From owner-freebsd-security Mon Oct 1 1:35:55 2001
From: Vladislav Pivovarenko
To: freebsd-security@freebsd.org
Date: Mon, 1 Oct 2001 11:35:34 +0300 (EEST)
Message-Id: <200110010835.f918ZYE85968@micomp.dp.ua>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Oct 1 2:16:14 2001
From: Laurent Fabre
To: freebsd-security@FreeBSD.ORG
Date: Mon, 01 Oct 2001 11:21:51 +0200
Subject: LaBrea for BSD
Message-Id: <200110010917.LAA03131@malraux.matranet.com>

Ok, what about two modes: one will acquire a spare IP on the network, and the other won't.
Instead, rules will be loaded from a config file (and yep, of course we need hooks; maybe the DHCPd log output could be sufficient, but I didn't look at it yet). For the packet capture I insist we need something other than a socket- or libpcap-based thing. Any suggestion welcomed. I was thinking about adding a new device, still trying to figure out how it would behave to speed things up a bit (one step is to limit memory allocation; the other perhaps is to get rid of those filtering rules in the kernel and do our dark magic in userland instead, but maybe I'm wrong). And last but not least, maybe we should find it a new name :)

-- 
Laurent Fabre
fabre@matranet.com
EADS, Matranet Product Group
"foreach if-diff, you need to re-make world...."

From owner-freebsd-security Mon Oct 1 7:12:50 2001
From: "guron"
To: freebsd-security@freebsd.org
Subject: What is login -p process in 4.4 ?
Message-ID: <20011001134016.32465.qmail@grif.newmail.ru>
Date: Mon, 01 Oct 2001 17:40:16 +0400

Hello all,

I have installed the Free 4.4 release and found an unclear process in the "ps -ax" list, of the type "login -p user", where user is the one who has logged into the system from the console. In former versions (4.1-4.3) such a process was not observed; is it a feature of 4.4? Or a trojan??? And, strangest of all, the process appears after the assignment of the user's password; until then it is absent. What does it mean?

-- 
Best regards,
 andy                          mailto:andy@rocc.ru

From owner-freebsd-security Mon Oct 1 8:20:53 2001
From: Landon Stewart
To: freebsd-security@FreeBSD.ORG
Date: Mon, 01 Oct 2001 08:16:47 -0700
Subject: Re: What is login -p process in 4.4 ?
Message-Id: <5.1.0.14.0.20011001081624.00af9008@pop.uniserve.com>
In-Reply-To: <20011001134016.32465.qmail@grif.newmail.ru>

From "man login":

     -p      By default, login discards any previous environment.  The -p
             option disables this behavior.

At 05:40 PM 10/1/2001 +0400, guron wrote:
> Hello all,
>
> I have installed the Free 4.4 release and found an unclear process in the
> "ps -ax" list, of the type "login -p user", where user is the one who has
> logged into the system from the console. In former versions (4.1-4.3) such
> a process was not observed; is it a feature of 4.4? Or a trojan??? And,
> strangest of all, the process appears after the assignment of the user's
> password; until then it is absent. What does it mean?
>
> --
> Best regards,
>  andy                          mailto:andy@rocc.ru

---
Landon Stewart
System Administrator
Uniserve Online
landons@uniserve.com
Telephone: (604) 856-6281 ext 399
Toll Free: (877) UNI-Serve ext 399
From owner-freebsd-security Mon Oct 1 10:36:53 2001
From: Brett Glass
To: Laurent Fabre, freebsd-security@FreeBSD.ORG
Date: Mon, 01 Oct 2001 11:33:21 -0600
Subject: Re: LaBrea for BSD
In-Reply-To: <200110010917.LAA03131@malraux.matranet.com>
Message-Id: <4.3.2.7.2.20011001113137.046d1600@localhost>

At 03:21 AM 10/1/2001, Laurent Fabre wrote:
> Ok, what about two modes: one will acquire a spare IP on the network, and
> the other won't. Instead, rules will be loaded from a config file (and yep,
> of course we need hooks; maybe the DHCPd log output could be sufficient,
> but I didn't look at it yet).

This would be virtually the same as using divert(4) sockets or BPF. The nice thing about divert(4) sockets is that IPFW can pre-filter packets so that they only receive relevant traffic. You can eliminate a lot of redundant effort.
--Brett

From owner-freebsd-security Mon Oct 1 13:29:49 2001
From: "Crist J. Clark"
To: "Karsten W. Rohrbach"
Cc: gkshenaut@ucdavis.edu, security@FreeBSD.ORG
Date: Mon, 1 Oct 2001 13:25:28 -0700
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <20011001132528.C304@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com> <200109271736.f8RHZrA20332@thistle.bogs.org> <20010929013148.B37579@mail.webmonster.de>
In-Reply-To: <20010929013148.B37579@mail.webmonster.de>; from karsten@rohrbach.de on Sat, Sep 29, 2001 at 01:31:48AM +0200

On Sat, Sep 29, 2001 at 01:31:48AM +0200, Karsten W. Rohrbach wrote:
> stateful rules would be better, i don't know if this can be done with
> ipfw (but i guess it should work somehow).

There isn't really a good way to do it with dynamic rules in ipfw(8).

> that's the ipfilter config for getting traceroute to work, for those who
> are interested...
>
> # traceroute=30
> pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 30 keep state
> pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 30 keep state

If you actually find a traceroute program that uses the RFC1393 protocol, I'd like to see it.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Mon Oct 1 13:34:21 2001
From: "Crist J. Clark"
To: Martin Hermanowski
Cc: security@FreeBSD.ORG
Date: Mon, 1 Oct 2001 13:32:49 -0700
Subject: Re: ipfw logging complete packets
Message-ID: <20011001133249.D304@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20010929223004.M70637@mh57.net>; from martin@mh57.net on Sat, Sep 29, 2001 at 10:30:05PM +0200

On Sat, Sep 29, 2001 at 10:30:05PM +0200, Martin Hermanowski wrote:
> Hi list,
> I would like not only to log some ip packets with ipfw, but to write
> them to a file, preferred in a format compatible to tcpdump.
>
> Is there a way to do this?
Not within ipfw(8). But there are ways to do this. One obvious choice is Snort, but this completely bypasses ipfw(8). Another idea is to write a very lightweight daemon that gets fed packets from a divert(4) rule and writes the packets to a file. I've considered writing something to do this and a few other capabilities, but have never gotten around to it.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Mon Oct 1 16:59:48 2001
From: "Ilya"
To: security@FreeBSD.ORG
Date: Mon, 1 Oct 2001 20:01:21 -0400
Subject: 2 questions about ipfw
Message-ID: <006001c14ad5$5e5283c0$0100a8c0@ilya>
References: <20010929223004.M70637@mh57.net> <20011001133249.D304@blossom.cjclark.org>

I have a FreeBSD natd box with two interfaces (external ed0 and internal fxp0).
I found a dynamic ipfw example by Peter Brezny, and it seems to work pretty well, except that nothing gets to rule number 2700. But if I move that rule before the divert, the whole LAN loses its connection to the internet. And any place after that gets 0 hits. Any suggestions on how to make this ruleset more efficient/secure?

Thank you.

PS: thank you Peter for providing your ruleset to the public.

ipfw show|more
00100   7466    518126 allow ip from any to any via lo0
00200      0         0 deny log logamount 200 ip from any to 127.0.0.0/8
00300      0         0 deny log logamount 200 ip from 192.168.0.0/24 to any in recv ed0
00400      0         0 deny log logamount 200 ip from not 192.168.0.0/24 to any in recv fxp0
00500      0         0 deny log logamount 200 ip from 192.168.0.0/16 to any in recv ed0
00600      0         0 deny log logamount 200 ip from 172.16.0.0/12 to any in recv ed0
00700      0         0 deny log logamount 200 ip from 10.0.0.0/8 to any in recv ed0
00800      0         0 deny log logamount 200 ip from any to 192.168.0.0/16 in recv ed0
00900      0         0 deny log logamount 200 ip from any to 172.16.0.0/12 in recv ed0
01000      0         0 deny log logamount 200 ip from any to 10.0.0.0/8 in recv ed0
01100      0         0 deny log logamount 200 ip from 0.0.0.0/8 to any in recv ed0
01200      0         0 deny log logamount 200 ip from 169.254.0.0/16 to any in recv ed0
01300      0         0 deny log logamount 200 ip from 192.0.2.0/24 to any in recv ed0
01400      0         0 deny log logamount 200 ip from 224.0.0.0/4 to any in recv ed0
01500      0         0 deny log logamount 200 ip from 240.0.0.0/4 to any in recv ed0
01600      0         0 deny log logamount 200 ip from any to 0.0.0.0/8 in recv ed0
01700      0         0 deny log logamount 200 ip from any to 169.254.0.0/16 in recv ed0
01800      0         0 deny log logamount 200 ip from any to 192.0.2.0/24 in recv ed0
01900      0         0 deny log logamount 200 ip from any to 224.0.0.0/4 in recv ed0
02000      0         0 deny log logamount 200 ip from any to 240.0.0.0/4 in recv ed0
02100 427386 189325029 divert 8668 ip from any to any via ed0
02200 390818 343974531 allow tcp from any to any established
02300     34      1808 allow tcp from any to $myexternalip 22,80,443,25 setup
02400   3438    192784 allow log logamount 200 icmp from any to any icmptype 3,4,11,12
02500      1        58 allow udp from any 53 to $myexternalip 53
02600     55      3365 allow udp from any 1024-65535 to $myexternalip
02700      0         0 check-state
02800 177231   9731222 allow ip from $myexternalip to any keep-state out xmit ed0
02900 290474  27027605 allow ip from 192.168.0.0/24 to any keep-state via fxp0
65534     56      3788 deny log logamount 200 ip from any to any in recv ed0
65535     56     18207 allow ip from any to any

From owner-freebsd-security Mon Oct 1 20:57:55 2001
From: Vladislav Timofeev
Reply-To: vlad@magnitka.ru
To: freebsd-security@FreeBSD.ORG
Date: Tue, 2 Oct 2001 09:56:39 +0600
Subject: Need an advice...
Message-Id: <200110020357.JAA09995@magnitka.ru>

I have a problem...
I need imap/pop3 servers configured on my FreeBSD 4.3 box.
I need advice... Which server is better: Cyrus-imap, wu-imapd or another?
And which FTP server must I use? proftpd, wu-ftpd or ....?

Thanx for help...
-- 
With best regards,
Vladislav Timofeev.
Email: vlad@magnitka.ru
       vlad@suttk.ru
ICQ UIN: 32635864

From owner-freebsd-security Mon Oct 1 21:13:20 2001
From: "default"
Reply-To: "default"
Date: Mon, 1 Oct 2001 23:13:11 -0500
Subject: file permission question

Hi,

I am allowing a couple of ppl to have a shell account on one of my machines, and I am making a few changes to disallow them from using certain things... like chmoding the 'ps' command to 550 etc...

I wanted to ask, is there any reason why one wouldn't want to chmod to 640 the passwd file and other similar files? ...
Thanks,

Jordan

From owner-freebsd-security Mon Oct 1 21:26:33 2001
From: David Kirchner
To: default
Date: Mon, 1 Oct 2001 20:22:41 -0700 (PDT)
Subject: Re: file permission question
Message-ID: <20011001202015.R85958-100000@localhost>

/etc/passwd (probably really /etc/pwd.db) is used by several user-land programs including 'ls'. It's highly recommended that /etc/passwd stay readable to the world.

Btw, the output of 'ps' can be easily reconstructed via access to the /proc filesystem. You can unmount this partition, but ps will operate differently. With /proc unmounted, you can still get a process listing for everyone - you can disable this by setting the sysctl kern.ps_showallprocs to 0.

On Mon, 1 Oct 2001, default wrote:

> Hi,
>
> I am allowing a couple of ppl to have a shell account on one of my machines,
> and I am making a few changes to disallow them from using certain things...
> like chmoding the 'ps' command to 550 etc...
>
> I wanted to ask, is there any reason why one wouldn't want to chmod to 640
> the passwd file and other similar files? ...
>
> Thanks,
>
> Jordan

From owner-freebsd-security Mon Oct 1 21:26:44 2001
From: "f.johan.beisser"
To: default
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Date: Mon, 1 Oct 2001 21:26:33 -0700 (PDT)
Subject: Re: file permission question

On Mon, 1 Oct 2001, default wrote:

> Hi,
>
> I am allowing a couple of ppl to have a shell account on one of my machines,
> and I am making a few changes to disallow them from using certain things...
> like chmoding the 'ps' command to 550 etc...
>
> I wanted to ask, is there any reason why one wouldn't want to chmod to 640
> the passwd file and other similar files? ...

the base system is relatively secure on its own. changing the permissions on things like the passwd file breaks some programs that need it to read user information. since the encrypted passwords are in /etc/master.passwd (which is permission 0600), you don't really need to change that.

honestly, changing permissions of 'standard' applications and utilities is not going to stop a determined user on your server from abusing resources.
since having any users, other than yourself, on a machine is technically a security risk, your best bet is to meticulously comb through your installed files, and only allow trusted users on your machines.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                          jan@caustic.org
 "if my thought-dreams could be seen..
  they'd probably put my head in a guillotine" -- Bob Dylan

From owner-freebsd-security Mon Oct 1 21:28:58 2001
From: David Kirchner
To: "f.johan.beisser"
Cc: default, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Date: Mon, 1 Oct 2001 20:25:00 -0700 (PDT)
Subject: Re: file permission question
Message-ID: <20011001202424.X85958-100000@localhost>

On Mon, 1 Oct 2001, f.johan.beisser wrote:

> your best bet is to meticulously comb through your installed files, and
> only allow trusted users on your machines.

Running a file integrity check such as tripwire is also a good idea - as long as you run tripwire from a read-only floppy or something similar that is.
:-)

From owner-freebsd-security Mon Oct 1 21:34:23 2001
From: "f.johan.beisser"
To: David Kirchner
Cc: default, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Date: Mon, 1 Oct 2001 21:34:13 -0700 (PDT)
Subject: Re: file permission question
In-Reply-To: <20011001202424.X85958-100000@localhost>

On Mon, 1 Oct 2001, David Kirchner wrote:

> Running a file integrity check such as tripwire is also a good idea - as
> long as you run tripwire from a read-only floppy or something similar that
> is. :-)

excellent point, one that i totally flaked on. although, tripwire is only semi-preventative; it's more a manner of making sure that someone has been able to change either binaries or directories on the server. sadly, it can't help with changed files.

there are some excellent documents on 'hardening' your OS-of-choice out there, including some on hardening FreeBSD. a quick google search should turn some up. i would suggest reading some of the information available on SecurityFocus.com's site.

-- jan

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                          jan@caustic.org
 "if my thought-dreams could be seen..
  they'd probably put my head in a guillotine" -- Bob Dylan

From owner-freebsd-security Mon Oct 1 21:34:24 2001
From: Jewfish
To: freebsd-security@FreeBSD.ORG
Cc: vlad@magnitka.ru
Date: Mon, 01 Oct 2001 23:34:00 -0500
Subject: Re: Need an advice...
Message-ID: <3BB943B8.9030305@jewfish.net>
References: <200110020357.JAA09995@magnitka.ru>

I use Cyrus-imap, and I like it a lot. I haven't used the others personally, however. Using Cyrus, you don't have to enter each user into the system in order for them to have an e-mail account (like so many out there), and it supports a lot of security features, all quite easy to set up. Just make sure you read the docs.

James

Vladislav Timofeev wrote:

> I have a problem...
> I need imap/pop3 servers configured on my FreeBSD 4.3 box.
> I need advice... Which server is better: Cyrus-imap, wu-imapd or another?
> And which FTP server must I use? proftpd, wu-ftpd or ....?
>
> Thanx for help...
>

From owner-freebsd-security Mon Oct 1 21:35:10 2001
From: Chris BeHanna
Reply-To: Chris BeHanna
Date: Tue, 2 Oct 2001 00:35:07 -0400 (EDT)
Subject: Re: file permission question
Message-ID: <20011002003111.D90494-100000@topperwein.dyndns.org>

On Mon, 1 Oct 2001, default wrote:

> Hi,
>
> I am allowing a couple of ppl to have a shell account on one of my machines,
> and I am making a few changes to disallow them from using certain things...
> like chmoding the 'ps' command to 550 etc...
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Why?  "ps" can be a valuable diagnostic tool--even for (l)users. Quite a few things can break without being able to access it; e.g., any script that relies upon ps to monitor the health of a running process.

> I wanted to ask, is there any reason why one wouldn't want to chmod to 640
> the passwd file and other similar files? ...

    Uh, because any userland process that calls getpwent() or getgrent() will fail to run?

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
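The failure Chris and David describe is easy to see with a small program. The C example below is added here and is not code from the thread or from FreeBSD: it does what ls(1) has to do for every directory entry, namely turn a uid into a name through the passwd database, and falls back to the raw number when the lookup fails, which is exactly what happens once /etc/passwd (on FreeBSD really /etc/pwd.db) is no longer readable by the calling user. The helper names uid_to_name(), uid_resolves() and world_readable() are this example's own, and the uid 4242424 is a constructed value assumed not to exist on the host.

```c
/* Added example, not from the thread or from FreeBSD: what an unprivileged
 * program sees when it needs the passwd database.  ls(1), ps(1), id(1) and
 * anything else that prints a user name calls getpwuid()/getpwnam() (and
 * getgrgid() for groups); if /etc/passwd (on FreeBSD really /etc/pwd.db)
 * is not readable by the caller, every lookup fails and the program can at
 * best print numeric ids.  uid_to_name(), uid_resolves() and
 * world_readable() are helper names chosen for this example. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Map a uid to a login name; on failure write the number instead, which is
 * the fallback ls(1) uses when it cannot resolve an owner. */
const char *uid_to_name(uid_t uid, char *buf, size_t buflen)
{
    errno = 0;
    struct passwd *pw = getpwuid(uid);
    if (pw != NULL) {
        snprintf(buf, buflen, "%s", pw->pw_name);
    } else {
        /* errno == 0 here means "no such uid"; EACCES/ENOENT mean the
         * database itself could not be opened. */
        snprintf(buf, buflen, "%lu", (unsigned long)uid);
    }
    return buf;
}

/* 1 if the uid maps to a name, 0 if only the number is available.
 * A 0 for a uid that certainly exists (uid 0) is the symptom of an
 * unreadable passwd database, not of a missing user. */
int uid_resolves(uid_t uid)
{
    return getpwuid(uid) != NULL;
}

/* 1 if "other" has read permission on path, 0 if not, -1 if stat() fails. */
int world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}

int main(void)
{
    char name[64];
    const char *db = "/etc/passwd";   /* FreeBSD also keeps /etc/pwd.db */

    printf("%s world-readable: %d\n", db, world_readable(db));
    printf("uid 0       -> %s\n", uid_to_name(0, name, sizeof name));
    printf("my uid %lu -> %s\n", (unsigned long)getuid(),
           uid_to_name(getuid(), name, sizeof name));
    /* 4242424 is a constructed uid assumed not to exist on this host */
    printf("uid 4242424 -> %s\n", uid_to_name(4242424, name, sizeof name));
    if (!uid_resolves(0))
        printf("lookup of uid 0 failed: passwd database unreadable (errno %d)\n",
               errno);
    return 0;
}
```

Run as the shell user after changing the mode of the passwd file and the difference shows immediately: uid 0 stops resolving to root and every owner column in ls turns numeric. This is the design split johan points at: the hashes live in /etc/master.passwd at mode 0600, so /etc/passwd can stay world-readable without exposing anything secret.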
From owner-freebsd-security Mon Oct 1 23:28:23 2001
Date: Tue, 2 Oct 2001 08:30:13 +0200
From: "Martin Vana"
Subject: TOOR
Message-ID: <000701c14b0b$b18e48e0$1198e693@kolej.vslib.cz>

hi,
i wonder if user toor with uid0 is created during installation or if i was
hacked. How to destroy user with uid0?
thankx

From owner-freebsd-security Mon Oct 1 23:36: 9 2001
Date: Tue, 2 Oct 2001 09:38:05 +0300
From: "Igor Melnichuk"
Subject: login.conf & FreeBSD 4.4
Message-ID: <004701c14b0c$ce44f140$45e03ac3@skif.net>

I need advice.

I have a server with FreeBSD 4.4 RELEASE installed.

To limit users I've created a new class "webuser" in login.conf (fixed
limits on resources: max mem usage, cpu time, core dump size) and done all
the necessary steps (compile the database with `cap_mkdb /etc/login.conf`
and assign the new class to the user with `chclass user1`).

But in fact this does _not_ work when I log in as user1 or run a perl
script (infinite loop) with his privileges.

On a machine with FreeBSD 4.3 RELEASE this works well (the kernel kills the
script according to the login.conf rules).

Any ideas?

PS I've read the FreeBSD 4.4-RELEASE Errata
( http://www.freebsd.org/releases/4.4R/errata.html ), 2 Security Advisories
(Support for per-user ~/.login_conf files). I believe it has no relation to
the problem.

login.conf
--------------
webuser:\
        :cputime=10s:\
        :filesize=unlimited:\
        :datasize=20M:\
        :stacksize=20M:\
        :coredumpsize=unlimited:\
        :memoryuse=20M:\
        :memorylocked=20M:\
        :maxproc=20:\
        :openfiles=20:\
        :priority=0:
---------------

Igor Melnichuk
simplyi@skif.net

From owner-freebsd-security Mon Oct 1 23:46:52 2001
Date: Tue, 2 Oct 2001 02:46:16 -0400
From: Anthony Schneider
To: Igor Melnichuk
Cc: security@FreeBSD.ORG
Subject: Re: login.conf & FreeBSD 4.4
Message-ID: <20011002024615.A22225@mail.slc.edu>
References: <004701c14b0c$ce44f140$45e03ac3@skif.net>
In-Reply-To: <004701c14b0c$ce44f140$45e03ac3@skif.net>

would you mind posting the exact perl script that you ran?

On Tue, Oct 02, 2001 at 09:38:05AM +0300, Igor Melnichuk wrote:
> I need advice.
>
> I have a server with FreeBSD 4.4 RELEASE installed.
>
> To limit users I've created a new class "webuser" in login.conf (fixed
> limits on resources: max mem usage, cpu time, core dump size) and done all
> the necessary steps (compile the database with `cap_mkdb /etc/login.conf`
> and assign the new class to the user with `chclass user1`).
>
> But in fact this does _not_ work when I log in as user1 or run a perl
> script (infinite loop) with his privileges.
>
> On a machine with FreeBSD 4.3 RELEASE this works well (the kernel kills the
> script according to the login.conf rules).
>
> Any ideas?
>
> PS I've read the FreeBSD 4.4-RELEASE Errata
> ( http://www.freebsd.org/releases/4.4R/errata.html ), 2 Security Advisories
> (Support for per-user ~/.login_conf files). I believe it has no relation to
> the problem.
>
> login.conf
> --------------
> webuser:\
>         :cputime=10s:\
>         :filesize=unlimited:\
>         :datasize=20M:\
>         :stacksize=20M:\
>         :coredumpsize=unlimited:\
>         :memoryuse=20M:\
>         :memorylocked=20M:\
>         :maxproc=20:\
>         :openfiles=20:\
>         :priority=0:
> ---------------
>
> Igor Melnichuk
> simplyi@skif.net

From owner-freebsd-security Mon Oct 1 23:47: 5 2001
Date: Mon, 1 Oct 2001 23:47:07 -0700
From: Jason DiCioccio
To: Martin Vana
Cc: freebsd-security@freebsd.org
Subject: Re: TOOR
Message-ID: <20011001234707.A17960@bluenugget.net>
References: <000701c14b0b$b18e48e0$1198e693@kolej.vslib.cz>
In-Reply-To: <000701c14b0b$b18e48e0$1198e693@kolej.vslib.cz>

On Tue, Oct 02, 2001 at 08:30:13AM +0200, Martin Vana wrote:
> hi,
> i wonder if user toor with uid0 is created during installation
> or if i was hacked. How to destroy user with uid0?
> thankx

'toor' is a default account and isn't a risk. I wouldn't bother deleting it.
But if you really want to you can probably just vipw(8) and remove the line.

Cheers,
-JD-

-- 
Jason DiCioccio - geniusj@bsd.st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc
PGP Key Fingerprint C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08

From owner-freebsd-security Mon Oct 1 23:51:20 2001
Date: Tue, 2 Oct 2001 08:49:15 +0200
From: "Kremen"
Subject: Re: Need an advice...
Message-ID: <009201c14b0e$5a69e800$9c197a0a@kremen>
References: <200110020357.JAA09995@magnitka.ru>

I personally use Courier-imapd, which also comes with pop3d. You can get it
from the ports collection. It has SSL support and many other features.
Check it out.

Kremen

----- Original Message -----
From: "Vladislav Timofeev"
Sent: Tuesday, October 02, 2001 5:56 AM
Subject: Need an advice...

: I have a problem...
: I need an imap/pop3 servers configured on my FreeBSD 4.3 box.
: I need an advice... Which server is better Cyrus-imap, wu-imapd or another?
: And which FTP server I must use? proftpd, wu-ftpd or ....?
:
: Thanx for help...
: --
: With best regards, Vladislav Timofeev.
: Email: vlad@magnitka.ru
:        vlad@suttk.ru
: ICQ UIN: 32635864

From owner-freebsd-security Tue Oct 2 0:32: 1 2001
Date: Tue, 02 Oct 2001 11:31:58 +0400
From: "Magdalinin Kirill"
To: freebsd-security@FreeBSD.ORG
Subject: file integrity checking

Hello,

which directories and files should be checked for file integrity on a
regular basis?

/bin
/etc
/kernel
/modules
/sbin
/stand
/usr/bin
/usr/lib
/usr/libdata
/usr/libexec
/usr/sbin
/usr/local/etc
/usr/local/bin
/usr/local/lib
/usr/local/libexec
/usr/local/sbin

Did I miss anything?

Maybe it's a good idea to add those to
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html#SECURITY-INTEGRITY

thanks,

Kirill Magdalinin
bsdforumen@hotmail.com

From owner-freebsd-security Tue Oct 2 0:46:20 2001
Date: Tue, 2 Oct 2001 02:46:13 -0500
From: Alfred Perlstein
To: security@freebsd.org
Subject: drop the notice from the homepage?
Message-ID: <20011002024613.Z59854@elvis.mu.org>

So, about time to ditch the notice on the homepage? :)

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
From owner-freebsd-security Tue Oct 2 0:49:15 2001
Date: Tue, 2 Oct 2001 00:49:00 -0700
From: "Crist J. Clark"
To: Ilya
Cc: security@FreeBSD.ORG
Subject: Re: 2 questions about ipfw
Message-ID: <20011002004900.I304@blossom.cjclark.org>
References: <20010929223004.M70637@mh57.net> <20011001133249.D304@blossom.cjclark.org> <006001c14ad5$5e5283c0$0100a8c0@ilya>
In-Reply-To: <006001c14ad5$5e5283c0$0100a8c0@ilya>

On Mon, Oct 01, 2001 at 08:01:21PM -0400, Ilya wrote:
> I have a freebsd natd box with two interfaces (external ed0 and internal
> fxp0). I found a dynamic ipfw example by Peter Brezny, and it seems to work
> pretty good, except that nothing gets to rule number 2700. But if i move
> that rule before divert the whole lan loses connection to internet. And any
> place after that gets 0 hits. Any suggestions on how to make this ruleset
> more efficient/secure?
>
> thank you
>
> PS thank you Peter for providing your ruleset to public
>
> ipfw show|more

[snip]

> 02100 427386 189325029 divert 8668 ip from any to any via ed0
> 02200 390818 343974531 allow tcp from any to any established
> 02300 34 1808 allow tcp from any to $myexternalip 22,80,443,25 setup
> 02400 3438 192784 allow log logamount 200 icmp from any to any icmptype 3,4,11,12
> 02500 1 58 allow udp from any 53 to $myexternalip 53
> 02600 55 3365 allow udp from any 1024-65535 to $myexternalip
> 02700 0 0 check-state
> 02800 177231 9731222 allow ip from $myexternalip to any keep-state out xmit ed0
> 02900 290474 27027605 allow ip from 192.168.0.0/24 to any keep-state via fxp0
> 65534 56 3788 deny log logamount 200 ip from any to any in recv ed0
> 65535 56 18207 allow ip from any to any

First off, it is kind of pointless to be doing dynamic rules when you have
rule 2200. All of the TCP stuff that would get passed at the check-state
rule is getting passed at 2200.

Second, rule 2700 _is_ being hit. However, when a check-state rule is hit,
the keep-state "parent" rule is the one whose count is incremented.

Other issues: your UDP rules leave you pretty much wide open. Your ICMP
rule log limit is too low with respect to your traffic levels. And more.

-- 
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Tue Oct 2 0:51:59 2001
Date: Tue, 2 Oct 2001 00:51:55 -0700
From: Kris Kennaway
To: Alfred Perlstein
Cc: security@FreeBSD.ORG
Subject: Re: drop the notice from the homepage?
Message-ID: <20011002005155.A92064@xor.obsecurity.org>
References: <20011002024613.Z59854@elvis.mu.org>
In-Reply-To: <20011002024613.Z59854@elvis.mu.org>

On Tue, Oct 02, 2001 at 02:46:13AM -0500, Alfred Perlstein wrote:
> So, about time to ditch the notice on the homepage? :)

Nah, I want to leave it there for another month or two. We're still
hearing of people noticing it for the first time.

Kris

From owner-freebsd-security Tue Oct 2 1: 0:42 2001
Date: Tue, 2 Oct 2001 09:59:12 +0200 (CEST)
From: Christian Kratzer
To: Igor Melnichuk
Subject: Re: login.conf & FreeBSD 4.4
In-Reply-To: <004701c14b0c$ce44f140$45e03ac3@skif.net>

Hi,

On Tue, 2 Oct 2001, Igor Melnichuk wrote:
> I need advice.
>
> I have a server with FreeBSD 4.4 RELEASE installed.
>
> To limit users I've created a new class "webuser" in login.conf (fixed
> limits on resources: max mem usage, cpu time, core dump size) and done all
> the necessary steps (compile the database with `cap_mkdb /etc/login.conf`
> and assign the new class to the user with `chclass user1`).
>
> But in fact this does _not_ work when I log in as user1 or run a perl
> script (infinite loop) with his privileges.
>
> On a machine with FreeBSD 4.3 RELEASE this works well (the kernel kills the
> script according to the login.conf rules).
>
> Any ideas?
>
> PS I've read the FreeBSD 4.4-RELEASE Errata
> ( http://www.freebsd.org/releases/4.4R/errata.html ), 2 Security Advisories
> (Support for per-user ~/.login_conf files). I believe it has no relation to
> the problem.
>
> login.conf
> --------------
> webuser:\
>         :cputime=10s:\
>         :filesize=unlimited:\
>         :datasize=20M:\
>         :stacksize=20M:\
>         :coredumpsize=unlimited:\
>         :memoryuse=20M:\
>         :memorylocked=20M:\
>         :maxproc=20:\
>         :openfiles=20:\
>         :priority=0:
> ---------------

If you are talking about cgi scripts run by apache you might want to
patch suexec to do this. There is nothing in apache that would normally
set the requested privileges.

we added the following to apache-x-x-x/src/support/suexec.c to actually
enforce setting of resource limits. There is nothing in apache that would
normally set these up for you.

At the top after the includes

---snipp---
#include
#ifdef __FreeBSD__
# include <login_cap.h>
#endif
#include "suexec.h"
---snipp---

Further to the bottom shortly before setting the euid

---snipp---
#ifdef __FreeBSD__
    /*
     * set resource limits from /etc/login.conf
     * allows one to limit cpu and memory consumption by cgi's
     */
    setclasscontext("apache-suexec", LOGIN_SETRESOURCES|LOGIN_SETPRIORITY);
#endif

    /*
     * setuid() to the target user.  Error out on fail.
     */
    if ((setuid(uid)) != 0) {
        log_err("emerg: failed to setuid (%ld: %s)\n", uid, cmd);
        exit(110);
    }
---snipp---

Greetings
Christian

-- 
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de  Phone: +49 7452 889-135  Fax: +49 7452 889-136
FreeBSD spoken here!

From owner-freebsd-security Tue Oct 2 1:17:21 2001
Date: Tue, 2 Oct 2001 03:17:18 -0500
From: Alfred Perlstein
To: Kris Kennaway
Cc: security@FreeBSD.ORG
Subject: Re: drop the notice from the homepage?
Message-ID: <20011002031718.A59854@elvis.mu.org>
References: <20011002024613.Z59854@elvis.mu.org> <20011002005155.A92064@xor.obsecurity.org>
In-Reply-To: <20011002005155.A92064@xor.obsecurity.org>

* Kris Kennaway [011002 02:52] wrote:
> On Tue, Oct 02, 2001 at 02:46:13AM -0500, Alfred Perlstein wrote:
> > So, about time to ditch the notice on the homepage? :)
>
> Nah, I want to leave it there for another month or two. We're still
> hearing of people noticing it for the first time.

Ok, perhaps we can switch it later to a link to a security page. Sort of
like the newsflash on the side, but on a separate page.

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
From owner-freebsd-security Tue Oct 2 2: 7:49 2001
Date: Tue, 2 Oct 2001 04:07:39 -0500 (CDT)
From: hawkeyd@visi.com (D J Hawkey Jr)
To: ck@cksoft.de, freebsd-security@freebsd.org
Subject: Re: login.conf & FreeBSD 4.4
Message-Id: <200110020907.f9297d695258@sheol.localdomain>
References: <004701c14b0c$ce44f140$45e03ac3_skif.net@ns.sol.net>

In article , ck@cksoft.de writes:
>
> If you are talking about cgi scripts run by apache you might want to
> patch suexec to do this. There is nothing in apache that would normally
> set the requested privileges.
>
> we added the following to apache-x-x-x/src/support/suexec.c to actually
> enforce setting of resource limits. There is nothing in apache that would
> normally set these up for you.
>
> [SNIP]

Reading between the lines, are you saying that any app "not from FreeBSD"
running on FreeBSD isn't likely to be accounted for because they pro'lly
don't set up limiting resources (by way of the C function you hacked in)?

Badly phrased, I know, but you get my drift?

> Greetings
> Christian

Dave

-- 
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Tue Oct 2 2:20:23 2001
Date: Tue, 2 Oct 2001 12:08:31 +0300
From: Peter Pentchev
To: D J Hawkey Jr
Cc: ck@cksoft.de, freebsd-security@freebsd.org
Subject: Re: login.conf & FreeBSD 4.4
Message-ID: <20011002120831.A704@ringworld.oblivion.bg>
References: <004701c14b0c$ce44f140$45e03ac3_skif.net@ns.sol.net> <200110020907.f9297d695258@sheol.localdomain>
In-Reply-To: <200110020907.f9297d695258@sheol.localdomain>

On Tue, Oct 02, 2001 at 04:07:39AM -0500, D J Hawkey Jr wrote:
> In article ,
> ck@cksoft.de writes:
> >
> > If you are talking about cgi scripts run by apache you might want to
> > patch suexec to do this. There is nothing in apache that would normally
> > set the requested privileges.
> >
> > we added the following to apache-x-x-x/src/support/suexec.c to actually
> > enforce setting of resource limits. There is nothing in apache that would
> > normally set these up for you.
> >
> > [SNIP]
>
> Reading between the lines, are you saying that any app "not from FreeBSD"
> running on FreeBSD isn't likely to be accounted for because they pro'lly
> don't set up limiting resources (by way of the C function you hacked in)?

Exactly. It has to call setusercontext(3) or some other of the functions
listed in the setclasscontext(3) manual page.

G'luck,
Peter

-- 
I am not the subject of this sentence.

From owner-freebsd-security Tue Oct 2 2:28:35 2001
Date: Tue, 2 Oct 2001 09:33:31 +0200 (CEST)
From: Christian Kratzer
To: D J Hawkey Jr
Subject: Re: login.conf & FreeBSD 4.4
In-Reply-To: <200110020907.f9297d695258@sheol.localdomain>

Hi,

On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
> In article ,
> ck@cksoft.de writes:
> >
> > If you are talking about cgi scripts run by apache you might want to
> > patch suexec to do this. There is nothing in apache that would normally
> > set the requested privileges.
> >
> > we added the following to apache-x-x-x/src/support/suexec.c to actually
> > enforce setting of resource limits. There is nothing in apache that would
> > normally set these up for you.
> >
> > [SNIP]
>
> Reading between the lines, are you saying that any app "not from FreeBSD"
> running on FreeBSD isn't likely to be accounted for because they pro'lly
> don't set up limiting resources (by way of the C function you hacked in)?
>
> Badly phrased, I know, but you get my drift?

it's not as bad as you may think.

Any user logging in through the "usual" channels like sshd,telnetd,console,etc...
should get the limits automatically set up for them.

We only need to patch applications like apache which start child processes
and use seteuid() to change their effective uid etc... and are not aware of
the freebsd specific possibilities.

Of course it would now be nice if someone would get the apache group to add
an #ifdef FreeBSD to the suexec code.

Off the top of my head I cannot think of any other applications in the isp
area that would require similar manual intervention.

Greetings
Christian

-- 
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de  Phone: +49 7452 889-135  Fax: +49 7452 889-136
FreeBSD spoken here!
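
Igor's class only bites if some program applies it, which is the step Christian's suexec patch adds and Peter's setusercontext(3) remark refers to. The following is an added example, not code from this thread or from FreeBSD: it re-implements that step portably, parsing the posted "webuser" record and applying it with setrlimit(2) before the uid change, so the mechanism can be run and tested anywhere. All function and type names are this example's own; on FreeBSD itself login_getpwclass(3) plus setusercontext(3) replace the parser.

```c
/* Added example, not code from the thread: the LOGIN_SETRESOURCES part of what
 * setusercontext(3) does, re-implemented portably so that a uid-switching program
 * can parse a login.conf(5) class record and apply it with setrlimit(2). */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#ifndef RLIMIT_RSS            /* absent on some platforms: parsed but not applied */
# define RLIMIT_RSS (-1)
#endif
#ifndef RLIMIT_NPROC
# define RLIMIT_NPROC (-1)
#endif

enum { L_CPUTIME, L_FILESIZE, L_DATASIZE, L_STACKSIZE, L_COREDUMPSIZE,
       L_MEMORYUSE, L_MAXPROC, L_OPENFILES, L_COUNT };

/* Capability name -> setrlimit(2) resource; is_time selects the unit syntax.
 * Keys not listed here (e.g. memorylocked, priority) are skipped by the parser. */
static const struct { const char *key; int resource, is_time; } limit_table[L_COUNT] = {
    { "cputime", RLIMIT_CPU, 1 },       { "filesize", RLIMIT_FSIZE, 0 },
    { "datasize", RLIMIT_DATA, 0 },     { "stacksize", RLIMIT_STACK, 0 },
    { "coredumpsize", RLIMIT_CORE, 0 }, { "memoryuse", RLIMIT_RSS, 0 },
    { "maxproc", RLIMIT_NPROC, 0 },     { "openfiles", RLIMIT_NOFILE, 0 } };

struct class_limits {
    rlim_t val[L_COUNT];
    unsigned char set[L_COUNT];       /* 1 if the record specified this limit */
};

/* Parse one value: "unlimited", a bare number, or number+suffix chains such as
 * "20M" (b=512-byte blocks, k, m, g, t) or "1h30m" (s, m, h, d, w). 0 or -1. */
static int parse_value(const char *s, int is_time, rlim_t *out)
{
    static const char size_units[] = "bkmgt", time_units[] = "smhdw";
    static const unsigned long long size_mult[] = { 512, 1ULL << 10, 1ULL << 20, 1ULL << 30, 1ULL << 40 },
                                    time_mult[] = { 1, 60, 3600, 86400, 604800 };
    const char *units = is_time ? time_units : size_units, *u;
    const unsigned long long *mult = is_time ? time_mult : size_mult;
    unsigned long long total = 0, v;
    char *end;
    if (strcmp(s, "unlimited") == 0 || strcmp(s, "infinity") == 0) { *out = RLIM_INFINITY; return 0; }
    while (*s != '\0') {
        errno = 0;
        v = strtoull(s, &end, 10);
        if (errno != 0 || end == s) return -1;            /* not a number */
        if (*end == '\0') { total += v; break; }          /* bare number: bytes or seconds */
        if ((u = strchr(units, tolower((unsigned char)*end))) == NULL) return -1;  /* e.g. "20x" */
        total += v * mult[u - units];
        s = end + 1;
    }
    *out = (rlim_t)total;
    return 0;
}

/* Parse one backslash-continued class record as written in /etc/login.conf. */
int parse_class(const char *entry, struct class_limits *cl)
{
    char buf[1024], *p, *eq;
    size_t n = 0; int i;
    memset(cl, 0, sizeof *cl);
    for (; *entry != '\0' && n < sizeof buf - 1; entry++)  /* drop continuations and indent */
        if (strchr("\\\r\n\t ", *entry) == NULL) buf[n++] = *entry;
    buf[n] = '\0';
    if (*entry != '\0') return -1;                         /* record too long */
    if (strtok(buf, ":") == NULL) return -1;               /* first field is the class name */
    while ((p = strtok(NULL, ":")) != NULL) {
        if ((eq = strchr(p, '=')) == NULL) continue;       /* boolean capability, not a limit */
        *eq++ = '\0';
        for (i = 0; i < L_COUNT; i++) {
            if (strcmp(p, limit_table[i].key) != 0) continue;
            if (parse_value(eq, limit_table[i].is_time, &cl->val[i]) != 0) return -1;
            cl->set[i] = 1;
            break;
        }
    }
    return 0;
}

/* Apply the limits to the calling process. Call it where the suexec patch calls
 * setclasscontext(): before setuid(), since only root may raise a hard limit.
 * Soft and hard limits are both set, so the target user cannot raise them again. */
int apply_limits(const struct class_limits *cl)
{
    struct rlimit rl; int i;
    for (i = 0; i < L_COUNT; i++) {
        if (!cl->set[i] || limit_table[i].resource < 0) continue;
        rl.rlim_cur = rl.rlim_max = cl->val[i];
        if (setrlimit(limit_table[i].resource, &rl) != 0) return -1;  /* errno is set */
    }
    return 0;
}

/* The "webuser" record posted in the thread, constructed here as sample input. */
const char WEBUSER_ENTRY[] =
    "webuser:\\\n\t:cputime=10s:\\\n\t:filesize=unlimited:\\\n\t:datasize=20M:\\\n"
    "\t:stacksize=20M:\\\n\t:coredumpsize=unlimited:\\\n\t:memoryuse=20M:\\\n"
    "\t:memorylocked=20M:\\\n\t:maxproc=20:\\\n\t:openfiles=20:\\\n\t:priority=0:\n";
```
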
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 2 2:38:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 8C6F537B401 for ; Tue, 2 Oct 2001 02:37:31 -0700 (PDT) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f929V5v31276; Tue, 2 Oct 2001 10:32:54 +0100 (BST) (envelope-from brian@freebsd-services.com) Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f929R3l39720; Tue, 2 Oct 2001 10:27:03 +0100 (BST) (envelope-from brian@freebsd-services.com) Message-Id: <200110020927.f929R3l39720@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: "jack xiao" Cc: freebsd-security@FreeBSD.ORG, brian@freebsd-services.com Subject: Re: L2TP In-Reply-To: Message from "jack xiao" of "Fri, 28 Sep 2001 15:02:40 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 02 Oct 2001 10:27:03 +0100 From: Brian Somers Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org FreeBSD doesn't support L2TP I'm afraid. > Hi, > > I am going to set up L2TP tunnel under FreeBSD, and then set IPSEC over = > this tunnel. Because l2tpd is new for me, I need your help to configure = > it and then to confirm it can work under FreeBSD. Here is my question as = > follows, > > 1. In order to get l2tpd running, need I have ppp-2.3.3 or later = > version? > 1.1 If I want to realize l2tp tunnel and pptp tunnel at the same time, > should I define 2 or more pseudo devices in the kenel's conf? > 2. I want to use 2 FreeBSD to set up l2tp tunnel, is it possible? > 3. 
> I need some sample configuration about LAC and LNS?
> 4. In addition, I can not get enough document about L2TP. If possible,
> could you give me more?
>
> Thanks a lot!
>
> Jack

--
Brian
http://www.freebsd-services.com/

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Tue Oct 2 2:39:38 2001
From: D J Hawkey Jr
To: Christian Kratzer , freebsd-security@freebsd.org
Cc: Peter Pentchev
Subject: Re: login.conf & FreeBSD 4.4
Date: Tue, 2 Oct 2001 04:39:27 -0500
Message-ID: <20011002043927.A95391@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <200110020907.f9297d695258@sheol.localdomain>
In-Reply-To: ; from ck@cksoft.de on Tue, Oct 02, 2001 at 09:33:31AM +0200

On Oct 02, at 09:33 AM, Christian Kratzer wrote:
>
> Hi,
>
> On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
>
> > In article ,
> > ck@cksoft.de writes:
> > >
> > > If you are talking about cgi scripts run by apache you might want to
> > > patch suexec to do this. There is nothing in apache that would normally
> > > set the requested privileges.
> > >
> > > we added following to apache-x-x-x/src/support/suexec.c to actually
> > > enforce setting of resource limits. There is nothing in apache that would
> > > normally set these up for you.
> > >
> > > [SNIP]
> >
> > Reading between the lines, are you saying that any app "not from FreeBSD"
> > running on FreeBSD isn't likely to be accounted for because they pro'lly
> > don't set up limiting resources (by way of the C function you hacked in)?
> >
> > Badly phrased, I know, but you get my drift?
>
> it's not as bad as you may think.
>
> Any user logging in through the "usual" channels like sshd, telnetd, console, etc...
> should get the limits automatically set up for them.

Running X apps remotely falls into the above group, I assume?

> We only need to patch applications like apache which start child processes
> and use seteuid() to change their effective uid etc... and are not aware of
> the FreeBSD specific possibilities.

This makes sense [to me], but Peter seems to disagree. Can either of you
address the other's position?

> Greetings
> Christian

Thanks,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Tue Oct 2 3:14: 5 2001
From: Peter Pentchev
To: D J Hawkey Jr
Cc: Christian Kratzer , freebsd-security@freebsd.org
Subject: Re: login.conf & FreeBSD 4.4
Date: Tue, 2 Oct 2001 13:02:49 +0300
Message-ID: <20011002130249.B704@ringworld.oblivion.bg>
References: <200110020907.f9297d695258@sheol.localdomain> <20011002043927.A95391@sheol.localdomain>
In-Reply-To: <20011002043927.A95391@sheol.localdomain>; from hawkeyd@visi.com on Tue, Oct 02, 2001 at 04:39:27AM -0500

On Tue, Oct 02, 2001 at 04:39:27AM -0500, D J Hawkey Jr wrote:
> On Oct 02, at 09:33 AM, Christian Kratzer wrote:
> >
> > Hi,
> >
> > On Tue, 2 Oct 2001, D J Hawkey Jr wrote:
> >
> > > In article ,
> > > ck@cksoft.de writes:
> > > >
> > > > If you are talking about cgi scripts run by apache you might want to
> > > > patch suexec to do this. There is nothing in apache that would normally
> > > > set the requested privileges.
> > > >
> > > > we added following to apache-x-x-x/src/support/suexec.c to actually
> > > > enforce setting of resource limits.
> > > > There is nothing in apache that would
> > > > normally set these up for you.
> > > >
> > > > [SNIP]
> > >
> > > Reading between the lines, are you saying that any app "not from FreeBSD"
> > > running on FreeBSD isn't likely to be accounted for because they pro'lly
> > > don't set up limiting resources (by way of the C function you hacked in)?
> > >
> > > Badly phrased, I know, but you get my drift?
> >
> > it's not as bad as you may think.
> >
> > Any user logging in through the "usual" channels like sshd, telnetd, console, etc...
> > should get the limits automatically set up for them.
>
> Running X apps remotely falls into the above group, I assume?
>
> > We only need to patch applications like apache which start child processes
> > and use seteuid() to change their effective uid etc... and are not aware of
> > the FreeBSD specific possibilities.
>
> This makes sense [to me], but Peter seems to disagree. Can either of you
> address the other's position?

I think Christian's right, and I'm sorry for the confusion which my hasty
reply brought :)

Of course the context needs only be set once, when changing uid's.

G'luck,
Peter

--
What would this sentence be like if it weren't self-referential?
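The ordering Christian and Peter settle on above (apply the login class's resource limits once, immediately before the uid change, which is what the setclasscontext() call in the suexec patch quoted later in this thread does) can be shown portably. The following is an added example, not code from this thread, from Apache or from FreeBSD: it parses a login.conf(5) record by hand, using the "webuser" class quoted later in the thread as constructed input, maps the capabilities onto setrlimit(2), and applies them before setgid()/setuid(). The names parse_login_conf, class_rlimits and apply_class_and_drop are this example's own; on FreeBSD itself, setclasscontext(3) from login_cap(3) does the mapping for you.

```python
"""Apply a login.conf(5) resource class, then drop privileges.

Added example, not code from this thread, Apache or FreeBSD: a portable
version of what setclasscontext() does in the quoted suexec patch.  The
login.conf record is parsed here and mapped onto setrlimit(2).
"""
import os
import resource

# Constructed input: the "webuser" class quoted in this thread.
SAMPLE_LOGIN_CONF = r"""
webuser:\
    :cputime=10s:\
    :filesize=unlimited:\
    :datasize=20M:\
    :stacksize=20M:\
    :coredumpsize=unlimited:\
    :memoryuse=20M:\
    :memorylocked=20M:\
    :maxproc=20:\
    :openfiles=20:\
    :priority=0:
"""

UNLIMITED = resource.RLIM_INFINITY
CAP_TO_RLIMIT = {                       # not every platform defines all of these
    "cputime": resource.RLIMIT_CPU,     # enforced with SIGXCPU
    "filesize": resource.RLIMIT_FSIZE,  # enforced with SIGXFSZ
    "datasize": resource.RLIMIT_DATA,   # enforced by failing brk()/mmap()
    "stacksize": resource.RLIMIT_STACK,
    "coredumpsize": resource.RLIMIT_CORE,
    "memoryuse": getattr(resource, "RLIMIT_RSS", None),  # a hint only
    "memorylocked": getattr(resource, "RLIMIT_MEMLOCK", None),
    "maxproc": getattr(resource, "RLIMIT_NPROC", None),
    "openfiles": resource.RLIMIT_NOFILE,
}
TIME_CAPS = {"cputime"}
COUNT_CAPS = {"maxproc", "openfiles"}
SIZE_SUFFIX = {"b": 512, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30, "t": 1 << 40}
TIME_SUFFIX = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}


def parse_login_conf(text):
    """Parse the termcap-style format into {class: {capability: value}}."""
    classes, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # trailing backslash continues the record
            logical += line[:-1]
            continue
        fields = [f for f in (logical + line).split(":") if f]
        logical = ""
        if not fields:
            continue
        caps = {}
        for field in fields[1:]:
            key, eq, value = field.partition("=")
            caps[key] = value if eq else True   # bare "cap" is a boolean flag
        for name in fields[0].split("|"):       # "name|alias" share one record
            classes[name] = caps
    return classes


def parse_value(cap, value):
    """Turn "10s", "20M", "20" or "unlimited" into an integer for setrlimit()."""
    v = value.strip().lower()
    if v in ("unlimited", "infinity"):
        return UNLIMITED
    if cap in COUNT_CAPS:
        return int(v)
    table = TIME_SUFFIX if cap in TIME_CAPS else SIZE_SUFFIX  # "m": minutes vs MiB
    if v[-1] in table:
        return int(v[:-1]) * table[v[-1]]
    return int(v)


def class_rlimits(caps):
    """Map one class to {capability: (RLIMIT_*, (soft, hard))}.

    The -cur / -max variants ("cputime-cur=5s") set just one of the pair;
    None means "keep what the process already has".
    """
    limits = {}
    for key, value in caps.items():
        base, _, which = key.partition("-")
        rlim = CAP_TO_RLIMIT.get(base)
        if rlim is None or value is True:
            continue
        n = parse_value(base, value)
        soft, hard = limits.get(base, (None, (None, None)))[1]
        limits[base] = (rlim, (n if which != "max" else soft,
                               n if which != "cur" else hard))
    return limits


def apply_class_and_drop(caps, uid, gid):
    """Limits and priority first, identity last: that order is the point of
    the suexec patch.  Only cputime and filesize kill an offending process
    by signal; datasize/memoryuse just make its allocations fail."""
    for rlim, (soft, hard) in class_rlimits(caps).values():
        cur = resource.getrlimit(rlim)
        resource.setrlimit(rlim, (cur[0] if soft is None else soft,
                                  cur[1] if hard is None else hard))
    if isinstance(caps.get("priority"), str):
        os.setpriority(os.PRIO_PROCESS, 0, int(caps["priority"]))
    os.setgid(gid)   # group first: after setuid() we may no longer be allowed to
    os.setuid(uid)
```

The comment on which limits kill and which merely fail allocations is the practical caveat behind the memory-limit behaviour Kirill reports later in this thread: a CGI that ignores a failed malloc() keeps running (or hangs) rather than dying, so a cputime limit is the one that reliably ends a runaway script.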
From owner-freebsd-security Tue Oct 2 3:21:35 2001
From: Christian Kratzer
To: D J Hawkey Jr
Cc: Peter Pentchev
Subject: Re: login.conf & FreeBSD 4.4
Date: Tue, 2 Oct 2001 10:28:24 +0200 (CEST)
In-Reply-To: <20011002043927.A95391@sheol.localdomain>

Hi,

On Tue, 2 Oct 2001, D J Hawkey Jr wrote:

[snipp]

> > Any user logging in through the "usual" channels like sshd, telnetd, console, etc...
> > should get the limits automatically set up for them.
>
> Running X apps remotely falls into the above group, I assume?

I usually ssh into remote machines and then start x sessions from there.
Even telnetting or using rlogin to get there should get your limits set up
for you.

I am not sure xdm and its variants do the right thing.

Greetings
Christian

--
Christian Kratzer, Schwarzwaldstr.
31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Fax: +49 7452 889-136 FreeBSD spoken here!

From owner-freebsd-security Tue Oct 2 4: 0:32 2001
From: "Magdalinin Kirill"
To: ck@cksoft.de, simplyi@skif.net
Cc: security@FreeBSD.ORG
Subject: Re: Re: login.conf & FreeBSD 4.4
Date: Tue, 02 Oct 2001 15:00:25 +0400

I didn't find out why, but a similar patch that was used on a busy web
server on a 4.1R box caused serious problems: cpu limits worked fine and
did kill cgi's, but memory limits caused the server to stall, because
child processes were not being killed when they reached their limit.
These links might be helpful:

http://www.freebsd.org/cgi/query-pr.cgi?pr=13606
http://www.freebsd.org/cgi/getmsg.cgi?fetch=28683+32382+/usr/local/www/db/text/2000/freebsd-isp/20000806.freebsd-isp

I tried them both, but as I said not for memory limiting

P.S.: apache RLimit directives seem not to work

Kirill Magdalinin
magcyril@hotmail.com

>From: Christian Kratzer
>To: Igor Melnichuk
>CC:
>Subject: Re: login.conf & FreeBSD 4.4
>Date: Tue, 2 Oct 2001 09:59:12 +0200 (CEST)
>
>Hi,
>
>On Tue, 2 Oct 2001, Igor Melnichuk wrote:
>
> > I need advice.
> >
> > I have a server with installed FreeBSD 4.4 RELEASE .
> >
> > Limiting users I've created new class "webuser" in login.conf ( fixed limit
> > on resource - max mem usage, cpu time, core dump size) and do all necessary
> > steps (compile base `cap_mkdb /etc/login.conf` and assign new class to user
> > `chclass user1`)
> >
> > But in fact this _not_ works when I logged like user1 or run perl script
> > (infinite loop) with his privileges.
> >
> > On machine with FreeBSD 4.3 RELEASE this works well (kernel kill script
> > according to login.conf rules)
> >
> > Any ideas ?
> >
> > PS I've read FreeBSD 4.4-RELEASE Errata (
> > http://www.freebsd.org/releases/4.4R/errata.html ) 2 Security Advisories
> > (Support for per-user ~/.login_conf files) I believe it has no relation to
> > problem
> >
> > login.conf
> > --------------
> > webuser:\
> >     :cputime=10s:\
> >     :filesize=unlimited:\
> >     :datasize=20M:\
> >     :stacksize=20M:\
> >     :coredumpsize=unlimited:\
> >     :memoryuse=20M:\
> >     :memorylocked=20M:\
> >     :maxproc=20:\
> >     :openfiles=20:\
> >     :priority=0:
> > ---------------
>
>If you are talking about cgi scripts run by apache you might want to
>patch suexec to do this. There is nothing in apache that would normally
>set the requested privileges.
>
>we added following to apache-x-x-x/src/support/suexec.c to actually
>enforce setting of resource limits. There is nothing in apache that would
>normally set these up for you.
> At the top after the includes
> ---snipp---
> #include
>
> #ifdef __FreeBSD__
> # include
> #endif
>
> #include "suexec.h"
> ---snipp---
>
> Further to the bottom shortly before setting the euid
> ---snipp---
> #ifdef __FreeBSD__
>     /*
>      * set resource limits from /etc/login.conf
>      * allows one to limit cpu and memory consumption by cgi's
>      */
>     setclasscontext( "apache-suexec", LOGIN_SETRESOURCES|LOGIN_SETPRIORITY );
> #endif
>
>     /*
>      * setuid() to the target user. Error out on fail.
>      */
>     if ((setuid(uid)) != 0) {
>         log_err("emerg: failed to setuid (%ld: %s)\n", uid, cmd);
>         exit(110);
>     }
> ---snipp---
>
>Greetings
>Christian
>
>--
>Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
>Email: ck@cksoft.de
>Phone: +49 7452 889-135
>Fax: +49 7452 889-136 FreeBSD spoken here!

From owner-freebsd-security Tue Oct 2 6: 1:39 2001
From: Steve Shorter
To: default
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: file permission question
Date: Tue, 2 Oct 2001 08:56:31 -0400
Message-ID: <20011002085631.A3337@nomad.lets.net>
In-Reply-To: ; from default013subscriptions@hotmail.com on Mon, Oct 01, 2001 at 11:13:11PM -0500

On Mon, Oct 01, 2001 at 11:13:11PM -0500, default wrote:
> Hi,
>
> I am allowing a couple of ppl to have a shell account on one of my machines,
> and I am making a few changes to disallow them from using certain things...
> like chmoding the 'ps' command to 550 etc...

Sounds like jail(8) could be a preferred solution.

-steve

From owner-freebsd-security Tue Oct 2 8:23:32 2001
From: Gabriel Ambuehl
Organization: BUZ Internet Services
Date: Tue, 2 Oct 2001 17:27:48 +0200
Message-ID: <149681895413.20011002172748@buz.ch>
To: Vladislav Timofeev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need an advice...
In-Reply-To: <200110020357.JAA09995@magnitka.ru>
References: <200110020357.JAA09995@magnitka.ru>

-----BEGIN PGP SIGNED MESSAGE-----

Hello Vladislav,

Tuesday, October 02, 2001, 5:56:39 AM, you wrote:

> I have a problem...
> I need an imap/pop3 servers configured on my FreeBSD 4.3 box.
> I need an advice... Which server is better Cyrus-imap, wu-imapd or
> another? And which FTP server I must use? proftpd, wu-ftpd or ....?

We run courier-imap cause that fits best into our qmail/vpopmail env.
YMMV, of course.

As for FTPd: if you don't need the feature bloat proftpd and wu-ftpd
provide, I suggest to stick with ftpd since for that one, FreeBSD takes
care of the security issues, which in all cases is better than either one
of the other two.
Best regards,
Gabriel

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQEVAwUBO7nO6MZa2WpymlDxAQFRGwf+O//EmsaRUtYCg93e3AK00LkCSPlIiZ1s
xGzb3qKn3x/hyJcTAjKhkDdSXeGXzsDtK5vd317MCt5prIXIrCEB6Fwq0FLPscSS
pCNMIdtSrrYdFMYJ8LlRujN3jauM8EAjUOiJviFlD4d5dg+ddCCkJy1NG1QilG6P
1ofBeJz3bOvdUPv/+XJa/4O9k1FwkSPe3x3gzqO/YOAT4ZcgjIpOafeq7IDNxho1
35qyW2wLIMhkiDNuMcdk9u0/Yvu3OzWz1TkPMT6kbHd47L4XLRLpQ4HBQybTstQx
acUaJINtJKW6u4RIGa+hiIS8+XRRmV2X8t3A0Sgz15iZNIeAPQ9jWw==
=i0UL
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Oct 2 8:24:49 2001
From: Landon Stewart
To: "default"
Subject: Re: file permission question
Date: Tue, 02 Oct 2001 08:24:38 -0700
Message-Id: <5.1.0.14.0.20011002081912.03753c00@pop.uniserve.com>

At 11:13 PM 10/1/2001 -0500, default wrote:
>Hi,
>
>I am allowing a couple of ppl to have a shell account on one of my machines,
>and I am making a few changes to disallow them from using certain things...

Firstly, don't just chmod them, chown them with an alternate group like
(staff) and then chmod them to 750 or something. Some utilities require the
suid bit so make sure you check if the binary is suid before you chmod it
and then include the suid bit if necessary (WARNING: failure to do this
could lock you out of your own system).

>like chmoding the 'ps' command to 550 etc...

Rather than getting rid of the 'ps' command, let them see their own
processes only by putting 'kern.ps_showallprocs=0' in your
/etc/sysctl.conf file.

If you don't want to reboot for it to take effect just run
"sysctl kern.ps_showallprocs=0".

>I wanted to ask, is there any reason why one wouldn't want to chmod to 640
>the passwd file and other similar files? ...

Many utilities that do not run as root or wheel require passwd file
information (but not master.passwd file, which is where the important
stuff is).
For instance, apache requires it to figure out where home directories are
when someone uses http://www.domain.com/~username

---
Landon Stewart
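The check Landon describes (look at a binary's set-id bits before chmod'ing it away from ordinary users, and carry them over) as an added example, not code from this thread or from FreeBSD. The helpers restrict_binary, planned_mode and setid_inventory are this example's own, and make_fixture builds constructed files in a scratch directory so it runs anywhere; the kern.ps_showallprocs sysctl Landon mentions is FreeBSD-specific and is not touched here.

```python
"""Tighten a binary's permissions without losing its set-id bits.

Added example, not code from this thread.  It does what Landon advises
above: check whether a tool such as ps(1) is set-uid/set-gid before
chmod'ing it to an admin-only mode, and carry those bits over, or the
tool silently stops working (and a slip on su(1) locks you out).
"""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def planned_mode(current_mode, base=0o750):
    """`base` plus whichever set-id bits the file already carries."""
    return base | (stat.S_IMODE(current_mode) & SETID_BITS)


def restrict_binary(path, gid=None, base=0o750):
    """Optionally chgrp, then chmod `path` to base + its preserved set-id bits.

    Ownership is changed before the mode because chown(2) clears the set-id
    bits on an executable; returns the permission bits actually on disk.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    if gid is not None:
        os.chown(path, -1, gid)
    os.chmod(path, planned_mode(st.st_mode, base))
    return stat.S_IMODE(os.stat(path).st_mode)


def setid_inventory(roots):
    """Sorted (path, mode) for every set-uid/set-gid regular file under roots.

    Keep a copy of the output: a later run that shows a set-id file you did
    not install is one of the first things to look for on a shared box.
    """
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                    found.append((p, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def make_fixture():
    """Constructed scratch dir: one set-uid script and one plain one."""
    d = tempfile.mkdtemp()
    suid, plain = os.path.join(d, "ps_like"), os.path.join(d, "plain")
    for p in (suid, plain):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)
    os.chmod(plain, 0o755)
    return d, suid, plain
```

On a real system the inventory would be run over /bin, /sbin, /usr/bin and the like (find -perm -4000 does the same from the shell), and restrict_binary would be given the gid of the "staff"-style group Landon suggests.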
From owner-freebsd-security Tue Oct 2 8:31:37 2001
From: Landon Stewart
To: vlad@magnitka.ru, freebsd-security@FreeBSD.ORG
Subject: Re: Need an advice...
Date: Tue, 02 Oct 2001 08:31:29 -0700
Message-Id: <5.1.0.14.0.20011002082924.0375ee68@pop.uniserve.com>
In-Reply-To: <200110020357.JAA09995@magnitka.ru>

At 09:56 AM 10/2/2001 +0600, Vladislav Timofeev wrote:
>I have a problem...
>I need an imap/pop3 servers configured on my FreeBSD 4.3 box.
>I need an advice... Which server is better Cyrus-imap, wu-imapd or another?
>And which FTP server I must use? proftpd, wu-ftpd or ....?

I agree with james on this one. Cyrus is by far one of the better ones,
actually the best one I've tried. I've tried wu-imapd and you have to use
it with washington universities pop3d. WU-Imapd creates a place holder
message as the very first message and only wu's pop3d knows to ignore it.

As far as FTP servers go, I would 100% recommend proftpd, mostly because of
the configurability, but some say it's got some security problems;
personally I haven't noticed any security problems.

---
Landon Stewart
From owner-freebsd-security Tue Oct 2 9:19:29 2001
From: Brian Kraemer
To: Landon Stewart
Subject: Re: Need an advice...
Date: Tue, 2 Oct 2001 09:19:24 -0700 (PDT)
In-Reply-To: <5.1.0.14.0.20011002082924.0375ee68@pop.uniserve.com>
Message-ID: <20011002091610.J69001-100000@kosh.etchings.com>

On Tue, 2 Oct 2001, Landon Stewart wrote:

> I agree with james on this one. Cyrus is by far one of the better ones,
> actually the best one I've tried. I've tried wu-imapd and you have to use
> it with washington universities pop3d. WU-Imapd creates a place holder
> message as the very first message and only wu's pop3d knows to ignore it.

Actually it's imapd-uw you're referring to, not wu-imapd. AFAIK, there is
no product named wu-imapd. WU is Washington University in St. Louis, MO
(the makers of wu-ftpd). UW is the University of Washington in Seattle, WA
(the makers of pine). It's amazing how many people make this mistake.
-Brian

From owner-freebsd-security Tue Oct 2 13:14:30 2001
From: Todd Wagner
Subject: Re: file integrity checking
To: Magdalinin Kirill , freebsd-security@FreeBSD.ORG
Date: Tue, 2 Oct 2001 13:14:26 -0700 (PDT)
Message-ID: <20011002201426.49616.qmail@web10903.mail.yahoo.com>

Perhaps, /boot

Todd

--- Magdalinin Kirill wrote:
> Hello,
>
> which directories and files should be checked for
> file integrity on a
> regular basis?
>
> /bin
> /etc
> /kernel
> /modules
> /sbin
> /stand
> /usr/bin
> /usr/lib
> /usr/libdata
> /usr/libexec
> /usr/sbin
> /usr/local/etc
> /usr/local/bin
> /usr/local/lib
> /usr/local/libexec
> /usr/local/sbin
>
> Did I miss anything?
>
> May be it's a good idea to add those to
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html#SECURITY-INTEGRITY
>
> thanks,
>
> Kirill Magdalinin
> bsdforumen@hotmail.com
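One way to run the integrity check Kirill asks about over that list of directories, as an added example that is neither code from this thread nor the FreeBSD tool normally used for the job (mtree(8)): take a baseline manifest of digests and metadata while the box is known good, keep it off the box, and diff a fresh scan against it. The functions scan, compare, save and load are this example's own; DEFAULT_ROOTS is Kirill's list plus Todd's /boot, and make_fixture builds a constructed directory tree so the code runs without touching a real system.

```python
"""Baseline-and-compare file integrity check over a list of directories.

Added example, not code from this thread or from FreeBSD (whose own tool
for this is mtree(8)).  A manifest of digests and metadata is taken while
the box is known good, kept off the box, and diffed against a later scan.
"""
import hashlib
import json
import os
import stat
import tempfile

# Kirill's list from this thread, plus Todd's /boot.
DEFAULT_ROOTS = [
    "/bin", "/boot", "/etc", "/kernel", "/modules", "/sbin", "/stand",
    "/usr/bin", "/usr/lib", "/usr/libdata", "/usr/libexec", "/usr/sbin",
    "/usr/local/etc", "/usr/local/bin", "/usr/local/lib",
    "/usr/local/libexec", "/usr/local/sbin",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record(path):
    """Digest plus mode/owner/size, so a new set-uid bit or a chown is
    reported even when the content is unchanged."""
    st = os.lstat(path)
    rec = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # record the link itself, not its target
    elif stat.S_ISREG(st.st_mode):
        rec["sha256"] = sha256_file(path)
    return rec


def scan(roots):
    """Return {path: record} for every file and symlink below roots."""
    manifest = {}
    for root in roots:
        if os.path.islink(root) or os.path.isfile(root):  # /kernel is a file
            manifest[root] = record(root)
            continue
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    manifest[p] = record(p)
                except OSError:            # vanished or unreadable: skip it
                    continue
    return manifest


def compare(baseline, current):
    """Sorted lists of added, removed and changed paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return json.load(f)


def make_fixture():
    """Constructed tree standing in for a real system: bin/ls, bin/dir -> ls,
    etc/passwd.  Returns (roots, paths)."""
    d = tempfile.mkdtemp()
    paths = {"ls": os.path.join(d, "bin", "ls"),
             "dir": os.path.join(d, "bin", "dir"),
             "passwd": os.path.join(d, "etc", "passwd"),
             "manifest": os.path.join(d, "baseline.json")}
    os.makedirs(os.path.join(d, "bin"))
    os.makedirs(os.path.join(d, "etc"))
    with open(paths["ls"], "wb") as f:
        f.write(b"\x7fELF\x01 not a real binary\n")
    with open(paths["passwd"], "w") as f:
        f.write("root:*:0:0:Charlie &:/root:/bin/csh\n")
    os.symlink("ls", paths["dir"])
    return [os.path.join(d, "bin"), os.path.join(d, "etc")], paths
```

The baseline only means something if an intruder cannot rewrite it, which is why the handbook discussion Alexey raises below concerns where the monitoring host keeps it and how it reaches the client boxes; for the same reason the scan should be run from a known-good copy of the tools, not the ones being checked.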
From owner-freebsd-security Tue Oct 2 13:29: 1 2001
From: Alexey Koptsevich
To: security@freebsd.org
Subject: access from monitoring host
Date: Tue, 2 Oct 2001 22:28:52 +0200 (MET DST)

Hello,

There is a discussion about ways of access from centralized monitoring
host at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html

  Except for its network traffic, NFS is the least visible method - allowing
  you to monitor the filesystems on each client box virtually undetected. If
  your limited-access server is connected to the client boxes through a
  switch, the NFS method is often the better choice. If your limited-access
  server is connected to the client boxes through a hub, or through several
  layers of routing, the NFS method may be too insecure (network-wise) and
  using ssh may be the better choice even with the audit-trail tracks that
  ssh lays.

I do not understand, why access method should be different in cases when
monitoring host is behind the switch or connected through the hub?
Thanks,
Alex

PS Please cc: me your reply.

From owner-freebsd-security Tue Oct 2 14: 3:41 2001
From: Krzysztof Zaraska
To: Alexey Koptsevich
Cc: security@FreeBSD.ORG
Subject: Re: access from monitoring host
Date: Tue, 2 Oct 2001 23:03:23 +0200 (CEST)

On Tue, 2 Oct 2001, Alexey Koptsevich wrote:

>
> Hello,
>
> There is a discussion about ways of access from centralized monitoring
> host at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html
>
> Except for its network traffic, NFS is the least visible method - allowing
> you to monitor the filesystems on each client box virtually undetected. If
> your limited-access server is connected to the client boxes through a
> switch, the NFS method is often the better choice. If your limited-access
> server is connected to the client boxes through a hub, or through several
> layers of routing, the NFS method may be too insecure (network-wise) and
> using ssh may be the better choice even with the audit-trail tracks that
> ssh lays.
>
> I do not understand, why access method should be different in cases when
> monitoring host is behind the switch or connected through the hub?

If your network is connected with a switch then all traffic between hosts
A and B is not visible by any other host; if it is otherwise, all other
hosts on this Ethernet segment can see this traffic. So, if someone on
this segment has bad will s/he can watch your NFS transfers or even insert
data in your session. The same applies if both hosts are on distant
networks and the traffic goes through multiple untrusted networks.

Generally use of unencrypted connections over untrusted environment for
administrative work and authorization is not acceptable.

Krzysztof

>
> Thanks,
> Alex
>
> PS Please cc: me your reply.

From owner-freebsd-security Tue Oct 2 16:59: 1 2001
From: Thomas Beauchamp
To: freebsd-security@freebsd.org
Date: Wed, 3 Oct 2001 00:58:59 +0100 (BST)
Message-ID: <20011002235859.74079.qmail@web20909.mail.yahoo.com>

Hi!

Anybody with experience/knowledge of recovering erased files with stupid
'rm -r / *' command?

I understand that the couple 'unrm' 'lazarus' can help in this.
Any ideas? I have been quoted over £2,000 for that job by a commercial data
recovery company ...

TIA
roboTomas

From: Chad David
Date: Tue, 2 Oct 2001 23:44:38 -0600
To: freebsd-security@freebsd.org
Subject: new ipfw command

I have started writing a new ipfw command (fwadm) that is much like ipfw,
but differs in a number of areas:

1) I use lex and yacc to support a more flexible grammar.
2) I support command line, file, and interactive modes. (the interactive
   mode uses readline)
3) I've started an interactive help mode.. I'm thinking about modeling it
   after the Cisco IOS.
4) The code is modular enough to be useful to someone who didn't write it.
What I am looking for are ideas, and before I put too much effort into this,
an opinion on whether or not a more "friendly" ipfw is even a good idea. I
have a number of my own ideas, but "usefulness" is my primary goal.

Any comments or requests for the code in its current state are welcome.

--
Chad David        davidc@acns.ab.ca
ACNS Inc.         Calgary, Alberta Canada

From: ANdrei
Date: Wed, 03 Oct 2001 09:34:34 +0300
To: freebsd-security@FreeBSD.ORG
Subject: last

excuse me if this is off-topic, or maybe a silly/simple question, but when
doing a LAST, i got the following output:

user    ttyp2   :0.0   Tue Oct  2 12:12   still logged in
user    ttyp1   :0.0   Tue Oct  2 12:08   still logged in
reboot  ~              Mon Oct  1 19:07
user    ttyp1   :0.0   Mon Oct  1 17:51 - crash (01:15)
user    ttyp2   :0.0   Mon Oct  1 17:25 - 17:59 (00:34)
user    ttyp1   :0.0   Mon Oct  1 14:40 - 17:50 (03:09)

so, what's buzzing me is the line with the reboot: who did it? my box can
not be rebooted by a Ctrl-Alt-Del, only root can do that...
it wasn't a crash i think, because no FS-checks were made when rebooting.
(or at least i found nothing in the logs...)

it wasn't for sure me :), but i just had my firewall down for a few mins,
and then it happened... was this just a coincidence?

and smtg else: what ports and protocol are used when accessing a samba
share? i'm talking about a broadcast network, where people should be able
to access public shares from other computers, which have firewalls...

thanks!

--
"I live in my own little world - but it's ok, they know me here!"

From: rik@rikrose.net
Date: Wed, 3 Oct 2001 11:33:16 +0100 (BST)
To: ANdrei
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: last

On Wed, 3 Oct 2001, ANdrei wrote:
> it wasn't for sure me :), but i just had my firewall down for a few
> mins, and then it happened... was this just a coincidence?

It could have been a power cut, or even a brown out, or someone else while
you were working on the firewall :)

> and smtg else: what ports and protocol are used when accessing a samba
> share? i'm talking about a broadcast network, where people should be
> able to access public shares from other computers, which have
> firewalls...
137-140 roughly, depending on what version of Windows you're using. I
noticed 2000 has lots more useless ports open than any of the others, by
default, sometimes including qotd, although I've not found the setting to
control it. Some machines it's on, some it's not. I don't know why, but then
I understand so little of MicroSofts products...

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From: ANdrei
Date: Wed, 03 Oct 2001 14:04:23 +0300
To: rik@rikrose.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: last

rik@rikrose.net wrote:
>
> On Wed, 3 Oct 2001, ANdrei wrote:
> > it wasn't for sure me :), but i just had my firewall down for a few
> > mins, and then it happened... was this just a coincidence?
>
> It could have been a power cut, or even a brown out, or someone else while
> you were working on the firewall :)

nope, in that case you don't get that log entry from last (i'm almost sure
about that) and your file-systems get checked at startup for sure, and mine
didn't... it was a clean shutdown... plus there was no power cut, because
we have about 40 computers in the company, and none rebooted except mine...

I'm so suspicious because I had a few times people trying to hack me, and 2
times they were real profis, and i believe they got through this time and
left almost no evidence of their passing...

>
> > and smtg else: what ports and protocol are used when accessing a samba
> > share? i'm talking about a broadcast network, where people should be
> > able to access public shares from other computers, which have
> > firewalls...
>
> 137-140 roughly, depending on what version of Windows you're using. I
> noticed 2000 has lots more useless ports open than any of the others,
> by default, sometimes including qotd, although I've not found the setting
> to control it. Some machines it's on, some it's not. I don't know why,
> but then I understand so little of MicroSofts products...

I understand little about M$ too :) I found out i have an error in my
configuration of samba, or something like that, the ports i knew were good:
135, 137, 138 and 139

maybe anybody has other ideas about the weird TILDE ~ in the "last"-output,
and what/who it was...

--
"I live in my own little world - but it's ok, they know me here!"
From: Mike Tancsa
Date: Wed, 03 Oct 2001 08:03:38 -0400
To: security@freebsd.org
Subject: remote root exploit (was Re: cvs commit: ports/ftp/wu-ftpd Makefile ports/ftp/wu-ftpd/files patch-aa)

Hi

Does anyone know if these OPIE fixes were / are root exploitable? It was
possible to sig 11 wu-ftpd remotely prior to this patch.

---Mike

On Sat, 29 Sep 2001 19:03:12 +0000 (UTC), in sentex.lists.freebsd.cvs you
wrote:

>ache        2001/09/29 12:03:03 PDT
>
>  Modified files:
>    ftp/wu-ftpd          Makefile
>    ftp/wu-ftpd/files    patch-aa
>  Log:
>  Fix the case when opie keys not used
>
>  Revision  Changes    Path
>  1.38      +2 -2      ports/ftp/wu-ftpd/Makefile
>  1.15      +53 -17    ports/ftp/wu-ftpd/files/patch-aa

Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers
could setup a national IP network."
(KDW2)

From: Eric Anderson
Date: Wed, 03 Oct 2001 07:42:00 -0500
To: ANdrei
Cc: rik@rikrose.net, freebsd-security@freebsd.org
Subject: Re: last

I have had my FreeBSD boxes crash like this a few times. Typically, it's
been a CPU overheating for me. It really IS a crash. The ~ is what last
puts in there when the system is rebooted abruptly without a user.

All hackers leave a trace.

Eric

ANdrei wrote:
> rik@rikrose.net wrote:
> >
> > On Wed, 3 Oct 2001, ANdrei wrote:
> > > it wasn't for sure me :), but i just had my firewall down for a few
> > > mins, and then it happened... was this just a coincidence?
> >
> > It could have been a power cut, or even a brown out, or someone else while
> > you were working on the firewall :)
>
> nope, in that case you don't get that log entry from last (i'm almost
> sure about that) and your file-systems get checked at startup for sure,
> and mine didn't... it was a clean shutdown... plus there was no power
> cut, because we have about 40 computers in the company, and none
> rebooted except mine...
>
> I'm so suspicious because I had a few times people trying to hack me,
> and 2 times they were real profis, and i believe they got through this
> time and left almost no evidence of their passing...
>
> > > and smtg else: what ports and protocol are used when accessing a samba
> > > share? i'm talking about a broadcast network, where people should be
> > > able to access public shares from other computers, which have
> > > firewalls...
> >
> > 137-140 roughly, depending on what version of Windows you're using. I
> > noticed 2000 has lots more useless ports open than any of the others,
> > by default, sometimes including qotd, although I've not found the setting
> > to control it. Some machines it's on, some it's not. I don't know why,
> > but then I understand so little of MicroSofts products...
>
> I understand little about M$ too :) I found out i have an error in my
> configuration of samba, or something like that, the ports i knew were
> good: 135, 137, 138 and 139
>
> maybe anybody has other ideas about the weird TILDE ~ in the
> "last"-output, and what/who it was...
>
> --
> "I live in my own little world - but it's ok, they know me here!"
From: Peter Pentchev
Date: Wed, 3 Oct 2001 15:29:08 +0300
To: ANdrei
Cc: rik@rikrose.net, freebsd-security@FreeBSD.ORG
Subject: Re: last

On Wed, Oct 03, 2001 at 02:04:23PM +0300, ANdrei wrote:
> rik@rikrose.net wrote:
> >
> > On Wed, 3 Oct 2001, ANdrei wrote:
> > > it wasn't for sure me :), but i just had my firewall down for a few
> > > mins, and then it happened... was this just a coincidence?
> >
> > It could have been a power cut, or even a brown out, or someone else while
> > you were working on the firewall :)
>
> nope, in that case you don't get that log entry from last (i'm almost
> sure about that) and your file-systems get checked at startup for sure,
> and mine didn't... it was a clean shutdown...

No, it wasn't. It was either a power failure, or somebody hitting the
power button, but it was by no means a clean shutdown.
Had it been a clean shutdown, last(1) would have said something like:

reboot    ~                  Sun Sep 30 21:20
shutdown  ~                  Sun Sep 30 21:13
roam      ttyv0              Sun Sep 30 21:08 - shutdown (00:05)

That is, there would have been an entry named 'shutdown', and the logout
time of the still-logged-in users would have been marked as 'shutdown',
not 'crash' as in your logs. The absence of a 'shutdown' entry in your
logs means that the system did not record a wtmp entry at the time of the
shutdown, meaning the system was not really doing a clean shutdown. The
'crash' in the logout time field means that upon starting at the next
boot-up, the system found still unclosed wtmp records, and concluded that
there had been an unclean reboot.

G'luck,
Peter

--
I am not the subject of this sentence.

From: Giorgos Keramidas
Date: Wed, 3 Oct 2001 15:05:45 +0300
To: Chad David
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: new ipfw command

Chad David wrote:
> I have started writing a new ipfw command (fwadm) that
> is much like ipfw, but differs in a number of areas:
> ...
> 3) I've started an interactive help mode.. I'm thinking
>    about modeling it after the Cisco IOS.

I really like this part :-)

-giorgos

From: The Anarcat
Date: Wed, 3 Oct 2001 12:28:52 -0400
To: Chad David
Cc: freebsd-security@freebsd.org
Subject: Re: new ipfw command

On Tue Oct 02, 2001 at 11:44:38PM -0600, Chad David wrote:
>
> 4) The code is modular enough to be useful to someone who
>    didn't write it.

And I like this one.. :)

Currently, ipfw has a good amount of prs open that are not committed or
fixed. I think this might be due to the spaghetti nature of the code.
Having a clean implementation wouldn't hurt at all, go for it!

I'm not sure it would make it in the base system though. :(

A.

From: "Andrew R. Reiter"
Date: Wed, 3 Oct 2001 13:12:22 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: Creation of trustedbsd-audit mailing list (fwd)

FYI.

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|    to undertake the analysis of the obvious" -- A.N. Whitehead

---------- Forwarded message ----------
Date: Tue, 2 Oct 2001 17:37:02 -0400 (EDT)
From: Robert Watson
To: trustedbsd-discuss@TrustedBSD.org
Subject: Creation of trustedbsd-audit mailing list

At the request of Andrew Reiter, I've created a new mailing list for the
discussion of fine-grained event auditing, as well as related issues (audit
reduction, storage, IDS processing of audit data, etc). You can subscribe
to that list by sending mail to majordomo@trustedbsd.org with contents of
"susbcribe trustedbsd-audit". This doesn't preclude discussing audit issues
on trustedbsd-discuss, but given the anticipated rise in
implementation-oriented discussion on the audit topic, a separate list
makes sense.

Andrew and the rest of the audit team hope to post an initial design
document in the next week or so, and are moving forward with the
implementation.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

From: "Nickolay A.Kritsky"
Date: Wed, 3 Oct 2001 21:32:20 +0400
To: "Andrew R. Reiter"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Creation of trustedbsd-audit mailing list (fwd)

Hello Andrew,

Wednesday, October 03, 2001, 9:12:22 PM, you wrote:

ARR> FYI.

ARR> At the request of Andrew Reiter , I've created a new
ARR> mailing list for the discussion of fine-grained event auditing, as well as
ARR> related issues (audit reduction, storage, IDS processing of audit data,
ARR> etc). You can subscribe to that list by sending mail to
ARR> majordomo@trustedbsd.org with contents of
ARR> "susbcribe trustedbsd-audit".
---------^^
did you mean "subscribe trustedbsd-audit" ?
I think so ;-)

;-------------------------------------------
;  NKritsky
;  SysAdmin InternetHelp.Ru
;  http://www.internethelp.ru
;  mailto:nkritsky@internethelp.ru

From: Landon Stewart
Date: Wed, 03 Oct 2001 10:39:31 -0700
To: "Nickolay A.Kritsky", "Andrew R. Reiter"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Creation of trustedbsd-audit mailing list (fwd)

At 09:32 PM 10/3/2001 +0400, Nickolay A.Kritsky wrote:
>Hello Andrew,
>ARR> majordomo@trustedbsd.org with contents of
>ARR> "susbcribe trustedbsd-audit".
>---------^^
>did you mean "subscribe trustedbsd-audit" ? I think so ;-)

"Oh the bandwidth that we waste when we do not cut and paste."

---
Landon Stewart

From: David La Croix
Date: Wed, 3 Oct 2001 13:38:14 -0500 (CDT)
To: freebsd-security@freebsd.org
Cc: dlacroix@cowpie.acm.vt.edu (David La Croix)
Subject: SMBmkdir (REQUEST) packets in tcpdump?

In attempting to get something else working, I was running TCP dump,
watching specifically for broadcasted traffic, and I came across the
following puzzling output from TCPdump:

13:12:35.579986 10.10.10.251.138 > 10.10.10.255.138:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x77B7
IP=10 (0xa).10 (0xa).10 (0xa).251 (0xfb) Port=138 (0x8a) Length=213 (0xd5) Res2=0x0
SourceName=NARF NameType=0x00 (Workstation)
DestName=LA NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)

13:12:35.580115 10.10.10.251.138 > 10.10.10.255.138:
>>> NBT UDP PACKET(138) Res=0x110A ID=0x77B8
IP=10 (0xa).10 (0xa).10 (0xa).251 (0xfb) Port=138 (0x8a) Length=205 (0xcd) Res2=0x0
SourceName=NARF NameType=0x00 (Workstation)
DestName=`a NameType=0x00 (Workstation)
SMB PACKET: SMBmkdir (REQUEST)

This is on a 4.3-secure FreeBSD box behind a nat/firewall (Samba version
2.0.9). The Firewall is an old 486 running 4.3-secure with natd and only
ssh and httpd ports open. (The SAMBA is running for one client (win98)
that happens to be off at the time of these messages).

Can anybody explain this (known bug in Samba???) or point me to a FAQ on
the topic?

For reference ...
just noticed another occurrence: 13:24:36.307205 10.10.10.251.138 > 10.10.10.255.138: >>> NBT UDP PACKET(138) Res=0x110A ID=0x77B9 IP=10 (0xa).10 (0xa).10 (0xa).251 (0xfb) Port=138 (0x8a) Length=213 (0xd5) Res2=0x0 SourceName=NARF NameType=0x00 (Workstation) DestName=LA NameType=0x00 (Workstation) SMB PACKET: SMBmkdir (REQUEST) 13:24:36.307347 10.10.10.251.138 > 10.10.10.255.138: >>> NBT UDP PACKET(138) Res=0x110A ID=0x77BA IP=10 (0xa).10 (0xa).10 (0xa).251 (0xfb) Port=138 (0x8a) Length=205 (0xcd) Res2=0x0 SourceName=NARF NameType=0x00 (Workstation) DestName=`a NameType=0x00 (Workstation) SMB PACKET: SMBmkdir (REQUEST) Thanks. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 3 13:30:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from medialab.lostboys.nl (medialab.lostboys.nl [194.109.72.254]) by hub.freebsd.org (Postfix) with ESMTP id B435A37B401 for ; Wed, 3 Oct 2001 13:30:45 -0700 (PDT) Received: from buur.medialab.lostboys.nl (root@buur.medialab.lostboys.nl [194.109.110.8]) by medialab.lostboys.nl (8.9.3/8.9.3) with ESMTP id WAA21138; Wed, 3 Oct 2001 22:36:39 +0200 (CEST) Received: from darkroom.medialab.lostboys.nl (ip-037.medialab.lostboys.nl [194.109.110.37]) by buur.medialab.lostboys.nl (8.9.3/8.9.3/Debian 8.9.3-21) with ESMTP id WAA04790; Wed, 3 Oct 2001 22:31:50 +0200 Received: by darkroom.medialab.lostboys.nl (Postfix, from userid 1000) id EDF7715F7; Wed, 3 Oct 2001 22:30:38 +0200 (CEST) Date: Wed, 3 Oct 2001 22:30:38 +0200 
From: Martijn Lina
To: Thomas Beauchamp
Cc: freebsd-security@freebsd.org
Subject: Re: recovery from 'rm -rf /'
Message-ID: <20011003223038.G28329@medialab.lostboys.nl>
In-Reply-To: <20011002235859.74079.qmail@web20909.mail.yahoo.com>

Once upon a 03-10-2001, Thomas Beauchamp hit keys in the following order:
>
> Anybody with experience/knowledge of recovering
> erased
> files with stupid 'rm -r / *' command?

first of all, be sure that absolutely nothing is writing to the disk anymore. the inodes that have been freed last will be the first to be used again. that's why my initial reaction of restoring the backup caused me a lot of problems, because the backup appeared to be incomplete.

> I understand that the couple 'unrm' 'lazarus' can
> help
> in this.

those tools can probably be of help, i guess, but it looks to me that it's only useful for analysing it for some hackers' activity, clearing up logs etc. i've been able to successfully restore a few m$word documents from the output of unrm, but only those that luckily had been stored in an unfragmented way on the disk. in case of fragmentation, i guess it would be necessary to know which inodes would be the next in the chain. i haven't figured out how though.

if your filesystem is still not rewritten, i think 'ils' could be of use. it can list all inodes of removed files.
it's also part of The Coroner's Toolkit, like unrm and lazarus. i don't know how much empty space you have to work with, but lazarus isn't very well written and crashes after processing 2GB of data: out of memory.

the docs from tct are pretty helpful. not too much to read, so take a look at that and decide which tools would be most helpful for your situation. i've only played with unrm and lazarus. unrm takes all unallocated inodes from the rm-ed partition and puts it in one big file. lazarus uses that file to split it up in blocks and recognize if it's text, binary, compressed, gif/jpg, mail, etc. if you have to look for binary data, like me, i don't know if this output could be of any use, unless the original file was small enough to fit in one block.

and of course, a hexeditor could always help. i liked ports/editors/hexedit the best, for its speedy search on my 3GB unrm-file.

good luck

martijn

From owner-freebsd-security Wed Oct 3 14:08:09 2001
To: freebsd-security@freebsd.org
Subject: odd sockstat output
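The unrm/lazarus pass Martijn describes, as an added example that is not code from the thread or from The Coroner's Toolkit: it cuts an unrm-style dump of unallocated blocks into fixed-size blocks, tags each by content (text, binary, gzip, gif/jpeg, mail) and carves the one case that output recovers directly, a file that fit in a single block. The tagging rules, the assumed 1024-byte block size and the sample image are this example's own.

```python
"""A lazarus-style pass over an unrm output file.

Added example, not code from The Coroner's Toolkit or from the thread. It
follows the message's description: unrm writes every unallocated block of
the partition into one big file, lazarus cuts that file into blocks and
tags each one as text, binary, compressed, gif/jpeg or mail. The tagging
rules, the assumed 1024-byte block size and the sample image are this
example's own; a real unrm file would be read in place of SAMPLE_IMAGE.
"""
from typing import List, Tuple

BLOCK = 1024  # assumed unit; use the filesystem's fragment size in practice

# Magic numbers checked at the start of a block, first match wins.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
# A text block that opens with a mailbox separator or RFC 822 headers.
MAIL_MARKERS = (b"From ", b"Return-Path:", b"Received:")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def classify(block: bytes) -> str:
    """Tag one block from its content alone, the way lazarus does."""
    body = block.rstrip(b"\x00")            # ignore NUL padding at the end
    if not block.strip(b"\x00"):
        return "unused"                     # never written, or zero-filled
    for magic, tag in MAGIC:
        if block.startswith(magic):
            return tag
    printable = sum(1 for b in body if b in PRINTABLE)
    if printable < 0.95 * len(body):
        return "binary"
    if body.startswith(MAIL_MARKERS):
        return "mail"
    return "text"


def scan(image: bytes, block_size: int = BLOCK) -> List[Tuple[int, str]]:
    """Walk an unrm image block by block and return (block number, tag)."""
    return [(off // block_size, classify(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]


def carve(image: bytes, block_no: int, block_size: int = BLOCK) -> bytes:
    """Recover the contents of one block with its NUL padding removed.

    As the message says, this is only a complete file when the original fit
    in a single block; a fragmented file needs the block chain, which the
    unrm output no longer carries.
    """
    start = block_no * block_size
    return image[start:start + block_size].rstrip(b"\x00")


def _block(payload: bytes) -> bytes:
    """Constructed sample: one payload placed at the start of a block."""
    if len(payload) > BLOCK:
        raise ValueError("payload larger than one block")
    return payload.ljust(BLOCK, b"\x00")


# Constructed unrm-style image of six blocks; block numbers start at 0.
SAMPLE_IMAGE = b"".join([
    _block(b"From user@example.invalid Wed Oct  3 22:30:38 2001\n"
           b"Received: from localhost\nSubject: test\n\nhello\n"),     # 0 mail
    _block(b"GIF89a\x10\x00\x10\x00\x80\x00\x00" + bytes(range(256))),  # 1 gif
    _block(b"notes from the rm -r / incident, small enough for one block\n"),  # 2 text
    _block(b"\x1f\x8b\x08\x00" + bytes(range(64))),                       # 3 gzip
    _block(bytes(range(256)) * 3),                                       # 4 binary
    bytes(BLOCK),                                                        # 5 unused
])

if __name__ == "__main__":
    for number, tag in scan(SAMPLE_IMAGE):
        print(number, tag)
    print(carve(SAMPLE_IMAGE, 2).decode())
```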
From: Bill.Melvin@esc.edu
Date: Wed, 3 Oct 2001 17:04:40 -0400

Why would sockstat show me something like this:

USER  COMMAND   PID  FD  PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
root  sshd     4580   5  tcp4   192.168.120.1:22  192.168.120.2:38
root  sshd      155   4  tcp4   *:22              *:*
root  syslogd   129   5  udp4   *:514             *:*
root  syslogd   129  18  ?      ?                 ?

Line with the ?s. Same PID but different FD. I did another sockstat right away but it was gone.

/b

From owner-freebsd-security Wed Oct 3 18:18:44 2001
Message-ID: <20011004011840.74747.qmail@web13904.mail.yahoo.com>
Date: Wed, 3 Oct 2001 18:18:40 -0700 (PDT)
From: Caitlen
Subject: default cipher types in openssh
To: security@freebsd.org

I've noticed that openssh, even when connecting with protocol 2, seems to default to 3des. While that's a pretty conservative stance, isn't AES256 a little more secure? The order of preference seems to be a little off. For example:

3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se

I believe are the default cipher types. Why is arcfour even in the list? I removed it many months ago on my production servers (with no ill effect). In fact right now I'm running with

Host *
    Ciphers rijndael256-cbc

in my ~/.ssh/config and

Ciphers rijndael256-cbc

in my /etc/ssh/sshd_config, with no ill effect. SecureCRT from VanDyke seems to support AES 256 with no difficulty either.

Now I'm not suggesting we remove all of the other cipher types except for AES, that would certainly break backwards compatibility. I am however suggesting that we should have some open discussion on the order of preference here. Certainly arcfour should not be listed as being more preferable than AES. Personally I think it should be something along the lines of:

Ciphers AES256, AES192, AES128, blowfish, 3des

As I stated back in January, it'd sure be nice if failed ssh logins showed up in the logs (at all) by default.... auth.info really should be in the default syslog.conf, most people don't know to add it in themselves. Sparing that, in sshd_config move the logging facility to security.
From owner-freebsd-security Wed Oct 3 19:14:27 2001
Date: Wed, 3 Oct 2001 22:14:21 -0400
From: Zvezdan Petkovic
To: security@FreeBSD.ORG
Subject: Re: default cipher types in openssh
Message-ID: <20011003221421.A28053@dali.cs.wm.edu>
In-Reply-To: <20011004011840.74747.qmail@web13904.mail.yahoo.com>

On Wed, Oct 03, 2001 at 06:18:40PM -0700, Caitlen wrote:
> I've noticed that openssh, even when connecting with
> protocol 2, seems to default to 3des. While that's a
> pretty conservative stance, isn't AES256 a little more
> secure? The order of preference seems to be a little
> off.

It obviously depends on the version of OpenSSH. My OpenBSD and Linux systems both give:

zvezdan:7$ ssh -v
OpenSSH_2.9.9, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
...
debug1: Local version string SSH-2.0-OpenSSH_2.9.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
...

As you can see, it uses AES.

Unfortunately, I can't test on FreeBSD right now since it doesn't support my laptop's Linksys PCMLM56 Ethernet/Modem multifunction PCMCIA card. I can use FreeBSD only with my wireless Orinoco card when I'm at work. :-)

Frankly, the default version in the 4.4-release is 2.3.0 which is _old_. Ports have 2.9 but that one became old recently after a security advisory from OpenSSH. I updated immediately to 2.9.9.

> For example.
> 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
>

"man ssh" on my system gives:

...
     Ciphers
             Specifies the ciphers allowed for protocol version 2 in order of
             preference.  Multiple ciphers must be comma-separated.  The
             default is ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
             aes192-cbc,aes256-cbc''
...

> Now I'm not suggesting we remove all of the other
> cipher types except for AES, that would certainly
> break backwards compatibility. I am however suggesting that
> we should have some open discussion on the order of
> preference here. Certainly arcfour should not be
> listed as being more preferable than AES.
> Personally I think it should be something along the
> lines of.
>

According to the above we just need to update the stable branch to 2.9.9, or at least the port (which seems to be on the way). Other people probably know what would be a better solution.

Best regards,

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Thu Oct 4 0:49:50 2001
Date: Thu, 4 Oct 2001 10:48:39 +0300
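Why the client's Ciphers order, and not the server's, decides what Caitlen and Zvezdan see, as an added example that is not code from the thread or from OpenSSH: SSH2 takes the first name on the client's list that the server also offers (RFC 4253, section 7.1), so the two default lists quoted above negotiate 3des-cbc and aes128-cbc respectively, and a cipher removed from the client's list can never be chosen. The lists are the ones quoted in the thread; the negotiation rule is assumed to be the only thing that matters, as it is with the lists as quoted.

```python
"""SSH2 cipher negotiation for the lists quoted in this thread.

Added example; not code from the thread or from OpenSSH. The selection rule
is the SSH2 one: the client's list is walked in order and the first name the
server also offers wins (RFC 4253, section 7.1), so the order that matters
is the client's, and a server can only pick among the client's names.
"""
from typing import List, Optional, Set

# Client default Caitlen reports (3des-cbc comes first).
OLD_DEFAULT = ("3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,"
               "aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,"
               "rijndael256-cbc,rijndael-cbc@lysator.liu.se")

# Default Zvezdan quotes from the OpenSSH 2.9.9 ssh(1) man page.
NEW_DEFAULT = ("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,"
               "aes192-cbc,aes256-cbc")

# Caitlen's proposed order, written with OpenSSH's algorithm names.
PROPOSED = "aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc"


def parse_name_list(spec: str) -> List[str]:
    """Split a comma-separated Ciphers value; drops blanks and repeats."""
    names: List[str] = []
    for name in spec.split(","):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    return names


def negotiate(client_spec: str, server_spec: str) -> Optional[str]:
    """First entry of the client's list that the server also offers.

    None means no common cipher: the connection fails instead of falling
    back to anything weaker.
    """
    offered: Set[str] = set(parse_name_list(server_spec))
    for name in parse_name_list(client_spec):
        if name in offered:
            return name
    return None


def remove_ciphers(spec: str, unwanted: Set[str]) -> str:
    """Return the Ciphers value with the unwanted names removed, order kept.

    This is what Caitlen did for arcfour: a cipher not on the client's list
    can never be negotiated, whatever the server prefers.
    """
    return ",".join(n for n in parse_name_list(spec) if n not in unwanted)


if __name__ == "__main__":
    # Both ends on the old default: 3des-cbc, exactly what Caitlen observed.
    print(negotiate(OLD_DEFAULT, OLD_DEFAULT))               # 3des-cbc
    # Both ends on the 2.9.9 default: aes128-cbc, as in Zvezdan's ssh -v.
    print(negotiate(NEW_DEFAULT, NEW_DEFAULT))               # aes128-cbc
    # A server offering only arcfour still gets it from an old-default client
    print(negotiate(OLD_DEFAULT, "arcfour"))                 # arcfour
    # but not from a client that dropped it.
    print(negotiate(remove_ciphers(OLD_DEFAULT, {"arcfour"}), "arcfour"))  # None
    # Pinning only rijndael256-cbc client-side fails against the 2.9.9 list.
    print(negotiate("rijndael256-cbc", NEW_DEFAULT))         # None
```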
From: Peter Pentchev
To: Zvezdan Petkovic
Cc: security@FreeBSD.ORG
Subject: Re: default cipher types in openssh
Message-ID: <20011004104839.A1959@ringworld.oblivion.bg>
In-Reply-To: <20011003221421.A28053@dali.cs.wm.edu>

On Wed, Oct 03, 2001 at 10:14:21PM -0400, Zvezdan Petkovic wrote:
> According to the above we just need to update the stable branch to
> 2.9.9, or at least the port (which seems to be on the way).
> Other people probably know what would be a better solution.

-STABLE is at 2.9.0 as of September 28th. It seems to use AES128 now, too.

G'luck,
Peter

--
Thit sentence is not self-referential because "thit" is not a word.

From owner-freebsd-security Thu Oct 4 2:30:55 2001
Date: Thu, 4 Oct 2001 02:30:34 -0700
From: "Crist J. Clark"
To: D J Hawkey Jr
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011004023034.U8391@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20010908105308.A78138@sheol.localdomain>

On Sat, Sep 08, 2001 at 10:53:08AM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 06:37 PM, Peter Pentchev wrote:
> >
> > > Q: Can the kernel be "forced" to load a module from within itself? That
> > > is, does a cracker need to be in userland?
> >
> > Yes, certainly; all kldload(8) does is invoke the kldload(2) syscall,
> > nothing more, nothing userspace-magical.
> > All a kernel routine needs to do is either invoke that syscall, or
> > call the internal kernel functions that kldload(2) calls, like e.g.
> > linker_find_file_by_name() and linker_load_file() in sys/kern/kern_linker.c
>
> Ah. Well then, as I wrote to Kris, the kernel has to deny KLD loading
> altogether, it should be a build-time option, and it should have nothing
> to over-ride this.
>
> Or am I still being too simplistic?
> I haven't been using KLD- or LKM-
> aware systems very long (~one year), but so far I've had little use for
> them (the modules). I get a box, I configure the kernel to it, and that's
> that. If the box changes, I build a new kernel. At least for the servers
> I've set up, this works fine. Now, a development or users' box, well...

Yes, I am still catching up on email almost a month old.

I went in and made a very simple kernel-build option which disables the use of kldload(2) (and kldunload(2)) at all times. This is not as good as raising securelevel(8) since root can still write to /dev/mem. However, a lot of people in this thread still seem to want this ability. Since you can still write to /dev/mem, it only raises the bar a bit for an attacker. But it does raise the bar enough to possibly foil a skr1pt k1ddi3 or two.

To use the patches,

# cd /usr/src
# patch < /path/to/sys_patch

Add the line,

options NO_KLD

To your kernel configuration and build it in the usual manner. Have fun.

Unless there is outpouring from people who love the idea, I'm not going to commit these to FreeBSD.

--
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

Content-Disposition: attachment; filename="sys_stable.patch"

Index: sys/conf/options
===================================================================
RCS file: /export/ncvs/src/sys/conf/options,v
retrieving revision 1.191.2.36
diff -u -r1.191.2.36 options
--- sys/conf/options 2001/09/15 00:50:35 1.191.2.36
+++ sys/conf/options 2001/10/04 08:21:10
@@ -464,3 +464,6 @@ FDC_DEBUG opt_fdc.h PCFCLOCK_VERBOSE opt_pcfclock.h PCFCLOCK_MAX_RETRIES opt_pcfclock.h + +# Disable loading and unloading of kernel modules +NO_KLD opt_kern_linker.h
Index: sys/kern/kern_linker.c
===================================================================
RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v
retrieving revision 1.41.2.2
diff -u -r1.41.2.2 kern_linker.c
--- sys/kern/kern_linker.c 2000/07/16 13:13:32 1.41.2.2
+++ sys/kern/kern_linker.c 2001/10/04 08:10:05
@@ -27,6 +27,7 @@ */ #include "opt_ddb.h" +#include "opt_kern_linker.h" #include #include
@@ -648,6 +649,10 @@ int kldload(struct proc* p, struct kldload_args* uap) { +#ifdef NO_KLD + /* Always return error. */ + return EPERM; +#else char* filename = NULL, *modulename; linker_file_t lf; int error = 0;
@@ -685,11 +690,16 @@ if (filename) free(filename, M_TEMP); return error; +#endif } int kldunload(struct proc* p, struct kldunload_args* uap) { +#ifdef NO_KLD + /* Always fail. */ + return EPERM; +#else linker_file_t lf; int error = 0;
@@ -716,6 +726,7 @@ out: return error; +#endif } int

Content-Disposition: attachment; filename="sys_current.patch"

Index: sys/conf/options
===================================================================
RCS file: /export/ncvs/src/sys/conf/options,v
retrieving revision 1.295
diff -u -r1.295 options
--- sys/conf/options 2001/09/29 22:32:00 1.295
+++ sys/conf/options 2001/10/04 08:07:37
@@ -526,3 +527,6 @@ # ed driver ED_NO_MIIBUS opt_ed.h + +# Disable loading and unloading of kernel modules +NO_KLD opt_kern_linker.h
Index: sys/i386/conf/NOTES
===================================================================
RCS file: /export/ncvs/src/sys/i386/conf/NOTES,v
retrieving revision 1.961
diff -u -r1.961 NOTES
--- sys/i386/conf/NOTES 2001/09/29 22:31:57 1.961
+++ sys/i386/conf/NOTES 2001/10/04 08:07:51
@@ -106,6 +106,10 @@ # options ROOTDEVNAME=\"ufs:da0s2e\" +# This prevents KLDs from being loaded at all. For those who want the +# added security but cannot run at an elevated securelevel(8). +#options NO_KLD + ##################################################################### # SMP OPTIONS:
Index: sys/kern/kern_linker.c
===================================================================
RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v
retrieving revision 1.69
diff -u -r1.69 kern_linker.c
--- sys/kern/kern_linker.c 2001/09/12 08:37:44 1.69
+++ sys/kern/kern_linker.c 2001/10/04 07:47:05
@@ -27,6 +27,7 @@ */ #include "opt_ddb.h" +#include "opt_kern_linker.h" #include #include
@@ -685,6 +686,10 @@ int kldload(struct thread* td, struct kldload_args* uap) { +#ifdef NO_KLD + /* Always fail */ + return EPERM; +#else char *kldname, *modname; char *pathname = NULL; linker_file_t lf;
@@ -727,6 +732,7 @@ free(pathname, M_TEMP); mtx_unlock(&Giant); return (error); +#endif } /*
@@ -735,6 +741,10 @@ int kldunload(struct thread* td, struct kldunload_args* uap) { +#ifdef NO_KLD + /* Always fail */ + return EPERM; +#else linker_file_t lf; int error = 0;
@@ -764,6 +774,7 @@ out: mtx_unlock(&Giant); return (error); +#endif } /*

From owner-freebsd-security Thu Oct 4 2:33:59 2001
Date: Thu, 4 Oct 2001 12:14:11 +0300
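Review bot: the NOTES text added in sys_current.patch, "This prevents KLDs from being loaded at all", promises more than the kern_linker.c hunks deliver. Both patches only make the kldload(2) and kldunload(2) syscall entry points return EPERM; the in-kernel path that Peter Pentchev names in the quoted text of this mail, linker_find_file_by_name() and linker_load_file(), is untouched, and the covering text itself notes that root can still write to /dev/mem. Suggest describing the option as what it is, e.g. "# Make the kldload(2)/kldunload(2) syscalls always fail. Weaker than an elevated securelevel(8): /dev/mem stays writable.", so nobody reads NO_KLD as a securelevel substitute.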
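Review bot: in the kldload() and kldunload() hunks of sys_current.patch the new early return is written `return EPERM;` while the existing lines in the same hunks use the parenthesised form, `return (error);`; match the file's style(9) convention (the sys_stable.patch hunks are consistent with their file's bare `return error;`). Also, wrapping the whole remaining body in `#else ... #endif` leaves a bare `#endif` immediately before the closing brace in four places, which is easy to misread in later merges; either guard only the early return with `#ifdef NO_KLD` / `#endif` at the top of each function, or label each `#endif` with `/* NO_KLD */`.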
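Review bot: the sys/conf/options hunk in sys_current.patch carries the header `@@ -526,3 +527,6 @@`, where the new-file start is one line past the old-file start although no hunk precedes it; that is the signature of a diff taken against a working tree with another local edit to sys/conf/options. patch(1) will apply it with an offset, but the patch should be regenerated against a clean checkout of revision 1.295 before it goes any further.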
From: Ruslan Ermilov
To: security-officer@GFreeBSD.org
Cc: stable@FreeBSD.org, security@FreeBSD.org
Subject: Re: cvs commit: src/libexec/fingerd fingerd.c
Message-ID: <20011004121411.A37406@sunbay.com>
In-Reply-To: <200110040907.f9497iN21124@freefall.freebsd.org>

This is the RELENG_4_4 candidate.

On Thu, Oct 04, 2001 at 02:07:44AM -0700, Ruslan Ermilov wrote:
> ru          2001/10/04 02:07:44 PDT
>
>   Modified files:        (Branch: RELENG_4)
>     libexec/fingerd      fingerd.c
>   Log:
>   MFC: 1.18: Terminate the array of execv(3) pointers by a NULL pointer.
>
>   Revision  Changes    Path
>   1.16.2.2  +4 -2      src/libexec/fingerd/fingerd.c

--
Ruslan Ermilov          Oracle Developer/DBA, ru@sunbay.com
                        Sunbay Software AG, ru@FreeBSD.org
                        FreeBSD committer, +380.652.512.251
                        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Thu Oct 4 2:44:32 2001
Date: Thu, 4 Oct 2001 02:44:26 -0700
From: Kris Kennaway
To: Peter Pentchev
Cc: Zvezdan Petkovic, security@FreeBSD.ORG, markus@openbsd.org
Subject: Re: default cipher types in openssh
Message-ID: <20011004024425.A47260@xor.obsecurity.org>
In-Reply-To: <20011004104839.A1959@ringworld.oblivion.bg>

On Thu, Oct 04, 2001 at 10:48:39AM +0300, Peter Pentchev wrote:
> On Wed, Oct 03, 2001 at 10:14:21PM -0400, Zvezdan Petkovic wrote:
> > According to the above we just need to update the stable branch to
> > 2.9.9, or at least the port (which seems to be on the way).
> > Other people probably know what would be a better solution.
>
> -STABLE is at 2.9.0 as of September 28th. It seems to use AES128 now, too.
Hmm, I didn't even know it could do that :)

Someone needs to update the usage message for ssh:

  -c cipher   Select encryption algorithm: ``3des'', ``blowfish''

Kris

From owner-freebsd-security Thu Oct 4 3:23:29 2001
Date: Thu, 4 Oct 2001 13:22:45 +0300
From: Ruslan Ermilov
To: Bill.Melvin@esc.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: odd sockstat output
Message-ID: <20011004132245.B48758@sunbay.com>

On Wed, Oct 03, 2001 at 05:04:40PM -0400, Bill.Melvin@esc.edu wrote:
>
> Why would sockstat show me something like this:
>
> USER  COMMAND   PID  FD  PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
> root  sshd     4580   5  tcp4   192.168.120.1:22  192.168.120.2:38
> root  sshd      155   4  tcp4   *:22              *:*
> root  syslogd   129   5  udp4   *:514             *:*
> root  syslogd   129  18  ?      ?                 ?
>
> Line with the ?s.
> Same PID but different FD. I did another sockstat
> right away but it was gone.
>

sockstat(1) is not atomic. It calls netstat(1) first, then fstat(1). Most probably, syslogd(8) closed the FD in between.

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA, ru@sunbay.com
                        Sunbay Software AG, ru@FreeBSD.org
                        FreeBSD committer, +380.652.512.251
                        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-security Thu Oct 4 3:24:09 2001
Date: Thu, 4 Oct 2001 12:23:45 +0200
From: Markus Friedl
To: Kris Kennaway
Cc: Peter Pentchev, Zvezdan Petkovic, security@FreeBSD.ORG, openssh@Openbsd.org
Subject: Re: default cipher types in openssh
Message-ID: <20011004122345.A18375@faui02.informatik.uni-erlangen.de>
In-Reply-To: <20011004024425.A47260@xor.obsecurity.org>

On Thu, Oct 04, 2001 at 02:44:26AM -0700, Kris Kennaway wrote:
> On Thu, Oct 04, 2001 at 10:48:39AM +0300, Peter Pentchev wrote:
> > On Wed, Oct 03, 2001 at 10:14:21PM -0400, Zvezdan Petkovic wrote:
> > > According to the above we just need to update the stable branch to
> > > 2.9.9, or at least the port (which seems to be on the way).
> > > Other people probably know what would be a better solution.
> >
> > -STABLE is at 2.9.0 as of September 28th. It seems to use AES128 now, too.
>
> Hmm, I didn't even know it could do that :)
>
> Someone needs to update the usage message for ssh:
>
>   -c cipher   Select encryption algorithm: ``3des'', ``blowfish''

the ssh binary says:

  -c cipher   Select encryption algorithm

the manpage says:

     -c blowfish|3des|des
             Selects the cipher to use for encrypting the session.  3des is
             used by default.  It is believed to be secure.  3des (triple-des)
             is an encrypt-decrypt-encrypt triple with three different keys.
             blowfish is a fast block cipher, it appears very secure and is
             much faster than 3des.  des is only supported in the ssh client
             for interoperability with legacy protocol 1 implementations that
             do not support the 3des cipher.
             Its use is strongly discouraged due to cryptographic weaknesses.

     -c cipher_spec
             Additionally, for protocol version 2 a comma-separated list of
             ciphers can be specified in order of preference.  See Ciphers for
             more information.

perhaps we should merge the 2 entries.

From owner-freebsd-security Thu Oct 4 4:03:27 2001
From: Sheldon Hearn
To: Martijn Lina
Cc: Thomas Beauchamp, freebsd-security@freebsd.org
Subject: Re: recovery from 'rm -rf /'
In-reply-to: Your message of "Wed, 03 Oct 2001 22:30:38 +0200." <20011003223038.G28329@medialab.lostboys.nl>
Date: Thu, 04 Oct 2001 13:03:26 +0200
Message-ID: <64563.1002193406@axl.seasidesoftware.co.za>

On Wed, 03 Oct 2001 22:30:38 +0200, Martijn Lina wrote:

> first of all, be sure that absolutely nothing is writing to the disk
> anymore. the inodes that have been freed last, will be the first to be
> used again.

Are you sure about that?

Ciao,
Sheldon.

From owner-freebsd-security Thu Oct 4 4:23:19 2001
Date: Thu, 4 Oct 2001 13:22:56 +0200
From: Martijn Lina
To: freebsd-security@freebsd.org
Cc: Thomas Beauchamp
Subject: Re: recovery from 'rm -rf /'
Message-ID: <20011004132256.J28329@medialab.lostboys.nl>
In-Reply-To: <64563.1002193406@axl.seasidesoftware.co.za>

Once upon a 04-10-2001, Sheldon Hearn hit keys in the following order:
>
> > first of all, be sure that absolutely nothing is writing to the disk
> > anymore. the inodes that have been freed last, will be the first to be
> > used again.
>
> Are you sure about that?

pretty sure. Wietse Venema said that in a Dr. Dobb's Journal article:

    For all intents and purposes, when you delete a file with "rm" it is
    gone. Once you "rm" a file, the system totally forgets which blocks
    scattered around the disk were part of your file. Even worse, the
    blocks from the file you just deleted are going to be the first ones
    taken and scribbled upon when the system needs more disk space.

http://www.ddj.com/articles/2000/0012/0012h/0012h.htm

i think it's because of better performance. if the system has no info about which inodes are free to write to, it would have to look on the disc which one can be used. if inodes are deleted, the system would benefit from keeping references of those unallocated inodes in memory, so it wouldn't have to look on the disc. saves time...
some other links to similar articles can be found here: http://www.fish.com/forensics/ just when i was in search of that article, i found tctutils, an extention to Wietse's tct which might be usefull: http://www.cerias.purdue.edu/homes/carrier/forensics/ martijn --1hKfHPzOXWu1rh0v Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) iD8DBQE7vEaQw/5eikYCPQYRAiXWAJ9FJBvy57veMFyeBlZ1nY3NAgxepgCdEjnk arRhfoViqTRxfjFioCHHkWY= =jtm1 -----END PGP SIGNATURE----- --1hKfHPzOXWu1rh0v-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 4 6:23:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from hale.inty.net (hale.inty.net [195.92.21.144]) by hub.freebsd.org (Postfix) with ESMTP id 55E6C37B40A for ; Thu, 4 Oct 2001 06:23:29 -0700 (PDT) Received: from inty.hq.inty.net (inty.hq.inty.net [213.38.150.150]) by hale.inty.net (8.11.3/8.11.2) with ESMTP id f94DNMn09231 for ; Thu, 4 Oct 2001 14:23:23 +0100 (BST) Received: from tariq ([10.0.1.156]) by inty.hq.inty.net (8.9.3/8.9.3) with SMTP id OAA14119 for ; Thu, 4 Oct 2001 14:23:21 +0100 (BST) 
From: "Terry"
Subject: isakmpd policy file ignored? and CPU usage at 99%
Date: Thu, 4 Oct 2001 14:23:34 +0100

using the isakmpd port to freebsd 4.4.

the policy file (/etc/isakmpd.policy) seems to be ignored:

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:secret3"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" -> "true";

the isakmpd.conf file contains:

Policy-File= /etc/isakmpd.policy

and isakmpd is run with a "-c /etc/isakmpd.conf". The isakmpd.conf has a chmod of 0600.

Now, changing the secret passphrase has no effect at all on negotiations. restarting all isakmpds fails to recognise the false passphrase. is this a known issue?

--

also why does the daemon repeatedly give:

131338.287868 Default pf_key_v2_flow: SPDADD: File exists
isakmpd in free(): warning: junk pointer, too high to make sense.

and the isakmpd CPU usage remains at 98-99% ?

terry

From owner-freebsd-security Thu Oct 4 8:09:07 2001
Message-ID: <20011004150901.93436.qmail@web13904.mail.yahoo.com>
Date: Thu, 4 Oct 2001 08:09:01 -0700 (PDT)
From: Caitlen
Subject: Re: default cipher types in openssh
To: security@FreeBSD.ORG

Great... it's good to know that AES is the default now. I'm running

FreeBSD 4.4-STABLE #0: Thu Sep 27 17:50:26 ADT 2001 root@pain.nb.vibe.net:/usr/src/sys/compile/PAIN i386

and it looks like the upgrade to openssh 2.9 was just committed. So I'll have to make world today while I'm working on something else.

I'm glad it's defaulting to aes 128, but we should ask ourselves about the rest of the allowable cipher types. Is arcfour something we want to leave in there? Is it really needed? Also, we should think about the order of preference... I realize that most people who know anything about cipher types are going to alter this ciphers parameter based on personal preferences, but we should get something that's reasonably fast/secure for most people who can't be bothered.

As for AES at 256 or 128 bit... which do you think we should issue as the default. Certainly AES256bit is a more secure cipher.... however it probably comes at a much higher cpu cost. So maybe it's best not to make it the default.

Is there any reason we need to keep cast128 and arcfour in the default ciphers string for the client or the server? I can understand keeping it in the client configuration in case of connecting to legacy hosts, but isn't almost everyone with protocol 2 ssh capable of doing 3des or blowfish at least?

I still think changing the default logging facility to "security" might be a good idea.. or at least logging "auth" by default :)

Anyways, I'm personally setting Ciphers AES256 in my sshd_config files and ssh client configuration files (including securecrt from vandyke on my windoze box). Yeah it may waste more horse power, but I feel safer...

Though I seriously doubt anyone can crack AES128 at the moment. Or 3des for that matter....

From owner-freebsd-security Thu Oct 4 8:11:04 2001
Message-Id: <5.1.0.14.0.20011004080937.03006990@pop.uniserve.com>
Date: Thu, 04 Oct 2001 08:10:59 -0700
To: "Karl M. Joch", freebsd-security@FreeBSD.ORG
From: Landon Stewart
Subject: Re: Windows 2000 Server behind IPFW/NAT tries to update external DNS?
In-Reply-To: <3BB4743E.5080906@kmjeuro.com>

>also if i would replace this stupid thing with samba, there is no way for
>it. any idea how to get this stupid M$ thing to not try to update the DNS?
>i know there are things in W2K regarding active directory and DNS, but
>still havnt found a way.

I think what you are running into is the DHCP Client software on the Windows machines automatically sending an update when they give their host name. Try not supplying a host name in the config at all on the Windows boxes, therefore it can't send anything to update.

From owner-freebsd-security Thu Oct 4 10:27:17 2001
To: arch@freebsd.org
Subject: Removing ptrace(2)'s dependency on procfs(5)
From: Dag-Erling Smorgrav
Date: 04 Oct 2001 19:27:00 +0200

[Bcc:ed to -security, please followup on -arch]

The ptrace(2) syscall, which is mainly used by gdb(1), implements some of its functionality by faking up a struct uio and making calls into the guts of procfs(5). This is why four of the source files that make up procfs(5) are listed as "standard" rather than as "optional procfs" in src/sys/conf/files.

The funny thing is that there's no reason for the ptrace(2) code to call any procfs(5) code, since the functions it calls are actually (mostly) wrappers around MD code, with some extra error checking. The errors they check for are of the kind that Can't Happen[tm] when these wrappers are called from ptrace(2) because ptrace(2) already checks for them before calling the procfs(5) code. For instance, all procfs_domem() does is check that uio->uio_resid is non-zero (ptrace() sets it to sizeof(int)) and that the requesting process is allowed to debug the target process (already checked by ptrace()), and then pass its arguments unmodified to procfs_rwmem().

What I propose to do is:

- move procfs_rwmem() from src/sys/fs/procfs/procfs_mem.c into src/sys/kern/sys_process.c or some other convenient location where both ptrace(2) and procfs(5) can access it (and also move its prototype to a convenient header file).

- rewrite the remaining cases (PT_{GET,SET}{,DB,FP}REGS) to call procfs_{read,write}_regs() (which is implemented in each port's procfs_machdep.c) directly, instead of calling procfs_do*().
- make the permission checks at the top of ptrace(2) slightly more aggressive (immediately return EINVAL if the target process is a system process; immediately return EPERM if p_candebug() returns non-zero and an operation other than PT_TRACE_ME was requested).

This will slightly reduce the size (and speed up the build) of a procfs(5)-less kernel.

I would also like to implement a kernel option named NO_DEBUGGING (or something similar) which replaces ptrace(2) and the MD parts of procfs(5) with stubs that simply return EINVAL or EPERM, thus making it impossible to use gdb(1), truss(1) and similar tools; I will also change procfs(5) to not list debugging-related files (ctl, regs etc.) when loaded by a kernel that was built with NO_DEBUGGING.

Comments? Flames?

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Oct 4 10:39:25 2001
To: freebsd-security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: Your message of Thu, 04 Oct 2001 02:30:34 PDT. <20011004023034.U8391@blossom.cjclark.org>
Date: Thu, 04 Oct 2001 10:35:34 -0700
From: Eli Dart
Message-Id: <20011004173535.0A2DE3B19D@gemini.nersc.gov>

In reply to "Crist J. Clark":

[snip]

> Have fun. Unless there is outpouring from people who love the idea,
> I'm not going to commit these to FreeBSD.

Please consider this as part of an outpouring of support from people who love the idea. I don't always have the option of running a box in securelevel 1, and I would like to have this knob available, even though it doesn't fix the problem all the way.

Something similar used to exist in FreeBSD 3.x -- I was sorry when it went away.

--eli

> --
> Crist J. Clark   cjclark@alum.mit.edu
>                  cjclark@jhu.edu
>                  cjc@freebsd.org
>
> --h31gzZEtNLTqOjlF
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: attachment; filename="sys_stable.patch"
>
> Index: sys/conf/options
> ===================================================================
> RCS file: /export/ncvs/src/sys/conf/options,v
> retrieving revision 1.191.2.36
> diff -u -r1.191.2.36 options
> --- sys/conf/options 2001/09/15 00:50:35 1.191.2.36
> +++ sys/conf/options 2001/10/04 08:21:10
> @@ -464,3 +464,6 @@
>  FDC_DEBUG opt_fdc.h
>  PCFCLOCK_VERBOSE opt_pcfclock.h
>  PCFCLOCK_MAX_RETRIES opt_pcfclock.h
> +
> +# Disable loading and unloading of kernel modules
> +NO_KLD opt_kern_linker.h
> Index: sys/kern/kern_linker.c
> ===================================================================
> RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v
> retrieving revision 1.41.2.2
> diff -u -r1.41.2.2 kern_linker.c
> --- sys/kern/kern_linker.c 2000/07/16 13:13:32 1.41.2.2
> +++ sys/kern/kern_linker.c 2001/10/04 08:10:05
> @@ -27,6 +27,7 @@
>   */
>
>  #include "opt_ddb.h"
> +#include "opt_kern_linker.h"
>
>  #include
>  #include
> @@ -648,6 +649,10 @@
>  int
>  kldload(struct proc* p, struct kldload_args* uap)
>  {
> +#ifdef NO_KLD
> +    /* Always return error. */
> +    return EPERM;
> +#else
>      char* filename = NULL, *modulename;
>      linker_file_t lf;
>      int error = 0;
> @@ -685,11 +690,16 @@
>      if (filename)
>          free(filename, M_TEMP);
>      return error;
> +#endif
>  }
>
>  int
>  kldunload(struct proc* p, struct kldunload_args* uap)
>  {
> +#ifdef NO_KLD
> +    /* Always fail. */
> +    return EPERM;
> +#else
>      linker_file_t lf;
>      int error = 0;
>
> @@ -716,6 +726,7 @@
>
>  out:
>      return error;
> +#endif
>  }
>
>  int
>
> --h31gzZEtNLTqOjlF
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: attachment; filename="sys_current.patch"
>
> Index: sys/conf/options
> ===================================================================
> RCS file: /export/ncvs/src/sys/conf/options,v
> retrieving revision 1.295
> diff -u -r1.295 options
> --- sys/conf/options 2001/09/29 22:32:00 1.295
> +++ sys/conf/options 2001/10/04 08:07:37
> @@ -526,3 +527,6 @@
>
>  # ed driver
>  ED_NO_MIIBUS opt_ed.h
> +
> +# Disable loading and unloading of kernel modules
> +NO_KLD opt_kern_linker.h
> Index: sys/i386/conf/NOTES
> ===================================================================
> RCS file: /export/ncvs/src/sys/i386/conf/NOTES,v
> retrieving revision 1.961
> diff -u -r1.961 NOTES
> --- sys/i386/conf/NOTES 2001/09/29 22:31:57 1.961
> +++ sys/i386/conf/NOTES 2001/10/04 08:07:51
> @@ -106,6 +106,10 @@
>  #
>  options ROOTDEVNAME=\"ufs:da0s2e\"
>
> +# This prevents KLDs from being loaded at all. For those who want the
> +# added security but cannot run at an elevated securelevel(8).
> +#options NO_KLD
> +
>
>  #####################################################################
>  # SMP OPTIONS:
> Index: sys/kern/kern_linker.c
> ===================================================================
> RCS file: /export/ncvs/src/sys/kern/kern_linker.c,v
> retrieving revision 1.69
> diff -u -r1.69 kern_linker.c
> --- sys/kern/kern_linker.c 2001/09/12 08:37:44 1.69
> +++ sys/kern/kern_linker.c 2001/10/04 07:47:05
> @@ -27,6 +27,7 @@
>   */
>
>  #include "opt_ddb.h"
> +#include "opt_kern_linker.h"
>
>  #include
>  #include
> @@ -685,6 +686,10 @@
>  int
>  kldload(struct thread* td, struct kldload_args* uap)
>  {
> +#ifdef NO_KLD
> +    /* Always fail */
> +    return EPERM;
> +#else
>      char *kldname, *modname;
>      char *pathname = NULL;
>      linker_file_t lf;
> @@ -727,6 +732,7 @@
>      free(pathname, M_TEMP);
>      mtx_unlock(&Giant);
>      return (error);
> +#endif
>  }
>
>  /*
> @@ -735,6 +741,10 @@
>  int
>  kldunload(struct thread* td, struct kldunload_args* uap)
>  {
> +#ifdef NO_KLD
> +    /* Always fail */
> +    return EPERM;
> +#else
>      linker_file_t lf;
>      int error = 0;
>
> @@ -764,6 +774,7 @@
>  out:
>      mtx_unlock(&Giant);
>      return (error);
> +#endif
>  }
>
>  /*
>
> --h31gzZEtNLTqOjlF--

From owner-freebsd-security Thu Oct 4 10:49:44 2001
Date: Thu, 4 Oct 2001 09:45:53 -0700 (PDT)
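Review bot: the sys_stable.patch half of the quoted diff adds the NO_KLD entry to sys/conf/options and the stubs to kern_linker.c but touches no LINT file, so on -stable the option would be undocumented; carry the commented block the -current half adds to sys/i386/conf/NOTES ("# This prevents KLDs from being loaded at all. For those who want the / # added security but cannot run at an elevated securelevel(8). / #options NO_KLD") over to sys/i386/conf/LINT as well.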
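Review bot: the hunk header "@@ -526,3 +527,6 @@" in the -current sys/conf/options part is the only hunk for that file, yet its new-side start (527) is one past its old-side start (526), which means the working copy it was generated from already carries an unrelated one-line addition earlier in that file that is not in this patch; regenerate the diff against a clean checkout so it applies without an offset.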
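Review bot: the NOTES comment added for NO_KLD should state the option's scope. What the diff actually stubs is the kldload(2) and kldunload(2) syscalls in kern_linker.c, so anything that expects a module to be loaded on demand at run time has to be compiled into the kernel instead; the LINT excerpt quoted later in this thread says vinum's kld "gets started automatically when vinum(8) starts", which is exactly the case a reader of NOTES needs warning about. Suggest adding a line along the lines of "# Drivers normally loaded on demand (e.g. vinum) must then be configured statically."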
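Review bot: in the -current kern_linker.c hunks, "return EPERM;" in the NO_KLD stubs of kldload() and kldunload() does not match the file's own "return (error);" form visible two hunks later; "return (EPERM);" keeps style(9)'s parenthesised return values. The stub comments also drift between the patches ("Always return error." in -stable, "Always fail." and "Always fail" elsewhere); one wording, with a trailing period, would be tidier.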
From: David Kirchner
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: <20011004173535.0A2DE3B19D@gemini.nersc.gov>
Message-ID: <20011004094416.O85958-100000@localhost>

It would be great if there were a way to not only disable the kldload/unload functionality, but also somehow entirely #ifdef out all code related to modules. I.e.: if we could add an option to the kernel that would basically make it "read only", that'd be a bonus.

From owner-freebsd-security Thu Oct 4 16:03:09 2001
Date: Thu, 4 Oct 2001 19:02:51 -0400
From: Peter Chiu
Reply-To: Peter Chiu
Message-ID: <179163465981.20011004190251@ipfw.org>
To: "Crist J. Clark"
Cc: D J Hawkey Jr, cjclark@alum.mit.edu, Alexander Langer
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: <20011004023034.U8391@blossom.cjclark.org>

Hello Crist,

I love this idea. However, how does it affect vinum?

Extracted from LINT:

# Configuring Vinum into the kernel is not necessary, since the kld
# module gets started automatically when vinum(8) starts. This
# device is also untested. Use at your own risk.
#

Thursday, October 04, 2001, 5:30:34 AM, you wrote:

CJC> Have fun. Unless there is outpouring from people who love the idea,
CJC> I'm not going to commit these to FreeBSD.
--
Peter

From owner-freebsd-security Thu Oct 4 18:32:36 2001
Date: Thu, 4 Oct 2001 20:32:26 -0500 (CDT)
From: Mike Silbersack
To: Alfred Perlstein
Subject: Re: drop the notice from the homepage?
In-Reply-To: <20011002024613.Z59854@elvis.mu.org>
Message-ID: <20011004203110.U4359-100000@achilles.silby.com>

On Tue, 2 Oct 2001, Alfred Perlstein wrote:

> So, about time to ditch the notice on the homepage? :)
>
> --
> -Alfred Perlstein [alfred@freebsd.org]

And replace it with one about how long we've gone without a remote security hole? :)

Mike "Silby" Silbersack

From owner-freebsd-security Thu Oct 4 19:06:41 2001
Date: Thu, 4 Oct 2001 22:06:37 -0400
From: Sean Lutner
To: freebsd-security@freebsd.org
Subject: HA/Failover options
Message-ID: <20011004220637.B525@rentul.net>

Hello...

I've recently been tasked with coming up with a redundant/failover firewall solution to replace our managed firewalls. The goal is to have more control, and spend less money. So, after some research I decided FreeBSD with ipfw and vrrp would do the trick. I set out to install and configure everything. I noticed when trying to install vrrp from ports that it's been tagged forbidden, and confirmed this after searching the -security archives. The problem I'm running into is this. I grabbed the code that /usr/ports/net/vrrp would have, and built it, but the implementation has some problems. Once failed over (slave taking over for master), it does not fail back without intervention. If you down an interface with a vrid on it, somehow the vip stays in the interface causing problems. My basic question is this. Is there anyone else out there running redundant/failover firewalls using freebsd? If so, what are you running? I found one other piece of software at http://linux-ha.org that said would build on freebsd, but no such luck. If anyone has any ideas, pointers, products, or thwaps in the right direction, i'd appreciate them.

Thanks

Sean

--
Sean Lutner | www: http://www.rentul.net
e-mail: sean@rentul.net | gpg: http://www.rentul.net/sean.sig

"Imagination is more important than knowledge."
-- Albert Einstein

From owner-freebsd-security Thu Oct 4 19:12:18 2001
Message-Id: <5.1.0.14.0.20011004220840.04858b48@192.168.0.12>
Date: Thu, 04 Oct 2001 22:12:10 -0400
To: Sean Lutner
From: Mike Tancsa
Subject: Re: HA/Failover options
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20011004220637.B525@rentul.net>

What do you have behind the firewall? Are all the boxes capable of any sort of dynamic routing? Using OSPF for example, you could have your 2 boxes advertising the default gateway, one with a more attractive cost than the other. Even Win2K has OSPF capabilities. It might be an easier way to go.

---Mike

At 10:06 PM 10/4/2001 -0400, Sean Lutner wrote:
>Hello...
>I've recently been tasked with coming up with a redundant/failover
>firewall solution to replace our managed firewalls.
[rest of Sean Lutner's message quoted in full]

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Thu Oct 4 19:42:53 2001
Date: Thu, 4 Oct 2001 22:42:48 -0400
From: Sean Lutner
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: HA/Failover options
Message-ID: <20011004224248.C525@rentul.net>
In-Reply-To: <5.1.0.14.0.20011004220840.04858b48@192.168.0.12>; from mike@sentex.net on Thu, Oct 04, 2001 at 10:12:10PM -0400

Behind the firewalls is two sets of switches, load balancers and then a farm of sun boxes. I've thought about OSPF, but I didn't want to have to run routing protocols on my firewall. It would most likely work however, maybe I'll test that too.

Thanks
sean

On Thu, Oct 04, 2001 at 10:12:10PM -0400, Mike Tancsa wrote:
>
> What do you have behind the firewall ? Are all the boxes capable of any
> sort of dynamic routing ? Using OSPF for example, you could have your 2
> boxes advertising the default gateway, one with a more attractive cost that
> the other. Even Win2K has OSPF capabilities. It might be an easier way to go.
>
> ---Mike
>
> At 10:06 PM 10/4/2001 -0400, Sean Lutner wrote:
> >Hello...
> >I've recently been tasked with coming up with a redundant/failover
> >firewall solution to replace our managed firewalls.
[rest of Sean Lutner's message and Mike Tancsa's signature quoted in full]

--
Sean Lutner | www: http://www.rentul.net
e-mail: sean@rentul.net | gpg: http://www.rentul.net/sean.sig

"Imagination is more important than knowledge." -- Albert Einstein

From owner-freebsd-security Thu Oct 4 22:52:33 2001
Date: Thu, 4 Oct 2001 22:52:24 -0700
From: Sean Chittenden
To: Sean Lutner
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: HA/Failover options
Message-ID: <20011004225224.A98030@rand.tgd.net>
In-Reply-To: <20011004224248.C525@rentul.net>; from sean@rentul.net on Thu, Oct 04, 2001 at 10:42:48PM

Few things:

1) ipfilter 4 is supposed to do this, but isn't out yet

2) Wackamole will handle the failover of a virtual IP. http://www.backhand.org/wackamole/

You could use that with ipfilter/ipfw and you'd be pretty good to go. If you used a state table on either you'd lose your established connections, but you'd at least be redundant.

How's that sound? -sc

> > At 10:06 PM 10/4/2001 -0400, Sean Lutner wrote:
> > > Hello...
> > > I've recently been tasked with coming up with a redundant/failover firewall solution to replace our managed firewalls. The goal is to have more control, and spend less money. So, after some research I decided FreeBSD with ipfw and vrrp would do the trick. I set out to install and configure everything. I noticed when trying to install vrrp from ports that it's been tagged forbidden, and confirmed this after searching the -security archives.
> > >
> > > The problem I'm running into is this. I grabbed the code that /usr/ports/net/vrrp would have, and built it, but the implementation has some problems. Once failed over (slave taking over for master), it does not fail back without intervention. If you down an interface with a vrid on it, somehow the vip stays in the interface causing problems.
> > >
> > > My basic question is this. Is there anyone else out there running redundant/failover firewalls using freebsd? If so, what are you running? I found one other piece of software at http://linux-ha.org that said it would build on freebsd, but no such luck. If anyone has any ideas, pointers, products, or thwaps in the right direction, i'd appreciate them.
> > >
> > > Thanks
> > >
> > > Sean
> > >
> > > --
> > > Sean Lutner | www: http://www.rentul.net
> > > e-mail: sean@rentul.net | gpg: http://www.rentul.net/sean.sig
> > >
> > > "Imagination is more important than knowledge." -- Albert Einstein
> >
> > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Sentex Communications, mike@sentex.net
> > Providing Internet since 1994 www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike
>
> --
> Sean Lutner | www: http://www.rentul.net
> e-mail: sean@rentul.net | gpg: http://www.rentul.net/sean.sig
>
> "Imagination is more important than knowledge." -- Albert Einstein

--
Sean Chittenden

From owner-freebsd-security Thu Oct 4 23:38:47 2001
Date: Thu, 4 Oct 2001 23:21:08 -0700
From: "Crist J. Clark"
To: Peter Chiu
Cc: D J Hawkey Jr, cjclark@alum.mit.edu, Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011004232108.L297@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <179163465981.20011004190251@ipfw.org>; from pccb@yahoo.com on Thu, Oct 04, 2001 at 07:02:51PM -0400

On Thu, Oct 04, 2001 at 07:02:51PM -0400, Peter Chiu wrote:
> Hello Crist,
>
> I love this idea. However, how does it affect vinum?
>
> Extracted from LINT
> # Configuring Vinum into the kernel is not necessary, since the kld
> # module gets started automatically when vinum(8) starts. This
> # device is also untested. Use at your own risk.
> #

Like I said, this will prevent you from loading KLDs. (period)

--
Crist J. Clark cjclark@alum.mit.edu
cjclark@jhu.edu
cjc@freebsd.org

From owner-freebsd-security Fri Oct 5 0:07:58 2001
From: Sheldon Hearn
To: Mike Tancsa
Cc: Sean Lutner, freebsd-security@FreeBSD.ORG
Subject: Re: HA/Failover options
In-reply-to: Your message of "Thu, 04 Oct 2001 22:12:10 -0400." <5.1.0.14.0.20011004220840.04858b48@192.168.0.12>
Date: Fri, 05 Oct 2001 09:07:43 +0200
Message-ID: <74546.1002265663@axl.seasidesoftware.co.za>

On Thu, 04 Oct 2001 22:12:10 -0400, Mike Tancsa wrote:
> What do you have behind the firewall? Are all the boxes capable of any sort of dynamic routing? Using OSPF for example, you could have your 2 boxes advertising the default gateway, one with a more attractive cost than the other. Even Win2K has OSPF capabilities. It might be an easier way to go.

Where can I read more about this with respect to the "client" (sheltered hosts) and "server" (firewall hosts) configuration of such a network?

Ciao,
Sheldon.

From owner-freebsd-security Fri Oct 5 2:08:14 2001
Date: Fri, 5 Oct 2001 10:08:32 +0100
From: Rasputin
To: security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011005100832.A547@shikima.mine.nu>
Reply-To: Rasputin
In-Reply-To: <20011004173535.0A2DE3B19D@gemini.nersc.gov>; from dart@nersc.gov on Thu, Oct 04, 2001 at 10:35:34AM -0700

* Eli Dart [011004 19:30]:
> In reply to "Crist J. Clark":
>
> [snip]
>
> > Have fun. Unless there is outpouring from people who love the idea,
> > I'm not going to commit these to FreeBSD.
>
> Please consider this as part of an outpouring of support from people who love the idea.

"me too".

Isn't this fairly common among the other BSDs as well?

An alternative to securelevel is sometimes useful, and KLDs are a fairly well-known attack method against *BSD.

I don't see any harm in adding it as an option - it doesn't have to be (definitely shouldn't be) the default, of course.

> I don't always have the option of running a box in securelevel 1, and I would like to have this knob available, even though it doesn't fix the problem all the way. Something similar used to exist in FreeBSD 3.x -- I was sorry when it went away.
>
> --eli

--
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Fri Oct 5 2:40:05 2001
Message-Id: <200110050940.LAA25147@malraux.matranet.com>
Date: Fri, 05 Oct 2001 11:44:40 +0200
From: Laurent Fabre
To: Rasputin
Cc: security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits

Rasputin wrote:
> * Eli Dart [011004 19:30]:
> > In reply to "Crist J. Clark":
> >
> > [snip]
> >
> > > Have fun. Unless there is outpouring from people who love the idea,
> > > I'm not going to commit these to FreeBSD.
> >
> > Please consider this as part of an outpouring of support from people who love the idea.
>
> "me too".
>
> Isn't this fairly common among the other BSDs as well?
>
> An alternative to securelevel is sometimes useful, and KLDs are a fairly well-known attack method against *BSD.
>
> I don't see any harm in adding it as an option - it doesn't have to be (definitely shouldn't be) the default, of course.
>
> > I don't always have the option of running a box in securelevel 1, and I would like to have this knob available, even though it doesn't fix the problem all the way. Something similar used to exist in FreeBSD 3.x -- I was sorry when it went away.
> >
> > --eli
>
> --
> Rasputin :: Jack of All Trades - Master of Nuns ::

please do commit it :)

--
Laurent Fabre, fabre@matranet.com
EADS, Matranet Product Group
"foreach if-diff, you need to re-make world...."
(ASCII ribbon campaign against HTML email)

From owner-freebsd-security Fri Oct 5 2:55:41 2001
Date: Fri, 5 Oct 2001 10:56:00 +0100
From: Rasputin
To: security@freebsd.org
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011005105559.A21670@shikima.mine.nu>
Reply-To: Rasputin
In-Reply-To: <200110050940.LAA25147@malraux.matranet.com>; from fabre@matranet.com on Fri, Oct 05, 2001 at 11:44:40AM +0200

* Laurent Fabre [011005 10:50]:
> Rasputin wrote:
> > * Eli Dart [011004 19:30]:
> > > > Have fun. Unless there is outpouring from people who love the idea,
> > > > I'm not going to commit these to FreeBSD.
> > >
> > > Please consider this as part of an outpouring of support from people who love the idea.
> >
> > "me too".
> >
> > Isn't this fairly common among the other BSDs as well?
> >
> > An alternative to securelevel is sometimes useful, and KLDs are a fairly well-known attack method against *BSD.
> >
> > I don't see any harm in adding it as an option - it doesn't have to be (definitely shouldn't be) the default, of course.
> >
> > > I don't always have the option of running a box in securelevel 1, and I would like to have this knob available, even though it doesn't fix the problem all the way. Something similar used to exist in FreeBSD 3.x -- I was sorry when it went away.
>
> please do commit it :)

Eh? If I was a committer, I would - think I've missed your point?

--
"No one gets too old to learn a new way of being stupid."
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Fri Oct 5 3:50:54 2001
Message-Id: <200110051052.MAA02644@malraux.matranet.com>
Date: Fri, 05 Oct 2001 12:55:56 +0200
From: Laurent Fabre
To: Rasputin
Cc: security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits

Rasputin wrote:
> * Laurent Fabre [011005 10:50]:
> > Rasputin wrote:
> > > * Eli Dart [011004 19:30]:
> > > > > Have fun. Unless there is outpouring from people who love the idea,
> > > > > I'm not going to commit these to FreeBSD.
> > > >
> > > > Please consider this as part of an outpouring of support from people who love the idea.
> > >
> > > "me too".
> > >
> > > Isn't this fairly common among the other BSDs as well?
> > >
> > > An alternative to securelevel is sometimes useful, and KLDs are a fairly well-known attack method against *BSD.
> > >
> > > I don't see any harm in adding it as an option - it doesn't have to be (definitely shouldn't be) the default, of course.
> > >
> > > > I don't always have the option of running a box in securelevel 1, and I would like to have this knob available, even though it doesn't fix the problem all the way. Something similar used to exist in FreeBSD 3.x -- I was sorry when it went away.
> >
> > please do commit it :)
>
> Eh? If I was a committer, I would - think I've missed your point?

yup sorry wrong reply :)

--
Laurent Fabre, fabre@matranet.com
EADS, Matranet Product Group
"foreach if-diff, you need to re-make world...."
(ASCII ribbon campaign against HTML email)

From owner-freebsd-security Fri Oct 5 4:23:46 2001
To: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Subject: start topology "hub" ipsec vpn / routing?
Date: Fri, 05 Oct 2001 12:23:38 +0100

Good afternoon all!

Is the following theoretically possible?

Star topology VPN:

    subnet--GW-----              ------GW--subnet
                  |              |
                  |              |
                  |              |
                        VPN
    subnet--GW-----    "hub"     ------GW--subnet
                  |              |
                  |              |
                  |              |
    subnet--GW-----              ------GW--subnet

that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic IP allocation) only has a tunnel to the central hub.

the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent through the next tunnel.

this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub goes down the whole vpn goes down!)

the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet. thus not very scalable.

am i right or sorely mistaken?...

any ideas or experiences would be appreciated!

tariq

From owner-freebsd-security Fri Oct 5 4:28:14 2001
Message-Id: <5.1.0.14.0.20011005072634.04919180@192.168.0.12>
Date: Fri, 05 Oct 2001 07:28:06 -0400
To: Sheldon Hearn
From: Mike Tancsa
Subject: Re: HA/Failover options
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <74546.1002265663@axl.seasidesoftware.co.za>

At 09:07 AM 10/5/2001 +0200, Sheldon Hearn wrote:
> > What do you have behind the firewall? Are all the boxes capable of any sort of dynamic routing? Using OSPF for example, you could have your 2 boxes advertising the default gateway, one with a more attractive cost than the other. Even Win2K has OSPF capabilities. It might be an easier way to go.
>
> Where can I read more about this with respect to the "client" (sheltered hosts) and "server" (firewall hosts) configuration of such a network?

Don't know. Now that I think of it, apart from simple password issues, I don't recall any of the routing books I have used put routing in the context of security as opposed to merely discussing it from a functional point of view.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Fri Oct 5 6:16:03 2001
Message-ID: <3BBDB25B.FE44ADA3@centtech.com>
Date: Fri, 05 Oct 2001 08:15:07 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: tariq_rashid@lineone.net
Cc: freebsd-security@freebsd.org
Subject: Re: start topology "hub" ipsec vpn / routing?

I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12 running now, with 20-30 more creeping in as fast as I can build 'em).

Eric

tariq_rashid@lineone.net wrote:
>
> Good afternoon all!
>
> Is the following theoretically possible?
>
> Star topology VPN:
>
>     subnet--GW-----              ------GW--subnet
>                   |              |
>                   |              |
>                   |              |
>                         VPN
>     subnet--GW-----    "hub"     ------GW--subnet
>                   |              |
>                   |              |
>                   |              |
>     subnet--GW-----              ------GW--subnet
>
> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic IP allocation) only has a tunnel to the central hub.
>
> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent through the next tunnel.
>
> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub goes down the whole vpn goes down!)
>
> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet. thus not very scalable.
>
> am i right or sorely mistaken?...
>
> any ideas or experiences would be appreciated!
>
> tariq

--
-------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
# rm -rf /bin/laden
-------------------------------------------------------------

From owner-freebsd-security Fri Oct 5 7:36:01 2001
Message-ID: <3BBDC538.4B115243@abc.ro>
Date: Fri, 05 Oct 2001 17:35:36 +0300
From: ANdrei
Organization: Cronon AG - tech department
To: freebsd-security@FreeBSD.ORG
Subject: Re: recovery from 'rm -rf /'
References: <64563.1002193406@axl.seasidesoftware.co.za>

i have no solution, but i heard something interesting on the radio this morning: there are only 3 companies in the world who are really specialised in doing such stuff, and one of these is in Hungary... they are said to be very helpful, and maybe you find them and talk to them about it... they have repeatedly offered help at no cost, so maybe you are lucky... unfortunately I do not know their name, so... maybe google will help

aloha,
ANdrei

--
"I live in my own little world - but it's ok, they know me here!"

From owner-freebsd-security Fri Oct 5 8:43:24 2001
To: Eric Anderson
Cc: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Subject: Re: start topology "hub" ipsec vpn / routing?
Date: Fri, 05 Oct 2001 16:43:09 +0100

thanks for your email -

do you mean that the "hub" is a freebsd box? or is this the net4501?

can you give me an indication of the isakmpd configuration on the "hub" or "client" -

the problem i have is that it appears that routing is decided by the ipsec policy as defined in the isakmpd.conf (Local-ID, Remote-ID, network=, netmask=) and as such it appears that the configuration files MUST reflect the possible paths from end-to-end (and not just to the hub as required).

am i wrong?

tariq

----------
>From: Eric Anderson
>To: tariq_rashid@lineone.net
>Subject: Re: start topology "hub" ipsec vpn / routing?
>Date: Fri, 05 Oct 2001 08:15:07 -0500
>
>I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12 running now, with 20-30 more creeping in as fast as I can build 'em).
>
>Eric
>
>tariq_rashid@lineone.net wrote:
>>
>> Good afternoon all!
>>
>> Is the following theoretically possible?
>>
>> Star topology VPN:
>>
>>     subnet--GW-----              ------GW--subnet
>>                   |              |
>>                   |              |
>>                   |              |
>>                         VPN
>>     subnet--GW-----    "hub"     ------GW--subnet
>>                   |              |
>>                   |              |
>>                   |              |
>>     subnet--GW-----              ------GW--subnet
>>
>> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic IP allocation) only has a tunnel to the central hub.
>>
>> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent through the next tunnel.
>>
>> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub goes down the whole vpn goes down!)
>>
>> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet. thus not very scalable.
>>
>> am i right or sorely mistaken?...
>>
>> any ideas or experiences would be appreciated!
>>
>> tariq
>
>--
>-------------------------------------------------------------
>Eric Anderson anderson@centtech.com Centaur Technology
># rm -rf /bin/laden
>-------------------------------------------------------------

From owner-freebsd-security Fri Oct 5 8:53:21 2001
Message-ID: <3BBDD735.DD5B07F1@centtech.com>
Date: Fri, 05 Oct 2001 10:52:21 -0500
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: tariq_rashid@lineone.net Cc: freebsd-security@freebsd.org Subject: Re: start topology "hub" ipsec vpn / routing? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well, I am using the net4501's for my "client" boxes, running at homes of employees for connectivity in to work. At work, I have a freebsd machine serving as my "hub" as you call it. All the "clients" connect to it. all routing takes place on the "hub". Basically, each ipsec host will have an interface (gif0 perhaps), and that interface will have a network number, and subnet mask, etc. The clients just set a default gateway, and I set things up to send all data bound for "internal" networks to the ipsec hub. I do not use isakmpd as of yet, so I'm still using racoon. The net4501 could be used as the hub also if you wanted. Does that help any? tariq_rashid@lineone.net wrote: > > thanks for your email - > > do you mean that the "hub" is a freebsd box? or is this the net4501? > > can you give me an indication of the isakmpd configuration on the "hub" or "client" - > > the problem i have is that it appears that routing is decided by the ipsec policy as defined in the isakmpd.conf (Local-ID, Remote-ID, network=, netmask=) and as such it appears that the configuration files MUST reflect the possible paths from end-to-end (and not just to the hub as required). > > am i wrong? > > tariq > > ---------- 
> >From: Eric Anderson
> >To: tariq_rashid@lineone.net
> >Subject: Re: start topology "hub" ipsec vpn / routing?
> >Date: Fri, 05 Oct 2001 08:15:07 -0500
> >
> >I have something almost identical running right now (using the NET4501's on www.soekris.com). It works great, and I
> >have built my own "VPN distro" with FreeBSD, to automate almost anything, and make it simple to admin (I have about 12
> >running now, with 20-30 more creeping in as fast as I can build 'em).
> >
> >Eric
> >
> >
> >tariq_rashid@lineone.net wrote:
> >>
> >> Good afternoon all!
> >>
> >> Is the following theoretically possible?
> >>
> >> Star topology VPN:
> >>
> >>   subnet--GW-----            ------GW--subnet
> >>                  |          |
> >>                  |          |
> >>                  |          |
> >>                       VPN
> >>   subnet--GW-----    "hub"   ------GW--subnet
> >>
> >>                  |          |
> >>                  |          |
> >>                  |          |
> >>   subnet--GW-----            ------GW--subnet
> >>
> >> that is, each remote site ipsec gateway (freebsd 4.4R running isakmpd, not racoon due to dynamic
> >> IP allocation) only has a tunnel to the central hub.
> >>
> >> the essential point is that once the traffic from a protected subnet emerges at the VPN "hub" the routing
> >> tables of this hub then determine the next ipsec gateway hop and the packets are then re-encrypted and sent
> >> through the next tunnel.
> >>
> >> this way, only the central vpn hub needs to have its routing tables maintained. (i realise that if the hub
> >> goes down the whole vpn goes down!)
> >>
> >> the usual method requires each vpn gateway to be configured with knowledge of every other gateway and subnet.
> >> thus not very scalable.
> >>
> >> am i right or sorely mistaken?...
> >>
> >> any ideas or experiences would be appreciated!
> >>
> >> tariq
> >>
> >

--
-------------------------------------------------------------
Eric Anderson           anderson@centtech.com      Centaur Technology
# rm -rf /bin/laden
-------------------------------------------------------------

From owner-freebsd-security Fri Oct 5 9: 4:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mk-smarthost-1.mail.uk.worldonline.com (mk-smarthost-1.mail.uk.worldonline.com [212.74.112.71]) by hub.freebsd.org (Postfix) with ESMTP id 82BEB37B405 for ; Fri, 5 Oct 2001 09:04:04 -0700 (PDT)
Received: from scooby-s1.lineone.net ([194.75.152.224] helo=lineone.net) by mk-smarthost-1.mail.uk.worldonline.com with smtp (Exim 3.22 #3) id 15pXSE-000AfH-00; Fri, 05 Oct 2001 17:04:02 +0100
To: Eric Anderson
Cc: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Subject: Re: start topology "hub" ipsec vpn / routing?
Date: Fri, 05 Oct 2001 17:04:02 +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ahh -> racoon.

i think this problem is specific to isakmpd (the scope of the config files)...

and i'm not using racoon as it definitely won't handle clients with dynamically allocated IP addresses - unless you know how!

thanks for your help anyway!

tariq

----------
>From: Eric Anderson
>To: tariq_rashid@lineone.net
>Subject: Re: start topology "hub" ipsec vpn / routing?
>Date: Fri, 05 Oct 2001 10:52:21 -0500
>
>Well, I am using the net4501's for my "client" boxes, running at homes of employees for connectivity in to work. At
>work, I have a freebsd machine serving as my "hub" as you call it. All the "clients" connect to it. All routing takes
>place on the "hub". Basically, each ipsec host will have an interface (gif0 perhaps), and that interface will have a
>network number, and subnet mask, etc. The clients just set a default gateway, and I set things up to send all data
>bound for "internal" networks to the ipsec hub. I do not use isakmpd as of yet, so I'm still using racoon. The net4501
>could be used as the hub also if you wanted.
>
>Does that help any?
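The two designs argued over above, as an added example that is not code from either poster: Eric's route-based star (a gif tunnel per spoke, a default route on each spoke, the hub's routing table choosing the next tunnel) against the policy-scope problem Tariq raises (selectors that must list every end-to-end path). The model below traces a spoke-to-spoke packet through the hub with longest-prefix matching and counts the setkey(8) policies each box needs under both designs. All hostnames, endpoint addresses and subnets are constructed; the setkey syntax is written from the setkey(8) manual as I know it and is an assumption for a 4.4-era system, as is the choice of transport-mode ESP around gif's IP-in-IP (ipencap) packets for the route-based case.

```python
"""Star-topology IPsec VPN: where the routing decision lives.

Added example for the list thread above, not the posters' own code.
All names, endpoints and subnets are constructed for illustration.
"""
import ipaddress

HUB_IP = "198.51.100.1"          # constructed public endpoint of the hub
HUB_SUBNET = "10.0.0.0/24"       # constructed network behind the hub

# constructed spokes: (name, public endpoint, protected subnet)
SPOKES = [
    ("site-a", "203.0.113.10", "192.168.1.0/24"),
    ("site-b", "203.0.113.20", "192.168.2.0/24"),
    ("site-c", "203.0.113.30", "192.168.3.0/24"),
]


def hub_routing_table(spokes=SPOKES):
    """Hub FIB: each spoke subnet is reached through its own gif interface
    (gif0, gif1, ... in spoke order); the hub's own subnet is directly attached."""
    table = {ipaddress.ip_network(HUB_SUBNET): ("hub", "local")}
    for i, (name, _ip, subnet) in enumerate(spokes):
        table[ipaddress.ip_network(subnet)] = (name, f"gif{i}")
    return table


def hub_next_hop(dst, spokes=SPOKES):
    """Longest-prefix match on the hub; returns (owner, hub interface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in hub_routing_table(spokes).items()
               if addr in net]
    if not matches:
        return None                      # no route: the hub has no default here
    _net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


def transit_path(src, dst, spokes=SPOKES):
    """Hops a packet takes between two protected hosts in the star.
    A spoke holds one route (default via gif0 to the hub); only the hub decides."""
    src_addr = ipaddress.ip_address(src)
    origin = next((s for s in spokes
                   if src_addr in ipaddress.ip_network(s[2])), None)
    if origin is None:
        raise ValueError(f"{src} is not behind any spoke")
    if ipaddress.ip_address(dst) in ipaddress.ip_network(origin[2]):
        return [(origin[0], "local")]    # same site: never enters the tunnel
    path = [(origin[0], "gif0")]         # spoke: default route into its tunnel
    hop = hub_next_hop(dst, spokes)
    return path + [("hub", hop[1] if hop else "drop")]


def spd_route_based(spokes=SPOKES):
    """setkey(8) policies when gif(4) carries the traffic: transport-mode ESP
    protects the IP-in-IP (ipencap) packets between the two tunnel endpoints,
    so a spoke needs one in/out pair however many subnets sit behind the hub."""
    def pair(a, b):
        return [f"spdadd {a} {b} ipencap -P out ipsec esp/transport//require;",
                f"spdadd {b} {a} ipencap -P in ipsec esp/transport//require;"]
    policies = {"hub": []}
    for name, ip, _subnet in spokes:
        policies["hub"] += pair(HUB_IP, ip)
        policies[name] = pair(ip, HUB_IP)
    return policies


def spd_policy_based(spokes=SPOKES):
    """Pure tunnel-mode selectors (the per-network style Tariq describes):
    every (source net, destination net) path must be listed, on the spoke and,
    for transit traffic, on the hub as well, even though each spoke only ever
    peers with the hub."""
    def pair(local_net, remote_net, local_ip, remote_ip):
        return [f"spdadd {local_net} {remote_net} any -P out ipsec "
                f"esp/tunnel/{local_ip}-{remote_ip}/require;",
                f"spdadd {remote_net} {local_net} any -P in ipsec "
                f"esp/tunnel/{remote_ip}-{local_ip}/require;"]
    nets = {name: subnet for name, _ip, subnet in spokes}
    nets["hub"] = HUB_SUBNET
    policies = {"hub": []}
    for name, ip, subnet in spokes:
        # hub side: traffic from its own net and from every other spoke into this tunnel
        for src_name, src_net in nets.items():
            if src_name != name:
                policies["hub"] += pair(src_net, subnet, HUB_IP, ip)
        # spoke side: its net to every other net, always via the hub endpoint
        policies[name] = []
        for dst_name, dst_net in nets.items():
            if dst_name != name:
                policies[name] += pair(subnet, dst_net, ip, HUB_IP)
    return policies


if __name__ == "__main__":
    print(transit_path("192.168.1.5", "192.168.2.7"))
    for label, fn in (("route-based", spd_route_based), ("policy-based", spd_policy_based)):
        for box, rules in fn().items():
            print(f"{label:13s} {box}: {len(rules)} policies")
```

With three spokes the route-based layout leaves each spoke at two policies and the hub at six, while the selector-based layout needs six per spoke and eighteen on the hub, and every new site touches every existing spoke's file. Either way the spoke's tunnel endpoint is the thing that changes when its address is reassigned, which is the separate problem the later messages in the thread turn to.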
From owner-freebsd-security Fri Oct 5 9: 7:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 2D6F037B403 for ; Fri, 5 Oct 2001 09:07:12 -0700 (PDT)
Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id f95G7B422393; Fri, 5 Oct 2001 11:07:11 -0500 (CDT)
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id LAA21217; Fri, 5 Oct 2001 11:07:11 -0500 (CDT)
Message-ID: <3BBDDA7C.185020EA@centtech.com>
Date: Fri, 05 Oct 2001 11:06:20 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: tariq_rashid@lineone.net
Cc: freebsd-security@freebsd.org
Subject: Re: start topology "hub" ipsec vpn / routing?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

racoon does not have any built-in measures for dynamic ip allocation. However, it's rather easy to set up a simple way to "let the hub know" which IP it is coming from. I have this working all over the place.

isakmpd should not be any problem with the routing, you'll (I'm sure) have to have some scripting to do routing, etc anyhow.

Eric

tariq_rashid@lineone.net wrote:
>
> ahh -> racoon.
>
> i think this problem is specific to isakmpd (the scope of the config files)...
>
> and i'm not using racoon as it definitely won't handle clients with dynamically allocated IP addresses - unless you know how!
>
> thanks for your help anyway!
>
> tariq
>
> ----------
--
-------------------------------------------------------------
Eric Anderson           anderson@centtech.com      Centaur Technology
# rm -rf /bin/laden
-------------------------------------------------------------

From owner-freebsd-security Fri Oct 5 9:14:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mk-smarthost-1.mail.uk.worldonline.com (mk-smarthost-1.mail.uk.worldonline.com [212.74.112.71]) by hub.freebsd.org (Postfix) with ESMTP id 32C4C37B406 for ; Fri, 5 Oct 2001 09:14:21 -0700 (PDT)
Received: from scooby-s1.lineone.net ([194.75.152.224] helo=lineone.net) by mk-smarthost-1.mail.uk.worldonline.com with smtp (Exim 3.22 #3) id 15pXcA-000GxU-00; Fri, 05 Oct 2001 17:14:18 +0100
To: Eric Anderson
Cc: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Subject: Re: start topology "hub" ipsec vpn / routing?
Date: Fri, 05 Oct 2001 17:14:18 +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"However, it's rather easy to set up a simple way to "let the hub know" which IP it is coming from."

i'd love to know! i've only ever seen people write scripts to send/receive IP info when a new IP is allocated. having a script listening on the server "hub" seems an ugly hack!

i gave up looking for the "correct" solution with racoon ("let the hub know which ip address i'm coming from") as people seemed to agree that it wasn't possible!

i'm intrigued!

tariq

============

racoon does not have any built-in measures for dynamic ip allocation. However, it's rather easy to set up a simple way to "let the hub know" which IP it is coming from. I have this working all over the place.

isakmpd should not be any problem with the routing, you'll (I'm sure) have to have some scripting to do routing, etc anyhow.

Eric

From owner-freebsd-security Fri Oct 5 10:10:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from madcap.dyndns.org (bb157-215.singnet.com.sg [165.21.157.215]) by hub.freebsd.org (Postfix) with ESMTP id 7819137B406 for ; Fri, 5 Oct 2001 10:10:23 -0700 (PDT)
Received: by madcap.dyndns.org (Postfix, from userid 100) id 427B61EC; Sat, 6 Oct 2001 00:46:14 +0800 (SGT)
Date: Sat, 6 Oct 2001 00:46:14 +0800
From: Ng Pheng Siong
To: freebsd-security@freebsd.org
Subject: Amavis + Linux scanners
Message-ID: <20011006004613.B1992@madcap.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm looking at running Amavis with Postfix. The Amavis site pointed to several scanner products which predictably offer Linux but not FreeBSD versions.

Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas, better option?

TIA. Cheers.
--
Ng Pheng Siong * http://www.post1.com/home/ngps

From owner-freebsd-security Fri Oct 5 10:32: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gifw.genroco.com (genroco.com [205.254.195.202]) by hub.freebsd.org (Postfix) with ESMTP id C886D37B403 for ; Fri, 5 Oct 2001 10:31:57 -0700 (PDT)
Received: from gi2.genroco.com (IDENT:root@gi2.genroco.com [192.133.120.3]) by gifw.genroco.com (8.9.3/8.9.3) with ESMTP id MAA12704; Fri, 5 Oct 2001 12:31:43 -0500
Received: from scot.genroco.com (scot.genroco.com [192.133.120.125]) by gi2.genroco.com (8.9.3/8.9.3) with SMTP id MAA23762; Fri, 5 Oct 2001 12:31:35 -0500
Message-ID: <010601c14dc3$976dc700$7d7885c0@genroco.com>
From: "Scot W. Hetzel"
To: "Ng Pheng Siong" ,
References: <20011006004613.B1992@madcap.dyndns.org>
Subject: Re: Amavis + Linux scanners
Date: Fri, 5 Oct 2001 12:31:35 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
From: "Ng Pheng Siong"
> I'm looking at running Amavis with Postfix. The Amavis site pointed to
> several scanner products which predictably offer Linux but not FreeBSD
> versions.
>
> Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas,
> better option?
>
We are running Amavisd on FreeBSD w/Sendmail+Milter and using a native FreeBSD virus scanner (McAfee VScan). McAfee VScan can be installed from /usr/port/security/vscan.

NOTE: Ensure you update your ports collection, as the uvscan_dat port was recently updated. This port has a script that is used to fetch the updated definitions.

I also created a port of Amavisd for use with Postfix (amavisd-postfix), but it hasn't been fully tested. The port is available from:

ftp://ftp.westbend.net/pub/amavis/amavisd.tar.gz

Scot

From owner-freebsd-security Fri Oct 5 10:36:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 9C13337B401 for ; Fri, 5 Oct 2001 10:36:20 -0700 (PDT)
Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id f95HaFW29980; Fri, 5 Oct 2001 13:36:15 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <5.1.0.14.0.20011005133013.059bc9c0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 05 Oct 2001 13:30:45 -0400
To: Ng Pheng Siong , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Amavis + Linux scanners
In-Reply-To: <20011006004613.B1992@madcap.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I tried the f-prot scanner for Linux and it seemed to work ok. Why not run the native FreeBSD version of the NAI/McAfee scanner? It works well.

---Mike

At 12:46 AM 10/6/01 +0800, Ng Pheng Siong wrote:
>Hi,
>
>I'm looking at running Amavis with Postfix. The Amavis site pointed to
>several scanner products which predictably offer Linux but not FreeBSD
>versions.
>
>Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas,
>better option?
>
>TIA. Cheers.
>--
>Ng Pheng Siong * http://www.post1.com/home/ngps

From owner-freebsd-security Fri Oct 5 10:52:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 5DE7537B406 for ; Fri, 5 Oct 2001 10:52:40 -0700 (PDT)
Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id f95Hn6W31780; Fri, 5 Oct 2001 13:49:11 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <5.1.0.14.0.20011005134238.04ccbce0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 05 Oct 2001 13:43:37 -0400
To: "Scot W. Hetzel" ,
From: Mike Tancsa
Subject: Re: Amavis + Linux scanners
In-Reply-To: <010601c14dc3$976dc700$7d7885c0@genroco.com>
References: <20011006004613.B1992@madcap.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:31 PM 10/5/01 -0500, Scot W. Hetzel wrote:
>We are running Amavisd on FreeBSD w/Sendmail+Milter and using a native
>FreeBSD virus scanner (McAfee VScan). McAfee VScan can be installed from
>/usr/port/security/vscan.

Does the daemon version work better than the non daemon version? Faster? More efficient?

---Mike

From owner-freebsd-security Fri Oct 5 11:25:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from robin.mail.pas.earthlink.net (robin.mail.pas.earthlink.net [207.217.120.65]) by hub.freebsd.org (Postfix) with ESMTP id ACF2C37B407 for ; Fri, 5 Oct 2001 11:25:46 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.136.241.Dial1.SanJose1.Level3.net [209.247.136.241]) by robin.mail.pas.earthlink.net (8.11.5/8.9.3) with ESMTP id f95IPi922163; Fri, 5 Oct 2001 11:25:44 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id f95I0ZH00391; Fri, 5 Oct 2001 11:00:35 -0700 (PDT) (envelope-from cjc)
Date: Fri, 5 Oct 2001 11:00:35 -0700
From: "Crist J. Clark"
To: Rasputin
Cc: security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011005110034.A310@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011004023034.U8391@blossom.cjclark.org> <20011004173535.0A2DE3B19D@gemini.nersc.gov> <20011005100832.A547@shikima.mine.nu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011005100832.A547@shikima.mine.nu>; from rasputin@submonkey.net on Fri, Oct 05, 2001 at 10:08:32AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 05, 2001 at 10:08:32AM +0100, Rasputin wrote:
> * Eli Dart [011004 19:30]:
> >
> > In reply to "Crist J. Clark" :
> >
> > [snip]
> >
> > > Have fun. Unless there is outpouring from people who love the idea,
> > > I'm not going to commit these to FreeBSD.
> >
> > Please consider this as part of an outpouring of support from people
> > who love the idea.
>
> "me too".
>
> Isn't this fairly common among the other BSDs as well?
>
> An alternative to securelevel is sometimes useful,
> and KLDs are a fairly well-known attack method against *BSD.
>
> I don't see any harm in adding it as an option - it doesn't have to
> (definitely shouldn't be) the default, of course.

The potential harm, and the reason I hesitated before doing it and still hesitate to add it to the code base, is that it may give a false sense of security. It blocks the kldload(2) syscall. That's it. This prevents someone from using the convenient KLD interface to hook code into the running kernel, it does not,

  - Stop someone from modifying the running kernel (through /dev/mem), or

  - Stop someone from putting a modified kernel (like one that allows KLDs, eep!) on your hard drive and rebooting the box.
Both of these can potentially be stopped by the proper use of securelevel(8) (with all of its faults, it's still better). That's what people who really want to lock down their box should be doing, not this. But as I said originally, this may stop a script kiddie or two... until someone with a clue writes them a script that loads the kernel modifications via /dev/mem instead of kldload(8).
--
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

From owner-freebsd-security Fri Oct 5 12: 7:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gifw.genroco.com (genroco.com [205.254.195.202]) by hub.freebsd.org (Postfix) with ESMTP id B12B437B401 for ; Fri, 5 Oct 2001 12:07:40 -0700 (PDT)
Received: from gi2.genroco.com (IDENT:root@gi2.genroco.com [192.133.120.3]) by gifw.genroco.com (8.9.3/8.9.3) with ESMTP id OAA13282; Fri, 5 Oct 2001 14:07:37 -0500
Received: from scot.genroco.com (scot.genroco.com [192.133.120.125]) by gi2.genroco.com (8.9.3/8.9.3) with SMTP id OAA24644; Fri, 5 Oct 2001 14:07:36 -0500
Message-ID: <01a501c14dd0$ff2c1560$7d7885c0@genroco.com>
From: "Scot W. Hetzel"
To: , "Mike Tancsa"
References: <20011006004613.B1992@madcap.dyndns.org> <5.1.0.14.0.20011005134238.04ccbce0@marble.sentex.ca>
Subject: Re: Amavis + Linux scanners
Date: Fri, 5 Oct 2001 14:07:36 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
From: "Mike Tancsa"
> At 12:31 PM 10/5/01 -0500, Scot W. Hetzel wrote:
> >We are running Amavisd on FreeBSD w/Sendmail+Milter and using a native
> >FreeBSD virus scanner (McAfee VScan). McAfee VScan can be installed from
> >/usr/port/security/vscan.
>
> Does the daemon version work better than the non daemon version ? Faster ?
> More efficient ?
>
I never used the non daemon version, so I don't know if the daemon version is faster or more efficient than the non daemon version. But according to the web site/docs/mailing list, it is supposed to be.

Scot

From owner-freebsd-security Fri Oct 5 12:14: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id EA52D37B401 for ; Fri, 5 Oct 2001 12:14:04 -0700 (PDT)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id f95JDSc98111; Fri, 5 Oct 2001 15:13:29 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Fri, 5 Oct 2001 15:13:25 -0400 (EDT)
From: Rob Simmons
To: Ng Pheng Siong
Subject: Re: Amavis + Linux scanners
In-Reply-To: <20011006004613.B1992@madcap.dyndns.org>
Message-ID: <20011005150751.F96869-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

We are running Amavis with Sophos and Sendmail. Sophos is natively compiled. If you want to run it on 4.x you will need the Compat 3x libs. Other than that, it works great. Also, you can cron the following script to update your virus identities automatically:

    #!/bin/sh
    # Pull any new Sophos IDE (virus identity) files into the local SAV directory.
    idesite="http://www.sophos.com/downloads/ide/"
    idedir="/usr/local/sav"
    fetch="/usr/bin/fetch"

    # list.txt enumerates the IDE files on the site; the script assumes the
    # file name begins at column 37 of each line. fetch -m (mirror mode) only
    # downloads a file when the remote copy is newer than the one in ${idedir}.
    ${fetch} -q -o - "${idesite}list.txt" | cut -c 37- | while read d ; do
        ${fetch} -m -q -o "${idedir}" "${idesite}${d}"
    done

Of all the antivirus companies, Sophos seems to be the most aware of FreeBSD.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Sat, 6 Oct 2001, Ng Pheng Siong wrote:

> Hi,
>
> I'm looking at running Amavis with Postfix. The Amavis site pointed to
> several scanner products which predictably offer Linux but not FreeBSD
> versions.
>
> Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas,
> better option?
>
> TIA. Cheers.
> --
> Ng Pheng Siong * http://www.post1.com/home/ngps
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7vgZYv8Bofna59hYRAxGlAKCuDhZFthSanqbvzYhnTF6Hbi0pdgCcDXcj
+9c/3WhViraSVZLTAhOhlB8=
=gJvM
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Oct 5 12:31: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.pilikia.net (ns1.pilikia.net [63.173.194.12]) by hub.freebsd.org (Postfix) with ESMTP id 4BD0A37B407 for ; Fri, 5 Oct 2001 12:31:01 -0700 (PDT)
Received: from gecko (gecko.local.net [10.25.0.9]) by ns1.pilikia.net (8.11.4/8.11.4) with ESMTP id f95JUfb60783; Fri, 5 Oct 2001 09:30:42 -1000 (HST) (envelope-from art@pilikia.net)
Message-ID: <200110050930420740.360CC31D@smtp>
In-Reply-To: <20011006004613.B1992@madcap.dyndns.org>
References: <20011006004613.B1992@madcap.dyndns.org>
X-Mailer: Calypso Version 3.20.02.00 (3)
Date: Fri, 05 Oct 2001 09:30:42 -1000
Reply-To: art@pilikia.net
From: "Arthur W. Neilson III"
To: "Ng Pheng Siong"
Cc: freebsd-security@freebsd.org
Subject: Re: Amavis + Linux scanners
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: by AMaViS/NAI-uvscan-4.14
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

we are using amavisd snapshot 20010714 with NAI's uvscan for FreeBSD and it works great.

On 10/6/01 at 12:46 AM Ng Pheng Siong wrote:
>
>Hi,
>
>I'm looking at running Amavis with Postfix. The Amavis site pointed to
>several scanner products which predictably offer Linux but not FreeBSD
>versions.
>
>Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas,
>better option?
>
>TIA. Cheers.
>--
>Ng Pheng Siong * http://www.post1.com/home/ngps

--
      __      /  )   _/_     It is a capital mistake to theorise before one has data.
     /--/ __ /           Insensibly one begins to twist facts to suit theories,
    /  (_/ (_<__           Instead of theories to suit facts.
                                  -- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, WH7N - FISTS #7448
Bank of Hawaii Network Services
http://www.pilikia.net
art@pilikia.net, aneilson@boh.com, wh7n@arrl.net

From owner-freebsd-security Fri Oct 5 13:22:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aries.ai.net (aries.ai.net [205.134.163.4]) by hub.freebsd.org (Postfix) with ESMTP id 002C137B401 for ; Fri, 5 Oct 2001 13:22:29 -0700 (PDT)
Received: from blood (pool-138-88-103-108.res.east.verizon.net [138.88.103.108]) by aries.ai.net (8.9.3/8.9.3) with SMTP id QAA16646; Fri, 5 Oct 2001 16:35:27 -0400 (EDT) (envelope-from deepak@ai.net)
From: "Deepak Jain"
To: "Peter Chiu"
Cc: "D J Hawkey Jr", "Alexander Langer"
Subject: RE: Kernel-loadable Root Kits
Date: Fri, 5 Oct 2001 16:24:44 -0400
In-Reply-To: <20011004232108.L297@blossom.cjclark.org>

Thanks Crist,

This is a significant kiddie protection item and I for one would like to see it committed to future FreeBSD releases. [in case the patch stops working on a future code rev].

Deepak

-----Original Message-----
From: Crist J. Clark [mailto:cristjc@earthlink.net]
Sent: Friday, October 05, 2001 2:21 AM
To: Peter Chiu
Cc: D J Hawkey Jr; cjclark@alum.mit.edu; Alexander Langer; deepak@ai.net; freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits

On Thu, Oct 04, 2001 at 07:02:51PM -0400, Peter Chiu wrote:
> Hello Crist,
>
> I love this idea. However, how does it affect vinum?
>
> Extracted from LINT
> # Configuring Vinum into the kernel is not necessary, since the kld
> # module gets started automatically when vinum(8) starts. This
> # device is also untested. Use at your own risk.
> #

Like I said, this will prevent you from loading KLDs. (period)

--
Crist J. Clark cjclark@alum.mit.edu cjclark@jhu.edu cjc@freebsd.org

From owner-freebsd-security Fri Oct 5 21:42:44 2001
Date: Fri, 5 Oct 2001 21:42:40 -0700
From: Andrew Stuart
To: freebsd-security@freebsd.org
Subject: Re: Windows 2000 Server behind IPFW/NAT tries to update external DNS?
Message-ID: <20011005214240.A87913@freebsd.tekrealm.net>
In-Reply-To: <5.1.0.14.0.20011004080937.03006990@pop.uniserve.com>

On Thu, 04 Oct 2001 at 08:10:59 -0700, Landon Stewart wrote:
>
> > also if i would replace this stupid thing with samba, there is no way for
> > it. any idea how to get this stupid M$ thing to not try to update the DNS?
> > i know there are things in W2K regarding active directory and DNS, but
> > still havnt found a way.
>

DNS' you can find it via going to properties on ur network cards/modems, and then into the tcpip settings, it's on one of the tabs, just uncheck the box, and click ok to save the changes, and you should be all set. Least..
It works for me at several different offices :)

--
Andrew

From owner-freebsd-security Fri Oct 5 23: 9: 9 2001
Date: Fri, 5 Oct 2001 23:09:06 -0700 (PDT)
From: David S Strait
To: freebsd-security@freebsd.org
Subject: Kern Secure Level

There is a little discussion about kern secure level in the 'man init' page, but it's somewhat brief.

On Kern level 1, I couldn't get X-windows to work so I wanted to lower it. (As it turned out later, this was the solution, and X-win worked.)

I'm running FreeBSD 4.4 REL and basically: when kern_securelevel="0" in rc.conf, it just hops up to 1??????? But if you leave it: kern_securelevel="-1" or kern_securelevel="1", then it will go to -1, 1 respectively. Why on 0 does the level get bounced to 1?

Is there a *serious* security issue with kern levels -1 and 0?

Thanks.

From owner-freebsd-security Fri Oct 5 23:36:48 2001
Date: Sat, 6 Oct 2001 02:36:41 -0400 (EDT)
From: Jeff Palmer
To: David S Strait
Subject: Re: Kern Secure Level
Message-ID: <20011006022008.R66168-100000@Scorpio.drkshdw.org>

In my opinion, secure levels is only a deterrent. In fact, most people don't even use it properly.

The idea of secure levels is to set certain files as immutable (not even root or superusers can change the file.)

The problem with it is twofold:

1) Most people fail to set the proper binaries as immutable, to stop them from being trojaned in the event of a successful hack.

2) FreeBSD doesn't have the appropriate files set as immutable by default, nor after a buildworld.

So unless you specifically set the files immutable, securelevels is pointless. Especially when you factor in the fact that.. the intruder already has access to your machine when securelevels comes into play. At this point, a forensics diagnostic should be performed to gain all available data about the intrusion. And then the machine should be formatted and a fresh OS installed.

For those who don't know which files I'm talking about, when it comes to securelevels, a major one would be /etc/rc.conf. If the intruder has root access on your machine, all he has to do is edit /etc/rc.conf to set the securelevel to -1 and upon next reboot, your securelevels didn't do anything but delay his final outcome.

I personally have all binaries that deal with passwords and remote authentication set immutable. My feeling is this: they already have access to my machine, why allow them to trojan ssh, ftp, telnet, login, etc etc and give them access to OTHER remote machines.. simply because mine was vulnerable.

Securelevels will not stop your machine from being hacked or even attacked.
It may, with proper configuration, help stop your machine from being the reason some other machine was hacked.

Perfect example was the recent apache.org hack. An ISP was hacked and ssh was trojaned. An apache.org employee (or developer, I forget) then logged into the webserver. Upon doing so, the trojaned ssh client gave the attacker the password. If securelevels had been implemented, the ISP's machine would have still been compromised, however the immutable "ssh" would not have given the intruder access to apache.org

Anywho, sorry for the long post.. all in all, to average joe blow FreeBSD user, no securelevels is of little value. To a security conscious admin, who takes the time to research it, and set the proper permissions.. securelevels CAN stop your machine from passing certain information on to attackers.

Another thing to consider.. A lot of newbie (please, no flames if this includes anyone reading this list) a lot of newbie admins will read about securelevels, and make the entire /bin /sbin and other directories immutable. This is a BAD THING!

One of the easiest ways to tell if your machine has been compromised, is by using third party utilities to create checksums of all important files on the system. If (in the example above) you have been compromised, and did NOT have ssh immutable, but DID have a valid checksum of the file on record, the checksum would change, and that would be an immediate clue that you have a security breach. If you set entire directories of files immutable, you effectively eliminate that method of intrusion detection. (Most machines that have been hacked, are noticed because of this method.. or by other admins emailing administrators asking why there was a DoS launched or port probes from your machine. Wouldn't you prefer to know BEFORE your machine is used to launch other exploits?)
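[Editor's added example, not part of Jeff Palmer's post above.] The checksum method Jeff describes, written out as a small Python baseline tool. `hash_file`, `build_baseline`, `compare_baseline` and `demo` are this example's own names, not a real FreeBSD or third-party utility. `demo()` runs a constructed scenario in a temporary directory: three stand-in binaries are baselined, the record is round-tripped through JSON (as it would be when kept on read-only media), then one file is replaced and one removed, and the comparison reports both.

```python
"""File-integrity baseline: detect a replaced binary by checksum.

Editor's added example; the scenario in demo() is constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its size and digest; store the result off the box."""
    baseline = {}
    for p in paths:
        st = os.lstat(p)
        baseline[str(p)] = {"size": st.st_size, "sha256": hash_file(p)}
    return baseline


def compare_baseline(baseline):
    """Re-hash every recorded file and report what changed or vanished."""
    report = {"changed": [], "missing": [], "ok": []}
    for p, rec in sorted(baseline.items()):
        if not os.path.exists(p):
            report["missing"].append(p)
        elif hash_file(p) != rec["sha256"]:
            report["changed"].append(p)
        else:
            report["ok"].append(p)
    return report


def demo():
    """Constructed scenario: baseline three 'binaries', then tamper with two."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "usr" / "bin"
        bindir.mkdir(parents=True)
        files = {}
        for name in ("ssh", "login", "passwd"):
            f = bindir / name
            f.write_bytes(b"#!/bin/sh\necho genuine %s\n" % name.encode())
            files[name] = f
        baseline = build_baseline(files.values())
        # Round-trip through JSON, as a record kept on read-only media would be.
        baseline = json.loads(json.dumps(baseline))
        # Simulated tampering: ssh is replaced, passwd is deleted.
        files["ssh"].write_bytes(b"#!/bin/sh\necho not the genuine ssh\n")
        os.unlink(files["passwd"])
        report = compare_baseline(baseline)
        # Return basenames so the result does not depend on the temp path.
        return {k: [Path(p).name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The point the thread is making is that the baseline record itself has to be kept somewhere an intruder with root cannot rewrite it, otherwise the comparison proves nothing.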
Jeff Palmer
scorpio@drkshdw.org

On Fri, 5 Oct 2001, David S Strait wrote:
>
> There is a little discussion about kern secure level in the 'man init'
> page, but its somewhat brief.
>
> On Kern level 1, I couldn't get X-windows to work so I wanted to lower
> it. (As it turned out later, this was the solution, and X-win worked.)
>
> I'm running FreeBSD 4.4 REL and basically:
> when kern_securelevel="0" in rc.conf, it just hops up to 1???????
> But if you leave it: kern_securelevel="-1" or kern_securelevel="1", then
> it will go to -1, 1 respectively. Why on 0 does the level get bounced to
> 1?
>
> Is there a *serious* security issue with kern levels -1 and 0?
>
> Thanks.

From owner-freebsd-security Sat Oct 6 1:16:44 2001
Date: Sat, 6 Oct 2001 04:16:02 -0400
From: Dave Chapeskie
To: Jeff Palmer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kern Secure Level
Message-ID: <20011006041601.A7815@ddm.wox.org>
In-Reply-To: <20011006022008.R66168-100000@Scorpio.drkshdw.org>

On Sat, Oct 06, 2001 at 02:36:41AM -0400, Jeff Palmer wrote:
> A lot of newbie (please, no flames if this includes anyone reading this
> list) a lot of newbie admins will read about securelevels, and make
> the entire /bin /sbin and other directories immutable. This is a BAD
> THING!

Bzzzt! Thanks for playing!

You have it backwards. There is no security (other than from typos) in making files in /sbin immutable if /sbin itself is not immutable. For example try this on your setup:

    $ chflags schg /sbin/init    # just to be sure
    $ ls -lo /sbin/init          # notice schg
    $ cp -R /sbin /.sbin.new
    $ mv /sbin /... && mv /.sbin.new /sbin
    $ ls -lo /sbin/init          # notice no schg

For /usr/sbin/* you must make BOTH /usr/sbin and /usr immutable to avoid the same problem.
--
Dave Chapeskie
OpenPGP Key KeyId: 3D2B6B34

From owner-freebsd-security Sat Oct 6 2:37:58 2001
From: "Brandon Harper"
Subject: RE: Amavis + Linux scanners
Date: Fri, 5 Oct 2001 12:55:45 -0600
In-Reply-To: <20011006004613.B1992@madcap.dyndns.org>

> Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas,
> better option?

As others have posted, I too am running Amavis + the FreeBSD version of McAfee, and it works flawlessly thus far. It was a piece of cake to set up as well.

You probably don't need it, but there are step-by-step instructions at this URL (though it appears that their site is currently down):

http://www.defcon1.org/html/Linux_mode/install-swap/anti-virus-sendmail.html

- Brandon

From owner-freebsd-security Sat Oct 6 3:32:19 2001
Message-ID: <000801c14e51$0e95cb60$978788d4@hilbrink.nl>
From: "Cor Hilbrink"
To: "Brandon Harper"
Subject: Re: Amavis + Linux scanners
Date: Sat, 6 Oct 2001 12:24:18 +0200
Organization: Hilbrink IT Solutions

Hello Brandon,

We are configuring FreeBSD machines with Sendmail/Amavis/Sophos for the moment. That's running fine. One thing still left: you have to update the virus patterns every month from a CD-ROM. On a daily basis we can download new patterns, but that is not enough without the CD version.

What do you mean with Linux scanners? As far as I know some anti-virus software packages are also available for FreeBSD: Sophos, Kaspersky and, if I'm right, also McAfee.

Regards,
Cor Hilbrink.

----- Original Message -----
From: Brandon Harper
Sent: Friday, October 05, 2001 8:55 PM
Subject: RE: Amavis + Linux scanners

> > Has anyone run Amavis on FreeBSD with Linux scanners? Any caveats, gotchas,
> > better option?
>
> As others have posted, I too am running Amavis + the FreeBSD version of
> McAfee, and it works flawlessly thus far. It was a piece of cake to setup
> as well.
>
> You probably don't need it, but there are step-by-step instructions at this
> URL (though it appears that their site is currently down):
>
> http://www.defcon1.org/html/Linux_mode/install-swap/anti-virus-sendmail.html
>
> - Brandon

From owner-freebsd-security Sat Oct 6 4:24: 2 2001
Date: Sat, 6 Oct 2001 07:23:57 -0400 (EDT)
From: Jeff Palmer
To: Dave Chapeskie
Subject: Re: Kern Secure Level
In-Reply-To: <20011006041601.A7815@ddm.wox.org>
Message-ID: <20011006072116.H71529-100000@Scorpio.drkshdw.org>

On Sat, 6 Oct 2001, Dave Chapeskie wrote:
> On Sat, Oct 06, 2001 at 02:36:41AM -0400, Jeff Palmer wrote:
> > A lot of newbie (please, no flames if this includes anyone reading this
> > list) a lot of newbie admins will read about securelevels, and make
> > the entire /bin /sbin and other directories immutable. This is a BAD
> > THING!
>
> Bzzzt! Thanks for playing!
>
> You have it backwards. There is no security (other than from typos) in
> making files in /sbin immutable if /sbin itself is not immutable.
>

Bzzzt? Thanks for playing? Didn't realize I was playing.

And pardon me, but I thought "and make the entire /bin and /sbin directory..." meant the directory as well as the files? (Hint: the key operative word here is "entire")

Pardon me, but I think it'd be better for everyone involved if you didn't try to make this into a gameshow. Instead of saying exactly what I said, try reading the post? Just an idea..
Jeff Palmer
scorpio@drkshdw.org

From owner-freebsd-security Sat Oct 6 7:47: 0 2001
Date: Sat, 6 Oct 2001 09:46:50 -0500
From: D J Hawkey Jr
To: cjclark@alum.mit.edu
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011006094650.A19631@sheol.localdomain>
In-Reply-To: <20011004023034.U8391@blossom.cjclark.org>

Hello, Crist,

On Oct 04, at 02:30 AM, Crist J. Clark wrote:
>
> [SNIP]
>
> I went in and made a very simple kernel-build option which disables
> the use of kldload(2) (and kldunload(2)) at all times. This is not as
> good as raising securelevel(8) since root can still write to
> /dev/mem. However, a lot of people in this thread still seem to want
> this ability. Since you can still write to /dev/mem, it is only raises
> the bar a bit for an attacker. But it does raise the bar enough to
> possibly foil a skr1pt k1ddi3 or two.

Hey, thanks. I for one appreciate this hack.

One Q though: Is there a config flag to link the screen-saver to the kernel? I can't seem to find it.

> To use the patches,
>
> [SNIP]

Dave

--
  ______________________                             ______________________
  \__________________  \     D. J. HAWKEY JR.       /  __________________/
     \________________/\     hawkeyd@visi.com      /\________________/
                             http://www.visi.com/~hawkeyd/

From owner-freebsd-security Sat Oct 6 11: 9:36 2001
Date: Sun, 7 Oct 2001 02:08:51 +0800
From: Ng Pheng Siong
To: Cor Hilbrink
Cc: Brandon Harper, freebsd-security@FreeBSD.ORG
Subject: Re: Amavis + Linux scanners
Message-ID: <20011007020851.B663@madcap.dyndns.org>
In-Reply-To: <000801c14e51$0e95cb60$978788d4@hilbrink.nl>

On Sat, Oct 06, 2001 at 12:24:18PM +0200, Cor Hilbrink wrote:
> Hello Brandon,
>
> [...]
>
> What do you mean with Linux scanners, as far as i know some anti virus
> software packages are also available for FreeBSD.. Sophos, Karspersky and if
> i'am right also mcfee.

Hi,

*I* asked about Linux scanners, not Brandon. ;-)

I asked because I did not know of FreeBSD-native ones, until now.

Thanks to all who responded on- and off-list.

Cheers.

--
Ng Pheng Siong * http://www.post1.com/home/ngps

From owner-freebsd-security Sat Oct 6 11:42:43 2001
Date: Sat, 6 Oct 2001 20:41:13 +0200 (SAST)
From: Justin Stanford
To: Ng Pheng Siong
Cc: Cor Hilbrink, Brandon Harper, freebsd-security@FreeBSD.ORG, pldaniels@pldaniels.com
Subject: Re: Amavis + Linux scanners
In-Reply-To: <20011007020851.B663@madcap.dyndns.org>

There is another little known, but very fast, FreeBSD native antivirus program available called NOD32 (http://www.nod32.com). Speak to the man @ pldaniels.com (of Inflex and Xamime fame) if you are interested in it. He will gladly supply a trial version.

Regards,
Justin

--
Justin Stanford
Internet/Network Security & Solutions Consultant
4D Digital Security
http://www.4dds.co.za
Cell: (082) 7402741
E-Mail: jus@security.za.net
PGP Key: http://www.security.za.net/jus-pgp-key.txt

On Sun, 7 Oct 2001, Ng Pheng Siong wrote:
> On Sat, Oct 06, 2001 at 12:24:18PM +0200, Cor Hilbrink wrote:
> > Hello Brandon,
> >
> > [...]
> >
> > What do you mean with Linux scanners, as far as i know some anti virus
> > software packages are also available for FreeBSD.. Sophos, Karspersky and if
> > i'am right also mcfee.
>
> Hi,
>
> *I* asked about Linux scanners, not Brandon. ;-)
>
> I asked because I did not know of FreeBSD-native ones, until now.
>
> Thanks to all who responded on- and off-list.
>
> Cheers.
>
> --
> Ng Pheng Siong * http://www.post1.com/home/ngps

From owner-freebsd-security Sat Oct 6 14:40: 3 2001
Date: Sat, 6 Oct 2001 12:52:17 -0700
From: "Crist J. Clark"
To: Jeff Palmer
Cc: David S Strait, freebsd-security@FreeBSD.ORG
Subject: Re: Kern Secure Level
Message-ID: <20011006125217.A350@blossom.cjclark.org>
In-Reply-To: <20011006022008.R66168-100000@Scorpio.drkshdw.org>

On Sat, Oct 06, 2001 at 02:36:41AM -0400, Jeff Palmer wrote:
> In my opinion, secure levels is nly a deterrant. In fact, most people
> don't even use it properly.

True.

> The idea of secure levels is to set certain files as immutable (not even
> root or superusers can change the file.)

Making files immutable is only part of it. No more KLDs or write access to /dev/mem.

> The problem with it is twofold:
>
> 1) Most people fail to set the proper binaries as immutable, to stop them
> from being trojaned in the even of a succesful hack.

Yep.

> 2) FreeBSD doesn't have the appropriate files set as immutable by
> default,...

[snip]

This is actually the same point.

> I personally have all binaries that deal with passwords and remote
> authentication set immutable. My feeling is this: they already have
> access to my machine, why allow them to trojan ssh, ftp, telnet, login,
> etc etc and give them access to OTHER remote machines.. simply because
> mine was vulnerable.

This does not necessarily stop anyone from collecting passwords. The easiest thing to do is to place a trojaned sshd (or telnetd, whatever) in /tmp/sshd, kill the running one, and manually start the one /tmp/sshd. The path will show up wrong in ps(1) output? A program can easily lie about that.
It is also possible, but not easy, to grab passwords from the process as it runs without actually modifying it on disk.

There are also some very interesting attacks possible on your immutable files on things like /usr/sbin/sshd and /usr/libexec/telnetd since you can still potentially mount and umount /usr (just how interesting depends on whether you are at securelevel = 1 or > 1).

For anything going over the network in clear text, you can just run a sniffer and not worry about trojaned binaries at all.

The minimum set of files that must be immutable to make a box reasonably secure goes far beyond /etc/rc.conf. You need to make _all_ files executed with root privs before the securelevel is raised immutable. A quick look at /etc/rc shows this includes ones you expect,

    /bin/sh
    /sbin/fsck
    /sbin/mount

etc. And some others that don't immediately seem obvious,

    /bin/chmod
    /bin/rm
    /bin/stty
    /sbin/dmesg
    /usr/bin/awk
    /usr/bin/chflags
    /usr/sbin/chown

etc.

> Securelevels will not stop your machine from being hacked or even
> attacked. It may, with proper configuration, help stop your machine from
> being the reason some other machine was hacked.

Exactly. It will not stop a compromise. No matter what you do with securelevels, if you have a telnetd from before July of this year listening, someone can root your box. What it can do is make it difficult for the attacker to take complete control of the box and cover his tracks before he is detected. Difficult, but not impossible.

--
Crist J. Clark cjclark@alum.mit.edu cjclark@jhu.edu cjc@freebsd.org

From owner-freebsd-security Sat Oct 6 18:10: 9 2001
Message-ID: <02da01c14ecd$4610e8a0$0a05a8c0@ooe.kmjeuro.com>
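[Editor's added example; it belongs to none of the posts in this thread and is not FreeBSD code.] Crist's rule that everything /etc/rc executes as root before the securelevel is raised must be immutable, combined with Dave Chapeskie's earlier point that an immutable file inside a mutable directory can be swapped out together with its directory, gives a checkable audit. The script below extracts the external commands a constructed /etc/rc-style fragment invokes, resolves them against the fragment's own PATH, and then checks each resolved binary and every ancestor directory below / for the schg flag in a constructed `ls -ldo` listing. All function names, the rc fragment and the listing are this example's own; on a real box the listing would be produced by running `ls -ldo` over the resolved paths and their parent directories.

```python
"""Audit which root-executed rc commands are fully covered by schg.

Editor's added example. RC_FRAGMENT and LS_OUTPUT are constructed inputs.
"""
import re
from pathlib import PurePosixPath

# Constructed stand-in for the top of a FreeBSD 4.x /etc/rc.
RC_FRAGMENT = """
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
fi
stty status '^T'
dmesg > /var/run/dmesg.boot
chmod 644 /var/run/dmesg.boot
fsck -p
mount -a -t nonfs
rm -f /var/run/*.pid
awk '{print $1}' /etc/fstab | xargs echo >/dev/null
sysctl -w kern.securelevel=$kern_securelevel
"""

# Constructed `ls -ldo` output; the fifth column holds file flags ('-' = none).
LS_OUTPUT = """
drwxr-xr-x   2 root  wheel  schg     1024 Sep 21  2001 /sbin
drwxr-xr-x   2 root  wheel  -        1024 Sep 21  2001 /bin
drwxr-xr-x  18 root  wheel  -        1024 Sep 21  2001 /usr
drwxr-xr-x   2 root  wheel  schg     4096 Sep 21  2001 /usr/bin
-r-xr-xr-x   1 root  wheel  schg   163700 Sep 21  2001 /sbin/fsck
-r-xr-xr-x   1 root  wheel  -       61748 Sep 21  2001 /sbin/mount
-r-xr-xr-x   1 root  wheel  schg     9276 Sep 21  2001 /sbin/dmesg
-r-xr-xr-x   1 root  wheel  schg    12284 Sep 21  2001 /bin/chmod
-r-xr-xr-x   1 root  wheel  schg    16580 Sep 21  2001 /bin/rm
-r-xr-xr-x   1 root  wheel  schg    21876 Sep 21  2001 /bin/stty
-r-xr-xr-x   1 root  wheel  schg   104732 Sep 21  2001 /usr/bin/awk
-r-xr-xr-x   1 root  wheel  schg    14380 Sep 21  2001 /usr/bin/xargs
"""

KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "do", "done", "while",
            "until", "case", "esac", "in", "!", "{", "}"}
BUILTINS = {".", ":", "[", "echo", "export", "set", "cd", "exit", "return",
            "shift", "test", "eval", "exec", "read", "unset", "umask", "trap"}


def commands_from_rc(text):
    """External command names invoked by an rc-style sh script.
    Deliberately simple: first word of each segment split on ; | && ||."""
    cmds = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        for segment in re.split(r"\s*(?:;|\|\||&&|\|)\s*", line):
            tokens = segment.split()
            while tokens and tokens[0] in KEYWORDS:
                tokens.pop(0)
            if not tokens:
                continue
            cmd = tokens[0]
            if cmd in BUILTINS or "=" in cmd or cmd.startswith("$"):
                continue  # assignment, builtin or variable expansion
            cmds.add(cmd)
    return cmds


def parse_ls_lo(text):
    """Parse `ls -ldo` lines into {path: set(flags)}."""
    flags = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        flags[fields[-1]] = set() if fields[4] == "-" else set(fields[4].split(","))
    return flags


def resolve(cmd, path_dirs, listing):
    """Resolve a bare command the way sh would, but only against the listing."""
    if "/" in cmd:
        return cmd
    for d in path_dirs:
        candidate = d.rstrip("/") + "/" + cmd
        if candidate in listing:
            return candidate
    return None


def unprotected_chain(path, listing):
    """The path and each ancestor below '/' that lacks schg (Dave's rule)."""
    p = PurePosixPath(path)
    return [str(n) for n in [p, *p.parents]
            if str(n) != "/" and "schg" not in listing.get(str(n), set())]


def audit_rc(rc_text, listing_text):
    """Map each rc-invoked command to its list of unprotected path components."""
    listing = parse_ls_lo(listing_text)
    m = re.search(r"^PATH=(\S+)", rc_text, re.M)
    path_dirs = m.group(1).split(":") if m else ["/sbin", "/bin", "/usr/sbin", "/usr/bin"]
    report = {}
    for cmd in sorted(commands_from_rc(rc_text)):
        resolved = resolve(cmd, path_dirs, listing)
        if resolved is None:
            report[cmd] = ["not found in listing"]
        else:
            report[resolved] = unprotected_chain(resolved, listing)
    return report


if __name__ == "__main__":
    for path, problems in audit_rc(RC_FRAGMENT, LS_OUTPUT).items():
        print(path, "OK" if not problems else "needs schg on: " + ", ".join(problems))
```

In the constructed data /sbin/fsck and /sbin/dmesg pass (file and /sbin both schg), /sbin/mount fails on the file itself, /bin/chmod, /bin/rm and /bin/stty fail because /bin is not immutable, and the /usr/bin tools fail because /usr is not, which is exactly the directory-swap case Dave described. A command the listing does not contain (sysctl here) is reported separately rather than silently passed.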
From: "Karl M. Joch"
Subject: PHPNuke exploit
Date: Sun, 7 Oct 2001 03:13:22 +0200

For all running PHPNuke. There is an exploit in admin.php which allows copying/uploading files. There are 2 articles on www.freebsd.at.

karl

From owner-freebsd-security Sat Oct 6 18:30:21 2001
Date: Sat, 6 Oct 2001 18:30:13 -0700
From: Kameron Gasso To: "Karl M. Joch" Cc: freebsd-security@FreeBSD.ORG Subject: Re: [Somewhat OT] PHPNuke exploit Message-ID: <20011006183012.A64097@blort.org> Reply-To: kgasso@blort.org References: <02da01c14ecd$4610e8a0$0a05a8c0@ooe.kmjeuro.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <02da01c14ecd$4610e8a0$0a05a8c0@ooe.kmjeuro.com>; from k.joch@kmjeuro.com on Sun, Oct 07, 2001 at 03:13:22AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * At 18:10PDT on 10/06/2001, Karl M. Joch wrote: > For all running PHPNuke. There is a exploit in admin.php which allows > copying/uploading files. there are 2 articles on www.freebsd.at. I know, this is a bit offtopic for the list, but... IIRC wasn't the vulnerability part of the file upload functionality in PHP-Nuke? I disabled this (through force, before all the nice patches were available ;) quite a while back on one of my sites, and haven't been able to successfully exploit myself. The problem is, this didn't get a lot of attention - especially considering how many sites actually do run PHP-Nuke. There's quite a bit of info, including patches at: http://www.phpnuke.org/article.php?sid=2662&mode=thread&order=0&thold=0 If there are any unpatched nukers amongst us, I suggest you go grab the available patches secure your site _now_ before some script kiddie defaces your page to impress his "friends", or worse, uses his newly gained local access to your machine to gain root. 
Cheers, Kameron Gasso kgasso@blort.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 6 22:57: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id E981337B401 for ; Sat, 6 Oct 2001 22:56:58 -0700 (PDT) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id HAA68407; Sun, 7 Oct 2001 07:56:54 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: cjclark@alum.mit.edu Cc: D J Hawkey Jr , Alexander Langer , deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20011004023034.U8391@blossom.cjclark.org> 
From: Dag-Erling Smorgrav Date: 07 Oct 2001 07:56:54 +0200 In-Reply-To: <20011004023034.U8391@blossom.cjclark.org> Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Crist J. Clark" writes: > I went in and made a very simple kernel-build option which disables > the use of kldload(2) (and kldunload(2)) at all times. # vi /boot/loader.conf # shutdown -r now DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
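DES's two commands make the point that a kernel with kldload(2) compiled out still honours the module entries in /boot/loader.conf at the next boot. As an added example that is not from the thread, the POSIX shell script below audits a loader.conf for *_load="YES" entries that are missing from an administrator's allowlist; the sample loader.conf and the allowlist are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit which kernel modules a
# loader.conf will pull in at boot, since the boot loader honours these
# entries regardless of whether kldload(2) works in the running kernel.

# Constructed sample standing in for /boot/loader.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed loader.conf for this example
snd_ich_load="YES"
if_fxp_load="YES"          # NIC driver the admin expects
hostile_load="YES"         # not on the allowlist: should be reported
acpi_load="NO"
kernel="kernel"
EOF

# Modules the administrator has approved (constructed allowlist).
ALLOWED="snd_ich if_fxp"

# Print the names of all modules scheduled to load at boot, one per line.
boot_modules() {
    sed -e 's/#.*//' "$1" |
    awk -F'=' '/_load=/ {
        name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
        val = $2;  gsub(/[" \t]/, "", val)
        if (toupper(val) == "YES") { sub(/_load$/, "", name); print name }
    }'
}

# Print boot modules missing from the allowlist; exit 1 if any, else 0.
unexpected_modules() {
    conf=$1; allowed=$2; found=0
    for m in $(boot_modules "$conf"); do
        case " $allowed " in
            *" $m "*) ;;
            *) echo "$m"; found=1 ;;
        esac
    done
    return $found
}

if unexpected_modules "$SAMPLE_CONF" "$ALLOWED"; then
    echo "loader.conf: only allowlisted modules"
else
    echo "loader.conf: unexpected module(s) listed above"
fi
```

Pointing the functions at the real /boot/loader.conf from a periodic job gives a cheap check that a module entry has not been added behind the administrator's back.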