From owner-freebsd-security Sun Feb 3 7:37:12 2002
From: Robert Watson
Date: Sun, 3 Feb 2002 10:36:03 -0500 (EST)
To: suporte
Cc: freebsd-security@freebsd.org
Subject: Re: crashs on 4.5RC
In-Reply-To: <008c01c1ab66$b0692820$616156d1@DSGX1WZFFGDP93>

On Fri, 1 Feb 2002, suporte wrote:

> i updated my 4.4 to an 4.5RC the first time that i compiled .. it was
> crashing almost every single hour .. i booted up again on the old
> 4.5PRE-RELEASE .. and recompiled the kernel with the new updates from
> cvsup .. k so was finally stable again .. now i can't get an uptime more
> than 4 days .. so i tried again yesterday made another update using the
> cvsup there was a bunch of things new there .. i compile again .. how
> many time do u guys think this thing gonna keep resetting me and a bunch
> of friends we're having the same problems .. we really use the machine
> is not just a simple for mails .. is for eggdrops/apache/ircds/bncs ..
> stuffs like that .. can anybody give me a light ?

You need to be more specific.  What do you mean by "crash" -- do you get
a system panic, a system hang, a reboot without a message?  Is any output
generated along the way?

One common pitfall identified in the release notes was a change in default
sizing of socket buffers, which requires some busy sites to increase
nmbclusters (either by recompiling with different kernel configuration
settings, or simply updating loader.conf to use a larger hard-coded
value).  Potentially, you could be running into that.

If you're getting a panic, this can be debugged using the kernel debugging
recommendations in the FreeBSD handbook.  You'll either want to enable
dumping of system core, or include options DDB in the kernel so you can
debug live.  You'll also want to build the kernel using debugging symbols
so that the results are useful.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Feb 3 14:57:59 2002
From: Jason Stone
Date: Sun, 3 Feb 2002 14:57:44 -0800 (PST)
Subject: Re: crashs on 4.5RC
Message-ID: <20020203143638.N6370-100000@walter>

> > i updated my 4.4 to an 4.5RC the first time that i compiled .. it was
> > crashing almost every single hour .. i booted up again on the old
> > 4.5PRE-RELEASE .. and recompiled the kernel with the new updates from
>
> You need to be more specific.  What do you mean by "crash" -- do you
> get a system panic, a system hang, a reboot without a message?  Is any
> output generated along the way?  One common pitfall identified in the
> release notes was a change in default sizing of socket buffers, which
> requires some busy sites to increase nmbclusters (either by
> recompiling with different kernel configuration settings, or simply
> updating loader.conf to use a larger hard-coded value).  Potentially,
> you could be running into that.

I may have had a similar experience.  My server running 4.5RC crashed
inexplicably a couple days ago.  The kernel panicked, and I think it hung
while trying to generate a crashdump (the tech who rebooted it said there
was a message about "unable to open ata device," or somesuch - sorry I
can't be more specific - I couldn't get to the console, and there was no
crashdump after rebooting).

The last messages in my logs before the box went down were:

Feb 2 11:47:28 walter /kernel: m_retry failed, consider increase mbuf value
Feb 2 11:47:28 walter /kernel: m_retryhdr failed, consider increase mbuf value
Feb 2 11:47:29 walter /kernel: fxp0: mbuf allocation failed, packet dropped!
Feb 2 11:47:29 walter last message repeated 15 times

So my question is, is it possible to panic and crash a FreeBSD box by
overflowing its nmbclusters?

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
     -- Mike Godwin

From owner-freebsd-security Sun Feb 3 16:53:13 2002
From: Mike Silbersack
Date: Sun, 3 Feb 2002 18:56:10 +0000 (GMT)
To: Jason Stone
Cc: freebsd-security@freebsd.org
Subject: Re: crashs on 4.5RC
In-Reply-To: <20020203143638.N6370-100000@walter>
Message-ID: <20020203185219.P11305-100000@patrocles.silby.com>

On Sun, 3 Feb 2002, Jason Stone wrote:

> The last messages in my logs before the box went down were:
>
> Feb 2 11:47:28 walter /kernel: m_retry failed, consider increase mbuf value
> Feb 2 11:47:28 walter /kernel: m_retryhdr failed, consider increase mbuf value
> Feb 2 11:47:29 walter /kernel: fxp0: mbuf allocation failed, packet dropped!
> Feb 2 11:47:29 walter last message repeated 15 times
>
> So my question is, is it possible to panic and crash a FreeBSD box by
> overflowing its nmbclusters?
>
> -Jason

In theory, no.  However, if there's a piece of code which doesn't expect
to have mbuf allocations ever fail, then a panic and crash could very well
occur.  Also, network connections failing could cause a userland app to
start acting really strange.

So, we'd need more information to really know.

Mike "Silby" Silbersack

From owner-freebsd-security Sun Feb 3 18:44:14 2002
From: Ralph Huntington
Date: Sun, 3 Feb 2002 21:43:57 -0500 (EST)
To: Mike Silbersack
Cc: Jason Stone
Subject: Re: crashs on 4.5RC
In-Reply-To: <20020203185219.P11305-100000@patrocles.silby.com>
Message-ID: <20020203214321.P34108-100000@mohegan.mohawk.net>

Gentlemen, this is not a security issue. Please take it to the appropriate
list. Please. Thank you. ;-)

On Sun, 3 Feb 2002, Mike Silbersack wrote:

>
> On Sun, 3 Feb 2002, Jason Stone wrote:
>
> > The last messages in my logs before the box went down were:
> >
> > Feb 2 11:47:28 walter /kernel: m_retry failed, consider increase mbuf value
> > Feb 2 11:47:28 walter /kernel: m_retryhdr failed, consider increase mbuf value
> > Feb 2 11:47:29 walter /kernel: fxp0: mbuf allocation failed, packet dropped!
> > Feb 2 11:47:29 walter last message repeated 15 times
> >
> > So my question is, is it possible to panic and crash a FreeBSD box by
> > overflowing its nmbclusters?
> >
> > -Jason
>
> In theory, no.  However, if there's a piece of code which doesn't expect
> to have mbuf allocations ever fail, then a panic and crash could very well
> occur.  Also, network connections failing could cause a userland app to
> start acting really strange.
>
> So, we'd need more information to really know.
>
> Mike "Silby" Silbersack
>

From owner-freebsd-security Sun Feb 3 19:35:07 2002
From: Chris BeHanna
Reply-To: Chris BeHanna
Date: Sun, 3 Feb 2002 22:34:55 -0500 (EST)
Subject: Re: weird server activity
Message-ID: <20020203223304.Q70920-100000@topperwein.dyndns.org>

On Sat, 26 Jan 2002, William J. Borskey wrote:

> I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago
> my system went down and I wasn't able to log in or look at any web
> pages. I could connect, but it would not spawn a process to log me in,
> or serve me a web document. I got someone to reboot the machine from the
> console, I was then able to log into the machine. Starting processes was
> slow but top reports normal system loads. Then after about an hour the
> machine would no longer run any processes and quickly shut me out by
> killing the sshd I was connected with. I did get a chance to look at
> some of my logs, not all unfortunately. The httpd-access file had some
> weird sequences of Windows-sounding paths, but it wasn't Code Red or
> anything like Code Red:
>
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> [...snip...]

    This looks like NIMDA, which can generate enough 404 traffic to choke
your machine's pipe.  Unless your setup allows for La Brea, it's best to
blackhole these things rather than issue responses.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
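Both log excerpts quoted above (the mbuf warnings in Jason's message and the root.exe/cmd.exe probes in William's) are worth catching automatically rather than noticing after the box has fallen over. The following Python is an added example, not code from any poster or from FreeBSD: it runs both checks over constructed copies of those lines, folds syslog's "last message repeated N times" into the preceding message, and renders ipfw deny rules (the blackholing Chris suggests) for sources that exceed an assumed threshold. Function names, thresholds, rule numbers and the extra sample lines are this example's own assumptions.

```python
"""Detection over the two log excerpts quoted in this digest (constructed copies).

Check 1: kernel mbuf-exhaustion messages ('consider increase mbuf value' and
         'mbuf allocation failed'), counting syslog's 'last message repeated
         N times' lines correctly.
Check 2: IIS worm probes (root.exe / cmd.exe / MSADC) in an Apache access log,
         with ipfw blackhole rules rendered for the noisiest sources.
All names, thresholds and sample data here are this example's assumptions.
"""
import re
from collections import Counter

# Constructed copy of the kernel log lines Jason posted, plus two unrelated
# lines so the 'repeated N times' handling has a negative case.
KERNEL_LOG = """\
Feb 2 11:47:28 walter /kernel: m_retry failed, consider increase mbuf value
Feb 2 11:47:28 walter /kernel: m_retryhdr failed, consider increase mbuf value
Feb 2 11:47:29 walter /kernel: fxp0: mbuf allocation failed, packet dropped!
Feb 2 11:47:29 walter last message repeated 15 times
Feb 2 11:47:30 walter sshd[123]: Accepted publickey for ops from 192.0.2.7
Feb 2 11:47:30 walter last message repeated 2 times
"""

# Constructed copy of the httpd-access lines William posted, plus one normal hit.
ACCESS_LOG = """\
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
192.0.2.10 - - [19/Jan/2002:15:13:01 -0600] "GET /index.html HTTP/1.0" 200 1532
"""

MBUF_RE = re.compile(r"m_retry(?:hdr)? failed|mbuf allocation failed")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def count_mbuf_failures(log_text):
    """Number of mbuf allocation failures, with 'repeated N times' lines
    credited to whatever message immediately preceded them."""
    total = 0
    last_was_mbuf = False
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            if last_was_mbuf:
                total += int(rep.group(1))
            continue  # a repeat line does not change what the 'last message' was
        last_was_mbuf = bool(MBUF_RE.search(line))
        if last_was_mbuf:
            total += 1
    return total


# Apache common/combined log: client, identd, user, [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Request paths from the posted excerpt. Apache answers them with 404, as in the
# excerpt, so the status code is not the signal; the requested path is.
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|/MSADC/", re.IGNORECASE)


def find_iis_probes(log_text):
    """Map source IP -> number of requests whose path matches an IIS worm probe."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(m.group("path")):
            hits[m.group("ip")] += 1
    return dict(hits)


def blackhole_rules(hits, threshold=3, first_rule=1000):
    """Render ipfw deny rules (silent drop, no 404 sent back) for sources at or
    above the threshold. Threshold and rule numbering are assumptions."""
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    return [f"ipfw add {first_rule + i} deny ip from {ip} to any"
            for i, ip in enumerate(offenders)]


if __name__ == "__main__":
    print("mbuf failures:", count_mbuf_failures(KERNEL_LOG))   # 18
    probes = find_iis_probes(ACCESS_LOG)
    print("probe sources:", probes)                            # {'147.46.54.38': 3}
    for rule in blackhole_rules(probes):
        print(rule)
```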
From owner-freebsd-security Mon Feb 4 7:37:15 2002
From: Petko Popadiyski
Date: Mon, 4 Feb 2002 17:23:25 +0200
To: freebsd-security@freebsd.org
Subject: Reliable shell logs
Message-ID: <20020204152325.GA64082@fbi.gov>
Reply-To: petko@freebsd-bg.org

Recently one of my systems was hacked. I succeeded in stopping the hacker
from deleting files, so my logs from syslogd weren't touched. The problem
is that I don't know what commands the hacker used while he was logged in
to my system. I am using zshell 4.0.4, but I don't think that the .history
file is reliable. In my case the shell was killed and it didn't manage to
write the logs from the login to the file. There are options like
INC_APPEND_HISTORY, where the new history lines are added as soon as they
are entered, but in this case the intruder can delete the history file,
and I will see in it only "rm .history".

I would like to know if there is a way to log the used commands
incrementally with syslogd, which will provide secure logging (if syslogd
uses another computer for storing them).

Also I would like to ask how to make a user's .history file inaccessible
to its owner (to prevent it from being deleted)?

-- 
Best wishes,
Petko Popadiyski
ICQ: 59468934

From owner-freebsd-security Mon Feb 4 8:39:52 2002
From: Geir Råness
Date: Mon, 4 Feb 2002 17:39:09 +0100
Subject: Re: Reliable shell logs
Message-ID: <001401c1ad9a$7be6d9e0$0100a8c0@elixor>
References: <20020204152325.GA64082@fbi.gov>

You could always set your users to the shell bash, that is patched with the
"bofh" logging. That's one way you could securely log your users, but it
could be found. It all depends on the intruder.

This you can do something about, however: you can have a local log server
that the "shell" server sends the log to, with upload access only. So the
intruder can't delete the logs. You probably should make this server local
login only.

Geir Råness
PulZ @ efnet

----- Original Message -----
From: "Petko Popadiyski"
Sent: Monday, February 04, 2002 4:23 PM
Subject: Reliable shell logs

From owner-freebsd-security Mon Feb 4 8:54:10 2002
From: Ceri
Date: Mon, 4 Feb 2002 16:53:47 +0000
To: Geir Råness
Cc: petko@freebsd-bg.org, freebsd-security@freebsd.org
Subject: Re: Reliable shell logs
Message-ID: <20020204165347.GA5362@rhadamanth>
In-Reply-To: <001401c1ad9a$7be6d9e0$0100a8c0@elixor>

On Mon, Feb 04, 2002 at 05:39:09PM +0100, Geir Råness wrote:
> You could always set your users to the shell bash, that is patched with the
> "bofh" logging.

There is a tcsh version of that patch around somewhere too.

Ceri
-- 
keep a mild groove on

From owner-freebsd-security Mon Feb 4 9:03:37 2002
From: Ceri Storey
Date: Mon, 4 Feb 2002 17:03:08 GMT
To: Petko Popadiyski
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
Message-Id: <200202041703.RAA13046@pkl.net>
In-Reply-To: <20020204152325.GA64082@fbi.gov>

On Mon, Feb 04, 2002 at 05:23:25PM +0200, Petko Popadiyski wrote:
> I don't think that .history file is reliable. In my case the shell

You'd be right there.

> in it only "rm .history". I would like to know is there a way to
> log the used commands incrementally with syslogd , which will provide
> secure logging (if syslogd uses another computer for storing them).

Yes, there's a wonderful thing known as process accounting, which will
record every command executed.  Although I'm unsure whether it's possible
to log command line arguments.

> Also I would like to ask how to make a user .history file inaccessible
> for his owner ( to prevent it from deleting)?

Use "chflags sappend", this will set the "system append only flag", ie:
you may only append to the file, and it's only settable/unsettable by
root.

In any case, there's nothing stopping a user from running his own shell
(unless you've taken somewhat fascist measures to prevent this, eg:
mounting user-writable filesystems no-execute) which does not log
commands issued.

-- 
Ceri Storey            http://pkl.net/~cez/
vi(1)! postfix(7)! pie(5)!

From owner-freebsd-security Mon Feb 4 10:18:48 2002
From: Martin McCormick
Date: Mon, 04 Feb 2002 12:18:42 -0600
To: freebsd-security@FreeBSD.ORG
Subject: Port 113 Traffic
Message-Id: <200202041818.g14IIgM69616@dc.cis.okstate.edu>

	Why might a FreeBSD system be generating traffic on port
113?  We have noticed occasional traffic from a FreeBSD system of
ours to various addresses outside our network on Port 113.

	If I blocked it altogether with IPFW, would it affect ssh
in any way?

	I am theorizing right now that hosts in the big wide
world are occasionally probing this port and the traffic might be
a response of some kind, maybe nothing more than "I don't know
you.  Goodbye!"

	Hopefully, our sniffer will eventually see one of the
exchanges and we will have a better idea of what is going on.
Martin McCormick WB5AGZ Stillwater, OK OSU Center for Computing and Information Services Network Operations Group To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 4 10:21:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id 4660337B419 for ; Mon, 4 Feb 2002 10:21:19 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1192) id 195CA10DDF7; Mon, 4 Feb 2002 10:21:19 -0800 (PST) Date: Mon, 4 Feb 2002 10:21:19 -0800 From: Alfred Perlstein To: Martin McCormick Cc: freebsd-security@FreeBSD.ORG Subject: Re: Port 113 Traffic Message-ID: <20020204102119.C12744@elvis.mu.org> References: <200202041818.g14IIgM69616@dc.cis.okstate.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200202041818.g14IIgM69616@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Mon, Feb 04, 2002 at 12:18:42PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Martin McCormick [020204 10:18] wrote: > Why might a FreeBSD system be generating traffic on port > 113? We have noticed occasional traffic from a FreeBSD system of > ours to various addresses outside our network on Port 113. Do some research on "ident". 
-Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 4 10:24:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id B93B737B49C for ; Mon, 4 Feb 2002 10:23:55 -0800 (PST) Received: from fpsn.net (control.fpsn.net [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g14IN5m61304; Mon, 4 Feb 2002 11:23:05 -0700 (MST) Message-ID: <3C5ED186.3B2801CF@fpsn.net> Date: Mon, 04 Feb 2002 11:23:02 -0700 From: Colin Faber Organization: fpsn.net, Inc. (http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Martin McCormick Cc: freebsd-security@FreeBSD.ORG Subject: Re: Port 113 Traffic References: <200202041818.g14IIgM69616@dc.cis.okstate.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, cat /etc/services | grep 113 auth 113/tcp ident tap #Authentication Service auth 113/udp ident tap #Authentication Service Martin McCormick wrote: > > Why might a FreeBSD system be generating traffic on port > 113? We have noticed occasional traffic from a FreeBSD system of > ours to various addresses outside our network on Port 113. > > If I blocked it altogether with IPFW, would it effect ssh > in any way? > > I am theorizing right now that hosts in the big wide > world are occasionally probing this port and the traffic might be > a response of some kind, maybe nothing more than "I don't know > you. Goodbye!" > > Hopefully, our sniffer will eventually see one of the > exchanges and we will have a better idea of what is going on. 
> > Martin McCormick WB5AGZ Stillwater, OK > OSU Center for Computing and Information Services Network Operations Group > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Colin Faber (303) 859-1491 fpsn.net, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 4 10:25: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from theinternet.com.au (c20631.kelvn1.qld.optusnet.com.au [203.164.207.8]) by hub.freebsd.org (Postfix) with ESMTP id AB7FC37B41D for ; Mon, 4 Feb 2002 10:24:20 -0800 (PST) Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g14IN4D39896; Tue, 5 Feb 2002 04:23:04 +1000 (EST) (envelope-from akm) Date: Tue, 5 Feb 2002 04:23:04 +1000 From: Andrew Kenneth Milton To: Martin McCormick Cc: freebsd-security@FreeBSD.ORG Subject: Re: Port 113 Traffic Message-ID: <20020205042304.K32999@zeus.theinternet.com.au> References: <200202041818.g14IIgM69616@dc.cis.okstate.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200202041818.g14IIgM69616@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Mon, Feb 04, 2002 at 12:18:42PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org +-------[ Martin McCormick ]---------------------- | Why might a FreeBSD system be generating traffic on port | 113? We have noticed occasional traffic from a FreeBSD system of | ours to various addresses outside our network on Port 113. 113 is the ident/auth port. There are a number of things that query the ident port, IRC servers, sendmail, and squid to name a few. It's probably nothing to be worried about. 
If you block it and something stops working, I'm sure someone will scream at you d8) -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 4 10:25:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns.ulstu.ru (ns.ulstu.ru [62.76.34.36]) by hub.freebsd.org (Postfix) with ESMTP id DE0F737B434 for ; Mon, 4 Feb 2002 10:24:48 -0800 (PST) Received: by ns.ulstu.ru (Postfix-ULSTU, from userid 3909) id D9443107861; Mon, 4 Feb 2002 21:24:46 +0300 (MSK) Date: Mon, 4 Feb 2002 21:24:46 +0300 From: zhuravlev alexander To: freebsd-security@FreeBSD.ORG Subject: Re: Port 113 Traffic Message-ID: <20020204212446.A94743@ulstu.ru> Reply-To: zhuravlev alexander Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <200202041818.g14IIgM69616@dc.cis.okstate.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre2i In-Reply-To: <200202041818.g14IIgM69616@dc.cis.okstate.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Feb 04, 2002 at 12:18:42PM -0600, Martin McCormick wrote: > Why might a FreeBSD system be generating traffic on port > 113? We have noticed occasional traffic from a FreeBSD system of > ours to various addresses outside our network on Port 113. > > If I blocked it altogether with IPFW, would it effect ssh > in any way? > your system try to send ident requests to other systems you can safely block this requests. 
> I am theorizing right now that hosts in the big wide world are occasionally probing this port and the traffic might be a response of some kind, maybe nothing more than "I don't know you. Goodbye!"
>
> Hopefully, our sniffer will eventually see one of the exchanges and we will have a better idea of what is going on.
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Center for Computing and Information Services Network Operations Group
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
zhuravlev alexander u l s t u c t c e-mail:zaa@ulstu.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From: Martin McCormick
To: freebsd-security@FreeBSD.ORG
Subject: Re: Port 113 Traffic
Date: Mon, 04 Feb 2002 13:14:44 -0600
Message-Id: <200202041914.g14JEiM74583@dc.cis.okstate.edu>

Thank you to all of you who have answered. One of the first things I did was to look in /etc/services which is what I usually do if there is a question about what this or that port is used for and it did show up as auth, all right. A man on auth yielded the auth_getval function in C and not much else so I knew it was some kind of authorization engine and that's where my trail ran a bit cold.

I checked out ident and learned what rcs is for, but never found any reference to auth so I greatly appreciate the information that links it with sendmail, etc. I may block it experimentally and see if anything does break since I have ipfw running and it is a simple matter to add a new rule or remove it later. Sendmail is the only service I am running that I might break by closing that port so I will close it and see if sendmail still runs.

Martin

Andrew Kenneth Milton writes:
> 113 is the ident/auth port.
>
> There are a number of things that query the ident port, IRC servers, sendmail, and squid to name a few. It's probably nothing to be worried about.
>
> If you block it and something stops working, I'm sure someone will scream at you d8)
>
> --
> Totally Holistic Enterprises Internet| | Andrew Milton
> The Internet (Aust) Pty Ltd | |
> ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
> PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|

Date: Mon, 4 Feb 2002 20:25:32 +0100
From: Bart Matthaei
To: Martin McCormick
Cc: freebsd-security@freebsd.org
Subject: Re: Port 113 Traffic
Message-ID: <20020204202532.P34448@heresy.dreamflow.nl>
In-Reply-To: <200202041914.g14JEiM74583@dc.cis.okstate.edu>

On Mon, Feb 04, 2002 at 01:14:44PM -0600, Martin McCormick wrote:
[snip]

You don't wanna block ident. It's trivial. If you block it, ident requests to your machine will time out, resulting in a slow initialization of connections like irc, to name one. If you're sure you don't wanna use identd, it's best to just shut the service down, instead of blocking it. The ident server that's connecting to your server will just see a connection refused and carry on.

With Regards,

Bart Matthaei

--
Bart Matthaei bart@dreamflow.nl

Support wildlife -- vote for an orgy.

Date: Mon, 4 Feb 2002 14:29:32 -0500
From: Bob K
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 113 Traffic
Message-ID: <20020204142931.K454@yip.org>
In-Reply-To: <200202041914.g14JEiM74583@dc.cis.okstate.edu>

On Mon, Feb 04, 2002 at 01:14:44PM -0600, Martin McCormick wrote:
>
> I may block it experimentally and see if anything does break since I have ipfw running and it is a simple matter to add a new rule or remove it later. Sendmail is the only service I am running that I might break by closing that port so I will close it and see if sendmail still runs.

Handy tip: When you block it, I would suggest having your firewall rule reset the TCP connection instead of simply dropping it - otherwise all programs that are attempting to ident things will have to wait for the ident request to time out. Use the 'reset' action as opposed to the 'deny' action for ipfw...

--
Bob | There's more to life than e-mail, supposedly.
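The exchange the thread is arguing about, as an added example (my code, not anything posted by Bart, Bob or Krzysztof, and not the bsidentd project's code): a small RFC 1413 client run against three localhost stand-ins, a daemon that answers with a throwaway token the way bsidentd and inetd's fake-ID mode do (both come up later in the thread), a closed port (the connection-refused or RST case), and a daemon that takes the query and never answers (a stand-in for a dropped packet, since no firewall is involved here). The request ports, the 0.5 s timeout and the token length are constructed values.

```python
"""RFC 1413 (ident/auth, TCP 113) client plus a fake-ID responder; added example."""
import secrets
import socket
import string
import threading


def random_token(n=6):
    """Fresh fake user ID per query (the bsidentd / inetd fake-ID idea): the token
    is not derived from the real owner of the connection, so it leaks nothing."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def build_reply(request_line, hide_users=True, owner=None):
    """Server side: turn a '<server-port>, <client-port>' request into a reply."""
    try:
        sp, cp = (int(x) for x in request_line.strip().split(","))
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (0 < sp < 65536 and 0 < cp < 65536):
        return f"{sp} , {cp} : ERROR : INVALID-PORT\r\n"
    if hide_users:  # random token, OS type reported as UNKNOWN (cf. inetd's -o UNKNOWN)
        return f"{sp} , {cp} : USERID : UNKNOWN : {random_token()}\r\n"
    if owner is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n"
    return f"{sp} , {cp} : USERID : UNIX : {owner}\r\n"


def parse_reply(line):
    """Client side: split a reply into (server_port, client_port, kind, info)."""
    ports, _, rest = line.strip().partition(":")
    sp, cp = (int(x) for x in ports.split(","))
    kind, _, info = rest.strip().partition(":")
    if kind.strip() == "USERID":
        opsys, _, user = info.strip().partition(":")
        return sp, cp, "USERID", (opsys.strip(), user.strip())
    return sp, cp, "ERROR", info.strip()


def start_server(answer=True):
    """Listen on an ephemeral 127.0.0.1 port and serve one query in a thread.
    answer=True behaves like a hiding identd; answer=False takes the query and
    never replies, which is what a silently dropped request looks like to the
    caller (the effect of an ipfw 'deny' rule, as opposed to 'reset')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            request = conn.makefile("rb").readline().decode("ascii", "replace")
            if answer:
                conn.sendall(build_reply(request).encode("ascii"))
            else:
                threading.Event().wait(2)  # hold the connection open, say nothing
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A 127.0.0.1 port with no listener (constructed for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def query(port, server_port=6193, client_port=23, timeout=0.5):
    """Ask the identd at 127.0.0.1:port who owns <server_port, client_port>.
    Returns ('reply', parsed), ('refused', None) or ('timeout', None)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            line = s.makefile("rb").readline().decode("ascii", "replace")
    except ConnectionRefusedError:
        return "refused", None  # RST came back: the caller fails fast and moves on
    except socket.timeout:
        return "timeout", None  # nothing came back: the caller stalls until its timer fires
    return ("reply", parse_reply(line)) if line else ("timeout", None)


def demo():
    """Outcomes for: hiding identd, no identd (RST), silent drop. Returns their names."""
    return [query(start_server(answer=True))[0],
            query(closed_port())[0],
            query(start_server(answer=False))[0]]


if __name__ == "__main__":
    print(demo())  # ['reply', 'refused', 'timeout']
```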
Date: Mon, 4 Feb 2002 20:38:15 +0100
From: Krzysztof Zaraska
To: "Bart Matthaei"
Cc: martin@dc.cis.okstate.edu, freebsd-security@freebsd.org
Subject: Re: Port 113 Traffic
Message-Id: <20020204203815.09a893b9.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <20020204202532.P34448@heresy.dreamflow.nl>
Organization: Univ. of Mining And Metallurgy

On Mon, 4 Feb 2002 20:25:32 +0100 "Bart Matthaei" wrote:
> You don't wanna block ident. It's trivial. If you block it, ident requests to your machine will time out, resulting in a slow initialization of connections like irc, to name one.

Not necessarily. Just make your firewall reply to port 113 traffic with RST instead of silently dropping the packet. For the remote host it will look like you weren't running an ident daemon.

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

Date: Mon, 4 Feb 2002 14:34:59 -0800 (PST)
From: Mike Hoskins
To: Martin McCormick
Subject: Re: Port 113 Traffic
In-Reply-To: <200202041914.g14JEiM74583@dc.cis.okstate.edu>
Message-ID: <20020204142741.A53154-100000@snafu.adept.org>

On Mon, 4 Feb 2002, Martin McCormick wrote:
> auth, all right. A man on auth yielded the auth_getval function in C and not much else so I knew it was some kind of authorization engine and that's where my trail ran a bit cold.

'Auth' as used here provides the ident service, formerly provided by things like pidentd, and now served from FreeBSD's inetd as the 'auth' service. From /etc/inetd.conf,

    # Provide internally a real "ident" service which provides ~/.fakeid support,
    # provides ~/.noident support, reports UNKNOWN as the operating system type
    # and times out after 30 seconds.
    #auth   stream  tcp     nowait  root    internal        auth -r -f -n -o \
            UNKNOWN -t 30

Ident provides a historically trivially-bypassable (say that three times fast) means of identifying a remote user. As pointed out here, many services attempt ident queries.
Some (IRC) may fail to connect at all if ident is unavailable, others (mail) often continue on after the ident request times out... so be sure to configure your firewall per previous instructions in this thread.

Later,
-Mike

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin

Message-ID: <3C5F0E7B.4020508@rambo.simx.org>
Date: Mon, 04 Feb 2002 23:43:07 +0100
From: "Roger 'Rocky' Vetterberg"
Reply-To: listsub@rambo.simx.org
To: Geir Råness
Cc: petko@freebsd-bg.org, freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
References: <20020204152325.GA64082@fbi.gov> <001401c1ad9a$7be6d9e0$0100a8c0@elixor>

Geir Råness wrote:
> You always could set your users to the shell bash, that is patched with the "bofh" logging.
> That's one way you could secure log your users, but it could be found.
> It all depends on the intruder.

Do you know where I could find this patch? I tried google.com/bsd and found a bunch of sh patches, but none for bash.

And what stops the user from changing his shell? 'chsh' would let him change shell to csh, tcsh or whatever is available on the system, right? How can I prevent this?

> This you can do something about however, you can have a local log server, that the "shell" server sends the log to, with upload access only.
> So the intruder can't delete the logs, you probably should make this server local login only.
>
> Geir Råness
> PulZ @ efnet

--
R

Date: Tue, 5 Feb 2002 01:09:11 +0200 (EET)
From: Domas Mituzas
Subject: Re: Reliable shell logs
In-Reply-To: <3C5F0E7B.4020508@rambo.simx.org>
Message-ID: <20020205010230.U49413-100000@axis.tdd.lt>

Hi there,

> And what stops the user from changing his shell? 'chsh' would let him change shell to csh, tcsh or whatever is available on the system, right? How can I prevent this?

as well as nothing prevents the user from invoking perl and running shell commands from there. or... putting his own wrapper for syscall(SYS_exec,). Userland isn't the solution. Process accounting maybe is. Or even syscall accounting, aka auditing (TrustedBSD part?). Or the best way - do not let users invoke any commands on your system at all. Least privilege principle still works.

Of course, if you still wish to track your users, you should track all communication your system does with the outer world - keyboards, network bits coming to both sides. If you have too many bits coming to and fro, you'd find how to filter out the uninteresting ones. And then you'll have what is called an IDS, a rather sensitive one, of course. Script kiddies can be traced using bash logs, but not blackhats.

--
Cheers,
Domas

Date: Mon, 4 Feb 2002 18:23:09 +0000
From: Anthony Schneider
To: Ceri Storey
Cc: Petko Popadiyski, freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
Message-ID: <20020204182309.C1633@mail.slc.edu>
In-Reply-To: <20020204175744.B1056@mail.slc.edu>

> > Also i would like to ask how to make a user .history file unaccessible for his owner (to prevent it from deleting)?
> use "chflags sappend ", this will set the "system append only flag", ie: you may only append to the file, and it's only set/unsettable by root.

a user may still change the histfile (tcsh) or HISTFILE (bash, zsh) variable to simply point to another file, such as /dev/null. You may make this variable readonly by issuing the shell-builtin command (bash and zsh):

    readonly HISTFILE

If you put this in your system-wide shell config files and chflags them to be immutable, you can ensure that the history will be written only to the named HISTFILE. But, like someone else mentioned, this can easily be overcome by merely writing a simple perl shell and issuing system calls.

I believe that there is/was a kernel module at some point which allowed for more extensive logging of commands (full command-line minus symbols interpreted by the shell) which gives for at least somewhat more detailed logging than your basic accounting, assuming of course that accounting can't be made to do this already.

-Anthony.

p.s. sincerest apologies to anyone who has received multiple copies of this email. I've been having a few mail difficulties.
Date: Mon, 4 Feb 2002 19:14:49 -0500
From: "Peter C. Lai"
To: freebsd-security@freebsd.org
Subject: netscape 4.76 is forbidden?
Message-ID: <20020204191449.A7351@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu

Hi -
I tried to install netscape 4.76 the other day, and the port said it was forbidden, but I haven't seen a security announcement about this. Where can I get info on this? Particularly since some of my boxes had 4.76 on them before they became forbidden...

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

Date: Mon, 4 Feb 2002 20:09:06 -0500
From: Chris Thomas
To: freebsd-security@freebsd.org
Cc: Bart Matthaei
Subject: Re: Port 113 Traffic
Message-Id: <20020204200906.5559b083.resopmok@gramsc1.dyndns.org>
In-Reply-To: <20020204202532.P34448@heresy.dreamflow.nl>

Hi folks-

If I might make suggestions that will both fulfill security concerns and provide identd services. I ran across a program on freshmeat called bsidentd (http://freshmeat.net/projects/bsidentd/) which will provide a random auth response each time it is queried. It does not interact with user processes, yet prevents programs such as sendmail from hanging during auth query and allows services such as IRC, while at the same time protecting valuable information about user names.

As some may know, auth is a potential security risk when providing actual usernames, due in part to a feature in nmap which, during a connect scan, will query for the owner of open ports. Using bsidentd, you will generate a response such as this:

             State   Service  Owner
    21/tcp   open    ftp      ykpqe
    22/tcp   open    ssh      cqxw
    25/tcp   open    smtp     achrmp
    80/tcp   open    http     achrmp
    110/tcp  open    pop-3    untzdr
    113/tcp  open    auth     ykpqes

In this way valuable information about your system is protected, but an auth response is created, allowing services to run appropriately (It's also useful for avoiding IRC banmasks ;). Anyway, this is not a plug for the program, but a solution I have found to be useful for protecting anonymity yet still provide full services.

Enjoy,
-chris

On Mon, 4 Feb 2002 20:25:32 +0100 Bart Matthaei wrote about Re: Port 113 Traffic:
||On Mon, Feb 04, 2002 at 01:14:44PM -0600, Martin McCormick wrote:
||[snip]
||
||You don't wanna block ident. It's trivial. If you block it, ident requests to your machine will time out, resulting in a slow initialization of connections like irc, to name one.
||If you're sure you don't wanna use identd, it's best to just shut the service down, instead of blocking it. The ident server that's connecting to your server will just see a connection refused and carry on.
||
||With Regards,
||
||Bart Matthaei
||
||--
||Bart Matthaei bart@dreamflow.nl
||
||Support wildlife -- vote for an orgy.
||

Date: Mon, 4 Feb 2002 20:23:06 -0500 (EST)
From: Frank Tobin
To: Chris Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: Port 113 Traffic
In-Reply-To: <20020204200906.5559b083.resopmok@gramsc1.dyndns.org>
Message-ID: <20020204202140.H3351-100000@palanthas.neverending.org>

Chris Thomas, at 20:09 -0500 on 2002-02-04, wrote:
> As some may know, auth is a potential security risk when providing actual usernames, due in part to a feature in nmap which, during a connect scan, will query for the owner of open ports. Using bsidentd, you will generate a response such as this:

man inetd, search for -g.
--
Frank Tobin
http://www.neverending.org/~ftobin/

Message-ID: <3C5F444B.20A1BA74@osef.org>
Date: Mon, 04 Feb 2002 20:32:43 -0600
From: Scott Corey
Organization: Open Source Educational Foundation
To: peter.lai@uconn.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netscape 4.76 is forbidden?
References: <20020204191449.A7351@cowbert.2y.net>

Here it is:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:66.netscape.asc

Scott

"Peter C. Lai" wrote:
>
> Hi -
> I tried to install netscape 4.76 the other day, and the port said it was forbidden, but I haven't seen a security announcement about this. Where can I get info on this? Particularly since some of my boxes had 4.76 on them before they became forbidden...
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542 (Room)
> 860.486.1899 (Lab)
> 203.206.3784 (Cellphone)

Date: Mon, 4 Feb 2002 22:39:00 -0500 (EST)
From: Trevor Johnson
To: peter.lai@uconn.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: netscape 4.76 is forbidden?
In-Reply-To: <20020204191449.A7351@cowbert.2y.net>
Message-ID: <20020204223322.W9388-100000@blues.jpj.net>

> I tried to install netscape 4.76 the other day, and the port said it was forbidden, but I haven't seen a security announcement about this.
> Where can I get info on this?

http://www.securityfocus.com/archive/1/175060
http://dividuum.de/security/netscape/

--
Trevor Johnson

Message-ID: <3519662.1012881965895.Kada.Kada2(pc-92)@email3.gm20.com>
Date: Mon, 4 Feb 2002 23:06:05 -0500 (EST)
From: "marketing@aboutjcmorris.com"
To: freebsd-security@freebsd.org
Subject: Company Merger

YOU ARE RECEIVING THIS EMAIL BECAUSE YOU HAVE EXPRESSED INTEREST IN PRODUCTS THAT WE CAN SAVE YOU MONEY ON. IF YOU WOULD LIKE TO BE REMOVED FROM OUR MAILING LIST PLEASE CLICK THE UNSUBSCRIBE LINK AT THE BOTTOM OF THIS EMAIL. WE CAN ASSURE YOU THAT YOU WILL BE REMOVED IMMEDIATELY.

Important Announcement from J.C. Morris & Company

For the past few years, our customers have enjoyed the ability to purchase computers and related products from manufacturers like Sony, Apple, IBM, Toshiba and Compaq at prices below wholesale. J.C. Morris & Company has been able to accomplish this because of our direct relationship with distributors that use our Advertising & Marketing Services. Now, J.C. Morris & Company has teamed up with an additional distributor, Allied Interactive Micro-Systems, a company that specializes in the world-wide distribution of computer hardware, software and electronics, from manufacturers like Bose, Pioneer and Canon.

Here's your chance to get to know us, and from now until February 8, 2002 if you visit us on-line or in person and would like to make a purchase, we will give you an additional 30% off our current selling price.

This is our way of saying thank you for taking the time to visit our company.

Should you have any questions please feel free to call us at 1-800-845-6215 or direct at 404-521-3624. If you would like to be removed from our mailing list just click on the link below.

Sincerely,
Jim Morris
Vice President
J.C. Morris & Company
http://gm12.com/r.html?c=110218&r=110140&t=18247177&l=1&d=8163453&u=http://www.aboutjcmorris.com

Apple iMac $1099.00
http://gm12.com/r.html?c=110218&r=110140&t=18247177&l=1&d=8163453&u=http://www.aboutjcmorris.com

Tower Place Center Suite 1800, 3340 Peachtree Road NE
Atlanta, GA 30326
1-888-567-2444

Click here: mailto:cmprn110140@gm20.com?subject=unsubscribe!freebsd-security@freebsd.org!18247177 to unsubscribe from our mailing list. Or reply to this message with the word unsubscribe in the subject line.
From: rwatson
To: security@FreeBSD.org
Subject: Hello,sos!
Message-Id: <200202051315453.SM05096@alpha>
Date: Tue, 5 Feb 2002 13:15:18 +0800

****** Message from InterScan E-Mail VirusWall NT ******

** WARNING! Attached file $B8.4*=:(B.exe contains: WORM_KLEZ.F virus
It has been deleted.
***************** End of message *************** --M9e8PwlnpCu Content-Type: text/html; Content-Transfer-Encoding: quoted-printable --M9e8PwlnpCu --M9e8PwlnpCu Content-Type: application/octet-stream; name=thumbimage[3].jpg Content-Transfer-Encoding: base64 Content-ID: --M9e8PwlnpCu--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 4 21:37:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from addu.axelero.hu (mail02.axelero.hu [195.228.240.77]) by hub.freebsd.org
(Postfix) with ESMTP id 09F8F37B41C for ; Mon, 4 Feb 2002 21:37:41 -0800 (PST) Received: from Picasso.Zahemszky.HU (adsl-28-79.adsl-pool.axelero.hu [62.201.79.28]) by mail02.axelero.hu (iPlanet Messaging Server 5.1 (built Jan 30 2002)) with ESMTP id <0GR100NI9OYR1K@mail02.axelero.hu> for freebsd-security@freebsd.org; Tue, 05 Feb 2002 06:37:39 +0100 (MET) Received: (from zgabor@localhost) by Picasso.Zahemszky.HU (8.11.6/8.11.6) id g155ehg00270 for freebsd-security@freebsd.org; Tue, 05 Feb 2002 06:40:43 +0100 (CET envelope-from zgabor) Date: Tue, 05 Feb 2002 06:40:43 +0100 From: Zahemszky =?iso-8859-1?Q?G=E1bor?= Subject: Re: Port 113 Traffic In-reply-to: <20020204200906.5559b083.resopmok@gramsc1.dyndns.org> To: freebsd-security@freebsd.org Message-id: <20020205054043.GA210@Picasso.Zahemszky.HU> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.3.27i References: <200202041914.g14JEiM74583@dc.cis.okstate.edu> <20020204202532.P34448@heresy.dreamflow.nl> <20020204200906.5559b083.resopmok@gramsc1.dyndns.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Feb 04, 2002 at 08:09:06PM -0500, Chris Thomas wrote:
> Hi folks-
>
> If i might make suggestions that will both fulfill security concerns and
> provide identd services. I ran across a program on freshmeat called
> bsidentd (http://freshmeat.net/projects/bsidentd/) which will provide a
> random auth response each time it is queried. It does not interact with
> user processes, yet prevents programs such as sendmail from hanging during
> auth query and allows services such as IRC, while at the same time
> protecting valuable information about user names.

Hi!

And what about the FBSD's inetd's builtin identd (auth) and the -g option?

man inetd:

Currently, the only internal service to take arguments is ``auth''. Without options, the service will always return ``ERROR : HIDDEN-USER''. The available arguments to this service that alter its behavior are:

-g Instead of returning the user's name to the ident requester, report a username made up of random alphanumeric characters, e.g. ``c0c993''. The -g flag overrides not only the user names, but also any fallback name, .fakeid or .noident files.

Bye, ZGabor < Gabor at Zahemszky dot HU >

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 5 0: 2: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mta04ps.bigpond.com (mta04ps.bigpond.com [144.135.25.136]) by hub.freebsd.org (Postfix) with ESMTP id 9240837B42A for ; Tue, 5 Feb 2002 00:01:37 -0800 (PST) Received: from MICHAEL2 ([144.135.25.87]) by mta04ps.bigpond.com (Netscape Messaging Server 4.15) with SMTP id GR1VYN00.9VJ for ; Tue, 5 Feb 2002 18:08:47 +1000 Received: from CPE-203-45-56-251.vic.bigpond.net.au ([203.45.56.251]) by psmam07.mailsvc.email.bigpond.com(MailRouter V3.0h 125/6804500); 05 Feb 2002 18:01:34 Message-ID: <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2> From: "Michael Vince" To: Subject: SSH Date: Tue, 5 Feb 2002 19:01:36 +1100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_027E_01C1AE77.88EF2600" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender:
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format. ------=_NextPart_000_027E_01C1AE77.88EF2600 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Hey all.

I was thinking about setting up a maximum laziness maximum security security policy for myself.

I just wanted to know how dangerous are ssh keys with no password phrases? I mean if someone is packet sniffing you how much more bad is it to have a ssh2 key with no pass phrase compared to one that does..

And how bad would it be to have all the servers I have access to with different keys but the exact same password phrase like "pepsi"?

And is it more secure to have a pass phraseless (no pass phrase) ssh key compared to just using ssh with no keys and just using a password that belongs to the unix account?

I just find myself having a lot of passwords to remember and looking and changing the way I do things.

------=_NextPart_000_027E_01C1AE77.88EF2600 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_027E_01C1AE77.88EF2600--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 5 1:20:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.RWTH-Aachen.DE [137.226.46.168]) by hub.freebsd.org (Postfix) with ESMTP id C341637B400 for ; Tue, 5 Feb 2002 01:20:54 -0800 (PST) Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.11.6/8.11.6) id g159KrP55937 for freebsd-security@freebsd.org; Tue, 5 Feb 2002 10:20:53 +0100 (CET) (envelope-from kuku) Date: Tue, 5 Feb 2002 10:20:53 +0100 (CET) From: Christoph Kukulies Message-Id: <200202050920.g159KrP55937@gilberto.physik.RWTH-Aachen.DE> To: freebsd-security@freebsd.org Subject: .forward+ group writable directory Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Since two days my procmail filter isn't working anymore and I see these logs in my maillog.

It's FreeBSD 4.4 with ESMTP Sendmail 8.11.6/8.11.6 (the stock that comes with the distribution). Is it likely that I have been hacked? I see otherwise no signs thereof.

Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host+: Group writable directory
Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward+: Group writable directory
Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host: Group writable directory
Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward: Group writable directory

-- Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 5 1:26:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by hub.freebsd.org (Postfix) with ESMTP id 4056A37B41C for ; Tue, 5 Feb 2002 01:26:48 -0800 (PST) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g159PTD31341; Tue, 5 Feb 2002 01:25:29 -0800 (PST) (envelope-from jan@caustic.org) Date: Tue, 5 Feb 2002 01:25:28 -0800 (PST) From: "f.johan.beisser" X-X-Sender: jan@localhost To: Christoph Kukulies Cc: freebsd-security@FreeBSD.ORG Subject: Re: .forward+ group writable directory In-Reply-To: <200202050920.g159KrP55937@gilberto.physik.RWTH-Aachen.DE> Message-ID: <20020205012231.Q21734-100000@localhost> X-Ignore: This statement isn't supposed to be read by you X-TO-THE-FBI-CIA-AND-NSA: HI! HOW YA DOIN? MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 5 Feb 2002, Christoph Kukulies wrote: > > Since two days my procmail filter isn't working anymore and I > see these logs in my maillog. > > It's FreeBSD 4.4 with ESMTP Sendmail 8.11.6/8.11.6 (the stock > that comes withthe distribution). Is it likely that I have been > hacked? I see otherwise no signs thereof. 
>
>
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host+: Group writable directory
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward+: Group writable directory
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host: Group writable directory
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward: Group writable directory

i would start with checking your permissions on those files. most likely either A) the .forward file has 660 permissions (it *should* default to 755, i think.. depending on your umask), or B) your home directory has a similar permissions issue.

hope this gives you something to start with..

-------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 5 2: 2:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.RWTH-Aachen.DE [137.226.46.168]) by hub.freebsd.org (Postfix) with ESMTP id 04E7937B43B for ; Tue, 5 Feb 2002 02:02:29 -0800 (PST) Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.11.6/8.11.6) id g15A2PR56374; Tue, 5 Feb 2002 11:02:25 +0100 (CET) (envelope-from kuku) Date: Tue, 5 Feb 2002 11:02:25 +0100 From: Christoph Kukulies To: "f.johan.beisser" Cc: Christoph Kukulies , freebsd-security@FreeBSD.ORG Subject: Re: .forward+ group writable directory Message-ID: <20020205110225.B56176@gil.physik.rwth-aachen.de> References: <200202050920.g159KrP55937@gilberto.physik.RWTH-Aachen.DE> <20020205012231.Q21734-100000@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20020205012231.Q21734-100000@localhost>; from
jan@caustic.org on Tue, Feb 05, 2002 at 01:25:28AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Feb 05, 2002 at 01:25:28AM -0800, f.johan.beisser wrote:
> On Tue, 5 Feb 2002, Christoph Kukulies wrote:
>
> >
> > Since two days my procmail filter isn't working anymore and I
> > see these logs in my maillog.
> >
> > It's FreeBSD 4.4 with ESMTP Sendmail 8.11.6/8.11.6 (the stock
> > that comes with the distribution). Is it likely that I have been
> > hacked? I see otherwise no signs thereof.
> >
> >
> > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host+: Group writable directory
> > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward+: Group writable directory
> > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host: Group writable directory
> > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward: Group writable directory
>
> i would start with checking your permissions on those files. most likely
> either A) the .forward file has 660 permissions (it *should* default to
> 755, i think.. depending on your umask), or B) your home directory has a
> similar permissions issue.

Neither .forward+ nor .forward.host exist. But the problem immediately went away when I changed the home directory /home/user from mode 775 to mode 755. I have a .forward but that one has mode 600. I believe 'group writable' refers to the parent directory.

But I still do not know why that happened. I cannot recall having advertently changed the home directory to group writable.

-- Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 5 2: 5: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.RWTH-Aachen.DE [137.226.46.168]) by hub.freebsd.org (Postfix) with ESMTP id 2CE5837B434 for ; Tue, 5 Feb 2002 02:04:59 -0800 (PST) Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.11.6/8.11.6) id g15A4ta56409; Tue, 5 Feb 2002 11:04:55 +0100 (CET) (envelope-from kuku) Date: Tue, 5 Feb 2002 11:04:55 +0100 From: Christoph Kukulies To: "f.johan.beisser" Cc: Christoph Kukulies , freebsd-security@FreeBSD.ORG Subject: Re: .forward+ group writable directory Message-ID: <20020205110455.C56176@gil.physik.rwth-aachen.de> References: <200202050920.g159KrP55937@gilberto.physik.RWTH-Aachen.DE> <20020205012231.Q21734-100000@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20020205012231.Q21734-100000@localhost>; from jan@caustic.org on Tue, Feb 05, 2002 at 01:25:28AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Feb 05, 2002 at 01:25:28AM -0800, f.johan.beisser wrote: > On Tue, 5 Feb 2002, Christoph Kukulies wrote: > > > > > Since two days my procmail filter isn't working anymore and I > > see these logs in my maillog. Could it be that sendmail stopped using my procmail filter due to heave CPU load? And then 'latched' into a mode where it first time detected that my home directory was mode 775 and stayed complaining in this mode. Just a wild guess. > > > > It's FreeBSD 4.4 with ESMTP Sendmail 8.11.6/8.11.6 (the stock > > that comes withthe distribution). Is it likely that I have been > > hacked? I see otherwise no signs thereof. 
> > > > > > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host+: Group writable directory > > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward+: Group writable directory > > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host: Group writable directory > > Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward: Group writable directory > > i would start with checking your permissions on those files. most likely > either A) the .forward file has 660 permissions (it *should* default to > 755, i think.. depending on your umask), or B) your home directory has a > similar permissions issue. > > hope this gives you something to start with.. -- Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 5 2:53:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from memphis.mephi.ru (memphis.mephi.ru [194.67.67.234]) by hub.freebsd.org (Postfix) with ESMTP id ACEBE37B420 for ; Tue, 5 Feb 2002 02:53:06 -0800 (PST) Received: (from timon@localhost) by memphis.mephi.ru (8.11.6/8.11.3) id g15AqtM86807; Tue, 5 Feb 2002 13:52:55 +0300 (MSK) (envelope-from timon) Date: Tue, 5 Feb 2002 13:52:55 +0300 (MSK) From: "Artem 'Zazoobr' Ignatjev" Message-Id: <200202051052.g15AqtM86807@memphis.mephi.ru> To: freebsd-security@FreeBSD.ORG, kuku@gilberto.physik.RWTH-Aachen.DE Subject: Re: .forward+ group writable directory In-Reply-To: <200202050920.g159KrP55937@gilberto.physik.RWTH-Aachen.DE> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > From: Christoph Kukulies > To: freebsd-security@FreeBSD.ORG > Subject: .forward+ group writable directory > > Since two days my procmail filter 
isn't working anymore and I
> see these logs in my maillog.
>
> It's FreeBSD 4.4 with ESMTP Sendmail 8.11.6/8.11.6 (the stock
> that comes with the distribution). Is it likely that I have been
> hacked? I see otherwise no signs thereof.
>
>
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host+: Group writable directory
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward+: Group writable directory
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward.host: Group writable directory
> Feb 5 00:00:04 host sendmail[52966]: g14N03M52963: forward /home/user/.forward: Group writable directory

Sendmail treats group/world writable files/dirs (aliases, mail queue, etc) as insecure. You should either `chmod g-w /home/user' or read sendmail documentation (especially for security issues and "DontBlameSendmail" option).

Sincerely yours, Artem 'Zazoobr' Ignatjev.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 5 5:20:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail50.fg.online.no (mail50-s.fg.online.no [148.122.161.50]) by hub.freebsd.org (Postfix) with ESMTP id 17DBA37B422 for ; Tue, 5 Feb 2002 05:20:36 -0800 (PST) Received: from elixor (ti500720a080-0536.bb.online.no [146.172.50.24]) by mail50.fg.online.no (8.9.3/8.9.3) with SMTP id OAA22586; Tue, 5 Feb 2002 14:20:27 +0100 (MET) Message-ID: <003501c1ae47$dd96e790$0100a8c0@elixor> From: =?iso-8859-1?Q?Geir_R=E5ness?= To: Cc: References: <20020204152325.GA64082@fbi.gov> <001401c1ad9a$7be6d9e0$0100a8c0@elixor> <3C5F0E7B.4020508@rambo.simx.org> Subject: Re: Reliable shell logs Date: Tue, 5 Feb 2002 14:20:20 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By
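The path check behind the ".forward+ group writable directory" thread, as an added Python script that is not from the thread or from sendmail: it walks the directories on the way to each .forward candidate sendmail probes, reports the ones sendmail refuses (a simplification of sendmail's safefile(): only the group and world write bits are examined, and DontBlameSendmail is not modelled), and rebuilds the poster's 775-then-755 home directory in a scratch directory. The four candidate names, their order and the short hostname `host` are taken from the quoted log lines.

```python
"""Reproduce sendmail's "Group writable directory" refusal for a .forward.

Added example, not code from the thread or from sendmail.  sendmail checks
every directory on the way to a .forward candidate before it looks at the
file, which is why the maillog complained about .forward+ and .forward.host
even though those two files never existed.
"""
import os
import shutil
import socket
import stat
import sys
import tempfile

# The four candidates sendmail probed, in the order the maillog lines above
# show them (hostname- and +detail-qualified first, plain .forward last).
FORWARD_VARIANTS = (".forward.{host}+", ".forward+", ".forward.{host}", ".forward")


def ancestor_dirs(path, top):
    """Directories from `top` down to the one holding `path` (both absolute)."""
    if os.path.commonpath([path, top]) != top:
        raise ValueError(f"{path} is not below {top}")
    dirs = []
    d = os.path.dirname(path)
    while True:
        dirs.append(d)
        if d == top or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return dirs[::-1]


def unsafe_dirs(path, top=os.sep):
    """(dir, sendmail's complaint, mode) for each writable directory on the way
    to `path`; components that do not exist are skipped, as sendmail skips them."""
    bad = []
    for d in ancestor_dirs(os.path.abspath(path), os.path.abspath(top)):
        try:
            st = os.lstat(d)
        except FileNotFoundError:
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            bad.append((d, "World writable directory", stat.filemode(st.st_mode)))
        elif st.st_mode & stat.S_IWGRP:
            bad.append((d, "Group writable directory", stat.filemode(st.st_mode)))
    return bad


def forward_complaints(home, host, top=os.sep):
    """The 'forward <path>: <complaint>' maillog lines sendmail would log for
    this home directory: one per candidate whose path it refuses."""
    lines = []
    for pattern in FORWARD_VARIANTS:
        path = os.path.join(home, pattern.format(host=host))
        bad = unsafe_dirs(path, top)
        if bad:
            lines.append(f"forward {path}: {bad[0][1]}")
    return lines


def simulate_thread():
    """Rebuild the poster's situation in a scratch directory (constructed data):
    home mode 775 holding a mode 600 .forward, then the chmod to 755 that made
    the problem go away.  Returns (complaints_before, complaints_after) with
    the scratch path rewritten as /home/user to match the quoted log lines."""
    top = tempfile.mkdtemp()
    home = os.path.join(top, "user")
    try:
        os.mkdir(home)
        os.chmod(home, 0o775)          # the group-writable home from the thread
        forward = os.path.join(home, ".forward")
        open(forward, "w").close()
        os.chmod(forward, 0o600)       # the file itself was fine, as the poster said
        before = forward_complaints(home, "host", top)
        os.chmod(home, 0o755)          # the fix that made the complaints stop
        after = forward_complaints(home, "host", top)
    finally:
        shutil.rmtree(top)
    return ([m.replace(home, "/home/user") for m in before],
            [m.replace(home, "/home/user") for m in after])


if __name__ == "__main__":
    # Check a real home directory; the short hostname stands in for sendmail's $w.
    home = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    host = socket.gethostname().split(".")[0]
    for line in forward_complaints(home, host) or [f"{home}: no writable directory in the path"]:
        print(line)
```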
Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yeah, i have put them up at www.pulz.no/files/freebsd/Logging Read the readme files in them, and you probaly would find the url to the folx who made the patches... You can infact remove an users right to change his shell, this you could do by limiting the users access to chsh and so on, you could set it to wheel group only. Or you could remove the shell from the /etc/shells (i think). Best Regards Geir Råness PulZ @ efnet ----- Original Message ----- From: "Roger 'Rocky' Vetterberg" To: "Geir Råness" Cc: ; Sent: Monday, February 04, 2002 11:43 PM Subject: Re: Reliable shell logs > Geir Råness wrote: > > > You always could set your users to the shell bash, that is patched with the > > "bofh" logging. > > That's one way you could secure log your users, but it could be found. > > It all depends on the intruder. > > > Do you know where I could find this patch? > I tried google.com/bsd and found a bounch of sh patches, but > none for bash. > And what stops the user from changing his shell? 'chsh' > would let him change shell to csh, tcsh or whatever is > available on the system, right? How can I prevent this? > > > This you can do something about however, you can have an locale log server, > > that the "shell" server sends the log to, > > with upload access only. > > So the intruder cant delete the logs, you probaly shuld make this server an > > local login only. 
> > > > Geir Råness > > PulZ @ efnet > > > -- > R > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 5 6:19:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.6]) by hub.freebsd.org (Postfix) with ESMTP id 9298037B400 for ; Tue, 5 Feb 2002 06:19:12 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g15EJ9O28144; Tue, 5 Feb 2002 09:19:09 -0500 (EST) Date: Tue, 5 Feb 2002 09:19:09 -0500 (EST) From: Trevor Johnson To: Scott Corey Cc: peter.lai@uconn.edu, Subject: Re: netscape 4.76 is forbidden? In-Reply-To: <3C5F444B.20A1BA74@osef.org> Message-ID: <20020205091733.F27987-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Scott Corey wrote: > Here it is: > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:66.netscape.asc No, that one pertains to 4.75 and earlier versions. It describes a bug that is fixed in 4.76. > "Peter C. Lai" wrote: > > > > Hi - > > I tried to install netscape 4.76 the other day, and the port said > > it was forbidden, but I haven't seen a security announcement about this. > > Where can I get info on this? > > Particularly since some of my boxes had 4.76 on them before they > > became forbidden... 
-- Trevor Johnson

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 5 6:27:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id 02EB637B436 for ; Tue, 5 Feb 2002 06:27:17 -0800 (PST) Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 16Y6Yk-0004no-00; Tue, 05 Feb 2002 14:26:58 +0000 Date: Tue, 5 Feb 2002 14:26:58 +0000 From: Rasputin To: Michael Vince Cc: security@freebsd.org Subject: Re: SSH Message-ID: <20020205142658.A18406@shikima.mine.nu> Reply-To: Rasputin References: <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2>; from michael@roq.com on Tue, Feb 05, 2002 at 07:01:36PM +1100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Michael Vince [020205 08:05]:
> Hey all.
> I was thinking about setting up a maximum laziness maximum security security policy for myself.
> I just wanted to know how dangerous are ssh keys with no password phrases?

You need to keep them safe, since any old monkey can use them to get into boxes as you ( although you can restrict that slightly - see the AUTHORIZED_KEYS part in sshd(8) )

> I mean if someone is packet sniffing you how much more bad is it to have a ssh2
> key with no pass phrase compared to one that does..

Makes no difference as far as sniffing is concerned - network traffic relies on the key, not the phrase.

> And how bad would it be to have all the servers I have access to with different keys
> but the exact same password phrase like "pepsi"?

Then you're replacing multiple passwords with multiple keys, don't see how that'd help you. At least one key being stolen won't compromise all servers.

> And is it more secure to have a pass phraseless (no pass phrase) ssh key compared to
> just using ssh with no keys and just using a password that belongs to the unix account?

If you can't keep a key safe, then a frequently-changed password will do, I guess - although bear in mind you don't have the same ability to stop logins from other boxes (not in SSH itself, anyway)

--
Democracy is a government where you can say what you think even if you don't think.
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 5 6:34:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail48.fg.online.no (mail48-s.fg.online.no [148.122.161.48]) by hub.freebsd.org (Postfix) with ESMTP id 6FB4537B420 for ; Tue, 5 Feb 2002 06:34:48 -0800 (PST) Received: from elixor (ti500720a080-0536.bb.online.no [146.172.50.24]) by mail48.fg.online.no (8.9.3/8.9.3) with SMTP id PAA29081; Tue, 5 Feb 2002 15:34:41 +0100 (MET) Message-ID: <004401c1ae52$3c3d5bd0$0100a8c0@elixor> From: =?iso-8859-1?Q?Geir_R=E5ness?= To: "Kerberus" Cc: References: <20020204152325.GA64082@fbi.gov><001401c1ad9a$7be6d9e0$0100a8c0@elixor> <3C5F0E7B.4020508@rambo.simx.org> <003501c1ae47$dd96e790$0100a8c0@elixor> <1012920704.24834.17.camel@vpan.netwolves.com> Subject: Re: Reliable shell logs Date: Tue, 5 Feb 2002 15:34:31 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe:
Yes it is, thanks for it. I have seen the shell patches before but not the bash secure patch.. :)

Best Regards

Geir Råness
PulZ @ efnet

----- Original Message -----
From: "Kerberus"
To: "Geir Råness"
Sent: Tuesday, February 05, 2002 3:51 PM
Subject: Re: Reliable shell logs

Hrmmm looks like the file i sent over!! : ))

On Tue, 2002-02-05 at 08:20, Geir Råness wrote:
> Yeah, i have put them up at www.pulz.no/files/freebsd/Logging
> Read the readme files in them, and you probably would find the url to the
> folx who made the patches...
>
> You can in fact remove a user's right to change his shell, this you could do
> by limiting the user's access to chsh and so on, you could set it to wheel
> group only.
> Or you could remove the shell from the /etc/shells (i think).
>
> Best Regards
>
> Geir Råness
> PulZ @ efnet
>
> ----- Original Message -----
> From: "Roger 'Rocky' Vetterberg"
> To: "Geir Råness"
> Sent: Monday, February 04, 2002 11:43 PM
> Subject: Re: Reliable shell logs
>
>
> > Geir Råness wrote:
> >
> > > You always could set your users to the shell bash, that is patched with the
> > > "bofh" logging.
> > > That's one way you could secure log your users, but it could be found.
> > > It all depends on the intruder.
> >
> > Do you know where I could find this patch?
> > I tried google.com/bsd and found a bunch of sh patches, but
> > none for bash.
> > And what stops the user from changing his shell? 'chsh'
> > would let him change shell to csh, tcsh or whatever is
> > available on the system, right? How can I prevent this?
> >
> > > This you can do something about however, you can have a local log server,
> > > that the "shell" server sends the log to,
> > > with upload access only.
> > > So the intruder can't delete the logs, you probably should make this server a
> > > local login only.
> > >
> > > Geir Råness
> > > PulZ @ efnet
> >
> > --
> > R

From owner-freebsd-security Tue Feb 5 06:57:06 2002
From: admin
To: "Roger 'Rocky' Vetterberg"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
Date: Tue, 5 Feb 2002 08:47:15 -0600 (CST)
In-Reply-To: <3C5F0E7B.4020508@rambo.simx.org>

bofh bash and tcsh are at http://www.ccitt5.net/new/

- emacs

On Mon, 4 Feb 2002, Roger 'Rocky' Vetterberg wrote:

> Geir Råness wrote:
>
> > You always could set your users to the shell bash, that is patched with the
> > "bofh" logging.
> > That's one way you could secure log your users, but it could be found.
> > It all depends on the intruder.
>
> Do you know where I could find this patch?
> I tried google.com/bsd and found a bunch of sh patches, but
> none for bash.
> And what stops the user from changing his shell?
> 'chsh'
> would let him change shell to csh, tcsh or whatever is
> available on the system, right? How can I prevent this?
>
> > This you can do something about however, you can have a local log server,
> > that the "shell" server sends the log to,
> > with upload access only.
> > So the intruder can't delete the logs, you probably should make this server a
> > local login only.
> >
> > Geir Råness
> > PulZ @ efnet
>
> --
> R

From owner-freebsd-security Tue Feb 5 08:20:20 2002
From: Matt H
To: "Colin Faber"
Cc: martin@dc.cis.okstate.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Port 113 Traffic
Date: Tue, 5 Feb 2002 16:20:05 +0000
Message-Id: <20020205162005.36a51fca.matt@proweb.co.uk>
References: <200202041818.g14IIgM69616@dc.cis.okstate.edu> <3C5ED186.3B2801CF@fpsn.net>
In-Reply-To: <3C5ED186.3B2801CF@fpsn.net>

On Mon, 04 Feb 2002 11:23:02 -0700 "Colin Faber" wrote:

> cat /etc/services | grep 113
> auth 113/tcp ident tap #Authentication Service
> auth 113/udp ident tap #Authentication Service

or:

grep 113 /etc/services

:)

From owner-freebsd-security Tue Feb 5 09:50:56 2002
From: Victor Grey
Subject: Is this evidence of a break-in attempt?
Date: Tue, 05 Feb 2002 09:50:30 -0800

I have a server co-located at a data center, running FreeBSD 4.4 release. According to /var/log/messages it rebooted itself at one minute before midnight the night before last, and then (I think that's what the lines in messages mean) discovered a mouse attached as it booted up. Then at 43 minutes past midnight there were six login failures, three as root. (Running tripwire yesterday morning showed nothing suspicious.)

Well - there shouldn't be any mouse attached, it's a headless server. Furthermore, if I understand it correctly, a login failure at ttyv0 means it happened at the local console -- not a remote break-in attempt over the network. The data center personnel swear there was no one in there last night.

Can someone verify for me that I am interpreting the log correctly before I pursue it further with them?
Specifically, is there any way for the log to show a login failure at ttyv0 if no keyboard or mouse is attached to the machine? Or any other insights/things I should look at?

Here are the relevant lines from /var/log/messages:

-----------------------------
Feb 3 23:56:20 p2 syslogd: exiting on signal 15

Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30 PST 2001

Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0

Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
-----------------------------

Thanks,
Victor Grey

From owner-freebsd-security Tue Feb 5 10:05:29 2002
From: Alfred Perlstein
To: Victor Grey
Cc: freebsd-security@freebsd.org
Subject: Re: Is this evidence of a break-in attempt?
Date: Tue, 5 Feb 2002 10:05:02 -0800
Message-ID: <20020205100502.D59017@elvis.mu.org>
In-Reply-To: ; from victor@customdynamic.net on Tue, Feb 05, 2002 at 09:50:30AM -0800

* Victor Grey [020205 09:53] wrote:
> I have a server co-located at a data center, running FreeBSD 4.4 release.
> According to /var/log/messages it rebooted itself at one minute before
> midnight the night before last, and then (I think that's what the lines in
> messages mean) discovered a mouse attached as it booted up. Then at 43
> minutes past midnight there were six login failures, three as root. (Running
> tripwire yesterday morning showed nothing suspicious.)
>
> Well - there shouldn't be any mouse attached, it's a headless server.
> Furthermore, if I understand it correctly, a login failure at ttyv0 means it
> happened at the local console -- not a remote break-in attempt over the
> network.

[snip]

Sure looks like someone was trying something, most likely a result of incompetence rather than malice.

When I was managing servers for a company that used a colo the NOC people were pretty bad, multiple times after requesting assistance in our cage I'd get a callback from the NOC people who would be in the wrong cage:

"Hi this is from services, I'm in your cage."

"Ok *grumble* (only took 20 minutes) *grumble*, I need you to power cycle the red server."

"Which red server?"

"What do you mean which? We only have one, it's fire engine red, you can't miss it!"

"They're all red!"

"Uh, what cage are you in?"

"Cage 57."

"Ok, that's our cage... ummm.. hmmm.. oh! What building are you in?"

"Building 2" (we happen to actually be located in building 3)

"OH!!! I just remembered, we got those delivered on saturday, they weren't supposed to be powered on yet and they're stealing our main server's IP address!"

"Oh, what do I do?"

"Well I need you to remove the power cables from all the boxes."

"All five hundred of them?"

"YES! and call me back when you're done."

"Ok" *click*

(actually I told him he was in the wrong building and my server was eventually brought back into service, it just took about 45 minutes longer than it should have.)
-Alfred

From owner-freebsd-security Tue Feb 5 10:14:05 2002
From: Eli Dart
To: "Michael Vince"
Cc: security@FreeBSD.ORG
Subject: Re: SSH
Date: Tue, 05 Feb 2002 10:13:57 -0800
Message-Id: <20020205181357.8AEBD3B1AB@gemini.nersc.gov>
In-Reply-To: Message from "Michael Vince" of "Tue, 05 Feb 2002 19:01:36 +1100." <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2>

In reply to "Michael Vince" :

> Hey all.
> I was thinking about setting up a maximum laziness maximum security policy for myself.
> I just wanted to know how dangerous are ssh keys with no password phrases? I mean if someone is packet sniffing you how much more bad is it to have a ssh2 key with no pass phrase compared to one that does..

It won't help someone sniffing the wire. If someone eats the machine that contains the keys, you're much worse off.

> And how bad would it be to have all the servers I have access to with different keys but the exact same password phrase like "pepsi"?

If someone owns your keystrokes (and, we can assume, your machine), they now own all the servers instead of just the ones you logged into while they were capturing keystrokes. As an aside, choosing a pass phrase that is subject to dictionary attack or short enough to brute-force isn't a good idea ("pepsi" has both problems).

> And is it more secure to have a pass phraseless (no pass phrase) ssh key compared to just using ssh with no keys and just using a password that belongs to the unix account?

Again, it depends on how you get owned. If you have keys with no pass phrase, rooting a service on the machine is enough. If you require input from the user as well, then the attacker has to go through the additional step of capturing keystrokes.

> I just find myself having a lot of passwords to remember

For me, this is a fact of life. I've worked at it for a while and am now reasonably good at it. Changing things to make your life easier will generally provide attackers with additional points of leverage. I prefer to practice my memorization skills.....

--eli
From owner-freebsd-security Tue Feb 5 10:17:55 2002
From: Yonatan Bokovza
To: 'Alfred Perlstein', Victor Grey
Cc: freebsd-security@freebsd.org
Subject: RE: Is this evidence of a break-in attempt?
Date: Tue, 5 Feb 2002 20:17:28 +0200

> -----Original Message-----
> From: Alfred Perlstein [mailto:bright@mu.org]
> Sent: Tuesday, February 05, 2002 20:05
> To: Victor Grey
> Cc: freebsd-security@freebsd.org
> Subject: Re: Is this evidence of a break-in attempt?
>
>
> * Victor Grey [020205 09:53] wrote:
> > I have a server co-located at a data center, running FreeBSD 4.4 release.
> > According to /var/log/messages it rebooted itself at one minute before
> > midnight the night before last, and then (I think that's what the lines in
> > messages mean) discovered a mouse attached as it booted up. Then at 43
> > minutes past midnight there were six login failures, three as root. (Running
> > tripwire yesterday morning showed nothing suspicious.)
> >
> > Well - there shouldn't be any mouse attached, it's a headless server.
> > Furthermore, if I understand it correctly, a login failure at ttyv0 means it
> > happened at the local console -- not a remote break-in attempt over the
> > network.
>
> [snip]
>
> Sure looks like someone was trying something, most likely a result

I agree. If you'd include the whole dmesg and the output of find / -atime -ls

> "OH!!! I just remembered, we got those delivered on saturday, they
> weren't supposed to be powered on yet and they're stealing our main
> server's IP address!"
>
> "Oh, what do I do?"
>
> "Well I need you to remove the power cables from all the boxes."
>
> "All five hundred of them?"
>
> "YES! and call me back when you're done."
>
> "Ok" *click*

Presenting: "Perlstein. Alfred Perlstein! BOFH!!" ;-)

Regards,
Yonatan.

From owner-freebsd-security Tue Feb 5 10:41:39 2002
From: "Kevin Kinsey"
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <002001c1ae74$dc2f20c0$29f25b41@daleco>
Date: Tue, 5 Feb 2002 12:42:23 -0600

From: "Yonatan Bokovza"

> > From: Alfred Perlstein [mailto:bright@mu.org]
> > * Victor Grey [020205 09:53] wrote:
>
> Presenting: "Perlstein. Alfred Perlstein! BOFH!!" ;-)
>
> Regards,
> Yonatan.

Well, maybe. How 'bout "XA that made me ROTFLMAO!!"

From: David McNett
To: Michael Vince, security@FreeBSD.ORG
Subject: Re: SSH
Date: Tue, 5 Feb 2002 18:45:42 +0000
Message-ID: <20020205184542.GA92808@dazed.slacker.com>
References: <028101c1ae1b$55ee38b0$2e01a8c0@MICHAEL2> <20020205181357.8AEBD3B1AB@gemini.nersc.gov>
In-Reply-To: <20020205181357.8AEBD3B1AB@gemini.nersc.gov>

On 05-Feb-2002, Eli Dart wrote:
> In reply to "Michael Vince" :
> > I just wanted to know how dangerous are ssh keys with no password
> > phrases?
> > I just find myself having a lot of passwords to remember
>
> If someone owns your keystrokes (and, we can assume, your machine),
> they now own all the servers instead of just the ones you logged into
> while they were capturing keystrokes. As an aside, choosing a pass
> phrase that is subject to dictionary attack or short enough to
> brute-force isn't a good idea ("pepsi" has both problems).

Eli raises some good points about how important it can be to select passphrases which are sufficiently secure. I think that "pepsi" would be insufficient to make me feel secure. From a theoretical standpoint, it's possible that an attacker who gained access to several private keys all known to be encrypted with the same passphrase might be able to accelerate their attempts to access the keys with that knowledge, but I'm not aware of any such method. I doubt it's relevant to real-world security concerns.

Bottom line, though, it sounds like what you really want is to familiarize yourself with the use of ssh-agent to cache your sufficiently-long passphrase for local use. OpenSSH has a tool designed to strike a comfortable balance between security and ease of use which will allow you to cache your passphrase in memory (accessible only to you and root) and then use the cached, decrypted copy of the private key for all subsequent authorizations. As long as you're mindful to clear the cache when you're done or step away (I have my screensaver do it automatically) it doesn't add nearly as much risk as keeping unprotected private keys in your homedir. And since it reduces the number of times you have to type your passphrase, you'll be less motivated to select an unsafe passphrase.

man ssh-agent for a start, and take a look at the ssh-askpass port if you're in X for a nice GUI supplement to the tool.
--
 ________________________________________________________________________
|David McNett      |To ensure privacy and data integrity this message has|
|nugget@slacker.com|been encrypted using dual rounds of ROT-13 encryption|
|Austin, TX USA    |Please encrypt all important correspondence with PGP!|

From owner-freebsd-security Tue Feb 5 10:53:41 2002
From: Alfred Perlstein
To: Kevin Kinsey
Cc: daleco@daleco.biz, freebsd-security@freebsd.org
Subject: Re: Is this evidence of a break-in attempt?
Date: Tue, 5 Feb 2002 10:53:20 -0800
Message-ID: <20020205105320.I59017@elvis.mu.org>
References: <002001c1ae74$dc2f20c0$29f25b41@daleco>
In-Reply-To: <002001c1ae74$dc2f20c0$29f25b41@daleco>; from k_a_kinsey@netzero.net on Tue, Feb 05, 2002 at 12:42:23PM -0600

* Kevin Kinsey [020205 10:43] wrote:
> From: "Yonatan Bokovza"
> >
> > > From: Alfred Perlstein [mailto:bright@mu.org]
> > > * Victor Grey [020205 09:53] wrote:
> >
> > Presenting: "Perlstein. Alfred Perlstein! BOFH!!" ;-)
> >
> > Regards,
> > Yonatan.
>
> Well, maybe. How 'bout "XA that made me ROTFLMAO!!"
>
> And, on a related tangent ... are we assuming that since the reboot
> occurred around midnight someone was attempting to circumvent the
> logs due to their rollover time? (Pardon me if I seem an idiot, I'm
> still laughing....)

I think you guys are seriously giving the NOC more credit than they are due. :-)

As per phk's .sig:

"Never attribute to malice what can easily be explained by incompetence."

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/

From owner-freebsd-security Tue Feb 5 11:55:11 2002
From: Brett Glass
To: Victor Grey,
Subject: Re: Is this evidence of a break-in attempt?
Date: Tue, 05 Feb 2002 12:54:41 -0700
Message-Id: <4.3.2.7.2.20020205125336.02758450@localhost>

In a word, yes. Looks like they went to the box with a keyboard and a mouse, rebooted, and tried to log in. Clearly, they were so clueless that they did not know about single-user mode.
--Brett

At 10:50 AM 2/5/2002, Victor Grey wrote:

>-----------------------------
>Feb 3 23:56:20 p2 syslogd: exiting on signal 15
>
>Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30
>PST 2001
>
>Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
>Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
>
>Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
>Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
>-----------------------------

From owner-freebsd-security Tue Feb 5 16:24:59 2002
From: Paulo Fragoso
Subject: Auditing
Date: Tue, 5 Feb 2002 22:24:24 -0200 (BRST)

Hi,

We have a client which was using 4.2-RELEASE and telnetd enabled. On that machine an ircd was running, installed and started by a hacker, probably exploiting the telnetd hole.

We have installed 4.5-RELEASE using another HD and log_vain="YES" in the rc.conf. Some time after that upgrade, someone tried to connect to this machine:

Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384

How can we find in the old system all mechanisms to enable remotely ircd or backdoor? Are there any rootkits which have a backdoor at UDP port 22?

Paulo.
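An added example, not code from any of the list posts, that applies the reading of /var/log/messages discussed in Victor Grey's thread and the log_in_vain line from Paulo Fragoso's post: it parses a constructed sample log built from the lines they quoted, separates console (ttyv*) login failures from network sessions, notes input devices the kernel probed at boot, and counts log_in_vain connection attempts per port. The timestamp and the "/kernel:" tag on the UDP line, and the INPUT_DRIVERS list, are assumptions.

```python
"""Triage of FreeBSD 4.x /var/log/messages lines for the two situations in
this thread: console login failures after a reboot at which a new input
device appeared (Victor Grey's log), and log_in_vain "Connection attempt"
records (Paulo Fragoso's log).  Added example, not code from the posts."""
import re
from collections import Counter

# Constructed sample built from the lines quoted in the thread.  The
# timestamp and the "/kernel:" tag on the log_in_vain line are assumptions;
# the addresses are the placeholders Paulo used.
SAMPLE_LOG = """\
Feb  3 23:56:20 p2 syslogd: exiting on signal 15
Feb  3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30 PST 2001
Feb  3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
Feb  3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
Feb  4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
Feb  4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
Feb  5 21:10:02 p2 /kernel: Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384
"""

SYSLOG_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
LOGIN_FAIL_RE = re.compile(r"^(?P<n>\d+) LOGIN FAILURES? ON (?P<tty>\w+)(?:, (?P<user>\S+))?$")
IN_VAIN_RE = re.compile(r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>\S+):(?P<dport>\d+) "
                        r"from (?P<src>\S+):(?P<sport>\d+)")
DEVICE_RE = re.compile(r"^(?P<dev>[a-z]+\d+): (?P<detail>.*)$")

# Assumed list of drivers whose appearance at boot means a mouse or keyboard was plugged in.
INPUT_DRIVERS = ("psm", "atkbd", "ukbd", "ums")


def is_console_tty(tty):
    """ttyv* are the virtual consoles; ttyp*/ttyq* are network or pty sessions."""
    return tty.startswith("ttyv") or tty == "console"


def triage(log_text):
    """Walk the log in order and return what a reviewer would want flagged."""
    report = {"shutdowns": [], "boots": [], "input_devices_at_boot": [],
              "console_failures": [], "remote_failures": [],
              "in_vain": Counter(), "findings": []}
    in_boot = False          # True from the kernel banner until the first userland line
    seen_devices = set()
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        stamp, prog, msg = m.group("stamp"), m.group("prog"), m.group("msg")
        if prog == "syslogd" and msg == "exiting on signal 15":
            report["shutdowns"].append(stamp)          # clean shutdown or reboot
            continue
        if prog == "/kernel":
            if msg.startswith("FreeBSD "):              # kernel version banner: a boot
                report["boots"].append(stamp)
                in_boot, seen_devices = True, set()
                continue
            iv = IN_VAIN_RE.search(msg)
            if iv:
                report["in_vain"][(iv.group("proto"), int(iv.group("dport")))] += 1
                continue
            d = DEVICE_RE.match(msg)
            if in_boot and d and d.group("dev").rstrip("0123456789") in INPUT_DRIVERS:
                if d.group("dev") not in seen_devices:
                    seen_devices.add(d.group("dev"))
                    report["input_devices_at_boot"].append((stamp, d.group("dev"), d.group("detail")))
            continue
        in_boot = False      # a non-kernel message means the boot probe is over
        if prog == "login":
            lf = LOGIN_FAIL_RE.match(msg)
            if lf:
                entry = {"time": stamp, "tty": lf.group("tty"),
                         "count": int(lf.group("n")), "user": lf.group("user")}
                bucket = "console_failures" if is_console_tty(entry["tty"]) else "remote_failures"
                report[bucket].append(entry)
    for f in report["console_failures"]:
        who = f["user"] or "unspecified user"
        note = "%s: %d failed logins on %s for %s; ttyv* is the local console, not a network session" % (
            f["time"], f["count"], f["tty"], who)
        if report["input_devices_at_boot"]:
            devs = ", ".join(dev for _, dev, _ in report["input_devices_at_boot"])
            note += "; an earlier boot in this log probed %s, consistent with hands-on access" % devs
        report["findings"].append(note)
    for (proto, port), n in sorted(report["in_vain"].items()):
        report["findings"].append(
            "%d unsolicited %s connection attempt(s) to port %d logged by log_in_vain" % (n, proto, port))
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```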
From owner-freebsd-security Tue Feb 5 16:48:58 2002
From: Eli Dart
To: Paulo Fragoso
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Auditing
Date: Tue, 05 Feb 2002 16:48:40 -0800
Message-Id: <20020206004840.806533B1AB@gemini.nersc.gov>
In-Reply-To: Message from Paulo Fragoso of "Tue, 05 Feb 2002 22:24:24 -0200."

I don't know all the details involving your particular incident, but at one time there was a bug in PC-Anywhere that caused it to listen on UDP port 22 (they didn't put their port number in network byte order as I remember). I still see scanners looking for UDP port 22 every once in a while (script kiddies looking for poorly configured PC-Anywhere instances). So, this could be unrelated to your incident, and just be some random script kiddie.

In general, if you turn on log_in_vain on a box that is directly connected to the Internet, you'll see a lot of random cruft....

--eli

In reply to Paulo Fragoso :

> Hi,
>
> We have a client which was using 4.2-RELEASE and telnetd enabled. On that
> machine an ircd was running, installed and started by a hacker, probably
> exploiting the telnetd hole.
>
> We have installed 4.5-RELEASE using another HD and log_vain="YES" in the
> rc.conf. Some time after that upgrade, someone tried to connect to this
> machine:
>
> Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384
>
> How can we find in the old system all mechanisms to enable remotely ircd
> or backdoor? Are there any rootkits which have a backdoor at UDP port 22?
>
> Paulo.
<004d36b40dda$1442e6c7$2eb00db1@fdymoq> From: To: Cc: , , , , , , , , Subject: See Real Babes (0384CuMg3-126YqKc6577@20) MiME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_00C4_03E14D8D.A0707E67" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: QUALCOMM Windows Eudora Version 5.1 Importance: Normal Date: Wed, 6 Feb 2002 01:53:27 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ------=_NextPart_000_00C4_03E14D8D.A0707E67 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: base64 PGh0bWw+DQo8aGVhZD4NCjwvaGVhZD4NCjxib2R5Pg0KPGZvbnQgc2l6ZT0i MiI+PHU+PGI+V0FSTklORzwvYj48L3U+OiBUaGUgZm9sbG93aW5nIG1hdGVy aWFsIGlzIG9mIGFuIGV4dHJlbWUNCmFkdWx0IG5hdHVyZS4gSWYgeW91IGFy ZTxicj4NCm9mZmVuZGVkIGJ5IGV4cGxpY2l0IGFkdWx0IG1hdGVyaWFsIG9y IGFyZSB1bmRlciB0aGUgYWdlIG9mIDE4LCZuYnNwOyBkZWxldGUNCnRoaXMg ZW1haWwgbm93PC9mb250Pjxmb250IHNpemU9IjEiPi48L2ZvbnQ+DQo8cD4N CjxhIGltZyBTUkM9ImcwMS5qcGciIEJPUkRFUj0iMCIgaGVpZ2h0PSIxMDUi IHdpZHRoPSIxNDAiIGhyZWY9Imh0dHA6Ly93d3cuZnJlZXdlYmhvc3Q0dS5j b20vc2V4eTA4L2luZGV4b3MuaHRtIj4NCjxpbWcgU1JDPSJodHRwOi8vd3d3 OS5raW5naG9zdC5jb20vdGVlbi90bTMxNDUwLzIzLmpwZyIgQk9SREVSPTAg aGVpZ2h0PTEwNSB3aWR0aD0xNDA+DQo8aW1nIFNSQz0iaHR0cDovL3d3dzku a2luZ2hvc3QuY29tL3RlZW4vdG0zMTQ1MC9idXR0MS5qcGciIEJPUkRFUj0w IGhlaWdodD0xMDUgd2lkdGg9MTQwPg0KPGltZyBTUkM9Imh0dHA6Ly93d3c5 Lmtpbmdob3N0LmNvbS90ZWVuL3RtMzE0NTAvc2hlMS5qcGciIEJPUkRFUj0w IGhlaWdodD0xMDUgd2lkdGg9MTQwPg0KDQo8L2E+PC9wPg0KPHA+PGEgaW1n IFNSQz0iZzAxLmpwZyIgQk9SREVSPSIwIiBoZWlnaHQ9IjEwNSIgd2lkdGg9 IjE0MCIgaHJlZj0iaHR0cDovL3d3dy5mcmVld2ViaG9zdDR1LmNvbS9zZXh5 MDgvaW5kZXhvcy5odG0iPg0KPHU+VEhFIDxmb250IGNvbG9yPSIjRkYwMDAw Ij48Yj5IT1QtRVNUPC9iPjwvZm9udD4mbmJzcDsmbmJzcDsgKipYWFgqKiZu YnNwOw0KVEVFTiBIQVJEQ09SRSA8YnI+DQpBQ1RJT04gT04gVEhFIE5FVCBU T0RBWSEhPC91PjwvYT48L3A+DQo8cD48YSBpbWcgU1JDPSJnMDEuanBnIiBC 
T1JERVI9IjAiIGhlaWdodD0iMTA1IiB3aWR0aD0iMTQwIiBocmVmPSJodHRw Oi8vd3d3LmZyZWV3ZWJob3N0NHUuY29tL3NleHkwOC9pbmRleG9zLmh0bSI+ DQoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKio8YnI+DQpD TElDSyBIRVJFIEZPUiBJTlNUQU5UIEFDQ0VTUzxicj4NCioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKjwvYT48L3A+DQo8cD48dT48Yj5C ZXN0IGNvbnRlbnQgYXJvdW5kPC9iPjwvdT4gLSA8YnI+DQpDVU1TSE9UIEZh bnRhc2llczxicj4NCkFTUyBGYW50YXNpZXM8YnI+DQpTTVVUIEZhbnRhc2ll czxicj4NCkxFU0JJQU4gRmFudGFzaWVzPGJyPg0KT1JJRU5UQUwgRmFudGFz aWVzIEdBTE9SRTwvcD4NCjxwPjx1PlNQRUNJQUwgQk9OVVMgRk9SIFRSSUFM IE1FTUJFUlNISVA8YnI+DQo8L3U+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 IDxmb250IHNpemU9IjQiPiEhITkgYnJhbmQgbmV3IGNlbGViIG1vdmllcyEh ITwvZm9udD48L3A+DQo8cD4qKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqPGJyPg0KJm5ic3A7Jm5ic3A7Jm5ic3A7IDxhIGhyZWY9Imh0 dHA6Ly93d3cuZnJlZXdlYmhvc3Q0dS5jb20vc2V4eTA4L2luZGV4b3MuaHRt Ij5DTElDSw0KSEVSRSBGT1IgSU5TVEFOVCBBQ0NFU1M8L2E+PGJyPg0KKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKjxicj4NCklmIHlv dSBoYXZlIHJlY2VpdmVkIHRoaXMgbWVzc2FnZSBpbiBlcnJvciZuYnNwOzxi cj4NCmFuZCB3aXNoIHRvIGJlIHJlbW92ZWQgcGxlYXNlIDxhIGhyZWY9Im1h aWx0bzp0bTMxMDQ1NkB5YWhvby5jb20iPmNsaWNrDQpoZXJlPC9hPiBhbmQg cHV0Jm5ic3A7PGJyPg0KJnF1b3Q7R0VUIE1FIE9GRiZxdW90OyBpbiB0aGUg c3ViamVjdCBsaW5lPC9wPg0KPHA+Jm5ic3A7PC9wPg0KPC9ib2R5Pg0KPC9o dG1sPg0KDQpbMDM4NEA0XQ0K To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 6 3: 5:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from memphis.mephi.ru (memphis.mephi.ru [194.67.67.234]) by hub.freebsd.org (Postfix) with ESMTP id B3F6F37B404 for ; Wed, 6 Feb 2002 03:05:46 -0800 (PST) Received: (from timon@localhost) by memphis.mephi.ru (8.11.6/8.11.3) id g16B5Uo33060; Wed, 6 Feb 2002 14:05:30 +0300 (MSK) (envelope-from timon) Date: Wed, 6 Feb 2002 14:05:30 +0300 (MSK) From: "Artem 'Zazoobr' Ignatjev" Message-Id: <200202061105.g16B5Uo33060@memphis.mephi.ru> To: brett@lariat.org, 
    freebsd-security@FreeBSD.ORG, victor@customdynamic.net
Subject: Re: Is this evidence of a break-in attempt?
In-Reply-To: <4.3.2.7.2.20020205125336.02758450@localhost>

> From owner-freebsd-security@FreeBSD.ORG Tue Feb 5 22:59:39 2002
> Date: Tue, 05 Feb 2002 12:54:41 -0700
> To: Victor Grey ,
> From: Brett Glass
> Subject: Re: Is this evidence of a break-in attempt?
>
> In a word, yes. Looks like they went to the box with a
> keyboard and a mouse, rebooted, and tried to log in.
> Clearly, they were so clueless that they did not know
> about single-user mode.
>
Well, if the console is marked as `insecure' (which is MY default policy), single mode couldn't help them too much.
But there is a way to get the contents of any file in the root filesystem from loader(8), so they could get the root hash.

From owner-freebsd-security Wed Feb 6 4:26: 6 2002
Date: Wed, 6 Feb 2002 12:26:00 +0000
From: Rik
To: freebsd-security@FreeBSD.ORG
Subject: Re: Auditing
Message-ID: <20020206122600.GA1558@spoon.pkl.net>

On Tue, Feb 05, 2002 at 10:24:24PM -0200, Paulo Fragoso wrote:
> Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384

Isn't that a failed connection?

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Wed Feb 6 5:20: 2 2002
Date: Wed, 6 Feb 2002 08:19:15 -0500 (EST)
From: Weldon S Godfrey 3
To: Brett Glass
Cc: Victor Grey ,
Subject: Re: Is this evidence of a break-in attempt?
In-Reply-To: <4.3.2.7.2.20020205125336.02758450@localhost>

Good point.

I recommend that for any box placed into a colo or a location where the security isn't under your direct control, you mark your console as "insecure" in /etc/ttys so that the root password will be asked when someone boots into single-user mode.

Weldon

If memory serves me right, sometime around Yesterday, Brett Glass told me:

> In a word, yes. Looks like they went to the box with a
> keyboard and a mouse, rebooted, and tried to log in.
> Clearly, they were so clueless that they did not know
> about single-user mode.
>
> --Brett
>
> At 10:50 AM 2/5/2002, Victor Grey wrote:
> >-----------------------------
> >Feb 3 23:56:20 p2 syslogd: exiting on signal 15
> >
> >Feb 3 23:58:59 p2 /kernel: FreeBSD 4.4-RELEASE-p2 #0: Wed Dec 26 12:01:30
> >PST 2001
> >
> >Feb 3 23:59:00 p2 /kernel: psm0: irq 12 on atkbdc0
> >Feb 3 23:59:00 p2 /kernel: psm0: model Generic PS/2 mouse, device ID 0
> >
> >Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0
> >Feb 4 00:43:38 p2 login: 3 LOGIN FAILURES ON ttyv0, root
> >-----------------------------
>

From owner-freebsd-security Wed Feb 6 7:48:35 2002
Date: Thu, 7 Feb 2002 02:48:04 +1100
From: Greg Lane
To: Weldon S Godfrey 3
Cc: Brett Glass , Victor Grey , freebsd-security@FreeBSD.ORG
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <20020207024804.A28463@nucl03.anu.edu.au>
Reply-To: gregory.lane@anu.edu.au
References: <4.3.2.7.2.20020205125336.02758450@localhost>
In-Reply-To: ; from weldon@excelsus.com on Wed, Feb 06, 2002 at 08:19:15AM -0500

> I recommend that for any box placed into a colo or a location where the
> security isn't under your direct control, you mark your console as
> "insecure" in /etc/ttys so that the root password will be asked when someone
> boots into single-user mode.
>
> Weldon

It will slow someone down, but as you no doubt know, if a box is not under your direct control and someone has a clue then that doesn't help much. All it takes is the fixit floppy. Mount / and /usr, edit the passwd file, pwd_mkdb, instant root.

We've had to do this to an embarrassingly large number of boxes where we've forgotten the root passwords.

BIOS passwords, disabled floppy drives and other tricks might slow you down, but in the end, physical access to the box and the game is pretty much already over...
Greg

From owner-freebsd-security Wed Feb 6 8: 4:40 2002
Date: Wed, 6 Feb 2002 08:04:09 -0800 (PST)
Message-Id: <200202061604.g16G49v43845@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:10.rsync
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:10                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          rsync port contains remotely exploitable vulnerability

Category:       ports
Module:         rsync
Announced:      2002-02-06
Credits:        Sebastian Krahmer
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-23 23:32:21 UTC
FreeBSD only:   NO

I.   Background

rsync is a powerful network file distribution/synchronization utility.

II.  Problem Description

The rsync port, versions prior to rsync-2.5.1_1, is not careful enough about reading integers from the network. In several places, signed and unsigned numbers are mixed, resulting in erroneous computations of buffer offsets.
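The bug class the Problem Description refers to, as an added C example that is not rsync's code: a 32-bit length decoded from the wire as a signed integer passes an upper-bound-only check whenever it is negative, while a hardened check rejects it before it reaches memcpy() or an array index. The wire format, record layout and sample bytes are constructed for illustration.

```c
/* Added example for the bug class in FreeBSD-SA-02:10: a length read
 * from the network as a signed int slips past an upper-bound-only
 * check. Not rsync's code; wire format and records are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 32-bit little-endian wire integer as the signed value a
 * protocol that exchanges signed ints would see (0xffffffff -> -1). */
static int32_t read_int32_le(const uint8_t *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)u;
}

/* What a negative int becomes once it reaches memcpy() or an index
 * computation done in size_t: a value next to SIZE_MAX. */
static size_t as_size_t(int32_t v)
{
    return (size_t)v;
}

/* WEAK: only the upper bound is tested, in signed arithmetic. A negative
 * len is never "too large", so a following buf[len] = '\0' puts a NUL
 * below the buffer, i.e. into whatever the stack holds there. */
static bool weak_length_ok(int32_t len, size_t bufsize)
{
    return len < (int32_t)bufsize;
}

/* HARDENED: reject negatives first, then compare in size_t space and
 * keep one byte for the terminator. */
static bool safe_length_ok(int32_t len, size_t bufsize)
{
    if (len < 0)
        return false;
    return (size_t)len < bufsize;
}

/* Parse one [int32 len][len bytes] record into buf and NUL-terminate it.
 * Returns the payload length, or -1 for a negative, oversized or
 * truncated record; buf is left untouched on failure. */
static int32_t recv_string(const uint8_t *msg, size_t msglen,
                           char *buf, size_t bufsize)
{
    if (msglen < 4)
        return -1;
    int32_t len = read_int32_le(msg);
    if (!safe_length_ok(len, bufsize))
        return -1;
    if ((size_t)len > msglen - 4)       /* record shorter than it claims */
        return -1;
    memcpy(buf, msg + 4, (size_t)len);
    buf[len] = '\0';
    return len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t GOOD_MSG[]  = { 0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t NEG_MSG[]   = { 0xff, 0xff, 0xff, 0xff, 'x' }; /* len -1 */
static const uint8_t TRUNC_MSG[] = { 0x08, 0, 0, 0, 'a', 'b', 'c' }; /* len 8 */

/* Feed each sample through recv_string() with a 16-byte buffer. */
static bool good_record_ok(void)
{
    char out[16];
    return recv_string(GOOD_MSG, sizeof GOOD_MSG, out, sizeof out) == 5 &&
           strcmp(out, "hello") == 0;
}
static int32_t neg_record(void)
{
    char out[16];
    return recv_string(NEG_MSG, sizeof NEG_MSG, out, sizeof out);
}
static int32_t trunc_record(void)
{
    char out[16];
    return recv_string(TRUNC_MSG, sizeof TRUNC_MSG, out, sizeof out);
}

int main(void)
{
    int32_t len = read_int32_le(NEG_MSG);
    printf("wire length %d: weak check accepts=%d, safe check accepts=%d\n",
           len, weak_length_ok(len, 16), safe_length_ok(len, 16));
    printf("as size_t it becomes %zu\n", as_size_t(len));
    printf("good=%d negative=%d truncated=%d\n",
           good_record_ok(), neg_record(), trunc_record());
    return 0;
}
```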
The rsync port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.5 contains the corrected version of this port (rsync-2.5.1_1).

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A remote attacker may cause rsync to write NUL bytes onto its stack. This can be exploited in order to execute arbitrary code with the privileges of the user running rsync. This is particularly damaging for sites running rsync in server mode, although a hostile server may also affect rsync clients.

IV.  Workaround

1) Deinstall the rsync ports/packages if you have them installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/rsync-2.5.1_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/rsync-2.5.1_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the rsync port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file that was corrected in the FreeBSD source.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/net/rsync/Makefile                                             1.61
ports/net/rsync/files/patch-251-secfix                                1.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPGFAr1UuHi5z0oilAQFwZwP/fssLUKJ8mnaIPZhCj4XYT1rQJStyXnVQ
kI3OFdHX/xoYTEffohoHAJqHkGfVTeriDOgRhEFy9jCreQwsIevyqEKPnBE4Kotx
NhdOfLRO+kKndpDj/oqc/rGzm5tuofsg88fw7ZINqZDdQy0OGpbA8mqyB18g1aEL
DDA6wACcxbA=
=XnJ+
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 6 8: 4:29 2002
Date: Wed, 6 Feb 2002 08:03:40 -0800 (PST)
Message-Id: <200202061603.g16G3eh43771@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:09.fstatfs
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:09                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          fstatfs race condition may allow local denial of service via procfs

Category:       core
Module:         kernel
Announced:      2002-02-06
Credits:        Stefan Esser
Affects:        All released versions of FreeBSD prior to 4.5-RELEASE
Corrected:      2002-01-07 20:47:34 UTC (RELENG_4)
                2002-01-17 15:46:46 UTC (RELENG_4_4)
                2002-01-17 15:47:04 UTC (RELENG_4_3)
FreeBSD only:   YES

I.   Background

fstatfs() is a function that retrieves filesystem statistics in the kernel. procfs is the process filesystem, which presents a filesystem interface to the system process table and associated data.

II.  Problem Description

A race condition existed where a file could be removed between calling fstatfs() and the point where the file is accessed, causing the file descriptor to become invalid. This may allow unprivileged local users to cause a kernel panic. Currently only the procfs filesystem is known to be vulnerable.

III. Impact

On vulnerable FreeBSD systems where procfs is mounted, unprivileged local users may be able to cause a kernel panic.

IV.  Workaround

Unmount all instances of the procfs filesystem using the umount(8) command by performing the following as root:

# umount -f -a -t procfs

Disable the automatic mounting of all instances of procfs in /etc/fstab: remove or comment out the line(s) of the following form:

proc            /proc           procfs  rw      0       0

Note that unmounting procfs may have a negative impact on the operation of the system: under older versions of FreeBSD it is required for some aspects of the ps(1) command, and unmounting it may also break use of userland inter-process debuggers such as gdb. Other installed binaries including emulated Linux binaries may require access to procfs for correct operation.

V.   Solution

1) Upgrade your vulnerable FreeBSD system to 4.5-RELEASE or 4.5-STABLE, or the RELENG_4_5, RELENG_4_4, or RELENG_4_3 security branches dated after their respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to all FreeBSD 4.x releases dated prior to the correction date. This patch may or may not apply to older, unsupported releases of FreeBSD.

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:09/fstatfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:09/fstatfs.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

If procfs is statically compiled into the kernel (i.e. the kernel configuration file contains the line 'options PROCFS'), rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system with the new kernel for the changes to take effect.

If procfs is dynamically loaded by KLD (use the kldstat command to verify whether this is the case) and the system securelevel has not been raised, the system can be patched at run-time without requiring a reboot by the execution of the following commands after patching the source as described above:

# cd /usr/src/sys/modules/procfs
# make depend && make all install
# umount -f -a -t procfs
# kldunload procfs
# kldload procfs
# mount -a -t procfs

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of the file that was corrected in the FreeBSD source.

Path                                                Branch      Revision
- -------------------------------------------------------------------------
src/sys/kern/vfs_syscalls.c                         HEAD        1.216
                                                    RELENG_4    1.151.2.13
                                                    RELENG_4_4  1.151.2.9.2.1
                                                    RELENG_4_3  1.151.2.7.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPGFTc1UuHi5z0oilAQGoMgP/REVJNr2Y+khbQAVX1VM+bnySdGxFKDVS
0niQ7ZrnI/Ffs7Kw0Nf5T82kvL2gFKRKPW1F2bl+A3qwDO2CBq/mKWLPuP+Ha/Id
oLtLeE446o/Gv6wdYpKzcdzUtPFcAhaPdD8DxSmdXyVjXuIYXgojM4wPgQcf5PVL
YW7uAAQ2cM0=
=T2JK
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Feb 6 8:39:21 2002
Date: Wed, 6 Feb 2002 11:12:02 -0500 (EST)
From: Weldon S Godfrey 3
To: Greg Lane
Cc: Brett Glass , Victor Grey ,
Subject: Re: Is this evidence of a break-in attempt?
In-Reply-To: <20020207024804.A28463@nucl03.anu.edu.au>

But isn't slowing down the name of the game? If someone is good enough and they want to break in bad enough, they are going to get in. Nothing replaces consistent security monitoring and investigation.

The more hoops you put up, the greater the likelihood you will be able to catch it, stop it before it goes too far, or discourage them, and/or circumvent the less knowledgeable (which accounts for more attempts than the knowledgeable).
It is the same as your car and house. If a thief is bold enough, no matter how many alarms you have, that won't stop them. It doesn't mean you should give up and leave keys in the ignition :)

If memory serves me right, sometime around Tomorrow, Greg Lane told me:

> > I recommend that for any box placed into a colo or a location where the
> > security isn't under your direct control, you mark your console as
> > "insecure" in /etc/ttys so that the root password will be asked when someone
> > boots into single-user mode.
> >
> > Weldon
>
> It will slow someone down, but as you no doubt know, if a box is not under
> your direct control and someone has a clue then that doesn't help much. All
> it takes is the fixit floppy. Mount / and /usr, edit the passwd file,
> pwd_mkdb, instant root.
>
> We've had to do this to an embarrassingly large number of boxes where
> we've forgotten the root passwords.
>
> BIOS passwords, disabled floppy drives and other tricks might slow you
> down, but in the end, physical access to the box and the game is
> pretty much already over...
>
> Greg
>

From owner-freebsd-security Wed Feb 6 9: 0: 9 2002
Date: Wed, 6 Feb 2002 11:37:08 -0500 (EST)
From: Trevor Johnson
To: Greg Lane
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is this evidence of a break-in attempt?
In-Reply-To: <20020207024804.A28463@nucl03.anu.edu.au>
Message-ID: <20020206110937.T12856-100000@blues.jpj.net>

Greg Lane wrote:

> BIOS passwords, disabled floppy drives and other tricks might slow you
> down, but in the end, physical access to the box and the game is
> pretty much already over...

Daemon News has a tutorial on setting up the security/cfs port at http://www.freebsddiary.org/encrypted-fs.php (I haven't tried it). In this case, changing over to a somewhat trustworthy colo might not be a bad idea either.
--
Trevor Johnson

From owner-freebsd-security Wed Feb 6 12:11:45 2002
Message-Id: <4.3.2.7.2.20020206125755.01c716a0@localhost>
Date: Wed, 06 Feb 2002 13:11:16 -0700
To: Weldon S Godfrey 3
From: Brett Glass
Subject: Re: Is this evidence of a break-in attempt?
Cc: Victor Grey ,
References: <4.3.2.7.2.20020205125336.02758450@localhost>

A good idea, though you can always boot from a floppy and bypass this.
Or list the password file from the boot loader and then crack the root password offline.

Fortunately, the intruders weren't anywhere near that bright. The fact that they installed a *mouse*, of all things, indicates that they were expecting to find an NT or W2K server. They were likely COMPLETELY out of their depth when they saw a UNIX login: prompt. So much so that all they could do was try, in desperation, to log in as "root" with no password. (Many NT and W2K admins leave their boxes with null or easily guessable administrative passwords, but UNIX admins know better.) In short, they couldn't even get into a UNIX box to which they probably had physical access for hours (sigh).

My guess is that they were Microsoft weenies -- probably MCSEs, who are intentionally trained to be helpless without a GUI and are never taught the underlying principles behind what they're doing. (This keeps them from being able to deal with anything non-Microsoft, even if it's standards-based.) Microsoft also takes great pains to ensure that the dialogue boxes are complex and non-intuitive enough, and change *just enough* between versions, that recertification is required every few years. This guarantees Microsoft an income stream of thousands of dollars per year per MCSE.

--Brett

At 06:19 AM 2/6/2002, Weldon S Godfrey 3 wrote:
>Good point.
>
>I recommend that for any box placed into a colo or a location where the
>security isn't under your direct control, you mark your console as
>"insecure" in /etc/ttys so that the root password will be asked when someone
>boots into single-user mode.
>
>Weldon

From owner-freebsd-security Wed Feb 6 13:20:25 2002
Date: Wed, 6 Feb 2002 21:53:08 +0200
From: Giorgos Keramidas
To: "Artem 'Zazoobr' Ignatjev"
Cc: brett@lariat.org, freebsd-security@freebsd.org, victor@customdynamic.net
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <20020206195308.GA18171@hades.hell.gr>
References: <4.3.2.7.2.20020205125336.02758450@localhost> <200202061105.g16B5Uo33060@memphis.mephi.ru>
In-Reply-To: <200202061105.g16B5Uo33060@memphis.mephi.ru>

On 2002-02-06 14:05, Artem 'Zazoobr' Ignatjev wrote:
> > From owner-freebsd-security@FreeBSD.ORG Tue Feb 5 22:59:39 2002
> > Date: Tue, 05 Feb 2002 12:54:41 -0700
> > To: Victor Grey ,
> > From: Brett Glass
> > Subject: Re: Is this evidence of a break-in attempt?
> >
> > In a word, yes. Looks like they went to the box with a
> > keyboard and a mouse, rebooted, and tried to log in.
> > Clearly, they were so clueless that they did not know
> > about single-user mode.
> >
> Well, if the console is marked as `insecure' (which is MY default policy),
> single mode couldn't help them too much.
> But there is a way to get the contents of any file in the root filesystem from
> loader(8), so they could get the root hash.

You're assuming the attacker (yes, it was a naive attack of some form) knows a lot of stuff. He didn't know about single-user mode[1]. He didn't have enough clue to come with fixit and just power-cycle the box. Is that the person you're expecting to have the knowledge it takes to use loader for password stealing+cracking? :P

"loader? What do you mean? What the heck is that? I just plugged in my brand new PS/2 mouse, and a keyboard and rebooted. The fscking thing didn't even get to the point where Windows displays 'Press CTRL+ALT+DEL to log in.' so I pressed CTRL+ALT+DEL a few times. Can you guess? Yes, this FreeBSD thing is so obviously retarded it does NOTHING when you press CTRL+ALT+DEL! I had to power-cycle it again to remove my keyboard and mouse!"

--
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/

From owner-freebsd-security Wed Feb 6 16:39:15 2002
Date: Thu, 7 Feb 2002 11:39:05 +1100
From: Greg Lane
To: Weldon S Godfrey 3
Cc: Brett Glass , Trevor Johnson , Victor Grey , freebsd-security@FreeBSD.ORG
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <20020207113905.A31674@nucl03.anu.edu.au>
Reply-To: gregory.lane@anu.edu.au
References: <20020207024804.A28463@nucl03.anu.edu.au>
In-Reply-To: ; from weldon@excelsus.com on Wed, Feb 06, 2002 at 11:12:02AM -0500

I absolutely agree. Security in layers...

I was not being critical, note the "as you no doubt know". I was only pointing out for the uninitiated security-wise that this is not enough, as you point out also.

If I have a publicly accessible box, I mark everything insecure in /etc/ttys and usually go the whole hog, disconnecting the floppy and the cdrom, changing the boot order in the BIOS in case they do reconnect them, then password protect the BIOS.
It only takes a minute or two to reverse if I ever need access, but will
take quite a bit longer if you have to defeat each thing one at a time as
you find it. I usually set some flags (like schg) on important files as
well. If someone gets through that, they generally have enough knowledge
that I'm screwed anyway. At that point as Trevor Johnson mentioned,
encryption is your friend. Even then, however, you have to get some sort
of key to the box to read the encrypted files and if someone has root
already...

In case you haven't noticed already, I am somewhat paranoid. I don't think
I'd ever be able to trust a colocated box.

Greg

On Wed, Feb 06, 2002 at 11:12:02AM -0500, Weldon S Godfrey 3 wrote:
> 
> But isn't slowing down the name of the game? If someone is good enough
> and they want to break in bad enough, they are going to get in. Nothing
> replaces consistent security monitoring and investigation.
> 
> The more hoops you put up, the greater the likelihood you will be able to
> catch it, stop it before it goes too far, or discourage them,
> and/or circumvent the less knowledgeable (which accounts for more attempts
> than the knowledgeable).
> 
> It is the same as your car and house. If a thief is bold enough, no
> matter how many alarms you have, that won't stop them. It doesn't mean
> you should give up and leave keys in the ignition :)
> 
> If memory serves me right, sometime around Tomorrow, Greg Lane told me:
> 
> > > I recommend that any box placed into a colo or a location that the
> > > security isn't under your direct control to mark your console as
> > > "insecure" in /etc/ttys so that root password will be asked when someone
> > > boots into single user mode.
> > >
> > > Weldon
> >
> > It will slow someone down, but as you no doubt know, if a box is not under
> > your direct control and someone has a clue then that doesn't help much. All
> > it takes is the fixit floppy. Mount / and /usr, edit the passwd file,
> > pwd_mkdb, instant root.
> >
> > We've had to do this to an embarrassingly large number of boxes where
> > we've forgotten the root passwords.
> >
> > Bios passwords, disabled floppy drives and other tricks might slow you
> > down, but in the end, physical access to the box and the game is
> > pretty much already over...
> >
> > Greg

-- 
==================================================================
Dept of Nuclear Physics              Email: Gregory.Lane@anu.edu.au
Australian National University       Phone: +61-2-6125 0375
Canberra ACT 0200 AUSTRALIA          Fax:   +61-2-6125 0748

From owner-freebsd-security Wed Feb 6 18:46:09 2002
Date: Thu, 7 Feb 2002 04:45:56 +0200 (SAST)
From: Gareth Hopkins
To: freebsd-security@freebsd.org
Subject: Problem with openssh and kerberos
Message-ID: <20020207043603.S54531-100000@yacko.fw.uunet.co.za>
Hi There,

I am having a problem with the following. sshd is not recognising the
KerberosOrLocalPasswd option in the sshd_config file. This is causing a
problem with users logging into the machine with their kerberos password
(without having kinited).

Feb 7 04:39:10 sshd[22691]: error: /etc/ssh/sshd_config: line 58: Bad configuration option: KerberosOrLocalPasswd
Feb 7 04:39:10 sshd[22691]: fatal: /etc/ssh/sshd_config: terminating, 1 bad configuration options

I am using OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols
1.5/2.0, OpenSSL 0x0090601f which came with the base system of a 4.5-RC
install.

The following was included in my make.conf when I did a make world.

KRB5_HOME=      /usr/local
MAKE_KERBEROS5= yes

Anything else that I missed?

---
Gareth Hopkins
Server Operations
UUNET SA, a WorldCom Company
(o) +27.21.658.8700  (f) +27.21.658.8552  (m) +27.82.389.5389
http://www.uunet.co.za
08600 UUNET (08600 88638)

From owner-freebsd-security Wed Feb 6 19:17:50 2002
Date: Wed, 06 Feb 2002 22:17:46 -0500
From: Stéphane Fillion
To: freebsd-security@FreeBSD.ORG
Subject: swap partition and security
can the swap partition be used to 'spy' what happened into a box?

can someone with physical access to a box put the hard drive in another
computer and check into the swap to find password or email or ...?

is this a security issue?

what can i do about it?

_________________________________________________________________
Download MSN Explorer free at http://explorer.msn.fr/intl.asp.

From owner-freebsd-security Wed Feb 6 19:25:05 2002
Date: Thu, 7 Feb 2002 11:24:31 +0800
From: "Edwin Chen"
Subject: how to detect a illegal connect on local network ?
Message-ID: <011b01c1af86$f5dacc00$0c0610ac@testterm.com>
maybe this message is off topic, but I have no idea where to go. I want
to know how I can detect any user on my local network that uses a
freebsd box and still dials up to the internet over a serial line with a
modem? thanks.

edwin chen

From owner-freebsd-security Wed Feb 6 19:51:59 2002
Date: Wed, 6 Feb 2002 19:51:45 -0800 (PST)
From: Jason Stone
To: Stéphane Fillion
Subject: Re: swap partition and security
Message-ID: <20020206193226.L6370-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> can the swap partition be used to 'spy' what happened into a box?
>
> can someone with physical access to a box put the hard drive in
> another computer and check into the swap to find password or email or
> ...?

For the most part, any part of main memory can get swapped out at any
time. If a process that handles passwords or keys gets some or all of its
pages swapped out, then yes, you'll probably be able to retrieve those
passwords or keys from the swap disk. This is mostly only an issue with
long-running processes like ssh-agent.

You can easily verify this for yourself - write a four-line program that
allocates a buffer, sticks a constant string in it, and then sleeps
forever. Then write a program that forks a bunch of times and each copy
allocates as much memory as it can. Wait until the machine starts
thrashing, kill all the memory eaters, and then run strings(1) on your
swap partition - the constant string from the first program will almost
certainly be in there.

> what can i do about it?

There is a system call called mlock(2) which allows a program to lock its
memory pages in core, ensuring that they won't get swapped out. Security
or performance oriented programs sometimes use this. The downside is that
this call can only be made by root, so your programs have to be setuid
root. The gnupg port has some pretty generic code that provides
secure_malloc, secure_free, etc, using mlock.

Alternatively, you could arrange for your swap to be encrypted somehow
(swap to a file on a cryptfs or cfs mount) or else just not use swap.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8YfnVswXMWWtptckRAn/pAKCXa+jKyF0I7hsQNOaJ0PxV+9kRSgCfTE5R
x9/TEI/h7f9PWVneVNT3fl0=
=PiGg
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Feb 7 00:56:07 2002
Date: Thu, 7 Feb 2002 00:54:34 -0800
From: "Crist J. Clark"
To: Edwin Chen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: how to detect a illegal connect on local network ?
Message-ID: <20020207005434.D2143@blossom.cjclark.org>
References: <011b01c1af86$f5dacc00$0c0610ac@testterm.com>
In-Reply-To: <011b01c1af86$f5dacc00$0c0610ac@testterm.com>; from slack@suntop-cn.com on Thu, Feb 07, 2002 at 11:24:31AM +0800
X-URL: http://people.freebsd.org/~cjc/

On Thu, Feb 07, 2002 at 11:24:31AM +0800, Edwin Chen wrote:
> maybe this message is off topic, but I have no idea where to go.
> I want to know how I can detect any user on my local network that uses
> a freebsd box and still dials up to the internet over a serial line
> with a modem? thanks.

Go to each machine on your local network and look to see if there is a
modem attached.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Thu Feb 7 02:03:02 2002
Date: Thu, 7 Feb 2002 10:56:22 +0300
From: Доброжелатель (Well-wisher)
Subject: how do people make money on the Internet???
Organization: there isn't one! :)
Reply-To: S-AS@yandex.ru
Message-Id: <3C623292.AA08649@mail1.rambler.ru>

Good day!

If you are interested in how people earn money on the Internet and you
want to earn it yourself...

Then $5 + a little diligence = receive money for the rest of your life.

Details: http://5dolors.non.ru or http://5dolors.maza.ru/

Once you register, you will receive a free consultation and the set of
programs needed for the work!!!

Good luck!
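Jason Stone's reply on swap and mlock(2) earlier in this digest describes the gnupg-style secure_malloc/secure_free idea in prose only. As an added example (my code, not from the thread and not gnupg's implementation), here is a minimal C version of that pattern: a page-aligned buffer pinned with mlock(2) so it is never written to swap, wiped with a volatile loop before munlock/free so the secret does not survive in freed heap memory either. It assumes POSIX mlock/munlock, posix_memalign(3) and sysconf(3); the secret string is constructed for the demo. An mlock failure (for example an unprivileged process exceeding RLIMIT_MEMLOCK on a modern system) is reported and recorded in the `locked` flag rather than treated as fatal, so the caller can decide whether an unpinned buffer is acceptable.

```c
/* Added example: mlock-pinned secret buffer with wipe-before-free.
 * Not code from the mailing-list thread or from gnupg; names are my own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef struct {
    unsigned char *ptr;   /* page-aligned storage */
    size_t len;           /* bytes the caller asked for */
    size_t alloc;         /* bytes actually allocated (whole pages) */
    int locked;           /* 1 if mlock(2) succeeded, 0 otherwise */
} secbuf;

/* Allocate len bytes (rounded up to whole pages), zero them and try to pin
 * them in RAM. Returns 0 on success, -1 if the allocation itself failed.
 * A refused mlock is not fatal: locked stays 0 and a warning is printed. */
int secbuf_alloc(secbuf *b, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;                     /* conservative fallback */
    size_t psz = (size_t)page;
    size_t alloc = ((len + psz - 1) / psz) * psz;
    if (alloc == 0) alloc = psz;

    void *p = NULL;
    if (posix_memalign(&p, psz, alloc) != 0)
        return -1;
    memset(p, 0, alloc);

    b->ptr = p;
    b->len = len;
    b->alloc = alloc;
    b->locked = (mlock(p, alloc) == 0) ? 1 : 0;
    if (!b->locked)
        fprintf(stderr, "warning: mlock failed (%s); buffer may be swapped\n",
                strerror(errno));
    return 0;
}

/* Zero the buffer through a volatile pointer so the compiler cannot drop
 * the stores as "dead" just because the memory is about to be freed. */
void secbuf_wipe(secbuf *b)
{
    volatile unsigned char *p = b->ptr;
    for (size_t i = 0; i < b->alloc; i++)
        p[i] = 0;
}

/* Return 1 if every allocated byte is zero, else 0. */
int secbuf_is_zero(const secbuf *b)
{
    for (size_t i = 0; i < b->alloc; i++)
        if (b->ptr[i] != 0) return 0;
    return 1;
}

/* Wipe, unpin and release. Safe to call twice or on a zeroed secbuf. */
void secbuf_free(secbuf *b)
{
    if (b->ptr == NULL) return;
    secbuf_wipe(b);
    if (b->locked) munlock(b->ptr, b->alloc);
    free(b->ptr);
    memset(b, 0, sizeof *b);
}

/* Returns 1 if a buffer of len bytes is allocated zeroed, at least len bytes
 * long and page-sized, and releases it again. */
int demo_alloc_and_free(size_t len)
{
    secbuf b = {0};
    if (secbuf_alloc(&b, len) != 0) return 0;
    long page = sysconf(_SC_PAGESIZE);
    int ok = b.alloc >= len && secbuf_is_zero(&b) &&
             (page <= 0 || b.alloc % (size_t)page == 0);
    secbuf_free(&b);
    return ok && b.ptr == NULL;
}

/* Returns 1 if a constructed secret is stored in the pinned buffer and is
 * fully zeroed by the wipe before the buffer is released. */
int demo_secret_lifecycle(void)
{
    static const char secret[] = "constructed-passphrase-not-a-real-secret";
    secbuf b = {0};
    if (secbuf_alloc(&b, sizeof secret) != 0) return 0;
    memcpy(b.ptr, secret, sizeof secret);
    int stored = memcmp(b.ptr, secret, sizeof secret) == 0 && !secbuf_is_zero(&b);
    secbuf_wipe(&b);
    int wiped = secbuf_is_zero(&b);
    secbuf_free(&b);
    return stored && wiped;
}

int main(void)
{
    secbuf b = {0};
    if (secbuf_alloc(&b, 64) == 0) {
        printf("secbuf: %zu bytes, %s\n", b.alloc,
               b.locked ? "locked in RAM" : "NOT locked");
        secbuf_free(&b);
    }
    return demo_secret_lifecycle() ? 0 : 1;
}
```

Two design points worth noting: the wipe happens before munlock, because a buffer that is unpinned while still holding the secret could be paged out in the window before free; and a whole-page allocation is used because mlock(2) works on pages anyway, so rounding up costs nothing and keeps unrelated heap data from sharing the pinned page.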
From owner-freebsd-security Thu Feb 7 05:37:42 2002
Date: Thu, 7 Feb 2002 08:36:25 -0500 (EST)
From: Weldon S Godfrey 3
To: Greg Lane
Cc: Brett Glass, Trevor Johnson, Victor Grey,
Subject: Re: Is this evidence of a break-in attempt?
In-Reply-To: <20020207113905.A31674@nucl03.anu.edu.au>

If memory serves me right, sometime around 11:39am, Greg Lane told me:

--snip--
> 
> In case you haven't noticed already, I am somewhat paranoid. I don't think
> I'd ever be able to trust a colocated box.
> 

I agree, you never know who works there. And depending on how they allow
outsiders to access the colo area, you never know if an unwatched
"customer" will try something funny.
Weldon

From owner-freebsd-security Thu Feb 7 08:33:58 2002
Date: Thu, 07 Feb 2002 11:33:47 -0500
From: "James F. Hranicky"
To: security@freebsd.org
Subject: Questions (Rants?) About IPSEC
Message-Id: <20020207163347.51C606B29@mail.cise.ufl.edu>

After reading up on IPSEC, I have one major question: Is it really
a good protocol?

It may be that I don't understand it well enough, or that the
implementations I've looked at are lacking in features that I want,
but it seems to me that it simply isn't a good solution for anything
more than a small number of users. Here are the problems I have with
IPSEC:

  - IPSEC routers don't seem to be able to advertise routes
    for an arbitrary number of networks behind them

  - IPSEC routers have to basically be the border router for
    a site, as there is no post-decryption NAT protocol to
    get packets back to a router on the inside of the network
    (Apparently, Cisco VPN boxes have this capability, but
    it's an add-on to IPSEC AFAICT).

  - Clients with dynamic IPs are poorly supported.

    AFAICT, what I want is to be able to issue x509 certs to
    any of my remote users for key exchange, and accept any
    cert from any client that was signed by my CA. That's what
    PKI is all about, right?
    Checking the racoon.conf man pages
    and sample racoon.conf files shows that I need to have the
    client's *private* key for a *specific* IP address.

    o Is this really the case, or am I just wrong here?

    o Isn't requiring the server to have the private cert
      key the same as having a shared secret?

    o If I'm not wrong, and cert's private keys are required per
      IP address, is there some problem with the scheme I detailed
      above? As a comparison, isn't the whole point of the
      ssh_known_hosts file to keep only the public keys on the
      remote server? I mean, wouldn't it be great if ssh supported
      x509 certs, obviating the need for even the ssh_known_hosts
      file, as host keys would be signed by the CA?

      Isn't this what we want for IPSEC???

In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
to the following setups ? :

  - One shared secret for all my users in the interest of manageability.

    I can only assume this means any user could theoretically listen in
    on the key exchange and thus be able to decrypt another's IPSEC
    communications

  - Different shared secrets for all users/client machines.

    Key management nightmare.

  - Different x509 certs for all users/client machines.

    See above.

  - GSSAPI Auth .

    Does this even work? Does it work with w2k clients and an MIT
    KDC? If it does, this would probably do what I need for any w2k
    boxes out there, but all the info I read said it didn't work
    with w2k yet. Never mind any other IPSEC client software.

Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
any better?

Any enlightenment I can receive that can convince me IPSEC is anything
more than an alpha-quality protocol that requires vendors (a la Cisco)
to fix it would be most appreciated. It's entirely possible I have
no idea what I'm talking about.
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

From owner-freebsd-security Thu Feb 7 11:29:53 2002
Date: Thu, 7 Feb 2002 11:29:39 -0800
From: "R.P. Aditya"
To: "James F. Hranicky"
Cc: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Message-ID: <20020207192939.GB29005@mighty.grot.org>
References: <20020207163347.51C606B29@mail.cise.ufl.edu>
In-Reply-To: <20020207163347.51C606B29@mail.cise.ufl.edu>
X-PGP-Key: http://www.grot.org/pubkey.asc
X-PGP-Key-ID: 0x6405D8D5

On Thu, Feb 07, 2002 at 11:33:47AM -0500, James F. Hranicky wrote:
> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?

It has its uses, yes.

> - IPSEC routers don't seem to be able to advertise routes
>   for an arbitrary number of networks behind them

IPSEC defines a standard for authentication and encryption of IP packets
and doesn't participate in routing per se, so this quibble is not really
"a problem".
> - IPSEC routers have to basically be the border router for
>   a site, as there is no post-decryption NAT protocol to
>   get packets back to a router on the inside of the network
>   (Apparently, Cisco VPN boxes have this capability, but
>   it's an add-on to IPSEC AFAICT).

If you use AH then this is a problem; with just ESP, it should not be a
problem. However, given the intrinsic dependence on "static" IP addresses
to base policy, using it with NAT is not "standardly supported".

> - Clients with dynamic IPs are poorly supported.
>
>   AFAICT, what I want is to be able to issue x509 certs to
>   any of my remote users for key exchange, and accept any
>   cert from any client that was signed by my CA. That's what
>   PKI is all about, right? Checking the racoon.conf man pages
>   and sample racoon.conf files shows that I need to have the
>   client's *private* key for a *specific* IP address.
>
>   o Is this really the case, or am I just wrong here?

yes, this is really the case.

>   o Isn't requiring the server to have the private cert
>     key the same as having a shared secret?

yes.

>   o If I'm not wrong, and cert's private keys are required per
>     IP address, is there some problem with the scheme I detailed
>     above? As a comparison, isn't the whole point of the
>     ssh_known_hosts file to keep only the public keys on the
>     remote server? I mean, wouldn't it be great if ssh supported
>     x509 certs, obviating the need for even the ssh_known_hosts
>     file, as host keys would be signed by the CA?
>
>   Isn't this what we want for IPSEC???

This is what is wanted from a general VPN protocol, but IPSEC wasn't
designed to solve that problem alone.

> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?

probably. Unfortunately, they are not entirely IETF standards based and
it's hard to find one that supports a wide variety of client OSes.
> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.

It's not so simple -- you want IPSEC to do things it wasn't designed to
do. There are efforts to extend it to do things like you want, but don't
hold your breath. Depending on your clients, you should probably pick a
commercial VPN vendor at this point or teach your user base to use ssh
(close to impossible, I know).

Hope that helps,
Adi

From owner-freebsd-security Thu Feb 7 11:44:41 2002
Date: Thu, 07 Feb 2002 14:40:28 -0500
From: Dexter Coffin
To: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Message-ID: <3C62D82C.7070507@home.com>
References: <20020207163347.51C606B29@mail.cise.ufl.edu>

Here are some thoughts. YMMV. Anyone, please feel free to confirm or
denounce my info ... anyway, I HTH ...
Please note that all of my IPSec experience comes from COTS products like
CheckPoint, Cisco, Nokia, and Nortel. Never used S/WAN or racoon ...

James F. Hranicky wrote:

> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?

Yes. Room for improvement abounds, tho. See the end of this reply for
some more thoughts.

>
> It may be that I don't understand it well enough, or that the
> implementations I've looked at are lacking in features that I want,
> but it seems to me that it simply isn't a good solution for anything
> more than a small number of users. Here are the problems I have with
> IPSEC:
>
> - IPSEC routers don't seem to be able to advertise routes
>   for an arbitrary number of networks behind them
>

Stuff like OSPF, which uses a multicast address IIRC cannot work through
IPSec, a definite shortcoming. The exception is like a Cisco to Cisco
that both agree on a non-standard (read: not part of the IPSec standard
which, for multicast, there is none) way of doing it. All routes must
otherwise be static.

> - IPSEC routers have to basically be the border router for
>   a site, as there is no post-decryption NAT protocol to
>   get packets back to a router on the inside of the network
>   (Apparently, Cisco VPN boxes have this capability, but
>   it's an add-on to IPSEC AFAICT).

Cisco's add on also breaks some compatibility with other IPSec devices,
like CheckPoint FireWall-1 4.0- IIRC. But, yes, the IPSec gateway does
have to function as a router to some degree whether or not it is an
actual router. This can be a real PITA if you have lots of incongruous
and/or non-sequential networks behind it (like the RFC 1918 private
addresses and some poorly chosen public networks that really are private
... if you get my meaning). One could do a one-legged IPSec device and
let a router handle routing.
    ~~~~~~~~~~~~
    ~ Internet ~
    ~~~~~~~~~~~~
        |
        | <------------------ default route, hopefully w/ FW in between
        |
    +---A----+   +-------+
    | router B-+-C IPSec | <- outbound route for assigned client addresses
    +---D----+ | +-------+    or static gateway addresses (& protected
        |      |              LANs via remote gateway); device default
        |      |              routes to router interface B
        |      | +-------+
        |      +-| DHCP  | <- for inbound IPSec client IP assignment (maybe
        |        +-------+    not a separate host)
        |
        | <------------------ OSPF, BGP, etc. ... maybe FW here, too
        |
    ~~~~~~~~~~~~
    ~ Private  ~
    ~   LAN    ~
    ~~~~~~~~~~~~

... where

  interface A = public Internet routable address for all Internet traffic
  interface B = public Internet routable address for IPSec traffic
  interface C = public Internet routable address for IPSec traffic
  interface D = private address for unencrypted traffic

and whatever network/pool you use for clients default routes from the
internal LAN to the IPSec gateway w/ maybe static NAT involved.

... I have to admit that I don't know if one can have dynamic routing on
but one router interface. I think you can specify trusted routers for
OSPF, etc ... And, of course, don't forget a firewall (or two).

>
> - Clients with dynamic IPs are poorly supported.

True. IPSec is too dependent upon static IPs for gateway to gateway
connections (tunnel mode, I believe). Transport mode, the client to
gateway stuff, works with DHCP or is supposed to. My experience shows
that if a client's DHCP lease expires and they do not get the same IP
back, they do have to either renegotiate or reauthenticate depending upon
the flexibility of both peers. SSL does a nicer job in this regard ...
Best case it (dynamic IPs and IPSec) consumes time and worse case the
connection is lost. If I have transport and tunnel swapped please
forgive.

>
>   AFAICT, what I want is to be able to issue x509 certs to
>   any of my remote users for key exchange, and accept any
>   cert from any client that was signed by my CA. That's what
>   PKI is all about, right?
>   Checking the racoon.conf man pages
>   and sample racoon.conf files shows that I need to have the
>   client's *private* key for a *specific* IP address.
>
>   o Is this really the case, or am I just wrong here?

A predefined static IP is required for tunnel (gateway) mode, not
transport (client). But you have the PKI thing right. It should be the
client's public key, not private, that is exchanged.

>
>   o Isn't requiring the server to have the private cert
>     key the same as having a shared secret?

With a shared secret, it would theoretically be possible to launch a
man-in-the-middle attack, because the math for the IPSec would be based
partially on a known value. If I can find my Cisco IPSec class notes, I
can send the formulas. Something like the remote public key is hashed
with the local private key and there's a remainder/mod in there somewhere
which is common to both, but never sent over the wire, to which the
encryption is based. The authentication is somewhat independent and based
off of the common root certifier ... CRLs and whatnot come into play.
With shared secret, the secret is hashed and that is the basis for the
encryption *AND* authentication. Also, managing loads of shared secrets
is a pain if you have lots of peers. ANX (Automotive Network eXchange, a
huge IPSec network of auto manufacturers and suppliers) uses only shared
secret at the moment (years after implementation ... but that is another
story).

>
>   o If I'm not wrong, and cert's private keys are required per
>     IP address, is there some problem with the scheme I detailed
>     above? As a comparison, isn't the whole point of the
>     ssh_known_hosts file to keep only the public keys on the
>     remote server? I mean, wouldn't it be great if ssh supported
>     x509 certs, obviating the need for even the ssh_known_hosts
>     file, as host keys would be signed by the CA?
>
>   Isn't this what we want for IPSEC???

I think the private key thing in the racoon man page is a typo.
Private keys are never shared, nor should ever be shared.

>
> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
> to the following setups ? :
>
> - One shared secret for all my users in the interest of manageability.
>
>   I can only assume this means any user could theoretically listen in
>   on the key exchange and thus be able to decrypt another's IPSEC
>   communications

True. Bad form unless it is unavoidable. And, the sharing of the shared
secret would need to be done over an OOB trusted media (like heavily
encrypted email, trusted phone call, face to face, etc.). Tracking and
troubleshooting also become exponentially more difficult in this
scenario. Imagine having to change the secret if it is compromised!

>
> - Different shared secrets for all users/client machines.
>
>   Key management nightmare.

Indeed. See note above.

>
> - Different x509 certs for all users/client machines.
>
>   See above.

Well, a good PKI takes care of that. As long as the certs have a common
root, everything should be good. That's what I'm doing with a 1100 user
base, but all commercial software and hardware. Some combine other
authentication methods, like S/Key or smartcards, into the mix.

>
> - GSSAPI Auth .
>
>   Does this even work? Does it work with w2k clients and an MIT
>   KDC? If it does, this would probably do what I need for any w2k
>   boxes out there, but all the info I read said it didn't work
>   with w2k yet. Never mind any other IPSEC client software.
>

Beyond me on this one.

> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?
>
> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.

Well, an okay closed system is from Nokia that's relatively inexpensive.
But they are negotiating with CheckPoint and the cost may well rise.
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin       UF/CISE Department            |
> | E314D CSE Building                  Phone (352) 392-1499          |
> | jfh@cise.ufl.edu                    http://www.cise.ufl.edu/~jfh  |
> ----------------------------------------------------------------------

IMHO, it'd be great if IPSec had SSL's flexibility (NAT is no problem, dynamic IPs are ~usually~ no problem, highly portable, light weight) and SSL had IPSec's robustness (better encryption, (w/ public key) better authentication and integrity, gateway to gateway tunnel-like mode for network to network connectivity). I don't know if SSL handles multicast, but IPSec certainly needs to.

As I said at the top, YMMV. HTH!!! :^D

--
 ( ))  >===<--.   Dexter Coffin - America's Favorite Ne'er-Do-Well
 C|~~| | = |-'    idnopheq@home.com - http://www.members.home.com/idnopheq
 `--'  `-----'    idnopheq@perlmonk.org - http://idnopheq.perlmonk.org

From owner-freebsd-security Thu Feb 7 13:42:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 8C4EC37B41D for ; Thu, 7 Feb 2002 13:42:25 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id g17LgDL69359; Thu, 7 Feb 2002 16:42:13 -0500 (EST) (envelope-from wollman)
Date: Thu, 7 Feb 2002 16:42:13 -0500 (EST)
From: Garrett Wollman
Message-Id: <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>
To: "James F. Hranicky"
Cc: security@FreeBSD.ORG
Subject: Questions (Rants?) About IPSEC
In-Reply-To: <20020207163347.51C606B29@mail.cise.ufl.edu>
References: <20020207163347.51C606B29@mail.cise.ufl.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

< said:
> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?

No, but it's the best one we've got.

> - IPSEC routers don't seem to be able to advertise routes
> for an arbitrary number of networks behind them

That's an issue with your routing process; it's not related to IPSEC.

> - IPSEC routers have to basically be the border router for
> a site, as there is no post-decryption NAT protocol to
> get packets back to a router on the inside of the network
> (Apparently, Cisco VPN boxes have this capability, but
> it's an add-on to IPSEC AFAICT).

IPSEC is designed to thwart processes which corrupt packet headers (including NAT).

> - Clients with dynamic IPs are poorly supported.

That's what the `generate_policy' option in racoon is for.

> AFAICT, what I want is to be able to issue x509 certs to
> any of my remote users for key exchange, and accept any
> cert from any client that was signed by my CA. That's what
> PKI is all about, right? Checking the racoon.conf man pages
> and sample racoon.conf files shows that I need to have the
> client's *private* key for a *specific* IP address.
>
> o Is this really the case, or am I just wrong here?

You are wrong. There are two distinct models: you can have pre-shared keys, in which case you have no certificates and a single secret key for every pair of communicating entities; or you can use public-key certificates. I have some issues with the way the certificate support works; that's not one of them. Pre-shared keys are not necessarily specific to an IP address; you can use any type of identifier supported in the IKE protocol.
> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
> to the following setups?
>
> - One shared secret for all my users in the interest of manageability.

If you were to use pre-shared keys, and you're concerned about manageability, there is an obvious mechanism to avoid everyone using the same key. Let C be a standard representation of each client's identity, and S likewise for the server. H is a hash function of some sort; Kp is a key known only to you. Then,

    K_{C,S} = { H(C | S) }_{Kp}

gives you a unique key for each pair (C,S) which you can easily derive at will given C, S, and Kp. Granted, this is not as theoretically secure as having unique random bits for every key, but it's better than having every user know every other user's key.

> I can only assume this means any user could theoretically listen in
> on the key exchange and thus be able to decrypt another's IPSEC
> communications

If you all used the same keys, that is conceivable. More to the point, any user could impersonate any other user.

-GAWollman
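Wollman's per-pair key derivation, worked through as an added example (this is not part of his post and not racoon's code). The post leaves the keyed step unspecified; here it is realised as HMAC-SHA256 keyed with Kp over the string "C|S", using the openssl command-line tool, and each key is printed as a line for racoon's psk.txt (identifier, tab, key as 0x-prefixed hex, which is the form I understand psk.txt accepts). The client and server identities and the master secret are constructed values.

```shell
#!/bin/sh
# Added example: one master secret Kp, one distinct pre-shared key per
# (client, server) pair, in the spirit of K_{C,S} = {H(C|S)}_{Kp}.
# The keyed primitive is HMAC-SHA256 (an assumption; the post does not
# name one).  Needs the openssl CLI.

# hmac_hex KEY DATA -> lowercase hex HMAC-SHA256 of DATA under KEY.
# Works with both "(stdin)= ..." and "HMAC-SHA2-256(stdin)= ..." output styles.
hmac_hex() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= *//'
}

# derive_psk CLIENT_ID SERVER_ID KP -> 64 hex chars.  Recomputable by whoever
# holds Kp; a client holding its own key cannot derive another client's.
derive_psk() {
    hmac_hex "$3" "$1|$2"
}

# psk_txt_line CLIENT_ID SERVER_ID KP -> one psk.txt entry for the server side:
# identifier, a tab, then the key as 0x-prefixed hex.
psk_txt_line() {
    printf '%s\t0x%s\n' "$1" "$(derive_psk "$1" "$2" "$3")"
}

# Stand-alone demo on constructed identities; Kp is a constructed secret.
KP='constructed-master-secret-keep-this-off-the-gateway'
for client in alice@example.test bob@example.test; do
    psk_txt_line "$client" gw.example.test "$KP"
done
```

Each client is handed only its own line (over the out-of-band channel Dexter describes above), while the server side can regenerate any line from Kp on demand. The caveat in the post stands: whoever holds Kp holds every key, so Kp belongs on the machine that issues keys, not in the gateway's psk.txt alongside them.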
From owner-freebsd-security Thu Feb 7 13:48:59 2002
Received: from relay.pair.com (relay1.pair.com [209.68.1.20]) by hub.freebsd.org (Postfix) with SMTP id 75D5337B41E for ; Thu, 7 Feb 2002 13:48:55 -0800 (PST)
Received: (qmail 44579 invoked from network); 7 Feb 2002 21:48:54 -0000
Received: from pd90058f0.dip.t-dialin.net (HELO laptop) (217.0.88.240) by relay1.pair.com with SMTP; 7 Feb 2002 21:48:54 -0000
Message-ID: <005301c1b021$37d50040$0901a8c0@system>
From: "Tom Beer"
Subject: no matching session
Date: Thu, 7 Feb 2002 22:48:44 +0100

Hi,

I just found the following in my logs. I asked on the ipf mailing list but didn't get a definitive answer. I checked my logs (all) and haven't found "no matching session".

Feb 7 03:18:41 strawberry ipmon[95]: 03:18:41.294443 tun0 @0:33 b 217.2.169.226,2387 -> 217.80.41.192,21 PR tcp len 20 48 -S 639002257 0 16384 IN no matching seesion

My block rule for port 21 is

block return-rst in log body quick on tun0 proto tcp from any to any port = 21

What does "no matching session" mean?
ipf -V
ipf: IP Filter: v3.4.16 (264)
Kernel: IP Filter: v3.4.16

Greets
Tom

From owner-freebsd-security Thu Feb 7 14:18:30 2002
Received: from mail.cise.ufl.edu (beach.cise.ufl.edu [128.227.205.211]) by hub.freebsd.org (Postfix) with ESMTP id DF90237B404 for ; Thu, 7 Feb 2002 14:18:24 -0800 (PST)
Received: from cise.ufl.edu (shine.cise.ufl.edu [128.227.205.227]) by mail.cise.ufl.edu (Postfix) with ESMTP id BEA206B27; Thu, 7 Feb 2002 17:18:23 -0500 (EST)
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: Questions (Rants?) About IPSEC
In-Reply-To: Message from Garrett Wollman of "Thu, 07 Feb 2002 16:42:13 EST." <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>
Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky"
Message-Id: <20020207221823.BEA206B27@mail.cise.ufl.edu>

Garrett Wollman wrote:

> > - IPSEC routers have to basically be the border router for
> > a site, as there is no post-decryption NAT protocol to
> > get packets back to a router on the inside of the network
> > (Apparently, Cisco VPN boxes have this capability, but
> > it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers to be placed at arbitrary points in the internal net. As I understand it, CISCO's VPN box does just that.

Thanks for your input.
Jim

From owner-freebsd-security Thu Feb 7 14:25:38 2002
Received: from smtpzilla2.xs4all.nl (smtpzilla2.xs4all.nl [194.109.127.138]) by hub.freebsd.org (Postfix) with ESMTP id D92A137B404 for ; Thu, 7 Feb 2002 14:25:29 -0800 (PST)
Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla2.xs4all.nl (8.12.0/8.12.0) with ESMTP id g17MPSX1004903 for ; Thu, 7 Feb 2002 23:25:28 +0100 (CET)
Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id XAA18339; Thu, 7 Feb 2002 23:25:28 +0100 (CET)
From: "Rob Frohwein"
To: freebsd-security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 7 Feb 2002 14:25:14 -0800
Organization: XS4ALL Internet BV
In-Reply-To: <20020207163347.51C606B29@mail.cise.ufl.edu>

"James F. Hranicky" wrote in message news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...

> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?
>
> It may be that I don't understand it well enough, or that the
> implementations I've looked at are lacking in features that I want,
> but it seems to me that it simply isn't a good solution for anything
> more than a small number of users. Here are the problems I have with
> IPSEC:
>
> - IPSEC routers don't seem to be able to advertise routes
> for an arbitrary number of networks behind them

I don't understand what you mean here; ipsec doesn't require anything special from routing.
> - IPSEC routers have to basically be the border router for
> a site, as there is no post-decryption NAT protocol to
> get packets back to a router on the inside of the network
> (Apparently, Cisco VPN boxes have this capability, but
> it's an add-on to IPSEC AFAICT).

There are some new RFCs about NATting ipsec tunnel packets. You can only NAT tunnel packets, because the outer headers are not authenticated.

> - Clients with dynamic IPs are poorly supported.

Can only be done when using cert authentication.

> AFAICT, what I want is to be able to issue x509 certs to
> any of my remote users for key exchange, and accept any
> cert from any client that was signed by my CA. That's what
> PKI is all about, right? Checking the racoon.conf man pages
> and sample racoon.conf files shows that I need to have the
> client's *private* key for a *specific* IP address.
>
> o Is this really the case, or am I just wrong here?

Every ipsec endpoint needs its own private key + certificate + CA certificate, that's all.

> o Isn't requiring the server to have the private cert
> key the same as having a shared secret?

Every party needs to have its own private + public key.

> o If I'm not wrong, and cert's private keys are required per
> IP address, is there some problem with the scheme I detailed
> above? As a comparison, isn't the whole point of the
> ssh_known_hosts file to keep only the public keys on the
> remote server? I mean, wouldn't it be great if ssh supported
> x509 certs, obviating the need for even the ssh_known_hosts
> file, as host keys would be signed by the CA?
>
> Isn't this what we want for IPSEC???

The intention with ipsec is that you don't need all public certs from all your peers. You only need (all) CA certs. If you start a session, the remote party (racoon) sends its cert. Your local racoon checks whether it has a CA cert which has signed your peer's cert. It then verifies the peer cert. This is also the only way for mobile users.
> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
> to the following setups?
>
> - One shared secret for all my users in the interest of manageability.
>
> I can only assume this means any user could theoretically listen in
> on the key exchange and thus be able to decrypt another's IPSEC
> communications
>
> - Different shared secrets for all users/client machines.
>
> Key management nightmare.
>
> - Different x509 certs for all users/client machines.
>
> See above.
>
> - GSSAPI Auth.
>
> Does this even work? Does it work with w2k clients and an MIT
> KDC? If it does, this would probably do what I need for any w2k
> boxes out there, but all the info I read said it didn't work
> with w2k yet. Never mind any other IPSEC client software.
>
> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?
>
> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.

You should really first do some tests with ipsec. I used 2 freebsd machines (inside vmware). There are numerous examples on the net which clarify your questions. It works with win2000: with pre-shared authentication keys, associated with ip addresses; with cert authentication, associated with x509 names/email addresses.

greeting
Rob Frohwein
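The certificate model Rob describes (each endpoint holds only its own private key and certificate plus the CA certificate, and a peer's certificate is accepted when a trusted CA signed it), as an added example that is not part of the thread and not racoon's code. It builds a throw-away CA, a peer key and certificate signed by it, and an unrelated CA with the openssl command-line tool in a temporary directory, then runs the responder's check twice: once against the issuing CA (accepted) and once against the unrelated CA (rejected). All names are constructed.

```shell
#!/bin/sh
# Added example: the "own key + own cert + CA cert" model from the post,
# reproduced with the openssl CLI.  Names are constructed; the directory
# is thrown away afterwards.

# build_pki DIR: issuing CA, a peer key + cert signed by it, and a second,
# unrelated CA that must NOT validate this peer.
build_pki() {
    dir=$1
    # Issuing CA, self-signed.  In a real deployment its key stays offline.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Peer generates its own key and a CSR; only the CSR leaves the peer.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=laptop1.example.test" \
        -keyout "$dir/peer.key" -out "$dir/peer.csr" >/dev/null 2>&1 || return 1
    # CA signs the CSR.  peer.crt (never peer.key) is what the peer sends in IKE.
    openssl x509 -req -in "$dir/peer.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$dir/peer.crt" >/dev/null 2>&1 || return 1
    # Unrelated CA: a gateway that trusts only this one must reject peer.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" >/dev/null 2>&1 || return 1
}

# verify_peer_cert CA_FILE PEER_CERT: exit 0 when PEER_CERT chains to CA_FILE,
# non-zero otherwise.  This is the check the responder makes on a presented cert;
# nothing in it needs the peer's private key.
verify_peer_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo.
pki_demo() {
    d=$(mktemp -d) || return 1
    build_pki "$d" || { rm -rf "$d"; return 1; }
    if verify_peer_cert "$d/ca.crt" "$d/peer.crt"; then
        echo "peer.crt accepted under ca.crt (issuer)"
    fi
    if ! verify_peer_cert "$d/other-ca.crt" "$d/peer.crt"; then
        echo "peer.crt rejected under other-ca.crt (not the issuer)"
    fi
    rm -rf "$d"
}

pki_demo
```

Mapped onto racoon: the peer points `certificate_type x509` (the directive Jim untangles later in the thread) at its own peer.crt and peer.key, the gateway does the same with its own pair, and both keep ca.crt as their trust anchor; at no point does either side hold the other's private key. Revocation, which Dexter raises above, is the one piece this check skips: `openssl verify` only consults a CRL when asked to with `-crl_check`.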
From owner-freebsd-security Thu Feb 7 14:41:01 2002
Received: from smtpzilla2.xs4all.nl (smtpzilla2.xs4all.nl [194.109.127.138]) by hub.freebsd.org (Postfix) with ESMTP id 97A0437B42F for ; Thu, 7 Feb 2002 14:40:41 -0800 (PST)
Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla2.xs4all.nl (8.12.0/8.12.0) with ESMTP id g17Mee8p007244 for ; Thu, 7 Feb 2002 23:40:41 +0100 (CET)
Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id XAA21279; Thu, 7 Feb 2002 23:40:40 +0100 (CET)
From: "Rob Frohwein"
To: freebsd-security@freebsd.org
Subject: Re: Racoon/sainfo - 'no policy found'
Date: Thu, 7 Feb 2002 14:40:26 -0800
Organization: XS4ALL Internet BV
In-Reply-To: <200202030048.QAA49670@mini.chicago.com>

"Frank Drebin" wrote in message news:list.freebsd.security#200202030048.QAA49670@mini.chicago.com...

> I'm trying to get working a 'standard' vpn setup. That is,
> I have a FreeBSD (4.2) machine running NAT, IPFilter, IPSec,
> Racoon (version 20011215a) among other things. I want to
> connect to it using Windows 98 and PGPNet (I've tried 6.5.8
> and 7.0.3) over the internet.
> No matter what I do, I get
> 'no policy found' followed by 'failed to get proposal for
> responder'.
>
> I should point out that I *HAVE* gotten this whole thing to
> work when I replaced the '98 side with another FBSD machine
> (4.4) running racoon (same version) along with all the other
> appropriate pieces.
>
> I've attached a section of the log file generated when trying
> to connect from '98. My racoon.conf is just a copy of the one
> that comes with the distribution. It works for FBSD<->FBSD,
> why doesn't it work with PGPNet?
>
> Oh, and in searching through the mailing lists I came across
> a patch someone suggested for something similar. I tried
> that too - no joy.
>
> Any help, suggestions, etc. would be greatly appreciated!
>
> Thanks
>
> -------------
> . . .
> 2002-01-31 17:18:45: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
> 2002-01-31 17:18:45: DEBUG: plog.c:193:plogdump():
> 79d4fa1b 6c2b6af5 91173e15 f7f8729f 6215747a
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> . . .
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1907:get_proposal_r(): get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.

++++++++++++++++++++
It seems to me that your pgpnet peer is trying to use x509 authentication, because in this case the ip address will not be used as an id. How do both configurations look? Try to look with ethereal; the first messages in phase 1 are not encrypted.
++++++++++++++++++++++++

> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1968:get_proposal_r(): get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload WINDOWS-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload FBSD-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL[0] FBSD-INTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff6b0 masked with /24: WINDOWS-EXTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3a08 masked with /24: WINDOWS-INTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:2028:get_proposal_r(): no policy found: WINDOWS-EXTERNAL[0] UNIX-EXTERNAL/32[0] proto=any dir=in
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
> 2002-01-31 17:18:45: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
> . . .
From owner-freebsd-security Thu Feb 7 17:08:45 2002
Received: from some.ants.ate.my.cat5.at.dsgx.org (some.ants.ate.my.cat5.at.dsgx.org [64.215.225.2]) by hub.freebsd.org (Postfix) with ESMTP id 2798F37B41C; Thu, 7 Feb 2002 17:08:41 -0800 (PST)
Received: from some.ants.ate.my.cat5.at.dsgx.org (localhost.dsgx.org [64.215.225.2] (may be forged)) by some.ants.ate.my.cat5.at.dsgx.org (8.12.2/8.11.6) with SMTP id g17K66qo009642; Thu, 7 Feb 2002 20:06:06 GMT (envelope-from hh@dsgx.org)
Date: Thu, 7 Feb 2002 20:06:06 +0000
From: hh
To: questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7 problems
Message-Id: <20020207200606.2514059d.hh@dsgx.org>
Organization: dsgx net solutions

razordea eggdrop- 1743 14 ? ? ?
poker    eggdrop- 1732 3  ? ? ?
poker    eggdrop- 1732 5  ? ? ?
poker    eggdrop- 1729 3  ? ? ?
poker    eggdrop- 1729 5  ? ? ?
penhao   eggdrop- 1706 3  ? ? ?
penhao   eggdrop- 1706 4  ? ? ?
penhao   eggdrop- 1706 6  ? ? ?
penhao   eggdrop- 1704 3  ? ? ?
penhao   eggdrop- 1704 4  ? ? ?

some# netstat -na |more
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q Inode Conn     Refs Nextref Addr
d9bc8d00 stream 0      0      0     d9bc8280 0    0       /tmp/mysql.sock
d9bc8280 stream 0      0      0     d9bc8d00 0    0
d9bc8d80 stream 0      0      0     d9bc8580 0    0       /tmp/mysql.sock
d9bc8580 stream 0      0      0     d9bc8d80 0    0

What's going on? I can't see who's connected from anywhere to anywhere ..
I have a 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7

From owner-freebsd-security Thu Feb 7 17:30:35 2002
Received: from mail.cise.ufl.edu (beach.cise.ufl.edu [128.227.205.211]) by hub.freebsd.org (Postfix) with ESMTP id 7578537B400 for ; Thu, 7 Feb 2002 17:30:25 -0800 (PST)
Received: from cise.ufl.edu (waterspout.cise.ufl.edu [128.227.205.52]) by mail.cise.ufl.edu (Postfix) with ESMTP id 39FC06B32 for ; Thu, 7 Feb 2002 20:30:24 -0500 (EST)
To: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 07 Feb 2002 20:30:24 -0500
From: "James F. Hranicky"
Message-Id: <20020208013024.39FC06B32@mail.cise.ufl.edu>

"James F. Hranicky" wrote in message news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...

> I don't understand what you mean here; ipsec doesn't require anything special
> from routing.

Hmmm...well, what I'd like is to be able to query the router for the nets that are behind it, and automagically add those to the IPSEC config.

> There are some new RFCs about NATting ipsec tunnel packets.
> You can only NAT tunnel packets, because the outer headers are not
> authenticated.

I mean NATting them after decryption, so they can find their way back to an arbitrary IPSEC router within the internal net and not go back out the border router due to the outside source address. I sent a post detailing this a couple of weeks ago. ("IPSEC into network behind the primary router", 1/17/02)

> > o Is this really the case, or am I just wrong here?
>
> Every ipsec endpoint needs its own private key + certificate + CA certificate,
> that's all.

Great! What a relief.
I guess I've had a hard time understanding racoon.conf.

> The intention with ipsec is that you don't need all public certs from all
> your peers.
> You only need (all) CA certs.
> If you start a session, the remote party (racoon) sends its cert.
> Your local racoon checks whether it has a CA cert which has signed your peer's
> cert.
> It then verifies the peer cert.
> This is also the only way for mobile users.

Ok, great.

> You should really first do some tests with ipsec.
> I used 2 freebsd machines (inside vmware).
> There are numerous examples on the net which clarify your questions.
> It works with win2000:
> with pre-shared authentication keys, associated with ip addresses;
> with cert authentication, associated with x509 names/email addresses.

Awesome. I've been searching the 'net for quite a while, but the docs I've found seemed on the terse side. I'll give it a go and see what happens. I have been able to get simple transport mode + shared secrets working, so now I'll try out the certs.

Thanks a ton!

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin       UF/CISE Department            |
| E314D CSE Building                  Phone (352) 392-1499          |
| jfh@cise.ufl.edu                    http://www.cise.ufl.edu/~jfh  |
----------------------------------------------------------------------

From owner-freebsd-security Thu Feb 7 19:07:36 2002
Received: from mail.cise.ufl.edu (beach.cise.ufl.edu [128.227.205.211]) by hub.freebsd.org (Postfix) with ESMTP id 2210937B404 for ; Thu, 7 Feb 2002 19:07:33 -0800 (PST)
Received: from cise.ufl.edu (waterspout.cise.ufl.edu [128.227.205.52]) by mail.cise.ufl.edu (Postfix) with ESMTP id 5B73E6B32 for ; Thu, 7 Feb 2002 22:07:32 -0500 (EST)
To: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 07 Feb 2002 22:07:32 -0500
From: "James F. Hranicky"
Message-Id: <20020208030732.5B73E6B32@mail.cise.ufl.edu>

> Great! What a relief. I guess I've had a hard time understanding racoon.conf.

I guess what happened was I got it stuck in my head that the "certificate_type x509" directive specified the *remote* cert and not the local one. Looking at it now it seems obvious. Well, I feel a bit foolish for my ranting, but much happier that certs are now working as expected.

Many thanks to all who responded.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin       UF/CISE Department            |
| E314D CSE Building                  Phone (352) 392-1499          |
| jfh@cise.ufl.edu                    http://www.cise.ufl.edu/~jfh  |
----------------------------------------------------------------------

From owner-freebsd-security Fri Feb 8 08:02:59 2002
Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id B740837B404 for ; Fri, 8 Feb 2002 08:02:42 -0800 (PST)
Received: from office.tor.velocet.net (trooper.velocet.net [216.138.242.2]) by spitfire.velocet.net (Postfix) with ESMTP id C550EFB468D; Fri, 8 Feb 2002 11:02:41 -0500 (EST)
Received: (from dgilbert@localhost) by office.tor.velocet.net (8.11.6/8.9.3) id g18G2f583812; Fri, 8 Feb 2002 11:02:41 -0500 (EST) (envelope-from dgilbert)
From: David Gilbert
Message-ID: <15459.63137.108296.892211@trooper.velocet.net>
Date: Fri, 8 Feb 2002 11:02:41 -0500
To: Garrett Wollman
Cc: "James F. Hranicky", security@FreeBSD.ORG
Subject: [security] Questions (Rants?) About IPSEC
In-Reply-To: <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>
References: <20020207163347.51C606B29@mail.cise.ufl.edu> <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>

>>>>> "Garrett" == Garrett Wollman writes:

Garrett> < said:
>> After reading up on IPSEC, I have one major question: Is it really
>> a good protocol?

Garrett> No, but it's the best one we've got.

I've been keen on IPSec for some time ... I've even had it running between selections of hosts, but I haven't been able to set up two scenarios that would make it actually useful to me:

1) Wireless DHCP laptop <-- tunnel mode --> gatewaybox

2) Home box on Cable Modem (DHCP) <-- tunnel mode --> office

The basic blocking point is that none of the HOWTOs written on the subject say anything about dynamic clients. I would really like to see a HOWTO (from someone working on this stuff) that assumes the client is roaming.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Fri Feb 8 09:02:08 2002
Received: from q3.cybg.com (digex-ext.cybg.com [209.119.171.80]) by hub.freebsd.org (Postfix) with SMTP id 6BBE437B416 for ; Fri, 8 Feb 2002 09:01:45 -0800 (PST)
From: Beth Reid
To: "'freebsd-security@FreeBSD.org'"
Cc: 'Bill Swingle'
Subject: RE: Questions regarding the wheel group
Date: Fri, 8 Feb 2002 11:57:38 -0500

Bill,

So sorry for the inconvenience. There was some formatting in the document which made readability easier. Hopefully freebsd-security can help me; thanx for the suggestion. Here is the straight text rather than a word document attachment:

-----

I am doing research on the wheel group and security and I had a couple of questions.

I understand the purpose of wheel as follows: "Further protection is offered for the root account by using a special group called the wheel group. The wheel group adds greater security to a system by preventing users that are not in this group from using the su (super user) command to su to root."

So, the majority of the time one would add a user to the wheel group and then give that person the root password so that these selected few users could become root when they "su". Makes sense and is a good feature.
While doing my research, I wanted to know what other type of privileges a user would have if they belong to wheel. What if someone inadvertently added a user to the wheel group (and was not given root's password)? Would a user in the wheel group without the root password be able to compromise a system in any way?

Some thoughts: Why should the wheel group be used on any files? I would think from a security point of view, wheel should not be the default or primary group for root. This way if you are in the wheel group and have root's password, you can become root. If you are in the wheel group, but do not have root's password you should not gain any special privileges to any files or directories. You should be like any other user.

My initial step was to check the permissions on all of the files to see if files with a group of "wheel" had permission bits where the group and other bits differed. Although this may not be exhaustive for every type of system, this is what I found on a FreeBSD Release 4.3 (without source) system. The following files had a group of wheel and had different group and other permissions.

1) The only 2 devices on my system where wheel had more permission than other were the following. I am not sure yet if there is a vulnerability here.

crw-rw----  2 root  wheel   14, 0x20000000 Nov 30 09:09 ./dev/rsa0.ctl
crw-rw----  2 root  wheel   14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl

2) In the /proc directory there is a mem file for each process. This seems to me like a vulnerability. The odd thing is that on one similar FreeBSD 4.3 release system the group was kmem for all files in this directory; all other systems had the group for root as wheel. So two questions here: 1) why does the group differ on the two systems, and 2) why does the wheel group have read privilege on these mem files?

-rw-r-----  1 root  wheel  0 Feb  6 12:27 ./proc/317/mem
-rw-r-----  1 root  wheel  0 Feb  6 12:27 ./proc/318/mem

3) This seems harmless.
-r-xr-x--- 1 root wheel 12424 Apr 21 2001 ./usr/sbin/mptable 4) This seems like it could be a vulnerability. If someone is in wheel that shouldn't be, he could read these files and perhaps gather some useful information. in /var/log -rw-r----- 1 root wheel 5490 Feb 6 03:01 setuid.today -rw-r----- 1 root wheel 5490 Feb 5 03:01 setuid.yesterday -rw-r----- 1 root wheel 5464 Feb 2 03:01 dmesg.today -rw-r----- 1 root wheel 5527 Feb 1 03:01 dmesg.yesterday -rw-r----- 1 root wheel 136 Dec 1 03:02 mount.today 5) These directories allow wheel to poke around in them, but not someone in the other group. It seems like I wouldn't want the crash files exposed. The cron directory is odd because although wheel can poke around in cron, he can't get to the tabs subfolder. The backup folder seems harmless(?). Someone in wheel can remove files from /tmp. in/var drwxrwxrwt 3 root wheel 512 Feb 6 03:01 tmp drwxr-x--- 2 root wheel 512 Feb 6 03:01 backups drwxr-x--- 3 root wheel 512 Nov 30 09:08 cron drwxr-x--- 2 root wheel 512 Nov 30 09:08 crash Again, I am under the impression that if you put someone in wheel you want him to be able to become root. It seems wheel acts more like a role mechanism where if you belong to it, you have an additional privilege. Should the additional privileges include access to the files above or just be the ability to execute the "su" command? In summary, if you could shed some light on any of these issues I would really appreciate it. If there are any documents you could point me to, I would be happy to do the research myself. I am looking for answers or information for the following: 1) What if someone inadvertently added a user to the wheel group (and was not given root's password)? Would a user in the wheel group without the root password be able to compromise a system in any way? 2) Why should the wheel group be used on any files? 3) Why is the wheel group the primary group for root? 4) Items 1-5 for the files where group and other permissions differ. 
An explanation for these files and directories. Also the kmem issue is very strange. 5) Should being in the wheel group give any other privilege other than to execute the "su" command? -------- Thanx again and apologies for inconvenience. Beth -----Original Message----- From: Bill Swingle [mailto:unfurl@dub.net] Sent: Friday, February 08, 2002 11:50 AM To: Beth Reid Cc: 'security-officer@FreeBSD.org' Subject: Re: Questions regarding the wheel group Beth, Being that we're a unix security group most of us use microsoft products very rarely. If your questions are text only, why complicate the matter with an attachment? Secondly, most likely the forum that you're looking for is the freebsd-security mailing list. Check the freebsd.org website for more info. -Bill On Fri, Feb 08, 2002 at 09:34:03AM -0500, Beth Reid wrote: > Hi > > Attached is document with a few questions regarding the wheel group and > security. If you have information, I would really appreciate it. If you > can't read the attachment for any reason, please let me know. > > Thanx! > > Beth Reid > CyberGuard Corporation > > phone: 954-958-3900 x3230 > email: breid@cyberguard.com > fax: 954-958-3901 > > > See the LX, a new, low-cost EAL4 certified firewall/VPN compact appliance! > http://www.cyberguard.com/SOLUTIONS/Solutions_lx1.html > > -- -=| Bill Swingle - -=| Every message PGP signed -=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 -=| "Computers are useless. They can only give you answers" Pablo Picasso ------_=_NextPart_001_01C1B0C1.B8EF151C Content-Type: text/html Content-Transfer-Encoding: quoted-printable RE: Questions regarding the wheel group

From owner-freebsd-security Fri Feb 8 15:56:53 2002
Date: Sat, 9 Feb 2002 00:55:57 +0100
From: Przemyslaw Frasunek
To: security@freebsd.org
Subject: [Announce] Cerber security module for FreeBSD 4.x
Message-ID: <20020209005556.B8699@lagoon.freebsd.lublin.pl>

Hello,

We would like to bring your attention to our recent tool, a Cerber security module for FreeBSD 4.x. It provides configurable restrictions of execve(), ptrace(), open(), [l|f]chmod(), kld[un]load(), __sysctl(), unlink(), kill(), [sym]link(), [un]mount(), rename(), [l|f]chown(), ioctl() and set[e|r|s][u|g]id with extensive logging and argument checking.
Please consider visiting the homepage of our project: http://www.sourceforge.net/projects/cerber/

Notice that the project is still under heavy development. Please report any bugs.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Fri Feb 8 17:13:56 2002
Date: Sat, 9 Feb 2002 03:12:19 +0200 (EET)
From: Giorgos Keramidas
To: hh
Cc: questions@freebsd.org,
Subject: Re: 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7 problems
In-Reply-To: <20020207200606.2514059d.hh@dsgx.org>
Message-ID: <20020209031201.H654-100000@hades>

[ Do not cross-post. This is only marginally related to -security. ]

On 2002-02-07 20:06, hh wrote:
> some# netstat -na |more
> Active UNIX domain sockets
> Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
> d9bc8d00 stream      0      0        0 d9bc8280        0        0 /tmp/mysql.soc
> k
> d9bc8280 stream      0      0        0 d9bc8d00        0        0
> d9bc8d80 stream      0      0        0 d9bc8580        0        0 /tmp/mysql.soc
> k
> d9bc8580 stream      0      0        0 d9bc8d80        0        0
>
> what's going on ? i can't see who's connect from anywhere to anywhere ..
> i have an 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7

Your world (i.e. userland binaries) is probably out of sync with the running kernel. Try the instructions of /usr/src/UPDATING for building both a world and kernel. While you're there, you will probably find it nice to update to a newer version of -STABLE :-)

- Giorgos

From owner-freebsd-security Fri Feb 8 21:53:52 2002
Message-Id: <4.3.2.7.2.20020208225248.026f08c0@localhost>
Date: Fri, 08 Feb 2002 22:53:34 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Is the technique described in this article do-able with FreeBSD + ipf?
http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

From owner-freebsd-security Fri Feb 8 22:20:57 2002
From: Darren Reed
Message-Id: <200202090620.RAA19299@caligula.anu.edu.au>
Subject: Re: Is the technique described in this article do-able with
To: brett@lariat.org (Brett Glass)
Date: Sat, 9 Feb 2002 17:20:40 +1100 (Australia/ACT)
Cc: security@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20020208225248.026f08c0@localhost> from "Brett Glass" at Feb 08, 2002 10:53:34 PM

In some mail from Brett Glass, sie said:
>
> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

I believe that when you "halt" FreeBSD the whole OS halts. When you see the "press any key to reboot" message, no more activity is happening.

One question though, how do you generate log information?

Personally, I think of this as a 'misfeature'.

Cheers,
Darren

From owner-freebsd-security Fri Feb 8 23:54:18 2002
From: Frank Drebin
Message-Id: <200202090757.XAA35755@mini.chicago.com>
Subject: Re: Racoon/sainfo - 'no policy found'
To: freebsd-security@freebsd.org
Date: Fri, 8 Feb 2002 23:57:26 -0800 (PST)

> It seems to me your pgpnet peer is trying to use x509
> authentication because in this case
> the ip address will not be used as an id.
> How do both configurations look?
>
> Try to look with ethereal, the first messages in phase 1 are
> not crypted

OK, the config file is at the end of this message. Both ends are the same. Since sending my first message I've found that FBSD/racoon<->FBSD/racoon only works till the first time the keys are renegotiated.
At that point I get the message about the security association expiring, but from then on I always get the 'policy not found' error. The following is part of the log from one side of the FBSD<->FBSD case.

2002-02-08 23:44:28: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel NODE-A->NODE-B spi=230063835(0xdb67edb)
2002-02-08 23:45:13: ERROR: pfkey.c:738:pfkey_timeover(): NODE-A give up to get IPsec-SA due to time up to wait.
2002-02-08 23:46:26: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired NODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0
2002-02-08 23:46:27: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted NODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0
2002-02-08 23:47:31: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: NODE-B[500]<=>NODE-A[500]
2002-02-08 23:47:31: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Aggressive mode.
2002-02-08 23:47:33: NOTIFY: oakley.c:2036:oakley_skeyid(): couldn't find pskey, try to get one by the peer's address.
2002-02-08 23:47:33: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established NODE-B[500]-NODE-A[500] spi:d0ce96eebdeb0fec:3e4be8b2963f2ca6
2002-02-08 23:47:33: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: NODE-B[0]<=>NODE-A[0]
2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
2002-02-08 23:47:33: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
... ad nauseam

Thanks for your help!

------ racoon config file -------
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 5;
        }
}

sainfo anonymous
{
        pfs_group 5;
        lifetime time 10 min;
        authentication_algorithm hmac_sha1;
        encryption_algorithm 3des;
        compression_algorithm deflate ;
}

From owner-freebsd-security Sat Feb 9 00:53:47 2002
Date: Sat, 9 Feb 2002 00:53:37 -0800 (PST)
From: "f.johan.beisser"
To: Darren Reed
Cc: Brett Glass,
Subject: Re: Is the technique described in this article do-able with
In-Reply-To: <200202090620.RAA19299@caligula.anu.edu.au>
Message-ID: <20020208234001.R21734-100000@localhost>
On Sat, 9 Feb 2002, Darren Reed wrote:

> In some mail from Brett Glass, sie said:
> >
> > http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>
> I believe that when you "halt" FreeBSD the whole OS halts.
> When you see the "press any key to reboot" message, no more
> activity is happening.

true.. i don't think any of the BSDs will respond, since the kernel is only waiting for a keystroke to restart. to me this may be less secure than just having the machine fully up and running.

> One question though, how do you generate log information?

if the OS is still passing packets, you could easily have it set to output all log info to a serial port. this may, or may not, work even in linux. of course, you may not care about log info.

> Personally, I think of this as a 'misfeature'.

i wouldn't put it that far down, just yet. i don't see how much of an advantage it would be over a fully operational box, on the other hand.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                         jan@caustic.org
  "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
                                                         -- Tim Triche

From owner-freebsd-security Sat Feb 9 01:05:20 2002
Date: Sat, 9 Feb 2002 19:03:34 +1000
From: Andrew Kenneth Milton
To: "f.johan.beisser"
Cc: Darren Reed, Brett Glass, security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Message-ID: <20020209190334.I32999@zeus.theinternet.com.au>
References: <200202090620.RAA19299@caligula.anu.edu.au> <20020208234001.R21734-100000@localhost>
In-Reply-To: <20020208234001.R21734-100000@localhost>; from jan@caustic.org on Sat, Feb 09, 2002 at 12:53:37AM -0800

+-------[ f.johan.beisser ]----------------------
|
| i wouldn't put it that far down, just yet. i don't see how much of an
| advantage it would be over a fully operational box, on the other hand.

Even if it were in a comatose state, you might have some problems with using natd since your userland is gone. You could only use kernel space tools.

I don't see any real difference over a FreeBSD box in a halted state (assuming it worked that way), and a Packet Filter that was running on {MS|Free}DOS.
It might be easier (and faster) to configure FreeBSD not to come all the way up (or restrict what does) rather than not to go all the way down (we have a nice rc system d8)

--
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |                      |
ACN: 082 081 472  ABN: 83 082 081 472|   M:+61 416 022 411  | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Sat Feb 9 01:20:14 2002
Date: Sat, 9 Feb 2002 01:20:02 -0800 (PST)
From: "f.johan.beisser"
To: Andrew Kenneth Milton
Cc: Darren Reed, Brett Glass,
Subject: Re: Is the technique described in this article do-able with
In-Reply-To: <20020209190334.I32999@zeus.theinternet.com.au>
Message-ID: <20020209010627.Q21734-100000@localhost>

On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote:

> +-------[ f.johan.beisser ]----------------------
> |
> | i wouldn't put it that far down, just yet. i don't see how much of an
> | advantage it would be over a fully operational box, on the other hand.
>
> Even if it were in a comatose state, you might have some problems with
> using natd since your userland is gone. You could only use kernel space
> tools.

you're assuming ipfw, vs ipfilter. ipfilter is entirely run in the kernel. at a guess, you could create a small distribution of FreeBSD (similar to picobsd) that works with ipfilter. the last i saw, though, picobsd is broken, and not usable.

> I don't see any real difference over a FreeBSD box in a halted state
> (assuming it worked that way), and a Packet Filter that was running on
> {MS|Free}DOS.

well, the major difference may be in the intelligence of the OS. essentially there is none, though.

> It might be easier (and faster) to configure FreeBSD not to come all the
> way up, (or restrict what does) rather than not to go all the way down
> (we have a nice rc system d8)

actually, if you're going that route, it's easier to strip the kernel down, lock everything nicely with a securelevel (read up in init(8) about this), and remount all of the drives read only. there's nothing preventing anyone from doing that. there's also nothing to prevent you from booting from a drive, and loading all the tools you need into a ramdisk, and just using that..

of course, this is going a bit more hardcore than most people want or would.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                         jan@caustic.org
  "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
                                                         -- Tim Triche

From owner-freebsd-security Sat Feb 9 01:22:25 2002
Date: Sat, 9 Feb 2002 19:22:03 +1000
From: Andrew Kenneth Milton
To: "f.johan.beisser"
Cc: Andrew Kenneth Milton, Darren Reed, Brett Glass, security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Message-ID: <20020209192203.J32999@zeus.theinternet.com.au>
References: <20020209190334.I32999@zeus.theinternet.com.au> <20020209010627.Q21734-100000@localhost>
In-Reply-To: <20020209010627.Q21734-100000@localhost>; from jan@caustic.org on Sat, Feb 09, 2002 at 01:20:02AM -0800

+-------[ f.johan.beisser ]----------------------
|
| actually, if you're going that route, it's easier to strip the kernel
| down, lock everything nicely with a securelevel (read up in init(8) about
| this), and remount all of the drives read only. there's nothing preventing
| anyone from doing that. there's also nothing to prevent you from booting
| from a drive, and loading all the tools you need into a ramdisk, and just
| using that..
|
| of course, this is going a bit more hardcore than most people want or
| would.
But saner than trying to get the box to partially halt d8)

--
Totally Holistic Enterprises Internet  | Andrew Milton
The Internet (Aust) Pty Ltd            | M: +61 416 022 411
ACN: 082 081 472  ABN: 83 082 081 472  | akm@theinternet.com.au
PO Box 837 Indooroopilly QLD 4068      | Carpe Daemon

From owner-freebsd-security Sat Feb 9 1:31:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by hub.freebsd.org (Postfix) with ESMTP id B014D37B41F for ; Sat, 9 Feb 2002 01:31:12 -0800 (PST)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g199V8S51322; Sat, 9 Feb 2002 01:31:08 -0800 (PST) (envelope-from jan@caustic.org)
Date: Sat, 9 Feb 2002 01:31:08 -0800 (PST)
From: "f.johan.beisser"
X-X-Sender: jan@localhost
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
In-Reply-To: <20020209192203.J32999@zeus.theinternet.com.au>
Message-ID: <20020209012249.M21734-100000@localhost>
X-Ignore: This statement isn't supposed to be read by you
X-TO-THE-FBI-CIA-AND-NSA: HI! HOW YA DOIN?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote:

> | actually, if you're going that route, it's easier to strip the kernel
> | down, lock everything nicely with a securelevel (read up in init(8) about
> | this), and remount all of the drives read only. there's nothing preventing
> | anyone from doing that. there's also nothing to prevent you from booting
> | from a drive, and loading all the tools you need in to a ramdisk, and just
> | using that..
> |
> | of course, this is going a bit more hardcore than most people want or
> | would.
>
> But saner than trying to get the box to partially halt d8)

perhaps. i think it's a sane way to handle a firewall. if you're going to log it, you should be logging either to another machine or to a printer for hardcopy. better to do both, since the hardcopy is not really alterable.

but this is not something for the home user..

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                     jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Sat Feb 9 1:50:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from epsilon.lucida.ca (epsilon.lucida.ca [216.254.114.112]) by hub.freebsd.org (Postfix) with SMTP id 54C3C37B405 for ; Sat, 9 Feb 2002 01:50:50 -0800 (PST)
Received: (qmail 80238 invoked by uid 1000); 9 Feb 2002 09:50:48 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 9 Feb 2002 09:50:48 -0000
Date: Sat, 9 Feb 2002 03:50:46 -0600 (CST)
From: Matt Heckaman
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
In-Reply-To: <20020209192203.J32999@zeus.theinternet.com.au>
Message-ID: <20020209034130.H80207-100000@epsilon.lucida.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote:
...
: But saner than trying to get the box to partially halt d8)

Linux tends to go for the insane "cool factor" features to do the same job (for better or worse :P) as its proven real features.
:) Somehow though, they tend to mysteriously make their way into the stable kernel...

* Matt Heckaman - mailto:matt@LUCIDA.CA            http://www.lucida.ca/gpg *
* GPG fingerprint - 46D8 5C3B 5499 1D14 F01C 2ADD D1B9 6165 9E16 F8E4 *

The Universe is run by the complex interweaving of three elements: energy, matter, and enlightened self-interest. -- G'Kar, "Survivors"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: http://www.lucida.ca/gpg/

iD8DBQE8ZPD40blhZZ4W+OQRAvzqAKCGWPzttJvJhQ3584Rmsf3sGQD/6QCeNMYo
SMuP+MPPxngqAQpUWXtnt9w=
=8FaD
-----END PGP SIGNATURE-----

From owner-freebsd-security Sat Feb 9 14:02:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id CB88637B405 for ; Sat, 9 Feb 2002 14:02:14 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA15678; Sat, 9 Feb 2002 15:01:29 -0700 (MST)
Message-Id: <4.3.2.7.2.20020209150043.00dd56a0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 09 Feb 2002 15:01:22 -0700
To: Andrew Kenneth Milton, "f.johan.beisser"
From: Brett Glass
Subject: Re: Is the technique described in this article do-able with
Cc: Darren Reed, security@FreeBSD.ORG
In-Reply-To: <20020209190334.I32999@zeus.theinternet.com.au>
References: <20020208234001.R21734-100000@localhost> <200202090620.RAA19299@caligula.anu.edu.au> <20020208234001.R21734-100000@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 02:03 AM 2/9/2002, Andrew Kenneth Milton wrote:

>Even if it were in a comatose state, you might
>have some problems with
>using natd since your userland is gone.

You could use ipf, which (IIRC) does NAT in the kernel.

--Brett
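The setup recommended earlier in this thread (raise the securelevel per init(8), mount the drives read-only, and log to another machine or a printer because a firewall's own logs are the first thing an intruder edits) is a configuration rather than a procedure, so the following shell script is an added example and not code from anyone in this thread or from the FreeBSD project. It audits rc.conf, fstab and syslog.conf fragments for those three settings, with a weak file beside a hardened one. The sample files are constructed inline; the hostname (loghost.example), the device nodes (/dev/ad0s1a, /dev/lpt0) and the file contents are assumptions. One caveat from init(8) that matters for a firewall: at securelevel 3 the ipfw rule set can no longer be changed, so rules must be loaded before rc raises the level.

```shell
#!/bin/sh
# Added example, not code from this thread: audit FreeBSD config fragments
# for the locked-down firewall discussed above (securelevel raised in
# rc.conf, file systems mounted read-only in fstab, syslog shipped off-box).
# All sample files are constructed here; hostnames and device nodes are
# assumptions, not values from the original messages.

TMPD=$(mktemp -d)
WEAK_RC="$TMPD/rc.conf.weak";    HARD_RC="$TMPD/rc.conf.hard"
WEAK_FSTAB="$TMPD/fstab.weak";   HARD_FSTAB="$TMPD/fstab.hard"
WEAK_SYSLOG="$TMPD/syslog.weak"; HARD_SYSLOG="$TMPD/syslog.hard"

cat > "$WEAK_RC" <<'EOF'
# constructed: stock host, securelevel never raised (stays at -1)
hostname="fw.example"
ipfilter_enable="YES"
EOF
cat > "$HARD_RC" <<'EOF'
# constructed: level 2 as suggested; init(8) says 3 also freezes ipfw rules
hostname="fw.example"
ipfilter_enable="YES"
ipnat_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
EOF
cat > "$WEAK_FSTAB" <<'EOF'
# Device      Mountpoint  FStype  Options    Dump  Pass#
/dev/ad0s1a   /           ufs     rw         1     1
EOF
cat > "$HARD_FSTAB" <<'EOF'
# constructed: root and /usr read-only, only /var writable for local logs
/dev/ad0s1a   /           ufs     ro         1     1
/dev/ad0s1f   /usr        ufs     ro,nosuid  2     2
/dev/ad0s1e   /var        ufs     rw,noexec  2     2
EOF
printf '*.*    /var/log/all.log\n' > "$WEAK_SYSLOG"
cat > "$HARD_SYSLOG" <<'EOF'
# constructed: everything to a loghost and to a line printer for hardcopy
*.*    @loghost.example
*.*    /dev/lpt0
EOF

# rc_value FILE VAR: last assignment of VAR in an rc.conf-style file, with
# quotes, whitespace and trailing comments stripped. rc.conf is sourced by
# sh, so the last assignment is the one that takes effect.
rc_value() {
    awk -F= -v k="$2" '
        $1 == k {
            v = substr($0, index($0, "=") + 1)
            sub(/[[:space:]]*#.*$/, "", v)
            gsub(/["'\''[:space:]]/, "", v)
            last = v
        }
        END { if (last != "") print last }' "$1"
}

# check_securelevel RCFILE: succeed only if rc will raise the securelevel to
# 1 or more at boot (immutable/append-only flags stick, mounted disks and
# /dev/kmem cannot be opened for writing, kernel modules cannot be loaded).
check_securelevel() {
    en=$(rc_value "$1" kern_securelevel_enable)
    lvl=$(rc_value "$1" kern_securelevel)
    [ "$en" = "YES" ] || return 1
    case "$lvl" in
        ''|*[!0-9]*) return 1 ;;   # unset, or not a non-negative integer
    esac
    [ "$lvl" -ge 1 ]
}

# check_fstab_ro FSTAB MOUNTPOINT: succeed if the entry carries "ro", so the
# file system comes up read-only instead of needing a later remount.
check_fstab_ro() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
    case ",$opts," in
        *,ro,*) return 0 ;;
    esac
    return 1
}

# check_remote_syslog CONF: succeed if an uncommented selector forwards to a
# remote host ("@host"), i.e. the logs leave the firewall as advised above.
check_remote_syslog() {
    grep -Eq '^[^#].*[[:space:]]@[A-Za-z0-9.-]+' "$1"
}

# audit RCFILE FSTAB SYSLOGCONF: print a verdict per check, exit 0 only if
# all three pass.
audit() {
    rc=0
    check_securelevel "$1"   && echo "securelevel:   ok" || { echo "securelevel:   not raised"; rc=1; }
    check_fstab_ro "$2" /    && echo "root fs:       ro" || { echo "root fs:       rw"; rc=1; }
    check_remote_syslog "$3" && echo "remote syslog: ok" || { echo "remote syslog: none"; rc=1; }
    return $rc
}

echo "== weak ==";     audit "$WEAK_RC" "$WEAK_FSTAB" "$WEAK_SYSLOG" || true
echo "== hardened =="; audit "$HARD_RC" "$HARD_FSTAB" "$HARD_SYSLOG"
```

Run it as-is with sh; the weak set fails all three checks and the hardened set passes. rc_value takes the last assignment because rc.conf is sourced by sh and a later line overrides an earlier one, which is exactly how a stray `kern_securelevel_enable="NO"` appended at the bottom of a file would silently undo the hardening. The printer line in the hardened syslog.conf is the thread's hardcopy suggestion: syslogd only needs a writable path, and a line printer device gives a record that cannot be edited after the fact.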