) > >> Given that attitude of the developer, I would strongly recommend we mark > >> the port as FORBIDDEN, and would also seriously consider a suggestion to > >> simply drop it from the ports and packages collections. > > this is unrealistic. people want and some even depend on imapd.
and if we > would do that to imapd, we would have to do the same for pop3, ftp etc. > so the solution is to switch to an imapd with more knowledgeable programmers. > not a very easy task ... I depend on IMAP also, although I use the Cyrus server which has proven far more satisfying in a number of ways. However, as with the qmail IMAP server, it relies on a mailbox format that is not standard with most UNIX systems, and as such neither is a serious alternative as part of the base system. I would really like to have an IMAP daemon that I can promote as an easy way to provide remote mail access out of the box, but have a lot of trouble seeing that--given the long delay since the last vulnerability, and the claim of a complete code audit, I had mistakenly assumed that it was safe to do so. It is true that the current vulnerability is not a serious problem in a number of environments (primarily open shell boxes where IMAP is a convenience, not a necessity, and the vulnerability doesn't open up new weaknesses), but the response to the vulnerability is what is particularly worrying. I am willing to accept that programs can and will have vulnerabilities, even after serious code audits (in fact, a code audit is only part of the process of securing a code base), but having the code provider indicate that security either is not a serious issue, or be unable or unwilling to proactively address such a problem is a serious issue. This bodes ill for the remainder of the source base, and the environment in which it was developed. My immediate suggestion of marking IMAPd and/or c-client as "FORBIDDEN" seems realistic--in FreeBSD, the FORBIDDEN or BROKEN tags indicate that it should not be built as a binary package for the base system, and must be intentionally enabled and built by the user. The patches are still provided and it's still part of the build infrastructure.
Outright removing it from the ports collection is probably unwise until a decent alternative is located or developed, but should one exist, I would continue to support a move to simply remove the distribution as provided by UW. > we will provide an update for wu-imapd. but we propose the use of another > imapd. as far as I remember, there is another imapd server on the SuSE CDs > (there are far too many packages to remember them all ;-))). Let's hope that > the code of that one is better ... well, time to do a sourcecode audit :( > *sigh* This is great news--at this point I can't volunteer to assist in such an audit due to time constraints from other projects, but eagerly anticipate the release of an alternative/audited uw-imap, or the inclusion of the results of such an audit in the base UW distribution. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 7:16:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 43ACD37B810 for ; Thu, 20 Apr 2000 07:16:41 -0700 (PDT) (envelope-from itojun@itojun.org) Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id XAA11597; Thu, 20 Apr 2000 23:16:18 +0900 (JST) To: Muhammad Najib Cc: freebsd-security@freebsd.org In-reply-to: najib's message of Thu, 20 Apr 2000 22:10:56 +0800.
<200004201410.WAA25907@falcon.kdu.edu.my> X-Template-Reply-To: itojun@itojun.org X-Template-Return-Receipt-To: itojun@itojun.org X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2 Subject: Re: VPN using IPSec From: itojun@iijlab.net Date: Thu, 20 Apr 2000 23:16:18 +0900 Message-ID: <11595.956240178@coconut.itojun.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I've just install the latest -RELEASE of FreeBSD and cvsup to -STABLE. >I've read through the documentation and found it kinda confusing, yet >I've tried to do what's in the doc and failed. This is my intention: >- setting up VPN connection between two organization located at >different geographical area >- at the same time allow Internet connectivity throughout the world >using NAT > >I've been understood by the doc that I need to use the 'tunnel mode' >instead to achieve this. I followed the documentation in the handbook >(http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the >conf files: NAT - IPsec interaction will be very tricky, so I will not talk about that. The current KAME (origin of FreeBSD IPsec) implementation has some issue with AH tunnel. In short, the receiving node will not consider packet tunnelled by AH tunnel as authentic (AH authenticates the outer packet, not the inner) and drop the packet if you set "require" policy for inbound. This will be corrected in future KAME releases. If you use ESP tunnel instead, your configuration should work fine. 
itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 7:57:13 2000 Delivered-To: freebsd-security@freebsd.org Received: from hera.ik.bme.hu (hera.ik.bme.hu [152.66.243.132]) by hub.freebsd.org (Postfix) with ESMTP id B725237B507 for ; Thu, 20 Apr 2000 07:57:09 -0700 (PDT) (envelope-from mohacsi@hera.ik.bme.hu) Received: from localhost (mohacsi@localhost) by hera.ik.bme.hu (8.9.3/8.9.3) with ESMTP id QAA07952 for ; Thu, 20 Apr 2000 16:57:44 +0200 (MET DST) Date: Thu, 20 Apr 2000 16:57:43 +0200 (MET DST) From: Mohacsi Janos To: security@FreeBSD.ORG Subject: why not use crypt() written by Kris Kennaway? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I saw the initiative of Kris Kennaway to modify the password scheme in FreeBSD (integrated blowfish, SHA-1, and new DES). What happened with it? In the CVS tree the SHA scheme is marked dead. Why? Is it not possible to distribute FreeBSD with DES/Blowfish integrated since the beginning of this year? Don't we want to maintain cross-platform (at least cross-BSD) password schemes? In FreeBSD 5.0?
Cheers, Janos Mohacsi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 9:10:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from netvalue-gw.netvalue.fr (netvalue-gw.netvalue.fr [195.115.44.161]) by hub.freebsd.org (Postfix) with ESMTP id 4A56037B7D0 for ; Thu, 20 Apr 2000 09:10:33 -0700 (PDT) (envelope-from erwan@netvalue.com) Received: (from bin@localhost) by netvalue-gw.netvalue.fr (8.9.3/8.8.8) id SAA85679 for ; Thu, 20 Apr 2000 18:10:28 +0200 (CEST) (envelope-from erwan@netvalue.com) X-Authentication-Warning: netvalue-gw.netvalue.fr: bin set sender to using -f Received: from (dauphine.netvalue.fr [192.168.1.13]) by netvalue-gw.netvalue.fr via smap (V2.1) id xma085650; Thu, 20 Apr 00 18:10:10 +0200 Received: from netvalue.com ([192.168.1.100]) by mail.netvalue.fr (Netscape Messaging Server 3.6) with ESMTP id AAA434E; Thu, 20 Apr 2000 18:10:09 +0200 Message-ID: <38FF2BE1.FBBCBF1@netvalue.com> Date: Thu, 20 Apr 2000 18:10:09 +0200 From: Erwan Arzur Organization: NetValue S.A. X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.12 i386) X-Accept-Language: en, fr-FR MIME-Version: 1.0 To: itojun@iijlab.net Cc: Muhammad Najib , freebsd-security@FreeBSD.ORG Subject: Re: VPN using IPSec References: <11595.956240178@coconut.itojun.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > >- at the same time allow Internet connectivity throughout the world > >using NAT > > > >I've been understood by the doc that I need to use the 'tunnel mode' > >instead to achieve this. I followed the documentation in the handbook > >(http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the > >conf files: > > NAT - IPsec interaction will be very tricky, so I will not talk about > that. 
I tried for hours to get the same kind of network setup as the original poster, did not understand why icmp packets were normally coming in the gateway through the tunnel while the responses were always sent without any kind of encapsulation, until I discovered that all these packets were natted, thus never matched by the SPD ... NAT is not your friend when you try to set up an IPSEC tunnel. -- UNIX *IS* user friendly. It's just selective about who its friends are. --unknown To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 9:33:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 0F3BE37B708 for ; Thu, 20 Apr 2000 09:33:21 -0700 (PDT) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id MAA21555; Thu, 20 Apr 2000 12:32:04 -0400 (EDT) Date: Thu, 20 Apr 2000 12:32:03 -0400 (EDT) From: Jim Flowers To: Erwan Arzur Cc: itojun@iijlab.net, Muhammad Najib , freebsd-security@FreeBSD.ORG Subject: Re: VPN using IPSec In-Reply-To: <38FF2BE1.FBBCBF1@netvalue.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I spent quite a bit of time investigating the interaction of Skip tunnels with NAT and was finally able to configure just about every possible combination. The technique lies in trapping the inbound processed packets (unencapsulated, authenticated, and decrypted) with an ipfw rule before they are processed by the divert rule and trapping the outbound packets similarly (different rule). In both cases the rules select on destination addresses (look carefully) and interface and you should have one-pass set so that ipfw stops processing when a rule is matched.
Nomads (individual hosts with dynamic IP addresses) are a little different but can also be handled if you know how. While I have not studied the FreeBSD implementation, the only requirement I see for this technique to work just as well with IPSec is that IPSec processing be conducted between the interface driver and ipfw (Skip is shimmed between the driver and the IP layer). I'll be glad when you guys get the bugs worked out on a stable IPSec and a suitable key administration strategy. I feel like the Lone Ranger using Skip (which does everything I want to do with VPNs). Additional information can be found on my posts to freebsd-security by searching for skip AND nat. Jim Flowers #4 ISP on C|NET, #1 in Ohio On Thu, 20 Apr 2000, Erwan Arzur wrote: > > >- at the same time allow Internet connectivity throughout the world > > >using NAT > > > > > >I've been understood by the doc that I need to use the 'tunnel mode' > > >instead to achieve this. I followed the documentation in the handbook > > >(http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the > > >conf files: > > > > NAT - IPsec interaction will be very tricky, so I will not talk about > > that. > > I tried for hours to get the same kind of network setup than the > original poster, did not > understand why icmp packets were normally coming in the gateway through > the tunnel while the responses were always sent without any kind of > encapsulation, until i discovered that all these packets were natted, > thus never matched by the SPD ... > > NAT is not your friend when you try to setup an IPSEC tunnel. > -- > UNIX *IS* user friendly. It's just selective about who its friends are. 
> --unknown > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 11: 2:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from mel.alcatel.fr (mel.alcatel.fr [212.208.74.132]) by hub.freebsd.org (Postfix) with ESMTP id B6DDA37B58E for ; Thu, 20 Apr 2000 11:02:12 -0700 (PDT) (envelope-from Stephane.Lentz@ansf.alcatel.fr) Received: from aifhs2.alcatel.fr (mailhub.alcatel.fr [155.132.180.80]) by mel.alcatel.fr (ALCANET/SMTP) with ESMTP id TAA26696 for ; Thu, 20 Apr 2000 19:59:08 +0200 From: Stephane.Lentz@ansf.alcatel.fr Received: from nsfws7.ansf.alcatel.fr (nsfws7.ansf.alcatel.fr [155.132.195.132]) by aifhs2.alcatel.fr (ALCANET/SMTP2) with ESMTP id UAA05944 for ; Thu, 20 Apr 2000 20:02:02 +0200 (MET DST) Received: (from angel@localhost) by nsfws7.ansf.alcatel.fr (ALCANET/SMTP) id UAA09216 for security@FreeBSD.ORG; Thu, 20 Apr 2000 20:01:27 +0200 Date: Thu, 20 Apr 2000 20:01:27 +0200 To: security@FreeBSD.ORG Subject: restricted accounts : restricting access/programs solutions Message-ID: <20000420200127.A9188@nsfws7.ansf.alcatel.fr> Reply-To: Stephane.Lentz@ansf.alcatel.fr Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 1.0.1i Organization: Alcanet International Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi everybody, Any idea if osh (Operator Shell) is still being developed? Any homepage for this product? http://www.engarde.com/ does not work any longer. I just found another way to restrict shell access: flash (http://www.netsoc.ucd.ie/flash/), which is an ncurses application that will only execute administrator-defined programs. Any opinion on this product? Thanks, STéphane.
-------------------------------------------------------------- "The best way to predict the future is to invent it" (Alan Kay) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 11:29:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from rock.ghis.net (rock.ghis.net [209.222.164.7]) by hub.freebsd.org (Postfix) with ESMTP id 8B72937B6C6 for ; Thu, 20 Apr 2000 11:29:38 -0700 (PDT) (envelope-from will@blackdawn.com) Received: from argon.blackdawn.com (deepspace9.dcds.edu [207.231.151.2]) by rock.ghis.net (8.9.3/8.9.3) with ESMTP id LAA12408; Thu, 20 Apr 2000 11:29:29 -0700 (PDT) Received: by argon.blackdawn.com (Postfix, from userid 1000) id A57E2191B; Thu, 20 Apr 2000 14:28:47 -0400 (EDT) Date: Thu, 20 Apr 2000 14:28:47 -0400 From: Will Andrews To: Stephane.Lentz@ansf.alcatel.fr Cc: security@FreeBSD.ORG Subject: Re: restricted accounts : restricting access/programs solutions Message-ID: <20000420142847.B395@argon.blackdawn.com> References: <20000420200127.A9188@nsfws7.ansf.alcatel.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20000420200127.A9188@nsfws7.ansf.alcatel.fr>; from Stephane.Lentz@ansf.alcatel.fr on Thu, Apr 20, 2000 at 08:01:27PM +0200 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Please don't use mail clients that allow lines longer than 80 characters. (I would prefer 76, but 80 is fine). On Thu, Apr 20, 2000 at 08:01:27PM +0200, Stephane.Lentz@ansf.alcatel.fr wrote: > I just found another way to restrict shell access : flash > (http://www.netsoc.ucd.ie/flash/) which is a ncurses application that > will only execute administrator defined programs. Any opinion on this > product ? As the maintainer of the shells/flash port, I can only say that it seems flash is mildly useful and user-friendly. 
It needs more development but probably could be used in a production environment. I'm certain there are other programs like flash that you can use. -- Will Andrews GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++ e->++++ h! r-->+++ y? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 11:59:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from slip.csosl.co.uk (slip.csosl.co.uk [194.205.66.135]) by hub.freebsd.org (Postfix) with SMTP id 588F237B605 for ; Thu, 20 Apr 2000 11:59:17 -0700 (PDT) (envelope-from nick@loman.net) Received: (qmail 33423 invoked by uid 1001); 20 Apr 2000 18:54:05 -0000 From: "Nick Loman" Date: Thu, 20 Apr 2000 19:54:05 +0100 (BST) To: freebsd-security@freebsd.org Subject: 10 days Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've moved my mail server from RedHat 6.0/Linux over to FreeBSD 4.0-STABLE/qmail for security (lots of relay hacking and Linux newbie hackers). Anyway, pleased to see only 10 days into running a FreeBSD installation the spam kiddies are trying to hack in again :-)

hosts.allow:

    ALL     : PARANOID          : RFC931 20 : deny
    ftpd    : a few select hosts : allow
    telnetd : a few select hosts : allow
    popa3d  : ALL               : allow
    ALL     : ALL               : deny

qmail running off tcpserver. Hack attempts are standard trying to get in through ftp and telnet. Also a request from a root@ to the DNS port. Given that I'm a FreeBSD newbie, and notwithstanding general security tips, what should I be looking out for in these early days? Regards, Nick.
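An added example, not part of Nick's post and not FreeBSD or libwrap code: a small Python model of tcp_wrappers' first-match evaluation, used to check what a hosts.allow like the one above decides for a handful of constructed connection attempts, and to catch the classic ordering mistake of putting the ALL : ALL : deny line first. It is a model rather than libwrap itself: no ident (RFC931) lookup is done, PARANOID is passed in as a flag on the client, only one file is modelled (so the rule set must end with an explicit ALL : ALL rule), and the "few select hosts" are placeholder addresses from the documentation ranges.

```python
"""Model of tcp_wrappers hosts.allow evaluation: the first matching rule wins.

Added example, not from the original post and not libwrap. Assumptions: no
ident (RFC931) lookup is performed; a client's PARANOID status (forward and
reverse DNS disagree) is supplied as a flag; only hosts.allow is modelled, so
the rule set should end with an explicit ALL : ALL rule (real libwrap would
fall through to hosts.deny and then allow); hosts below are placeholders.
"""
import ipaddress

# Constructed rule set modelled on the hosts.allow quoted in the post.
# Addresses and the domain are placeholders (RFC 5737 documentation ranges).
HOSTS_ALLOW = """
ALL     : PARANOID                      : RFC931 20 : deny
ftpd    : 192.0.2.10 192.0.2.11         : allow
telnetd : 192.0.2.10 .admin.example.net : allow
popa3d  : ALL                           : allow
ALL     : ALL                           : deny
"""


class Client:
    """One connection attempt: source address, reverse name (or None), PARANOID flag."""

    def __init__(self, addr, name=None, paranoid=False):
        self.addr = ipaddress.ip_address(addr)
        self.name = name
        self.paranoid = paranoid


def parse_rules(text):
    """Parse 'daemons : clients : option ...' lines into (daemons, clients, verdict)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]  # spawn/twist escapes not modelled
        daemons, clients = fields[0].split(), fields[1].split()
        verdict = "allow"  # a match in hosts.allow grants access unless an option says deny
        for opt in fields[2:]:
            if opt in ("allow", "deny"):
                verdict = opt
        rules.append((daemons, clients, verdict))
    return rules


def client_matches(pattern, client):
    """Subset of libwrap client patterns: wildcards, domain suffix, address prefix, net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.paranoid
    if pattern == "KNOWN":
        return client.name is not None and not client.paranoid
    if pattern == "UNKNOWN":
        return client.name is None
    if pattern.startswith("."):          # domain suffix, e.g. .admin.example.net
        return client.name is not None and client.name.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. 192.0.2.
        return str(client.addr).startswith(pattern)
    if "/" in pattern:                   # net/mask or CIDR, e.g. 192.0.2.0/255.255.255.0
        try:
            return client.addr in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == str(client.addr) or pattern == client.name


def decide(rules, daemon, client):
    """Return (verdict, matched_rule): the first rule matching both daemon and client decides."""
    for rule in rules:
        daemons, clients, verdict = rule
        if any(d in ("ALL", daemon) for d in daemons) and any(
            client_matches(c, client) for c in clients
        ):
            return verdict, rule
    return "allow", None  # nothing matched: libwrap's default is to allow


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier ALL : ALL rule catches everything."""
    shadowed, catch_all_seen = [], False
    for i, (daemons, clients, _) in enumerate(rules):
        if catch_all_seen:
            shadowed.append(i)
        elif daemons == ["ALL"] and clients == ["ALL"]:
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    attempts = [  # constructed connection attempts
        ("ftpd", Client("192.0.2.10", "ops1.admin.example.net")),
        ("ftpd", Client("198.51.100.7", "dialup7.isp.example")),
        ("telnetd", Client("192.0.2.99", "box.admin.example.net")),
        ("popa3d", Client("198.51.100.7")),
        ("popa3d", Client("198.51.100.7", "mx.example", paranoid=True)),
        ("sshd", Client("192.0.2.10", "ops1.admin.example.net")),
    ]
    for daemon, client in attempts:
        verdict, rule = decide(rules, daemon, client)
        print(f"{daemon:8} from {client.addr!s:14} -> {verdict:5} via {rule}")
    # The classic mistake: a catch-all deny placed first shadows every later allow.
    wrong_order = parse_rules("ALL : ALL : deny\n" + HOSTS_ALLOW)
    print("shadowed with ALL : ALL : deny first:", shadowed_rules(wrong_order))
```

Run as a script it prints each attempt with the rule that decided it. The thing to take from it is that libwrap stops at the first matching rule: the deny-all line has to stay last, the per-daemon allow lines are the only thing between ftpd/telnetd and the Internet, and the popa3d : ALL : allow line deliberately leaves POP reachable from everywhere, so that daemon's own authentication is what is being exposed.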
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 12: 9: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from scl-ims.phoenix.com (scl-ims.phoenix.com [134.122.1.73]) by hub.freebsd.org (Postfix) with ESMTP id 9D1B837BE7F for ; Thu, 20 Apr 2000 12:08:59 -0700 (PDT) (envelope-from craig@allmaui.com) Received: from allmaui.com (dashiz.phoenix.com [134.122.9.17]) by scl-ims.phoenix.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JJKDG7BG; Thu, 20 Apr 2000 12:07:33 -0700 Message-ID: <38FF5572.BFF9E5F2@allmaui.com> Date: Thu, 20 Apr 2000 12:07:30 -0700 From: Craig Cowen X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.8 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: telnet problems Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am having trouble telneting to my machine after installing Rel4.0 I am able to enter my login and pass and then it just hangs. This happens from other machines on my network as well as logging in at the console and then trying to telnet to it. Is this a security feature? 
Thanks, Craig To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 12:19: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id B7FF837BA14; Thu, 20 Apr 2000 12:19:05 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id MAA57811; Thu, 20 Apr 2000 12:19:05 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 20 Apr 2000 12:19:04 -0700 (PDT) From: Kris Kennaway To: Mohacsi Janos Cc: security@FreeBSD.ORG Subject: Re: why not use crypt() written by Kris Kennaway? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Apr 2000, Mohacsi Janos wrote: > I saw the initative of Kris Kennaway to modify the password scheme > in the FreeBSD (integrated blowfish, SHA-1, and new DES). > What happened with it? It needs to be polished up a bit. It's still on my list, and I hope to get to it in the next month or two. > In the CVS tree the SHA scheme marked dead. Why? Because the tree version of SHA-1 passwords was incompatible with my new one and I didn't want to introduce a new feature in 4.0 only have to deprecate it soon after and live with the legacy. > Is not possible to distribute FreeBSD with DES/Blowfish integrated since > the beginning of this year? Don't we want to mantain cross platform (at > least cross BSD) password schemes? In the FreeBSD 5.0? It will most probably appear in 5.0 but not before, unless there is overwhelming demand for it once it appears in -current. Kris ---- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 12:20:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail3.gmx.net (mail.gmx.net [194.221.183.63]) by hub.freebsd.org (Postfix) with SMTP id 7973B37B88F for ; Thu, 20 Apr 2000 12:20:34 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 11796 invoked by uid 0); 20 Apr 2000 19:20:30 -0000 Received: from p3e9e7909.dip.t-dialin.net (HELO speedy.gsinet) (62.158.121.9) by mail.gmx.net with SMTP; 20 Apr 2000 19:20:30 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA20538 for freebsd-security@FreeBSD.ORG; Thu, 20 Apr 2000 20:53:22 +0200 Date: Thu, 20 Apr 2000 20:53:22 +0200 From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: using mysql over ssh Message-ID: <20000420205322.B18618@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <200004191926.HAA25058@ducky.nz.freebsd.org> <38FEDD00.6AF2E2FB@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <38FEDD00.6AF2E2FB@algroup.co.uk>; from adam@algroup.co.uk on Thu, Apr 20, 2000 at 11:33:36AM +0100 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Apr 20, 2000 at 11:33 +0100, Adam Laurie wrote: > Dan Langille wrote: > > > > > > Open two terminal windows... > > > > > > In window one, do: > > > > > > ssh -L 3306:localhost:3306 user@mydomain.org > > > > > > In window two, do: > > > > > > mysql -h localhost -u userid -p dbname < mysql.sql > > > > > > [ ... ] > > > > What is the point of two windows? > > The first one gives you an ssh tunnel. The second one uses the > tunnel. That's the moment when you sometimes see constructions like these:

    ssh -L ... user@host sleep 10 &
    do something
    [ $MAYBE ] && kill $!
I remember some fetchmail docs saying so: Do a sleep 10 or something to keep up the ssh connection for the time needed to establish the tunnelled connection. AFAIK the ssh connection will last until the tunnel is freed, too. Even if the actual command finished sooner. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 12:24:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id 8259737BE88 for ; Thu, 20 Apr 2000 12:24:18 -0700 (PDT) (envelope-from ume@mahoroba.org) Received: from localhost (IDENT:OzXKdmdiPUCwXFIK+jXEtqPOyZ2RwBQznIDnAYRiuo2yWWXinLS6oHaL8Hgo7koB@localhost [::1]) by peace.mahoroba.org (8.10.1/3.7W-peace) with ESMTP id e3KJLE035279; Fri, 21 Apr 2000 04:21:15 +0900 (JST) (envelope-from ume@mahoroba.org) Date: Fri, 21 Apr 2000 04:21:15 +0900 (JST) Message-Id: <200004201921.e3KJLE035279@peace.mahoroba.org> To: craig@allmaui.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: telnet problems In-Reply-To: <38FF5572.BFF9E5F2@allmaui.com> References: <38FF5572.BFF9E5F2@allmaui.com> X-Mailer: Mew version 1.94.2 on Emacs 20.6 / Mule 4.0 (花宴) X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC X-URL: http://www.imasy.org/~ume/ X-OS: FreeBSD 5.0-CURRENT Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: Hajimu UMEMOTO (梅本 肇) X-Dispatcher: imput version 20000228(IM140) Lines: 23 Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, >>>>> On Thu, 20 Apr 2000 12:07:30 -0700 >>>>> Craig Cowen said: craig> I am having trouble telneting to my machine after installing Rel4.0 craig> I am able to enter my login and pass and then it just hangs. craig> This happens from other machines on my network as well as logging in at craig> the console and then trying to telnet to it. craig> Is this a security feature? Possibly no. Do you have reachability to the internet at that time? If not, it may be an IPv6-related DNS problem. Please try recent changes to libc. http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/getaddrinfo.c.diff?r1=1.9&r2=1.9.2.1 http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/name6.c.diff?r1=1.6.2.1&r2=1.6.2.2 -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 12:28:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from vtopus.cs.vt.edu (vtopus.cs.vt.edu [128.173.40.24]) by hub.freebsd.org (Postfix) with ESMTP id 7530937BDC8 for ; Thu, 20 Apr 2000 12:28:03 -0700 (PDT) (envelope-from dhagan@cs.vt.edu) Received: from localhost (dhagan@localhost) by vtopus.cs.vt.edu (8.9.1a/8.9.1) with ESMTP id PAA03714; Thu, 20 Apr 2000 15:27:53 -0400 (EDT) Date: Thu, 20 Apr 2000 15:27:53 -0400 (EDT) From: Daniel Hagan To: Will Andrews Cc: Stephane.Lentz@ansf.alcatel.fr, security@FreeBSD.ORG Subject: Re: restricted accounts : restricting access/programs solutions In-Reply-To: <20000420142847.B395@argon.blackdawn.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Apr 2000, Will Andrews wrote: > I'm certain there are other programs like flash that you can use.
We have a local program that I keep meaning to submit as a port, but it's available at ftp://ftp.cs.vt.edu/pub/tools/sash-2.10.tar.gz. Lets the user mount/unmount floppies and (optionally) reboot the machine. Don't know if it's what you're looking for or not. Should compile out of the box on FreeBSD. Read over the readme for options you may want to enable/disable. I'll try to move it over to ftp3.freebsd.org and make it a port sometime in the relatively near future. Daniel -- Daniel Hagan Computer Science CSE dhagan@cs.vt.edu http://www.cs.vt.edu/~dhagan/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 12:44:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from scl-ims.phoenix.com (scl-ims.phoenix.com [134.122.1.73]) by hub.freebsd.org (Postfix) with ESMTP id 1271B37BDCE for ; Thu, 20 Apr 2000 12:44:36 -0700 (PDT) (envelope-from craig@allmaui.com) Received: from allmaui.com (dashiz.phoenix.com [134.122.9.17]) by scl-ims.phoenix.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JJKDG7LJ; Thu, 20 Apr 2000 12:44:35 -0700 Message-ID: <38FF5E23.7F14368F@allmaui.com> Date: Thu, 20 Apr 2000 12:44:35 -0700 From: Craig Cowen X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.8 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: "freebsd-security@FreeBSD.ORG" Subject: [Fwd: telnet problems] Content-Type: multipart/mixed; boundary="------------DD17BC9732D37B7ED997339E" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. 
Message-ID: <38FF5B27.5FA924C2@allmaui.com> Date: Thu, 20 Apr 2000 12:31:51 -0700 From: Craig Cowen X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.8 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: Hajimu, UMEMOTO Subject: Re: telnet problems References: <38FF5572.BFF9E5F2@allmaui.com> <200004201921.e3KJLE035279@peace.mahoroba.org>

"Hajimu UMEMOTO" wrote:
Hi,

>>>>> On Thu, 20 Apr 2000 12:07:30 -0700
>>>>> Craig Cowen <craig@allmaui.com> said:

craig> I am having trouble telneting to my machine after installing Rel4.0
craig> I am able to enter my login and pass and then it just hangs.
craig> This happens from other machines on my network as well as logging in at
craig> the console and then trying to telnet to it.
craig> Is this a security feature?

Possibly not.
Do you have reachability to the internet at that time?  If not, it may
be an IPv6-related DNS problem.
Please try recent changes to libc.

http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/getaddrinfo.c.diff?r1=1.9&r2=1.9.2.1
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/name6.c.diff?r1=1.6.2.1&r2=1.6.2.2

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Interesting, I have a natd and it was trying to dial every time I attempted the telnet connection.

I commented out ipv6 entries in inetd.conf and made a change to the hosts.allow file (I am not in front of it right now) to allow everything just in case.  I will try the changes you recommended.

Thank you,
Craig.
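The following is an added example, not code from this thread, from tcpd or from FreeBSD's libc. It is a Python model of the tcp_wrappers hosts.allow check that sits in front of a wrapped telnetd, with the peer's reverse lookup run under a deadline. It shows where a resolver that never answers stalls the login path (the hang described above: the daemon has the password but is still waiting for a name), and how a rule set of the shape tcp_wrappers reads can still reach a decision once the lookup is bounded. All hostnames, addresses, resolver tables and rules are constructed, and the matching semantics are a simplification of hosts_access(5).

```python
"""hosts.allow evaluation with a bounded reverse lookup (added example).

Not code from this thread, from tcpd or from FreeBSD's libc: a simplified model
of the tcp_wrappers check that runs between "login and pass" and the shell when
telnetd is wrapped. The daemon resolves the peer's name before matching any rule;
if the resolver never answers, the login path blocks for the resolver's own
timeout. Here the lookup runs under a deadline, an unanswered lookup counts as
UNKNOWN, and a name whose forward lookup does not contain the address counts as
PARANOID. Names, addresses, tables and rules are constructed (hypothetical).
"""
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for DNS / /etc/hosts.
PTR: Dict[str, str] = {"192.0.2.10": "ws10.example.net", "192.0.2.66": "spoof.example.org"}
A: Dict[str, List[str]] = {"ws10.example.net": ["192.0.2.10"], "spoof.example.org": ["203.0.113.5"]}

def table_reverse(addr: str) -> str:
    if addr not in PTR:
        raise OSError("no PTR record")
    return PTR[addr]

def table_forward(name: str) -> List[str]:
    return A.get(name, [])

def hanging_reverse(addr: str) -> str:
    time.sleep(30)                        # a resolver that never answers (server unreachable)
    raise OSError("timed out")

def bounded(fn, arg, timeout):
    """Run fn(arg) in a helper thread; None if it failed or is still running at the deadline."""
    box: Dict[str, object] = {}
    def work():
        try:
            box["value"] = fn(arg)
        except OSError:
            box["value"] = None
    worker = threading.Thread(target=work, daemon=True)
    worker.start()
    worker.join(timeout)                  # without this bound the caller would sit here
    return box.get("value")

def classify_client(addr, reverse, forward, timeout) -> Tuple[Optional[str], str]:
    name = bounded(reverse, addr, timeout)
    if name is None:
        return None, "unknown"
    if addr not in (bounded(forward, name, timeout) or []):
        return name, "paranoid"           # PTR name does not map back to the address
    return name, "known"

@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    options: List[str]                    # e.g. ["RFC931 20"]; kept, not consulted here
    action: str                           # "allow" or "deny"

def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option ...] [: allow|deny]' lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rest = fields[2:]
        action = rest.pop().lower() if rest and rest[-1].lower() in ("allow", "deny") else "allow"
        rules.append(Rule(fields[0].split(), fields[1].split(), rest, action))
    return rules

def client_matches(pattern: str, addr: str, name: Optional[str], status: str) -> bool:
    word = pattern.upper()
    if word == "ALL":
        return True
    if word in ("KNOWN", "UNKNOWN", "PARANOID"):
        return status == word.lower()
    if pattern.startswith("."):           # domain suffix, only for a verified name
        return status == "known" and name is not None and name.endswith(pattern)
    if pattern.endswith("."):             # address prefix such as 192.0.2.
        return addr.startswith(pattern)
    return pattern == addr or (status == "known" and pattern == name)

def check_access(daemon, addr, rules, reverse=table_reverse, forward=table_forward, timeout=2.0):
    """First matching rule wins; with no match at all tcp_wrappers grants access."""
    name, status = classify_client(addr, reverse, forward, timeout)
    for rule in rules:
        if ("ALL" in rule.daemons or daemon in rule.daemons) and \
                any(client_matches(c, addr, name, status) for c in rule.clients):
            return rule.action, name, status
    return "allow", name, status

def timed_check(*args, **kwargs):
    """check_access plus the wall-clock seconds it took, to show the deadline holding."""
    start = time.monotonic()
    result = check_access(*args, **kwargs)
    return result, time.monotonic() - start

SAMPLE_RULES = parse_rules(
    "ALL : PARANOID : RFC931 20 : deny\nftpd : ws10.example.net : allow\n"
    "telnetd : .example.net : allow\npopa3d : ALL : allow\nALL : ALL : deny\n")
```

Run `check_access("telnetd", "192.0.2.10", SAMPLE_RULES)` for the normal case and `timed_check(..., reverse=hanging_reverse, timeout=0.2)` for the broken-resolver case: the second returns a deny within the deadline instead of blocking, which is the difference between "just hangs" and a logged refusal. Note that an `ALL : ALL : allow` rule does not remove the lookup in this model; the name is resolved before any rule is examined, so loosening the rules does not cure a resolver stall.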
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 13: 9: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from hayseed.net (hayseed.net [207.181.249.194]) by hub.freebsd.org (Postfix) with ESMTP id 6764937BFE3 for ; Thu, 20 Apr 2000 13:08:54 -0700 (PDT) (envelope-from enkhyl@pobox.com) Received: from localhost (localhost [127.0.0.1]) by hayseed.net (8.9.3/8.9.3) with ESMTP id MAA02883; Thu, 20 Apr 2000 12:02:59 -0700 Date: Thu, 20 Apr 2000 12:02:57 -0700 (PDT) From: Christopher Nielsen X-Sender: enkhyl@hayseed.net To: Nick Loman Cc: freebsd-security@FreeBSD.ORG Subject: Re: 10 days In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 20 Apr 2000, Nick Loman wrote:
> Given that I'm a FreeBSD newbie, and notwithstanding general security
> tips, what should I be looking out for in these early days?

Something you might want to do, if you haven't already, is enable log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log connection attempts on ports that have nothing listening on them. It can be very enlightening.
Some other options you might want to consider are:

tcp_restrict_rst="NO"   # Set to YES to restrict emission of RST
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO"  # Set to YES to log ICMP REDIRECT packets

and if you don't mind breaking T/TCP

tcp_drop_synfin="NO"    # Set to YES to drop TCP packets with SYN+FIN
                        # NOTE: this breaks rfc1644 extensions (T/TCP)

-- Christopher Nielsen (enkhyl|cnielsen)@pobox.com Enkhyl on IRC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 13:34:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 858FB37BE9F for ; Thu, 20 Apr 2000 13:34:22 -0700 (PDT) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id QAA00802; Thu, 20 Apr 2000 16:33:50 -0400 (EDT) Date: Thu, 20 Apr 2000 16:33:50 -0400 (EDT) From: Jim Flowers To: Nick Loman Cc: freebsd-security@FreeBSD.ORG Subject: Re: 10 days In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Set up ipfw, deny-everything then allow only-what-you-want. Specify as tightly as you can. man ipfw.

Jim Flowers #4 ISP on C|NET, #1 in Ohio

On Thu, 20 Apr 2000, Nick Loman wrote:
> I've moved my mail server from RedHat 6.0/Linux over to FreeBSD
> 4.0-STABLE/qmail for security (lots of relay hacking and Linux newbie
> hackers).
>
> Anyway, pleased to see only 10 days into running a FreeBSD installation
> the spam kiddies are trying to hack in again :-)
>
> hosts.allow:
>
> ALL : PARANOID : RFC931 20 : deny
> ftpd : a few select hosts : allow
> telnetd : a few select hosts : allow
> popa3d : ALL : allow
> ALL : ALL : deny
>
> qmail running off tcpserver.
>
> Hack attempts are standard trying to get in through ftp and telnet. Also a
> request from a root@ to the DNS port.
>
> Given that I'm a FreeBSD newbie, and notwithstanding general security
> tips, what should I be looking out for in these early days?
>
> Regards,
>
> Nick.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 13:34:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from scl-ims.phoenix.com (scl-ims.phoenix.com [134.122.1.73]) by hub.freebsd.org (Postfix) with ESMTP id 40D8037BC1A for ; Thu, 20 Apr 2000 13:34:17 -0700 (PDT) (envelope-from craig@allmaui.com) Received: from allmaui.com (dashiz.phoenix.com [134.122.9.17]) by scl-ims.phoenix.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JJKDG76D; Thu, 20 Apr 2000 13:34:15 -0700 Message-ID: <38FF69C7.1AAD315D@allmaui.com> Date: Thu, 20 Apr 2000 13:34:15 -0700 From: Craig Cowen X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.8 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: "freebsd-security@FreeBSD.ORG" Subject: [Fwd: [Fwd: telnet problems]] Content-Type: multipart/mixed; boundary="------------734DFBD401DC51D2648647BD" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Message-ID: <38FF642B.DC58388C@allmaui.com> Date: Thu, 20 Apr 2000 13:10:19 -0700 From: Craig Cowen X-Mailer: Mozilla 4.7 [en] (X11; U; SunOS 5.8 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: "tjk@tksoft.com" Subject: Re: [Fwd: telnet problems] References: <200004202007.NAA05565@uno.tksoft.com>

"tjk@tksoft.com" wrote:
> Craig,
>
> Do you have an entry for the remote host you are login in from
> in your /etc/hosts file?
>
> telnet hangs if it can't get reverse dns on a host.
>
> Try "nslookup remotehost" and see what you get.
>
> Troy

Yes I do have it in the hosts file.  Would this cause me not being able to telnet to my machine from my machine?

Craig

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 14:22:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from as.tksoft.com (gyw.com [209.55.67.177]) by hub.freebsd.org (Postfix) with ESMTP id 242B737B61A for ; Thu, 20 Apr 2000 14:22:38 -0700 (PDT) (envelope-from tjk@tksoft.com) Received: (from tjk@tksoft.com) by uno.tksoft.com (8.8.8/8.8.8) id OAA07149; Thu, 20 Apr 2000 14:29:34 -0700 From: "tjk@tksoft.com" Message-Id: <200004202129.OAA07149@uno.tksoft.com> Subject: Re: [Fwd: telnet problems] To: craig@allmaui.com (Craig Cowen) Date: Thu, 20 Apr 2000 14:29:34 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <38FF7335.29A8B158@allmaui.com> from "Craig Cowen" at Apr 20, 0 02:14:30 pm Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Craig,

On FreeBSD, you have des or md5. They behave the same in this case, though.
Your /etc/pam.conf file tells you how your logins are authenticated.
I would just keep going through the options until you find the fix.

Troy

> "tjk@tksoft.com" wrote:
>
> > Craig,
> >
> > I would look into what kind of authentication is used.
> > Do you use pam? Is local /etc/passwd file the first
> > one looked up, or is a networked db used?
> > See /etc/pam.conf, /etc/nsswitch.conf.
> >
> > Troy
> >
> > > Thank you for your help but let me clarify the problem.
> > >
> > > I sit down in front of machineA a.k.a. 192.168.1.1
> > > then I log in and telnet to machineA a.k.a. 192.168.1.1
> > > it allows me to give it my username and pass and then hangs.
> > >
> > > Thanks,
> > > Craig
>
> I am not using nis however a good idea thank you.
> I should be using des for authentication, correct? I wonder if I
> installed something else. How would I check?
> To all reading this, I am at work and will try your suggestions when I > get home so please keep them coming. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 14:34:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id A84A537B50D for ; Thu, 20 Apr 2000 14:34:41 -0700 (PDT) (envelope-from randy@psg.com) Received: from randy by rip.psg.com with local (Exim 3.13 #1) id 12iOat-000C0e-00; Thu, 20 Apr 2000 14:34:39 -0700 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Christopher Nielsen Cc: freebsd-security@freebsd.org Subject: Re: log-in-vain [ was: 10 days ] Message-Id: Date: Thu, 20 Apr 2000 14:34:39 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Something you might want to do, if you haven't already, is enable > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log > connection attempts on ports that have nothing listening on them. It can > be very enlightening. but what does one *do* with the info? there is so much scanning and so many baby cracker attempts that it does little good writing to source address admins. and the sources are spoofed in the majority of the cases anyway. while i think log watching is important, it can be massive data. so i try to keep it down to those data about which i can do something, either by changing my defenses or by dealing with the source of the problem. i am open to having my mind changed on this. 
randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 15:34: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 9BD6937B765 for ; Thu, 20 Apr 2000 15:34:02 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id SAA36370; Thu, 20 Apr 2000 18:33:11 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Thu, 20 Apr 2000 18:33:11 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Randy Bush Cc: Christopher Nielsen , freebsd-security@freebsd.org Subject: Re: log-in-vain [ was: 10 days ] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Apr 2000, Randy Bush wrote: > > Something you might want to do, if you haven't already, is enable > > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log > > connection attempts on ports that have nothing listening on them. It can > > be very enlightening. > > but what does one *do* with the info? there is so much scanning and so many > baby cracker attempts that it does little good writing to source address > admins. and the sources are spoofed in the majority of the cases anyway. > > while i think log watching is important, it can be massive data. so i try > to keep it down to those data about which i can do something, either by > changing my defenses or by dealing with the source of the problem. > > i am open to having my mind changed on this. One of the fundamental problems with IDS is what you do with the results. 
The only intrusions you're interested in are the ones where they succeed -- the rest are just statistics you can use to bump your IT budget for security software :-). The best bet is to harden your boxes as much as you can, and watch for actual intrusions rather than attempts. Usually this means watching real system events, using tripwire or the like, and avoiding any potential vulnerabilities (remove unnecessary services, only use cryptographically strong remote access mechanisms, limit access to the host to specific trusted IPs where possible, make use of one-time passwords, run services in chroot/jail sandboxes, et al). One nice feature of Jail is that you can limit all remotely started processes to running within a jail, only allowing console logins to gain strong privileges. Once we have our first pass at MAC in TrustedBSD, that will be a great way to limit vulnerability.

Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services

To Un subscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 16: 3:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from hayseed.net (hayseed.net [207.181.249.194]) by hub.freebsd.org (Postfix) with ESMTP id 365EA37B6BD for ; Thu, 20 Apr 2000 16:03:31 -0700 (PDT) (envelope-from enkhyl@pobox.com) Received: from localhost (localhost [127.0.0.1]) by hayseed.net (8.9.3/8.9.3) with ESMTP id OAA04664; Thu, 20 Apr 2000 14:58:53 -0700 Date: Thu, 20 Apr 2000 14:58:53 -0700 (PDT) From: Christopher Nielsen X-Sender: enkhyl@hayseed.net To: Randy Bush Cc: freebsd-security@freebsd.org Subject: Re: log-in-vain [ was: 10 days ] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Apr 2000,
Randy Bush wrote: > > Something you might want to do, if you haven't already, is enable > > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log > > connection attempts on ports that have nothing listening on them. It can > > be very enlightening. > > but what does one *do* with the info? there is so much scanning and so many > baby cracker attempts that it does little good writing to source address > admins. and the sources are spoofed in the majority of the cases anyway. > > while i think log watching is important, it can be massive data. so i try > to keep it down to those data about which i can do something, either by > changing my defenses or by dealing with the source of the problem. You make very good points, Randy, and they are the same points applied to IDS. If you can figure out an answer, you'll likely be a rich man. Many people have already tried. Part of the problem is that IDS is still a young science. What you gain by copious amounts of logging is obviously more work, but you sometimes discover new attacks that you normally wouldn't find. From an academic perspective, that is important, but from the practical perspective of a network admin, the increase in work load is bothersome. Personally, I read my logs religiously, but I have a suite of homegrown scripts that distill it into a form I find more useful. The comments about using ipfw might be more applicable for others. 
-- Christopher Nielsen (enkhyl|cnielsen)@pobox.com Enkhyl on IRC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 17:12:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from fgwmail5.fujitsu.co.jp (fgwmail5.fujitsu.co.jp [192.51.44.35]) by hub.freebsd.org (Postfix) with ESMTP id 0656237B525 for ; Thu, 20 Apr 2000 17:12:44 -0700 (PDT) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from m5.gw.fujitsu.co.jp by fgwmail5.fujitsu.co.jp (8.9.3/3.7W-MX0002-Fujitsu Gateway) id JAA07311; Fri, 21 Apr 2000 09:12:41 +0900 (JST) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from chisato.nd.net.fujitsu.co.jp by m5.gw.fujitsu.co.jp (8.9.3/3.7W-0003-Fujitsu Domain Master) id JAA12615; Fri, 21 Apr 2000 09:12:39 +0900 (JST) Received: from localhost (dhcp7173.nd.net.fujitsu.co.jp [10.18.7.173]) by chisato.nd.net.fujitsu.co.jp (8.8.5+2.7Wbeta5/3.3W8chisato-970826) with ESMTP id JAA01535; Fri, 21 Apr 2000 09:12:38 +0900 (JST) To: craig@allmaui.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: telnet problems In-Reply-To: <38FF5572.BFF9E5F2@allmaui.com> References: <38FF5572.BFF9E5F2@allmaui.com> X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN) X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000421091344U.shin@nd.net.fujitsu.co.jp> Date: Fri, 21 Apr 2000 09:13:44 +0900 From: Yoshinobu Inoue X-Dispatcher: imput version 990905(IM130) Lines: 17 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I am having trouble telneting to my machine after installing Rel4.0 > I am able to enter my login and pass and then it just hangs. > This happens from other machines on my network as well as logging in at > the console and then trying to telnet to it. > Is this a security feature? 
> > Thanks,
> Craig

Hi, it might be due to a resolver problem fixed recently.
Please try the following patches and make, make install under src/lib/libc.

http://www.jp.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/getaddrinfo.c.diff?r1=1.9&r2=1.9.2.1
http://www.jp.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/name6.c.diff?r1=1.6.2.1&r2=1.6.2.2

Yoshinobu Inoue

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 20 18:44:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id D781137B8A1 for ; Thu, 20 Apr 2000 18:44:23 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (Foolstrustident!@homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id TAA27818; Thu, 20 Apr 2000 19:44:17 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <38FFB270.C4C8DD9F@softweyr.com> Date: Thu, 20 Apr 2000 19:44:16 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 4.0-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Mike Silbersack Cc: security@FreeBSD.ORG Subject: Re: stream.c followup / MFC request References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Mike Silbersack wrote:
>
> I've recently noticed that the patches to mitigate stream.c (RST rate
> limiting + multicast filtering) which were applied to 4.0 haven't been
> applied to the 3.x branch. Luckily, Wes Peters's patch still seems to
> apply cleanly to the current 3.4-stable.
> > It's available at > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=325531+0+archive/2000/freebsd-security/20000130.freebsd-security > > So, my question is this: Would someone be willing to give Wes's patch > one more lookover and commit it to the RELENG_3 branch? If everyone is comfortable with it, I'll commit it. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 21 8:20:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from goofy.intcom.net (goofy.intcom.net [207.17.172.51]) by hub.freebsd.org (Postfix) with ESMTP id 8D15837B9B7 for ; Fri, 21 Apr 2000 08:20:10 -0700 (PDT) (envelope-from jason@iac.net) Received: from jason ([207.17.172.228]) by goofy.intcom.net (Netscape Messaging Server 3.6) with SMTP id AAA34BF for ; Fri, 21 Apr 2000 11:19:52 -0400 From: "Jason Portwood" To: Subject: RE: log-in-vain [ was: 10 days ] Date: Fri, 21 Apr 2000 11:17:34 -0400 Message-ID: <6381A6A8826BD31199500090279CAFBA106958@FOGHORN> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <6381A6A8826BD31199500090279CAFBA0D8BC2@FOGHORN> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > Something you might want to do, if you haven't already, is enable > > log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. > > It will log connection attempts on ports that have nothing listening on > > them. It can be very enlightening. > Same thing goes for logging ipfw on the rejects. It's interesting sometimes to fire up another IP alias and see the people scanning by... 
> but what does one *do* with the info? there is so much scanning and so
> many baby cracker attempts that it does little good writing to source address
> admins. and the sources are spoofed in the majority of the cases anyway.

The best defense is to have as much control or rather restriction as possible over what goes on. If it's not needed, why have it running? If a service on a machine only needs to talk to one other machine, use ipfw and restrict it. Every little bit helps. Then sit back, keep things up to date, watch the mailing lists for bugs, and just watch what's going on. Like with spam, you probably don't send complaints about every one of them.

> while i think log watching is important, it can be massive
> data. so i try to keep it down to those data about which i can do something,
> either by changing my defenses or by dealing with the source of the problem.

I saw something mentioned a while back on the list that might be of help. It was a program that would watch for network scanners. Then when one was found scanning around it would send a route packet to your core router to forward all traffic from that scanner's IP to the scan watching machine. The server then would route the detected scanner to I believe a null device or just let the scanner rescan that box again. You would just route small chunks of your network(s) to the scan detection machine. I thought it sounded great but haven't had the time to contact the author about it. I don't recall any further discussion on it but what do others think about that? Curious to know...
Jason Portwood - jason@iac.net Systems Administrator - Strategic/Internet Access Cincinnati Sales and Tech Support - 513-860-9052 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 21 9: 5:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from attrition.dynamine.net (dnai-216-15-97-113.cust.dnai.com [216.15.97.113]) by hub.freebsd.org (Postfix) with ESMTP id 23E5137B618; Fri, 21 Apr 2000 09:05:41 -0700 (PDT) (envelope-from otterley@attrition.dynamine.net) Received: from localhost (otterley@localhost) by attrition.dynamine.net (8.9.3/8.9.3) with ESMTP id KAA03023; Wed, 19 Apr 2000 10:14:51 -0700 Date: Wed, 19 Apr 2000 10:14:51 -0700 (PDT) From: Otterley To: Cy Schubert - ITSD Open Systems Group Cc: Robert Watson , Kris Kennaway , "Michael S. Fischer" , security@FreeBSD.ORG Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd) In-Reply-To: <200004191557.e3JFvdX00892@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 19 Apr 2000, Cy Schubert - ITSD Open Systems Group wrote: > In message >, Robe > rt Watson writes: > > Given that attitude of the developer, I would strongly recommend we mark > > the port as FORBIDDEN, and would also seriously consider any suggestion to > > simply drop it from the ports and packages collections. > > Let me second that opinion. I'd prefer just dropping it from ports > collection. No! Please no! Unless you can offer a viable alternative (NOT Cyrus, thank you very much), please do not remove it. I'd much prefer a patch. 
--Michael

From owner-freebsd-security Fri Apr 21 10:58:33 2000
Date: Fri, 21 Apr 2000 10:58:30 PDT
From: "Ron Smith"
To: freebsd-security@freebsd.org
Subject: Using proxys with ipfw
Message-ID: <20000421175830.78962.qmail@hotmail.com>

Hello All,

I'm trying to determine if it's possible to implement smtp/pop, ftp, and www proxies with ipfw rules in place. If it is possible, which proxy software would be the best to use? I have a dual-homed gateway with ipfw rules in place. Everything works great, but I only have access to and from the Internet with NAT at this point. I would like to add the ability to access a mail server behind a firewall from the outside world. I would also like to do the same for www and ftp services as well. Any pointers?
TIA
Ron Smith

From owner-freebsd-security Fri Apr 21 11:12:45 2000
Date: Fri, 21 Apr 2000 11:41:10 -0700
From: Alfred Perlstein
To: Ron Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Using proxys with ipfw
Message-ID: <20000421114110.D10782@fw.wintelcom.net>
In-Reply-To: <20000421175830.78962.qmail@hotmail.com>; from ronnetron@hotmail.com on Fri, Apr 21, 2000 at 10:58:30AM -0700

* Ron Smith [000421 11:28] wrote:
> Hello All,
>
> I'm trying to determine if it's possible to implement smtp/pop, ftp, and www
> proxies with ipfw rules in place. If it is possible, which proxy software
> would be the best to use? I have a dual-homed gateway with ipfw rules in
> place. Everything works great, but I only have access to and from the
> Internet with NAT at this point. I would like to add the ability to access
> a mail server behind a firewall from the outside world. I would also like to
> do the same for www and ftp services as well. Any pointers?

I'm pretty sure both ipfw and natd offer a "forward port" option, just check out the docs, it should be there. I would try the ipfw stuff first as it's probably more efficient.
-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Fri Apr 21 11:21:18 2000
Date: Fri, 21 Apr 2000 19:14:57 +0100
From: Adam Laurie
To: Ron Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Using proxys with ipfw
Message-ID: <39009AA1.4880F38F@algroup.co.uk>
References: <20000421175830.78962.qmail@hotmail.com>

Ron Smith wrote:
>
> Hello All,
>
> I'm trying to determine if it's possible to implement smtp/pop, ftp, and www
> proxies with ipfw rules in place. If it is possible, which proxy software
> would be the best to use? I have a dual-homed gateway with ipfw rules in
> place. Everything works great, but I only have access to and from the
> Internet with NAT at this point. I would like to add the ability to access
> a mail server behind a firewall from the outside world. I would also like to
> do the same for www and ftp services as well. Any pointers?
Assuming you are using natd, try 'man natd' - the interesting bit being:

    -redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
            Redirect incoming connections arriving to given port to another
            host and port. Proto is either tcp or udp, targetIP is the
            desired target IP number, targetPORT is the desired target PORT
            number, aliasPORT is the requested PORT number and aliasIP is
            the aliasing address. RemoteIP and remotePORT can be used to
            specify the connection more accurately if necessary. For
            example, the argument

                tcp inside1:telnet 6666

            means that tcp packets destined for port 6666 on this machine
            will be sent to the telnet port on the inside1 machine.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Fri Apr 21 11:26:52 2000
Date: Fri, 21 Apr 2000 14:26:40 -0400 (EDT)
From: Alex Michlin
To: freebsd-security@FreeBSD.ORG
In-Reply-To: <6381A6A8826BD31199500090279CAFBA106958@FOGHORN>

How can a hacker enable promiscuous mode through an ftp connection?
I did a `last` to see who, if anyone, logged on and the only logon I saw was an ftp connection from an @home machine. I don't see any extra programs running on the machine. Do I need to be concerned about telnet passwords, etc?

    Apr 20 13:10:12 hostname /kernel: xl0: promiscuous mode enabled

Thanks for your time.

Alex

From owner-freebsd-security Fri Apr 21 14:39:47 2000
Date: Fri, 21 Apr 2000 14:39:44 -0700 (PDT)
From: Kris Kennaway
To: Otterley
Cc: Cy Schubert - ITSD Open Systems Group, Robert Watson, "Michael S. Fischer", security@FreeBSD.ORG
Subject: Re: Fw: Re: imapd4r1 v12.264 (fwd)

On Wed, 19 Apr 2000, Otterley wrote:

> No! Please no! Unless you can offer a viable alternative (NOT Cyrus,
> thank you very much), please do not remove it. I'd much prefer a patch.

Given that two vulnerabilities have already been found, and the author has not seen fit to release a patch to address them, I don't think this is going to be forthcoming - there are probably going to be a lot of other bugs discovered here, if the past history of the imap-uw port is any indication.
Basically, the bottom line is that imap-uw is not safe to use in an environment where you have users who you don't want to have shell access to your machine, but unfortunately there isn't much in the way of alternatives.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Fri Apr 21 15:46:15 2000
Date: Sat, 22 Apr 2000 08:42:39 +1000
From: Duncan
To: freebsd-security@freebsd.org
Subject: RE: logging (from freebsd-questions)
Message-Id: <4.2.0.58.20000422083806.00b4dee0@mail.bigpond.com>

yes the only thing i am getting in security is users logging in, su and bad su etc....

>Fri Apr 21 12:36:30 EDT 2000
>Hi,
>I get my firewall logs in /var/log/security
>Have you looked there.
>Andrew.
>
>
>On Fri, Apr 21, 2000 at 09:03:33PM +1000, Duncan wrote:
> > Hello
> > I am having trouble with my logs.
> > I have tried various things like adding ' log_in_vain="YES" ' in rc.conf
> > (which i read from a post on the security list)
> >
> >     !ipfw
> >     *.*     /var/log/ipfw
> >
> > but the only information i am getting is stuff like:
> >
> >     00200 0 0 deny ip from any to 127.0.0.0/8
> >     01400 20 1008 deny log tcp from any to any via ppp0 setup
> >     65535 602 28986 deny ip from any to any
> >
> > (from /var/log/ipfw.today) which by itself is useless for me.
> > I am trying to set it up so i can see the source address and ports so i at
> > least can see more of what's going on.
> >
> > I have a custom kernel with the ipfirewall and divert for natd and am currently
> > running 3.2-release.
> > sorry for not giving more information but i am new to this and not sure
> > what else to put.
> >
> > Any help is much appreciated
> > Thank you.

From owner-freebsd-security Sat Apr 22 8:27: 9 2000
Date: Sat, 22 Apr 2000 10:26:36 -0500
From: "Mobeen Azhar"
To: "Duncan"
Subject: RE: logging (from freebsd-questions)
In-Reply-To: <4.2.0.58.20000422083806.00b4dee0@mail.bigpond.com>
You need to have the "log" keyword specified in your ipfw rules in order to log activities related to that rule.

--Moby

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Duncan
Sent: Friday, April 21, 2000 17:43
To: freebsd-security@FreeBSD.ORG
Subject: RE: logging (from freebsd-questions)

yes the only thing i am getting in security is users logging in, su and bad su etc....

>Fri Apr 21 12:36:30 EDT 2000
>Hi,
>I get my firewall logs in /var/log/security
>Have you looked there.
>Andrew.
>
>
>On Fri, Apr 21, 2000 at 09:03:33PM +1000, Duncan wrote:
> > Hello
> > I am having trouble with my logs.
> > I have tried various things like adding ' log_in_vain="YES" ' in rc.conf
> > (which i read from a post on the security list)
> >
> >     !ipfw
> >     *.*     /var/log/ipfw
> >
> > but the only information i am getting is stuff like:
> >
> >     00200 0 0 deny ip from any to 127.0.0.0/8
> >     01400 20 1008 deny log tcp from any to any via ppp0 setup
> >     65535 602 28986 deny ip from any to any
> >
> > (from /var/log/ipfw.today) which by itself is useless for me.
> > I am trying to set it up so i can see the source address and ports so i at
> > least can see more of what's going on.
> >
> > I have a custom kernel with the ipfirewall and divert for natd and am currently
> > running 3.2-release.
> > sorry for not giving more information but i am new to this and not sure
> > what else to put.
> >
> > Any help is much appreciated
> > Thank you.
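Two threads above come down to inspecting the same two artifacts on an ipfw/natd gateway: the live ruleset (Ron's redirect_port question with Adam's man page excerpt, and Duncan's `ipfw -a list` counters) and what reaches syslog (Moby's point that only rules carrying `log` produce per-packet lines). The Python below is an added example, not code from this list or from FreeBSD. It assumes that `ipfw -a list` prints "rule packets bytes body", that a logged packet appears in syslog as "ipfw: rule Action PROTO src[:port] dst[:port] in|out via ifname", that natd.conf uses the "redirect_port proto targetIP:targetPORT aliasPORT" syntax quoted above, and that the divert rule runs before the pass rules so those rules see the translated inside address and port. All sample input is constructed.

```python
"""Audit helpers for an ipfw + natd gateway (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample of `ipfw -a list` output: rule number, packet count,
# byte count, rule body (assumed column order, matching the lines Duncan quoted).
RULESET = """\
00050 900 61000 divert 8668 ip from any to any via xl0
00200 0 0 deny ip from any to 127.0.0.0/8
01000 12 700 allow tcp from any to 192.168.1.10 25 in via xl0 setup
01100 3 180 allow tcp from any to 192.168.1.20 21 in via xl0 setup
01400 20 1008 deny log tcp from any to any via xl0 setup
65535 602 28986 deny ip from any to any
"""

# Constructed natd.conf fragment using the redirect_port syntax Adam quoted.
NATD_CONF = """\
redirect_port tcp 192.168.1.10:25 25
redirect_port tcp 192.168.1.10:110 110
"""

# Constructed syslog lines in the assumed shape the kernel emits for rules that
# carry `log` (hostname and addresses are made up; the last line is not ipfw).
SECURITY_LOG = """\
Apr 21 12:36:30 gw /kernel: ipfw: 1400 Deny TCP 10.1.2.3:2001 172.16.0.5:23 in via xl0
Apr 21 12:36:31 gw /kernel: ipfw: 1400 Deny TCP 10.1.2.3:2002 172.16.0.5:111 in via xl0
Apr 21 12:37:02 gw /kernel: ipfw: 1400 Deny TCP 10.9.9.9:40000 172.16.0.5:23 in via xl0
Apr 21 12:37:05 gw /kernel: ipfw: 1400 Deny UDP 10.1.2.3:53 172.16.0.5:53 in via xl0
Apr 21 12:37:09 gw /kernel: ipfw: 200 Deny ICMP:8.0 10.1.2.3 172.16.0.5 in via xl0
Apr 21 12:37:10 gw sshd[123]: Accepted password for duncan from 172.16.1.7
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_ruleset(text):
    """Yield (number, packets, body) for each counter line of `ipfw -a list`."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, _bytes, body = m.groups()
            yield int(num), int(pkts), body

def unlogged_denies(text):
    """Deny rules that matched traffic but lack `log`: they only bump counters,
    so the source address and port Duncan wants will never reach syslog."""
    return [(n, p, b) for n, p, b in parse_ruleset(text)
            if p > 0 and b.startswith("deny") and " log " not in f" {b} "]

REDIRECT_RE = re.compile(r"^redirect_port\s+(tcp|udp)\s+([\d.]+):(\d+)\s+\S+")
PASS_RE = re.compile(r"^allow\s+(tcp|udp)\s+from\s+any\s+to\s+([\d.]+)\s+(\d+)\s+in\s+via\s+(\S+)")

def redirect_audit(natd_text, ruleset_text, ext_if="xl0"):
    """Compare natd redirects with inbound pass rules on the outside interface.
    Assumption: the divert rule runs first, so later rules see the translated
    inside address and port, which is what PASS_RE matches."""
    redirects = set()
    for line in natd_text.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            redirects.add((m.group(1), m.group(2), int(m.group(3))))
    passes = set()
    for _num, _pkts, body in parse_ruleset(ruleset_text):
        m = PASS_RE.match(body)
        if m and m.group(4) == ext_if:
            passes.add((m.group(1), m.group(2), int(m.group(3))))
    # Redirects with no pass rule are dead; pass rules with no redirect are
    # exposure the natd configuration does not account for.
    return {"redirect_without_pass": sorted(redirects - passes),
            "pass_without_redirect": sorted(passes - redirects)}

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+(?::[\d.]+)?) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")

def split_addr(token):
    """'10.1.2.3:2001' -> ('10.1.2.3', 2001); ICMP entries carry no port."""
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep else (token, None)

def parse_ipfw_log(text):
    """Extract logged packets; syslog lines that are not ipfw output are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["src_ip"], e["src_port"] = split_addr(e["src"])
        e["dst_ip"], e["dst_port"] = split_addr(e["dst"])
        events.append(e)
    return events

def summarize(events):
    """Count sources and targeted (proto, port) pairs, the view Duncan asked for."""
    return {"sources": Counter(e["src_ip"] for e in events),
            "dst_ports": Counter((e["proto"], e["dst_port"])
                                 for e in events if e["dst_port"] is not None)}

if __name__ == "__main__":
    for num, pkts, body in unlogged_denies(RULESET):
        print(f"rule {num} matched {pkts} packets but is not logged: {body}")
    print(redirect_audit(NATD_CONF, RULESET))
    print(summarize(parse_ipfw_log(SECURITY_LOG)))
```

On a real box the three constants would be replaced by the output of `ipfw -a list`, the contents of natd.conf, and /var/log/security; the regexes are deliberately narrow, so any rule written in a different form (named services, address lists) shows up as unmatched and should be checked by hand rather than silently passed.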